Recipe 8.15 Securing POP/IMAP with SSH

8.15.1 Problem

You want to read mail on a POP or IMAP mail server securely. The mail server machine runs an SSH daemon.

8.15.2 Solution

Use SSH port forwarding. [Recipe 6.14]

Choose an arbitrary, unused TCP port number on your client machine, such as 12345.
Assuming your client is myclient and your mail server is mailhost, open a tunnel to its POP server (TCP port 110):
```
myclient$ ssh -f -N -L 12345:localhost:110 mailhost
```
or IMAP server (port 143):
```
myclient$ ssh -f -N -L 12345:localhost:143 mailhost
```
or whatever other port your mail server listens on.
Configure your mail client to connect to the mail server on port 12345 of localhost, instead of the POP or IMAP port on mailhost.

8.15.3 Discussion

As we discussed in our recipe on general port forwarding [Recipe 6.14], ssh -L opens a secure connection from the SSH client to the SSH server, tunneling the data from TCP-based protocol (in this case POP or IMAP) across the connection. We add -N so ssh keeps the tunnel open without requiring a remote command to do so.

Be aware that our recipe uses localhost in two subtly different ways. When we specify the tunnel:

12345:localhost:143

the name "localhost" is interpreted on the SSH server side. But when your mail client connects to localhost, the name is interpreted on the SSH client side. This is normally the behavior you want. However, if the server machine is not listening on the loopback address for some reason, you may need to specify the server name explicitly instead:

12345:mailhost:143

In addition, if the server machine is multihomed (has multiple real network interfaces), the situation may be more complicated. Find out which socket the mail server is listening on by asking your systems staff, or by looking yourself: [Recipe 9.14]

mailhost$ netstat --inet --listening

If your mail client and SSH client are on different hosts, consider adding the -g option of ssh to permit connections to the forwarded port from other hosts. Be careful, however, as this option allows anyone with connectivity to the client machine to use your tunnel.

If your SSH server and mail server are on different hosts, say sshhost and mailhost, then use this tunnel instead:

myclient$ ssh -f -N -L 12345:mailhost:143 sshhost

sshhost could be an SSH login gateway for a corporate network, while mailhost is an internal mail server on which you have a mailbox but no SSH login. sshhost must have connectivity to mailhost, and your client machine to sshhost, but your client machine cannot reach mailhost directly (that's the point of the gateway).

8.15.4 See Also

ssh(1) and sshd(8) discuss port forwarding and its configuration keywords briefly. For more depth, try Chapter 9 of our previous book, SSH, The Secure Shell: The Definitive Guide (O'Reilly), which goes into great detail on the subject.

[ Team LiB ]