Linux forwarding-ports mail traffic over ssh

August 1, 2005 · 7 comments · LAST UPDATED August 1, 2005

SSH port forwarding is used to keep network traffic secure. Common examples are the pop3, smtp and http protocols. If you are using a DSL or wireless network, then hackers (read as crackers) can read your sensitive information such as email user name, password, email contents, ftp login information etc. Recently a friend of mine told me that his smtp login information was used to send spam email to thousands of users. The solution is simple: use ssh to forward arbitrary TCP ports to the other end of your connection, so that you can protect email, web, ftp traffic etc.

Consider the following scenario:
Normally, from your workstation you pull or send email directly via the ISP server. With the help of a remote ssh server you can secure that traffic. These days most ISPs don't provide ssh access to the pop3/smtp server. In that case the solution is to use your university's shell account, a free service provider such as metawire.org, or a server provided by your workplace. If you don't have a remote ssh server then stop reading this post.

Your ISP pop3 server name: pop3.myisp.com
Your remote ssh server name: metawire.org or ssh.myuni.ac.in
Your remote ssh server login name: vivek
Considering the above information, your ssh command will be as follows:
A) Log in as the root user (root is needed to bind local ports below 1024) and type the command (when prompted for a password, type vivek's password on metawire.org):
# ssh -f -N -L110:pop3.myisp.com:110 vivek@metawire.org

Where,
-f: Requests ssh to go to the background just before command execution.
-N: Do not execute a remote command, i.e. do not open a shell prompt; used when we are only forwarding ports.
-L 110:pop3.myisp.com:110: Defines a tunnel from port 110 on the local system to port 110 on pop3.myisp.com. It uses the following syntax:
port:host:hostport, which means the given port on the local (client) host is to be forwarded to the given host and port on the remote side.
vivek@metawire.org: Remote ssh user (vivek) and server name (metawire.org).
Here is another example where I'm using the yahoo pop3 and smtp servers to send and receive email via metawire.org's shell account:
# ssh -f -N -L110:pop.bizmail.yahoo.com:110 vivek@metawire.org
# ssh -f -N -L 25:smtp.bizmail.yahoo.com:25 vivek@metawire.org

Please note this is quite useful when you are on a wireless network (laptop) or when you don't trust your local network. If your mail server also provides ssh access then the command would be:
# ssh -f -N -L 25:pop3.myisp.com:25 vivek@pop3.myisp.com

Naturally, the next step is to reconfigure your mail client, such as Thunderbird or any other mail client. Make sure you set the pop3 server to localhost; the rest of the configuration remains as it is. Here is a sample configuration:

POP3 Server: localhost
Port: 110
Username: my-pop3-username (pop3.myisp.com username)

Please note that the secure SSH tunnel only works while you maintain a connection to the remote UNIX/Linux SSH server. If you disconnect from the remote ssh server or quit the SSH session, your tunnel also goes down.
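
The tunnel commands above run ssh as root and rely on its defaults. As an added example (not part of the original post), the following script validates a forward spec and prints an equivalent command that binds an unprivileged loopback port, exits if the forward cannot be set up, and uses keepalives to notice a dead tunnel; the function names and the port+1000 convention are assumptions made here.

```sh
#!/bin/sh
# Added example, not from the original post. Nothing here runs ssh; it only
# validates a -L forward spec and prints a command line with safer defaults.

# Split "[bind:]port:host:hostport". Prints "bind lport host hport", or
# returns 1 on a malformed spec. Bracketed IPv6 literals are not handled.
parse_forward() {
    spec=$1
    # Reject anything outside hostname/port characters before splitting.
    case $spec in ''|*[!A-Za-z0-9.:-]*) return 1 ;; esac
    old_ifs=$IFS; IFS=:
    set -- $spec
    IFS=$old_ifs
    case $# in
        3) bind=127.0.0.1; lport=$1; host=$2; hport=$3 ;;
        4) bind=$1; lport=$2; host=$3; hport=$4 ;;
        *) return 1 ;;
    esac
    [ -n "$bind" ] && [ -n "$host" ] || return 1
    for p in "$lport" "$hport"; do
        # Digits only, no leading zero, within the TCP port range.
        case $p in ''|0*|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    echo "$bind $lport $host $hport"
}

# Local ports below 1024 can only be bound by root.
needs_root() { [ "$1" -lt 1024 ]; }

# Print the ssh command for a spec and login. A privileged local port is
# moved to port+1000 (a convention assumed for this example) so that ssh
# can run as an ordinary user.
tunnel_cmd() {
    parsed=$(parse_forward "$1") || { echo "bad forward spec: $1" >&2; return 1; }
    set -- $parsed "$2"
    bind=$1; lport=$2; host=$3; hport=$4; login=$5
    if needs_root "$lport"; then lport=$((lport + 1000)); fi
    # ExitOnForwardFailure: exit if the local port cannot be bound.
    # ServerAlive*: notice a dead connection and exit instead of hanging.
    echo "ssh -f -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30" \
         "-o ServerAliveCountMax=3 -L $bind:$lport:$host:$hport $login"
}

# The two tunnels from the post, rewritten:
tunnel_cmd 110:pop3.myisp.com:110 vivek@metawire.org
tunnel_cmd 25:smtp.bizmail.yahoo.com:25 vivek@metawire.org
```

With the rewritten commands the mail client points at localhost port 1110 (POP3) and 1025 (SMTP) instead of 110 and 25.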

{ 7 comments… read them below or add one }

1 Anonymous August 2, 2005 at 5:52 am

If your ISP offers it, use SSL when using your POP and SMTP services. Most mail clients offer this option, including mutt (mutt-ssl) and pine.

2 Anonymous August 2, 2005 at 11:18 pm

will putty on windows do the same thing?

3 Vivek August 2, 2005 at 11:43 pm

Anonymous said…
If your ISP offers it, use SSL when using your POP and SMTP services. Most mail clients offer this option, including mutt (mutt-ssl) and pine.

Yup, only if you have secure POP3/SMTPS available, else use this trick.

4 Vivek August 2, 2005 at 11:53 pm

Anonymous said…
will putty on windows do the same thing?

Sure, you can use putty on windows to do the same thing. Try as follows:

(A) Visit putty download page and download both putty.exe and plink.exe (a command-line interface to the PuTTY back ends), Save them to C: or D:

(B) Open your windows xp/NT shell by clicking on Start > Run > Type command ‘cmd’. Once at XP/NT shell prompt type the commands:

plink -L 110:pop.bizmail.yahoo.com:110 vivek@metawire.org -N

Supply password and leave plink running once it connects.

5 Timothy Stone August 4, 2005 at 7:59 pm

I like this recommendation, but I have reservations about it…first your link to the remote sshd (ssh server) may be secure, but the weak link here is the POP3/SMTP connection from the remote ssh server.

[you]          [sshd]               [pop3/smtp]
      ^ secure        ^ not secure?

You would have to have a lot of trust in the remote ssh server you are using. If someone is eavesdropping on your unsecure connection (client to POP3/SMTP), it doesn’t proscribe an effort by a determined party to start eavesdropping from the unsecure link on the remote server (granted it might be harder, but not unlikely). So…I would agree with anonymous in the first comment, SSL is “secure” all the way from client to server.

It boils down to this: If you can’t have ssh directly to POP3/SMTP because your host doesn’t support it, you can’t have it from your remote connection either.

6 Vivek August 4, 2005 at 11:09 pm

First thanks for highlighting this point to all of our readers.

I must agree with you; if the remote sshd is not trusty then it is not useful at all; however, if the remote sshd and mail server are the same or trusty (like metawire.org) then you can use it.

Bottom line: if SSL is supported by the email (POP3) server, use it; else go to mail server/sshd :)

7 Anonymous January 4, 2006 at 3:36 pm

Hi Vivek,

I am a new reader who has just got a chance to read your articles. Your blog is very interesting and it is really a knowledge-sharing site. I am really impressed with your postings.

I’m maintaining 24 servers remotely. I have 2 years' experience in this, but wish to learn many things from you. So, if you have any collections about Linux, please let me know…

Thank you!
Soundar Raj
