Email Via SSH Tunnel

07:43 Wed 16 Aug 2006. Updated: 14:02 11 Jan 2007

SSH is a secure way of connecting from one computer to another. I use it very frequently to log into the command line of my machines at home. Recently I’ve become more interested in using “tunnels”, or “port forwarding”, and just set that up for email from my laptop.

  • Assumption #1: you have a machine (we’ll call it moonbase) that can receive SSH connections, and another machine (your local machine) that can connect using SSH.
  • Assumption #2: you have a service on the moonbase machine that you normally access from that machine itself, and that for any number of reasons you don’t want open to the outside world.
  • Assumption #3: you want to use this service from your local machine and you don’t want to do it via the command-line after SSHing into moonbase.

What port forwarding allows you to do is tell your local machine to forward connections it receives on a certain port to the remote server, via SSH, where they will be treated as if they are coming from that server itself (instead of from the outside).

Sending email is a good example. We don’t want our email server to accept outbound messages from just anyone, because that will turn it into a magnet for spammers and have generally bad results. So instead we tell it to only accept outbound messages from itself, and perhaps from machines on its local subnet. That’s fine, but is inconvenient when we’re not on the local subnet and still want to send email messages. SSHing into the email server and sending email from the command line is one way out, but that’s definitely a lot more awkward than just using our preferred mail client (in this case, Thunderbird).

So what we want to do is make Thunderbird pass outbound messages to the SSH client, which then SSHes into the email server and then sends those messages from the server itself.

An SSH tunnel does this by establishing a connection between a specific port on the local machine and a port on the server.

The two steps are configuring the mail client and establishing the tunnel. To configure Thunderbird, open the Tools menu and go to Account Settings, then to Outgoing Server (SMTP), click Add…, give some description (e.g. “local tunnel”), enter “localhost” in Server Name and an arbitrary port (say 22225) in the Port field. Turn off any Security/Authentication settings.

To set up the tunnel, run this from the command line:

ssh -N -C -f username@moonbase -L 22225:moonbase:25

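This assumes that the server taking SSH connections and the email server are the same machine. If not, change the second instance of moonbase to the email server (note that SSH only encrypts the traffic as far as moonbase; the hop from moonbase to the email server is a plain SMTP connection), e.g.: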

ssh -N -C -f username@moonbase -L 22225:moonmail:25

Depending on the setup of the email server, it may require a very specific name, not just any name that resolves to its IP address.
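
Because -f sends ssh to the background, a tunnel that is not working is easy to miss until a message fails to send. The following is an added example, not part of the original post: a small Python check that connects to the local end of the forward and reports whether an SMTP greeting comes back. The port 22225 is the one chosen above; the function name check_tunnel and the state names are hypothetical.

```python
import socket

def check_tunnel(host="127.0.0.1", port=22225, timeout=5.0):
    """Classify the local end of an SSH forward that should reach an SMTP server.

    Returns (state, detail); state is one of:
      "no-listener"  nothing bound to the local port (ssh exited or bind failed)
      "no-backend"   ssh accepted the connection but no greeting came back,
                     e.g. moonbase could not reach the mail server
      "not-smtp"     something answered, but not with an SMTP 220 greeting
      "ok"           SMTP greeting received through the tunnel
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # includes ConnectionRefusedError
        return "no-listener", f"{host}:{port}: {exc}"
    data = b""
    with sock:
        try:
            # Read until the first line is complete or the peer closes.
            while b"\n" not in data and len(data) < 512:
                chunk = sock.recv(512)
                if not chunk:
                    break
                data += chunk
        except (socket.timeout, ConnectionResetError):
            pass  # classified below according to what, if anything, arrived
    if not data:
        return "no-backend", "connected, but closed or silent before any greeting"
    line = data.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
    if line.startswith("220"):
        return "ok", line
    return "not-smtp", line

if __name__ == "__main__":
    state, detail = check_tunnel()
    print(f"{state}: {detail}")
```

A "not-smtp" result usually means the forward points at the wrong port or host, since the first line shown is whatever that service sent instead of the 220 greeting.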

I did this using OS X. I assume it would work on any machine that has an SSH2 client. For Windows, PuTTY is able to make tunnels. I was aided in figuring out how to do this by an article on how to do it for KMail.

Email is just one application. If you have the server for it, you can tunnel more or less everything via SSH, which is more secure and which may help your privacy in work environments (although it might also make your network administrators very suspicious, so be warned). A useful tool I suspect I’ll find many more uses for.
