You may find yourself connecting wirelessly to your email and your email provider is so lame as to not allow encryption over SSL/TLS. Or maybe you'd simply rather trust SSH's encryption (with its periodic session rekeying) than whatever SSL setup the server has. Below are some steps to create an SSH tunnel so that IMAP, POP and SMTP travel encrypted between your laptop and the mail server, without the need for your ISP to support IMAP/SSL.
In order for this to work, your ISP must allow you to log in via the secure shell on the server you get your mail from, and the mail services must be running on that same host (the tunnel delivers to the server's own loopback address). Also, this document is a hacked together beta based on a purely POP/SMTP configuration, so it may not work quite right. Please send corrections my way.
To create the tunnel, we use a single ssh command, but we don't want to type it out all the time. So we'll make a li'l program to automate the process.
#!/bin/sh
# builds ssh tunnel to mail server; ExitOnForwardFailure makes ssh quit instead of
# silently handing out a shell without the tunnel when a local port can't be bound.
# each -L binds an unprivileged port on 127.0.0.1 here and forwards it to the service port there.
ssh -2 -o ExitOnForwardFailure=yes -L 127.0.0.1:55143:127.0.0.1:143 -L 127.0.0.1:55110:127.0.0.1:110 -L 127.0.0.1:55025:127.0.0.1:25 my@emailAddress.com
exit
Copy and paste this into your favorite text editor. By text editor I mean you should be able to save the file as plain text. A .doc or .rtf or whatever won't work. Change "my@emailAddress.com" to your login name and the hostname of your mail server (for many providers that is exactly your email address). Save the file to your home directory with the name sshmail.sh.
A brief explanation of what's going on here: "ssh" is the program we're running. "-2" tells it to use only version 2 of its protocol rather than the older, insecure version 1 (current OpenSSH releases have removed protocol 1 entirely, so the flag is accepted but changes nothing). The "my@emailAddress.com" part is really username@hostname: log in to that server as that user. Each "-L" tells ssh to listen on a port on your own computer, and the "55xxx:127.0.0.1:xxx" part says which: accept connections on local port 55xxx from programs on your computer, carry them through the encrypted ssh session to the remote server, and deliver them there to port xxx on the server's own loopback address. Unless you tell it otherwise, ssh binds that listener to 127.0.0.1 only, so other machines on the same wireless network can't use your tunnel. Some of you may be asking 'why port 55143'? Ports below 1024 are privileged: if we used the default port for IMAP (143, or any other protocol for that matter) we'd need to run ssh as an administrator. Being that we're doing this for security reasons, we should try our best not to give the cogs in our machine godlike powers in case one of them is taken over by an attacker.
Open up the terminal (/Applications/Utilities/Terminal) and mark the file executable, with chmod +x sshmail.sh, so the shell will run it as a script:
Now we should be able to run the script in the terminal and launch the tunnel. Type the following then hit return:
My-Computer:~ Me$ ./sshmail.sh
The first time you connect, ssh will show you the server's host key fingerprint and ask whether to trust it. Only accept it if it matches the fingerprint your provider publishes; otherwise you may be building your nice encrypted tunnel straight to an impostor. You will then be prompted for a password. Enter your password for that server. You should see a welcome message. Leave the terminal window open. This little bit is all we need to do to start the tunnel. Now see why we made a script? Typing all those commands every time we wanted to check mail would be lame.
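Here is a fuller version of the script as an added example (it is not the page's original script). It builds the -L options from a list of local:remote pairs, refuses privileged local ports, binds the listeners to 127.0.0.1 explicitly, makes ssh give up rather than hand out a tunnel-less shell if a port can't be bound, and adds a "check" action that reads each service's greeting through the tunnel so you can confirm it works before pointing Mail at it. The login name and hostname (MAILUSER, MAILHOST), the placeholder values, and the availability of nc(1) on your Mac are assumptions.

```sh
#!/bin/sh
# sshmail.sh: added example, not the original page's script.
# Assumes your login name is in MAILUSER, your mail server in MAILHOST, that the
# server runs IMAP/POP3/SMTP on its own loopback interface, and that nc(1) is
# installed locally for the "check" action.
set -u

MAILUSER="${MAILUSER:-me}"                # placeholder; set to your login name
MAILHOST="${MAILHOST:-mail.example.com}"  # placeholder; set to your mail server

# local:remote port pairs; local ports are above 1024 so ssh need not run as root
FORWARDS="55143:143 55110:110 55025:25"

# Turn "local:remote" pairs into -L options. Binding 127.0.0.1 explicitly means the
# listener is reachable only from this machine, never from others on the wireless net.
forward_args() {
    for pair in "$@"; do
        lport=${pair%%:*}
        rport=${pair##*:}
        case "$lport" in
            ''|*[!0-9]*) echo "bad local port in '$pair'" >&2; return 1 ;;
        esac
        case "$rport" in
            ''|*[!0-9]*) echo "bad remote port in '$pair'" >&2; return 1 ;;
        esac
        if [ "$lport" -lt 1024 ]; then
            echo "refusing privileged local port $lport (would need root)" >&2
            return 1
        fi
        printf '%s ' "-L" "127.0.0.1:$lport:127.0.0.1:$rport"
    done
}

# Read the first line the service sends through a local forward. IMAP greets with
# "* OK ...", POP3 with "+OK ...", SMTP with "220 ...". Anything else, or nothing,
# means the tunnel is not delivering to the service you expect.
check_port() {
    printf '' | nc -w 3 127.0.0.1 "$1" | head -n 1
}

case "${1:-}" in
    start)
        # ExitOnForwardFailure: quit instead of handing out a shell with no tunnel.
        # ServerAliveInterval: notice a dead wireless link instead of hanging forever.
        args=$(forward_args $FORWARDS) || exit 1
        exec ssh -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 \
            $args "$MAILUSER@$MAILHOST"
        ;;
    check)
        for pair in $FORWARDS; do
            lport=${pair%%:*}
            printf '%s: %s\n' "$lport" "$(check_port "$lport")"
        done
        ;;
    *)
        echo "usage: $0 start|check" >&2
        ;;
esac
```

Run ./sshmail.sh start in one terminal window, leave it open, and in another run ./sshmail.sh check: you want to see an IMAP, POP3 and SMTP greeting next to 55143, 55110 and 55025 respectively. If a port shows nothing, that forward is not reaching a service on the server and Mail will fail too.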
Tell Mail to connect to 127.0.0.1 instead of the mail server. This way we connect through the tunnel instead of the normal way. Click around in the account settings. When it asks for the incoming server, use 127.0.0.1, and under Advanced change the port to 55143 (or 55110 if you set the account up as POP). Leave the SSL option off: the connection Mail makes to 127.0.0.1 never leaves your machine, and it's the ssh session that does the encrypting.
And change the settings for the outgoing mail server the same way: use 127.0.0.1 as the server.
In its Advanced settings, change the outgoing port number to 55025.
You should now be able to connect as normal, only with everything riding inside the encrypted SSH session.
After we've quit our email app and we're done for the day, exit the remote shell by typing 'exit' and hitting return. The tunnel closes with the shell, so quit Mail first or it will start complaining that it can't reach 127.0.0.1.
mail-server:~ me$ exit
Again, this document is a beta. I adapted it from a purely POP/SMTP configuration I had earlier. If you have problems, try setting the account up as POP instead, using 55110 instead of 55143 in the Mail configuration.