[sf-lug] sending mail through SSH port forwarding

Asheesh Laroia asheesh at asheesh.org
Wed Nov 26 05:48:05 PST 2008


On Mon, 13 Oct 2008, Rick Moen wrote:

> I might be missing something fundamental about the problem the original 
> poster was trying to solve.  Isn't the MTA you're tunneling to going to 
> turn around and (generally speaking) deliver the SMTP stream across the 
> global Internet in plaintext, anyway?  That being the case, and 
> considering that it's simply unwise to send confidential data via SMTP 
> at _all_ (unless content-encrypted at the sub-SMTP level, or confined to 
> special scenarios), what's the point of tunneling "for protection 
> against password sniffing" over the first hop _only_?

Old thread, but here's my answer: It's the issue of my credentials to use 
the SMTP server.

Sure, SMTP is generally done in plaintext.  What I was worried about is 
the credentials to use my SMTP server as outbound.  Restricting access to 
it is nice so that people don't blame me for spam.  The SSH mail-tunnel 
way that I use is passwordless since it uses a key shared out of band and 
secure against a sniffer eavesdropping on the wireless (or other) 
connection to my server; that person can't replay my credentials and 
impersonate me.

Generally I try to avoid having different login credentials for different 
services, especially on the same machine.

> Over here at Chez Moen, we all know that the wireless network is 
> fundamentally insecure, and so simply make a point of not trusting it.

Yup, me too.  For some reason, I tend to not-trust the wireless network on 
a per-application basis; my web browsing is secured using SSH SOCKS5 
tunnels, and SMTP separately over these on-demand SSH connections.

-- Asheesh.

-- 
Another good night not to sleep in a eucalyptus tree.
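An added example, not code from the original thread or from either poster: a small POSIX sh wrapper for the kind of on-demand, key-only SSH forward Asheesh describes, so the MUA submits to loopback and no SMTP password ever crosses the wireless hop. The host name, key path, ports and control-socket path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. An on-demand SSH local port
# forward for SMTP submission: the MUA talks to 127.0.0.1:2525, ssh carries
# it to the mail host, and only the SSH key (never an SMTP password) is used
# across the wireless hop. Assumed names: mailhost.example.org,
# ~/.ssh/smtp_tunnel_key, local port 2525, MTA listening on 127.0.0.1:25.

MAILHOST="${MAILHOST:-mailhost.example.org}"
TUNNEL_KEY="${TUNNEL_KEY:-$HOME/.ssh/smtp_tunnel_key}"
BIND_ADDR="${BIND_ADDR:-127.0.0.1}"
LOCAL_PORT="${LOCAL_PORT:-2525}"
REMOTE_PORT="${REMOTE_PORT:-25}"
CTL_SOCK="${CTL_SOCK:-$HOME/.ssh/ctl-smtp-%r@%h:%p}"

# Only ever bind the forward to loopback. Binding to 0.0.0.0 would let every
# other host on the same wireless LAN relay through our authenticated tunnel,
# which is exactly the "blamed for spam" situation the key is meant to avoid.
bind_addr_ok() {
    case "$1" in
        127.0.0.1|localhost|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Build the ssh command. BatchMode refuses interactive password prompts (key
# auth only); ExitOnForwardFailure makes ssh exit non-zero instead of running
# without the forward; ControlMaster/ControlPersist keep one session for reuse.
tunnel_cmd() {
    bind_addr_ok "$BIND_ADDR" || return 1
    printf 'ssh -N -f -o BatchMode=yes -o ExitOnForwardFailure=yes -o ControlMaster=auto -o ControlPath=%s -o ControlPersist=600 -i %s -L %s:%s:127.0.0.1:%s %s\n' \
        "$CTL_SOCK" "$TUNNEL_KEY" "$BIND_ADDR" "$LOCAL_PORT" "$REMOTE_PORT" "$MAILHOST"
}

# Ask the running control master whether the session is still alive.
tunnel_is_up() {
    ssh -o ControlPath="$CTL_SOCK" -O check "$MAILHOST" >/dev/null 2>&1
}

# Usage: ./smtp-tunnel.sh up | down | status
case "${1:-}" in
    up)     tunnel_is_up || eval "$(tunnel_cmd)" ;;
    down)   ssh -o ControlPath="$CTL_SOCK" -O exit "$MAILHOST" ;;
    status) tunnel_is_up && echo "tunnel up on $BIND_ADDR:$LOCAL_PORT" ;;
esac
# With the tunnel up, point the MUA's SMTP server at 127.0.0.1:2525 with no
# SMTP AUTH configured; the server-side MTA then sees a loopback client.
```

The forward itself is only the first hop, as Rick notes: message bodies still need end-to-end encryption if they are confidential, this only keeps the submission credential off the air.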