Secure email services exist, but the majority of web host / email providers don't bother to provide them. When email is in transit from your mail server to the recipient's mail server it is not secure by design, so many providers don't see the point in offering secured email services. After begging your provider for secure email fails, you may not be out of luck. If your ISP provides SSH (secure shell) access but only supports unsecured POP3 or IMAP email access, you can securely fetch your email with SSH.
Here's our example network setup. The laptop is connected to the Internet through an untrusted wireless access point. If we don't own it, we don't trust it. More importantly, we shouldn't trust any of the other wireless network users.
For our how-to, we're assuming that the email and SSH accounts are on a single server. The example email connection uses POP on standard port 110 to retrieve email from the server and SMTP on port 25 to send email to the server.
We'll use SSH to create a pair of secured network tunnels that we can use to send and receive our unencrypted email. You might be able to create just one tunnel for retrieving email, but some providers won't let you send via SMTP unless you recently checked your email from the same machine. To keep them from thinking we're spammers, we'll create tunnels for both connections.
Creating the tunnels
The SSH tunnel will virtually connect port 2110 on our local machine to the POP3 port (110) on the remote server. Remember, for our example the SSH and email server are the same machine.
Here's a breakdown of the command:
- ssh - the actual SSH command
- -N - tells SSH we don't want to execute a remote command. Not terribly necessary, but makes it safer.
- will@fakemachine.org - account and SSH host info: user name will at server fakemachine.org
- -L 2110:localhost:110 - this one creates the tunnel. It tells SSH to forward traffic from port 2110 on the local machine to port 110 on the remote machine. Note that localhost here is resolved by the SSH server, which in our example is also the mail server.
The second tunnel will virtually connect port 2025 on our local machine to the SMTP port (25) on the remote server.
To simplify things, we can combine the two tunnels into one command. If you haven't set up SSH keys already, you'll be asked for your password every time you create the tunnel. You can easily generate a set of SSH keys if you want to get away from entering your password over and over again. There's a simple SSH key creation guide in Linux Server Hacks.
Configuring the email client
To make our email client connect to the server using the new tunnel, we have to make a few changes to our email account settings in our email client. In place of the server name, we now use localhost. Instead of port 110 for POP3 access, we now use 2110. Instead of port 25 for SMTP access, we now use port 2025. The SSH tunnels will carry the traffic to the normal ports on the server at the other end of the tunnel.
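The combined two-tunnel command and the local port check a practitioner would run before pointing the mail client at localhost, as an added example (not from the original how-to). It assumes the example account will@fakemachine.org, local ports 2110 and 2025, and that ss or netstat is available; the 127.0.0.1 bind address and ExitOnForwardFailure option are hardening choices added here, not part of the original command.

```shell
#!/bin/sh
# Added example: combined POP3 + SMTP tunnel for the how-to's setup.
# Assumed values (from the how-to): user "will", server "fakemachine.org".
set -eu

SSH_USER="${SSH_USER:-will}"
SSH_HOST="${SSH_HOST:-fakemachine.org}"

# One -L spec: local port -> port on the SSH server itself.
# The leading 127.0.0.1 (assumption added here) makes the local end listen
# only on loopback, so other users of the untrusted wireless network
# cannot ride our tunnel to the mail server.
forward_spec() {
    # $1 = local port, $2 = remote port
    printf '127.0.0.1:%s:localhost:%s' "$1" "$2"
}

# Full command as a string, handy for pasting into a tunnel manager.
# -N: no remote command.  ExitOnForwardFailure: refuse to stay up if a
# local port is already taken (for example by a stale tunnel).
build_tunnel_cmd() {
    # $1 = user, $2 = host
    printf 'ssh -N -o ExitOnForwardFailure=yes -L %s -L %s %s@%s' \
        "$(forward_spec 2110 110)" "$(forward_spec 2025 25)" "$1" "$2"
}

# Is something listening on 127.0.0.1:<port>? Works with ss (Linux,
# "127.0.0.1:2110") and netstat (BSD/macOS, "127.0.0.1.2110").
port_listening() {
    { ss -ltn 2>/dev/null || netstat -an 2>/dev/null; } |
        grep -qE "127\.0\.0\.1[:.]$1[[:space:]]"
}

# Start both tunnels in the background (-f) and confirm the local ports
# the mail client will use (POP3 -> 2110, SMTP -> 2025) are really open.
start_tunnels() {
    ssh -f -N -o ExitOnForwardFailure=yes \
        -L "$(forward_spec 2110 110)" -L "$(forward_spec 2025 25)" "$1@$2"
    port_listening 2110 && port_listening 2025
}

# Only touch the network when explicitly asked.
if [ -n "${START_TUNNELS:-}" ]; then
    echo "Running: $(build_tunnel_cmd "$SSH_USER" "$SSH_HOST")"
    start_tunnels "$SSH_USER" "$SSH_HOST" && echo "tunnels up"
fi
```

Run with START_TUNNELS=1 to actually bring the tunnels up; without it the script only defines the helpers.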
The easy way
OK, so we said you don't have to be a Unix geek to pull this one off. If you use OS X on a Mac, check out SSH Tunnel Manager. It's a free utility built to create SSH tunnels on demand. Download and install it in the usual fashion. Above you can see the setup from our example. Creating the tunnel on demand is as easy as hitting the friendly looking play button.
Tunnels for all
SSH tunnels aren't just for email. They can be used to transport just about any sort of traffic. If you paid attention, you'd notice that we use them for IRC and VNC as well. Hack-A-Day has a guide for sending all of your web traffic through a tunnel using PuTTY for Windows. For our example, we kept SSH and email services on the same box, but you can also remotely redirect traffic to another machine if email and SSH are on separate servers.