[sf-lug] sending mail through SSH port forwarding
asheesh at asheesh.org
Wed Nov 26 05:48:05 PST 2008
On Mon, 13 Oct 2008, Rick Moen wrote:
> I might be missing something fundamental about the problem the original
> poster was trying to solve. Isn't the MTA you're tunneling to going to
> turn around and (generally speaking) deliver the SMTP stream across the
> global Internet in plaintext, anyway? That being the case, and
> considering that it's simply unwise to send confidential data via SMTP
> at _all_ (unless content-encrypted at the sub-SMTP level, or confined to
> special scenarios), what's the point of tunneling "for protection
> against password sniffing" over the first hop _only_?
Old thread, but here's my answer: It's the issue of my credentials to use
the SMTP server.
Sure, SMTP is generally done in plaintext. What I was worried about is
the credentials to use my SMTP server as outbound. Restricting access to
it is nice so that people don't blame me for spam. The SSH mail-tunnel
way that I use is passwordless since it uses a key shared out of band and
secure against a sniffer eavesdropping on the wireless (or other)
connection to my server; that person can't replay my credentials and
Generally I try to avoid having different login credentials for different
services, especially on the same machine.
> Over here at Chez Moen, we all know that the wireless network is
> fundamentally insecure, and so simply make a point of not trusting it.
Yup, me too. For some reason, I tend to not-trust the wireless network on
a per-application basis; my web browsing is secured using SSH SOCKS5
tunnels, and SMTP separately over these on-demand SSH connections.
Another good night not to sleep in a eucalyptus tree.
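An added example, not the poster's own setup, of the on-demand SSH tunnel the reply describes: a key-only, loopback-bound local forward for SMTP plus a SOCKS5 forward for the browser, together with the authorized_keys restriction the server side can apply so the key is good for nothing but that one forward. The host name, key path and port numbers are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed values: the host
# mailhost.example.org, the key ~/.ssh/mailtunnel_key, local ports 2525/1080.

MAILHOST="${MAILHOST:-mailhost.example.org}"
KEY="${KEY:-$HOME/.ssh/mailtunnel_key}"

# Build the ssh command line for the on-demand tunnel:
#  -f -N                    background, no remote command
#  BatchMode=yes            never fall back to a password prompt (key or nothing)
#  IdentitiesOnly=yes       offer only this key, not every key the agent holds
#  ExitOnForwardFailure=yes fail loudly instead of running without the forward
#  -L 127.0.0.1:2525:127.0.0.1:25  SMTP forward bound to loopback only, so
#                           other hosts on the wireless cannot relay through it
#  -D 127.0.0.1:1080        SOCKS5 proxy for the browser, likewise loopback-only
build_tunnel_cmd() {
    printf 'ssh -f -N -o BatchMode=yes -o IdentitiesOnly=yes -o ExitOnForwardFailure=yes -i %s -L 127.0.0.1:2525:127.0.0.1:25 -D 127.0.0.1:1080 %s' "$KEY" "$MAILHOST"
}

# Matching authorized_keys entry for the server: the key may only open a
# forward to the local SMTP port and gets no shell, pty, X11 or agent forwarding.
authorized_keys_line() {
    pubkey="$1"
    printf 'restrict,port-forwarding,permitopen="127.0.0.1:25" %s' "$pubkey"
}

# Local check once the tunnel is up: is something listening on the SMTP forward?
tunnel_listening() {
    port="${1:-2525}"
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | grep -q "127.0.0.1:$port "
    else
        netstat -ltn 2>/dev/null | grep -q "127.0.0.1:$port "
    fi
}

# Run as "./mailtunnel.sh up" to open the tunnel and confirm the forward;
# the mail client is then pointed at 127.0.0.1:2525 instead of the real MTA.
if [ "${1:-}" = "up" ]; then
    sh -c "$(build_tunnel_cmd)" && tunnel_listening 2525 \
        && echo "SMTP tunnel ready on 127.0.0.1:2525, SOCKS5 on 127.0.0.1:1080"
fi
```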