Dave, I was talking with my ISP and he suggested that I use an “ssh tunnnel” when I use my email program, Microsoft Entourage, on any public wireless networks to avoid exposing my account and password to anyone who might be sniffing the wi-fi network. Problem is, I have no idea what they’re talking about, but I’m definitely paranoid about security and the idea of point-to-point encryption sounds wonderful. Can you tell me how to set this up?
SSH tunnels are very cool, but unfortunately they are pretty tricky to set up properly. The basic idea is that your email program talks to a different port than usual, a local port that the tunnel maps to the correct port on the remote server. So if you’re using POP3, as I am, then instead of the mail program connecting to port 110 on the remote system, it connects to a different port on your own machine where ssh is listening; ssh encrypts the data, sends it over the ssh connection to the remote server, and the ssh server on the remote side decrypts it and hands it to the POP3 server there. Everything between your laptop and the remote server is encrypted, so nobody sniffing the wireless network sees your account name or password.
If you’re thinking that this is just way more information than you want to know, you’re right! Instead of worrying about how it works, let’s just step through the process of setting things up.
Your first step is to download the freeware SSH Tunnel Manager and install it on your computer. Then launch the program and let’s configure your POP3 tunnel.
The first thing you’ll see is a pretty austere window: click on the small “configuration” button on the lower left and you’ll get a window with lots of options. Here’s mine, filled out, for my POP3 server:
Starting from the left of the window, you’ll want to click on the tiny “+” to create a new tunnel, then fill in the tunnel name and your login information as appropriate. The port shown as “22” in the screenshot should be left that way: it’s the port the ssh secure shell server listens on at the remote system.
To configure the tunnel, you want to pick an unused local port (any port above 1023 can be opened without administrator privileges on a Mac), specify the remote hostname, then specify which remote port should be used. For POP3, the service that you probably use to get your mail, you want to map remote port 110 to something else: I just add a ‘1’ in front to get local port 1110. Sending mail is done with the simple mail transfer protocol, SMTP, and for that I map local port 1125 to remote port 25.
Almost done. Now click on “Options…” and choose “Auto connect” and “Handle authentication”. I imagine you can try some of these other options, especially “Compress”, but I just use the first two and it seems to work fine.
All is good. Close the preferences window, then you’ll have an “SSH Tunnels” status window: click on the button to the right of the new tunnel name and you should get “Connected” and a happy green button. It’ll look like this:
That’s the hard part out of the way. Really.
The only thing left is to change the configuration in Entourage to use the new SSH tunnel rather than directly connect to the remote server, and that’s a lot easier. By the way, it’s worth noting that this technique will work with Apple Mail, Eudora, Mailsmith and any other mail client app you may prefer. Just use the same settings shown here in that application’s configuration options.
Start up Microsoft Entourage, then click on Tools -> Accounts and open up your existing configuration. It’ll look approximately like this:
Notice here that I’ve made two changes that should look weird: First, the POP3 server is specified as localhost, not the name given to you by your Internet Service Provider, and second, the “advanced configuration” specifies the ssh tunnel port detailed earlier in the SSH Tunnel utility (1110, not the default of 110).
In a very similar fashion, specify “localhost” as the outbound mail server, and make sure that you change the outbound port to 1125 instead of the default of 25. The latter you can tweak by clicking the “click here for advanced sending options” button on the configuration window.
Done! Now, get the ssh tunnel running if you haven’t already done so, then click on the “Send & Receive” button in Entourage and watch the lower right corner of the window. It should say ‘connecting to localhost’ and whir away, communicating happily — and encrypted! — with your remote server. Same should be true when you try to send out a message: it should be sent to “localhost” and automatically redirected through the ssh tunnel to the remote server.
This is not the easiest setup in the world to configure on your Mac OS X system, but having tried to solve this a variety of different ways, using SSH Tunnel Manager makes for the easiest solution I’ve found. If you’d like to read a much more extensive writeup of why ssh tunnels are so cool I recommend the excellent stopdesign ssh tunnel tutorial.
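For readers who would rather see what the tunnel manager is doing under the hood, here is an added example (not part of the original article or the SSH Tunnel Manager software) that builds the equivalent plain OpenSSH command for the two port mappings above and then checks that the local ends of the tunnel actually hand back a POP3 or SMTP greeting before you point Entourage at them. The user name and mail host are placeholders.

```python
import shlex
import socket

# Port mappings from the article: local port -> (service, remote port, expected greeting)
TUNNELS = {
    1110: ("POP3", 110, "+OK"),
    1125: ("SMTP", 25, "220"),
}


def ssh_tunnel_command(user, mail_host, tunnels=TUNNELS):
    """Build the OpenSSH command equivalent to the SSH Tunnel Manager setup:
    -N opens no remote shell, -L forwards each local port over the tunnel."""
    args = ["ssh", "-N"]
    for local_port, (_, remote_port, _) in sorted(tunnels.items()):
        # 'localhost' here is resolved on the REMOTE host, so the mail
        # daemons only ever see a connection from their own machine.
        args += ["-L", f"{local_port}:localhost:{remote_port}"]
    args.append(f"{user}@{mail_host}")  # placeholder login, not a real account
    return shlex.join(args)


def check_tunnel_endpoint(local_port, expected_prefix, host="127.0.0.1", timeout=3.0):
    """Connect to the local end of the tunnel and confirm the remote daemon's
    greeting comes back through it. Returns the greeting line or raises."""
    with socket.create_connection((host, local_port), timeout=timeout) as sock:
        greeting = sock.makefile("rb").readline().decode("ascii", "replace").strip()
        if not greeting.startswith(expected_prefix):
            raise RuntimeError(f"port {local_port}: unexpected greeting {greeting!r}")
        sock.sendall(b"QUIT\r\n")  # both POP3 and SMTP understand QUIT
    return greeting


def check_all(tunnels=TUNNELS):
    """Report, per local port, the greeting seen or why the tunnel is not up."""
    results = {}
    for local_port, (service, _, prefix) in tunnels.items():
        try:
            results[local_port] = (service, check_tunnel_endpoint(local_port, prefix))
        except OSError as exc:  # connection refused: ssh is not listening locally
            results[local_port] = (service, f"tunnel not up: {exc}")
    return results


if __name__ == "__main__":
    print(ssh_tunnel_command("taylor", "mail.example.com"))
    for port, (service, status) in check_all().items():
        print(f"{service} via localhost:{port}: {status}")
```

Run it once with the tunnel stopped and once with it connected: the first run reports “tunnel not up” for both ports, the second should show a “+OK” and a “220” greeting, which is exactly what Entourage will see when it connects to localhost.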
I am a newcomer; I want traffic to my website with the help of Google/AdSense ads to commercialize it and grow my business fast, hoping for full co-operation from Google/AdSense by providing their ads.
bummer. well thanks for the quick response though. keep up the good work.
Yep, it doesn’t work that way, alas, Brendan. Port 264 is “BGMP”, though I’m frankly not entirely sure what service that is. It clearly isn’t, however, SSH.
I did a scan using http://www.auditmypc.com and it says that port 22 is closed. So I scanned 0-2500 and it only came up with 264 & 265 open? Out on a limb, I’ve tried plugging these ports into ssh tunnel, but no joy. I guess the other end needs to be listening to 264 or 265? Thanks for your help.
Do you have port 22 open on the firewall in both directions? As far as I know, that’s the magic encrypted port for SSH. What you do with the SSH tunnel (in terms of IMAP, etc) should be irrelevant. Possibly, you might have to open port 614 too, according to this search of /etc/services on my server:
ssh 22/tcp #Secure Shell Login
ssh 22/udp #Secure Shell Login
sshell 614/tcp #SSLshell
sshell 614/udp
but I don’t think so. Try 22 and see how it goes!
I’ve been trying to get this working on my PB at work, behind a proxy server and firewall, but can’t for the life of me figure out how. The firewall/proxy blocks normal POP and SMTP traffic (we use Lotus Notes, therefore different ports as far as I understand). The proxy’s using standard port 80, and Notes 8080. I’m wondering if there’s a way to set up an ssh tunnel to get through the firewall/proxy combo? I’m trying to set it up for IMAP.