A client (end-user) receives and sends mail using client software such as Microsoft Outlook, Netscape Communicator, or Linux KMail. Such software must communicate with remote mail servers using protocols such as IMAP, POP or SMTP. Unfortunately the clients, servers and protocols have failed to implement usable high security.
A small virtual private network (VPN) is established using the port forwarding capabilities of ssh-2. SSH-2 has good security and is used to authenticate the client and server and to protect any network traffic. The insecure mail clients, servers and protocols never make a network connection, rather they each only communicate within the local machine.
From the point of view of a client, it will look as though mail servers are running on the same local machine. From the point of view of the mail servers it will look as though all clients are running on the same local machine.
Linux users can install the package openssh, available from any Linux site and usually already installed.
Windows users can install cygwin (which includes openssh) from http://www.cygwin.com .
Windows users should know that Cygwin is a small unix-like environment. A user bob will have a home directory of "/home/bob" under Cygwin, which equates to "C:\cygwin\home\bob" under Windows. Useful unix commands include "ls" "pwd" "hostname" "cd" "cp" "vi" "man" "exit". More info on each command can be obtained by reading the man page for a command e.g. "man ls".
Each user will create some public key/private key pairs just the once. The keys will serve to prove his identity to others. The user will never reveal his private key or send it anywhere. The user will send his public key to everyone. Invent a secret passphrase to protect your private key, write it down and enter it when requested in the next step. This passphrase is not the same as any password on any computer system and is never used as such. No-one but you must know this passphrase. If you lose it then you will have to generate a new public key/private key pair and inform everyone of your new public key.
One time only, perform the following steps:-
cd
ssh-keygen -t dsa
Check that you now have a public key file as follows:-
cd .ssh
ls
cat id_dsa.pub
This file should have contents similar to this:-
ssh-dss AAAAB3NzaC1kc3MAAACBAK62..many.more.chars...BSWtQ== cwturner@thunderbird
Send this file to your mail server administrator. He will append it to the file ".ssh/authorized_keys2" on the mail server machine. Do not send any other file or reveal your passphrase.
After the mail server administrator has stored your public key, you will be able to forward ports 110 and 25 from the mail server to your local client machine using the startforward.sh script in your home directory, which you should create with the following contents:-
#!/bin/bash
# The commented-out lines below are optional hooks for a graphical passphrase
# prompt (SSH_ASKPASS) and for logging; they are not needed for a shell session.
#SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
#DISPLAY=:0
#export SSH_ASKPASS
#export DISPLAY
#whoami >> /tmp/ip-up.local.log
# Start an ssh-agent whose lifetime is the subordinate script: the agent holds
# the unlocked private key so that ssh can authenticate, and it exits when
# subforward.sh exits.
(/usr/bin/ssh-agent ~/subforward.sh )
#echo "started forwardmail" >> /tmp/ip-up.local.log
#sleep 10
exit 0
This script calls a subordinate script with contents as follows:-
#!/bin/sh
#env >> /tmp/ip-up.local.log
# Load the private key into the agent; this is where you are asked for the
# passphrase. The key itself never leaves this machine.
/usr/bin/ssh-add /home/cwturner/.ssh/id_dsa
# -v  verbose, so the shell window shows whether the forwards were set up
# -a  disable agent forwarding (the server gets no access to your agent)
# -L  listen on local ports 25 and 110 (bound to the loopback address by
#     default) and relay each connection to the same port on the server
# On Linux, listening on local ports below 1024 requires root.
/usr/bin/ssh -v -a -L 25:localhost:25 -L 110:localhost:110 cwturner@ns2.cyterm.com
You will need to edit this second script to substitute your local client username and also substitute your remote username and remote mail server hostname. For example a local client "bob" with a remote username of "robert" on mail server "mail2.cyterm.com" would make the following substitutions:-
/home/cwturner becomes /home/bob
cwturner@ns2.cyterm.com becomes robert@mail2.cyterm.com
The mail clients should use "localhost" as the name for both the POP server and the SMTP server. No encryption options should be used. The mail server login name should be your remote username (e.g. "robert") and the password will be your remote password (not your private passphrase!).
The mail servers are configured by the mail administrator but briefly, relaying is only allowed for localhost (127.0.0.1) and the POP3 server must only listen on 127.0.0.1; in /etc/xinetd.d/ipop3 have the lines:-
only_from = 127.0.0.1
bind = 127.0.0.1
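An added check, not part of the original article, that a mail administrator can run against the xinetd service file to confirm that both lines are present and set to exactly 127.0.0.1 (a value list such as "127.0.0.1 10.0.0.0/8" is rejected). The sample service files, the stanza layout and the helper names xinetd_value and loopback_only are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the article): check that an xinetd service file
# such as /etc/xinetd.d/ipop3 pins the POP3 daemon to loopback only.
# Constructed sample: without bind/only_from the daemon answers on every
# interface, so plaintext POP3 stays reachable from the network.
WEAK_CONF='service pop3
{
    server = /usr/sbin/ipop3d
}'
# Constructed sample carrying the two lines the article requires.
GOOD_CONF='service pop3
{
    server = /usr/sbin/ipop3d
    only_from = 127.0.0.1
    bind = 127.0.0.1
}'

# xinetd_value FILE KEY: print the value of "KEY = value" in the first
# stanza of FILE (plain "=" assignments only); print nothing if unset.
xinetd_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*[{]/ { inside = 1; next }
        /^[[:space:]]*[}]/ { inside = 0 }
        inside { gsub(/=/, " = ") }
        inside && $1 == key && $2 == "=" {
            v = $3; for (i = 4; i <= NF; i++) v = v " " $i
            print v; exit
        }' "$1"
}

# loopback_only FILE: succeed only when only_from and bind are exactly
# 127.0.0.1; each deviation is reported on stderr.
loopback_only() {
    rc=0
    for key in only_from bind; do
        val=$(xinetd_value "$1" "$key")
        if [ "$val" != "127.0.0.1" ]; then
            echo "$1: $key is '${val:-unset}', expected 127.0.0.1" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Demonstration on the constructed samples: weak is rejected, good accepted.
tmp=$(mktemp)
printf '%s\n' "$WEAK_CONF" > "$tmp"; loopback_only "$tmp" || echo "weak config rejected"
printf '%s\n' "$GOOD_CONF" > "$tmp"; loopback_only "$tmp" && echo "corrected config accepted"
rm -f "$tmp"
```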
Connect to internet
Bring up a shell window (Cygwin bash or Linux bash)
sh startforward.sh
Enter your private key passphrase when requested
Allow 20 seconds for the port forwarding to establish
Use your mail clients to send and receive mail
Stop the port forwarding by using "Control-C" key to terminate the shell script
Disconnect from internet
Close the shell window
If the mail clients produce an error saying "host busy" or "cannot connect" the first time, just wait 20 seconds and retry.
If the error persists, check the shell window to ensure that the startforward.sh script is still running and hasn't finished too soon. If it has finished then re-run it or duplicate more final lines in the subordinate script "subforward.sh".