8.15. Securing POP/IMAP with SSH

Problem

You want to read mail on a POP or IMAP mail server securely. The mail server machine runs an SSH daemon.

Solution

Use SSH port forwarding. [Recipe 6.14]

  1. Choose an arbitrary, unused TCP port number on your client machine, such as 12345.

  2. Assuming your client is myclient and your mail server is mailhost, open a tunnel to its POP server (TCP port 110):

    myclient$ ssh -f -N -L 12345:localhost:110 mailhost

    or IMAP server (port 143):

    myclient$ ssh -f -N -L 12345:localhost:143 mailhost

    or whatever other port your mail server listens on.

  3. Configure your mail client to connect to the mail server on port 12345 of localhost, instead of the POP or IMAP port on mailhost.

Discussion

As we discussed in our recipe on general port forwarding [Recipe 6.14], ssh -L opens a secure connection from the SSH client to the SSH server, tunneling the data of a TCP-based protocol (in this case POP or IMAP) across that connection. We add -N so ssh keeps the tunnel open without requiring a remote command to do so, and -f so ssh drops into the background once authentication is complete.

Be aware that our recipe uses localhost in two subtly different ways. When we specify the tunnel:

12345:localhost:143

the name “localhost” is interpreted on the SSH server side. But when your mail client connects to localhost, the name is interpreted on the SSH client side. This is normally the behavior you want. However, if the server machine is not listening on the loopback address for some reason, you may need to specify the server name explicitly instead:

12345:mailhost:143 ...
