Dave, I was talking with my ISP and he suggested that I use an “ssh tunnel” when I use my email program, Microsoft Entourage, on any public wireless networks to avoid exposing my account and password to anyone who might be sniffing the wi-fi network. Problem is, I have no idea what they’re talking about, but I’m definitely paranoid about security and the idea of point-to-point encryption sounds wonderful. Can you tell me how to set this up?
SSH tunnels are very cool, but unfortunately they are pretty tricky to set up properly. The basic idea is that your email program uses a different port to communicate with the remote server than usual, a port that’s mapped by the tunnel to the correct port on the remote system. So if you’re using POP3, as I am, then instead of the local program using port 110 to communicate with the remote system, you instead use a different port to connect to ssh running on your local system, then ssh encrypts the data, sends it to the remote server, then the version of ssh on the remote server decrypts it and hands it to the POP3 server.
If you’re thinking that this is just way more information than you want to know, you’re right! Instead of worrying about how it works, let’s just step through the process of setting things up instead.
Your first step is to download the freeware SSH Tunnel Manager and install it on your computer. Then launch the program and let’s configure your POP3 tunnel.
The first thing you’ll see is a pretty austere window: click on the small “configuration” button on the lower left and you’ll get a window with lots of options. Here’s mine, filled out, for my POP3 server:
Starting from the left of the window, you’ll want to click on the tiny “+” to create a new tunnel, then fill in the tunnel name and your login information as appropriate. The port shown as ’22’ in the screenshot should be left that way: it’s the port for the ssh secure shell on the remote system.
To configure the tunnel, you want to pick an unused local port (anything over 1023 is available on a Mac system), specify the remote hostname, then specify which remote port should be used. For POP3, the service that you probably use to get your mail, you want to map port 110 to something else: I just add a ‘1’ to get port 1110. Sending mail is done with the simple mail transfer protocol, smtp, and that maps local port 1125 to remote port 25.
Almost done. Now click on “Options…” and choose “Auto connect” and “Handle authentication”. I imagine you can try some of these other options, especially “Compress”, but I just use the first two and it seems to work fine.
All is good. Close the preferences window, then you’ll have an “SSH Tunnels” status window: click on the button to the right of the new tunnel name and you should get “Connected” and a happy green button. It’ll look like this:
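For readers who would rather see what the tunnel manager is doing under the hood, here is the command-line equivalent of the two tunnels configured above (POP3 port 110 mapped to local port 1110, SMTP port 25 mapped to local port 1125), plus the check I would run before pointing a mail client at localhost. This is an added example, not part of the original article or of SSH Tunnel Manager; the user name `dave`, the host `mail.example.com` and the function names are placeholders.

```shell
#!/bin/sh
# Added example: build the ssh port-forwarding command that matches the
# SSH Tunnel Manager setup in the article, and verify the local end is up.
# "dave" and "mail.example.com" are placeholder values, not real accounts.

# Return 0 if PORT is a number in the unprivileged range 1024-65535, the
# range the article says is free for the local end of a tunnel on a Mac.
valid_local_port() {
  port=$1
  case "$port" in
    ''|*[!0-9]*) return 1 ;;   # empty or non-numeric
  esac
  [ "$port" -ge 1024 ] && [ "$port" -le 65535 ]
}

# Print the ssh command for one or more LOCAL_PORT REMOTE_PORT pairs.
# The "localhost" in each -L spec is resolved on the remote host, so the
# cleartext POP3/SMTP hop happens only inside that machine; everything
# between the Mac and the server travels inside the encrypted ssh session.
# -N tells ssh not to run a remote shell, which is all a tunnel needs.
tunnel_command() {
  user=$1; host=$2
  shift 2
  cmd="ssh -N"
  while [ $# -ge 2 ]; do
    local_port=$1; remote_port=$2; shift 2
    valid_local_port "$local_port" || return 1
    cmd="$cmd -L ${local_port}:localhost:${remote_port}"
  done
  printf '%s\n' "$cmd ${user}@${host}"
}

# Return 0 if something is listening on the given local TCP port, i.e. the
# tunnel is up and the mail client can safely be told to use localhost.
# lsof ships with Mac OS X; -sTCP:LISTEN restricts the match to listeners.
tunnel_listening() {
  lsof -nP -iTCP:"$1" -sTCP:LISTEN >/dev/null 2>&1
}

# Usage: print the command for the article's two tunnels.
tunnel_command dave mail.example.com 1110 110 1125 25
```

Run the printed command in a Terminal window (it will prompt for your ssh password, then sit quietly), then `tunnel_listening 1110 && tunnel_listening 1125` should succeed before you click “Send & Receive”. If you ever see Entourage complain that it cannot connect to localhost, the tunnel is the first thing to check, not the mail settings.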
That’s the hard part out of the way. Really.
The only thing left is to change the configuration in Entourage to use the new SSH tunnel rather than connecting directly to the remote server, and that’s a lot easier. By the way, it’s worth noting that this technique will work with Apple Mail, Eudora, Mailsmith and any other mail client app you may prefer. Just use the same settings shown here in that application’s configuration options.
Start up Microsoft Entourage, then click on Tools -> Accounts and open up your existing configuration. It’ll look approximately like this:
Notice here that I’ve made two changes that should look weird: First, the POP3 server is specified as localhost, not the name given to you by your Internet Service Provider, and second, the “advanced configuration” specifies the ssh tunnel port detailed earlier in the SSH Tunnel utility (1110, not the default of 110).
In a very similar fashion, specify “localhost” as the outbound mail server, and make sure that you change the outbound port to 1125 instead of the default of 25. The latter you can tweak by clicking the “click here for advanced sending options” button on the configuration window.
Done! Now, get the ssh tunnel running if you haven’t already done so, then click on the “Send & Receive” button in Entourage and watch the lower right corner of the window. It should say ‘connecting to localhost’ and whir away, communicating happily — and encrypted! — with your remote server. Same should be true when you try to send out a message: it should be sent to “localhost” and automatically redirected through the ssh tunnel to the remote server.
This is not the easiest setup in the world to configure on your Mac OS X system, but having tried to solve this a variety of different ways, using SSH Tunnel makes for the easiest solution I’ve found. If you’d like to read a much more extensive writeup of why ssh tunnels are so cool I recommend the excellent stopdesign ssh tunnel tutorial.