Wednesday, December 25, 2024

Securing POP mail access in MacOSX

Share

I always worry about my website. Security is serious stuff, and you really can’t be too careful. I don’t enable telnet, rlogin and use long, complicated passwords with ssh and so on. I use a shared webserver (http://www.interland.com) that allows me virtual root access, and I fortunately don’t have to worry about things like sendmail; Interland keeps on top of that sort of thing for me.

But one glaring hole is POP access for mail. I could install pop3s but then that’s just one more thing to keep up with for security patches, and because that’s not part of the standard services Interland provides, it would be mine to maintain.

Instead, I decided to tunnel POP through ssh. This doesn’t require changing anything at the server – it still thinks it is just running plain old POP3 and has no idea it is running over a secure tunnel. I can set up the tunnel without using sudo or root, which is more convenient.

There are some disadvantages to this approach. Whle it is possible to set up ssh to use more advanced authentication like Kerberos, it isn’t at all easy, and requires changes at the server end that you might not be able to do. The default authentication (public/private keypairs) is a bit easier to set up (see http://www.aplawrence.com/Security/ssh.html) but it is going to require that you type a password or passphrase at least once when you start the tunnel.

For my purposes, that’s a small disadvantage. I use a Mac iBook, and when I’m not using it, it’s just asleep: I seldom logout or reboot it. All I need to do is either remember to start the tunnel, or have it startup when I first login. I don’t bother with starting it automatically because I logout so infrequently it’s just not necessary, and I don’t need the automation. Besides, I have to type the passphrase anyway, and I’d rather do that on my own terms. I don’t generally have much that starts up for me automatically: I do that kind of thing for other people, but I like to control my own startup files. When and if some strange problem develops, it’s best NOT to have a bunch of stuff firing off by itself.

So, the first task is to create a tunnel. Ssh has command line switches to do that, and a quick check of the man page (you thought I remembered this stuff?) brought me to:

ssh -L 1110:pcunix.com:110 -l mylogin -N pcunix.com

That tells ssh that I want a tunnel to pcunix.com using the user name “mylogin” (-l mylogin), that I don’t want to execute a command (-N), that I want to connect to the pop3 port at pcunix.com using port 1110 here (-L 1110:pcunix.com:110). The choice of 1110 for the local port is entirely arbitrary: it has to be above 1024 (because only root is allowed to use the low ports) and it has to be presently unused.

Next, we need to change the mail application. In Mac Mail.app, that’s easy: just go to Preferences, Accounts, Account Information, and change the incoming mail server to “localhost”. Also click Advanced, and change the port number to 1110 (it looks like there is only space for 3 numbers but you can type in 1110). That’s it: when it next goes to get mail, it will connect to port 1110, which ssh will forward to port 110 at the mailserver, and everything happens over an encrypted connection.

It doesn’t quite work, though.

Here’s the problem: for various reasons, the other end of the connection is going to drop the link every now and then. When it does so, the ssh tunnel at this end dies. There’s also the problem unique to sleeping: the other end gives up because this end just goes away.. but the ssh process here has no idea that happened.

So, we need a little script instead. I call mine “startmail”, and it’s just this:

#!/bin/bash
while true
do
ssh -L 1110:pcunix.com:110 -l mylogin -N pcunix.com
done

Not much to it. But this introduces another problem: ssh needs my password every time it starts this tunnel up again. I don’t want to keep typing that long, nasty password all day long. So instead, I will use ssh-agent. The procedure for setting that up is covered more completely at http://www.aplawrence.com/Security/ssh.html , but once set up, I just need a simple script that I call “agent” to get going:

ssh-agent /bin/bash --init-file ~/.ssh_bash_start

The .ssh_bash_start file is this:

. ~/.bashrc
ssh-add

The invocation of ssh-add asks for my passphrase, which still isn’t fun to type, but I’m only going to have to do that once: from then on, ssh-agent will manage any ssh sessions in this shell and I won’t get bugged every time the tunnel restarts. So after running “agent”, I run “startmail” and then everything is set until I logout or reboot (sometime next month or the month after..).

There are, of course, other ways to do this. There are commercial and shareware programs that allow you to create tunnels that you can set and forget. As usual, I’d rather control things myself.

See also Spamassassin on Mac OS X

A.P. Lawrence provides SCO Unix and Linux consulting services http://www.pcunix.com

Table of contents

Read more

Local News