On Wed, 16 Aug 2000, Derek Martin wrote:
>> To do so, configure your SSH client to forward local TCP port 110 (which
>> is POP3) to remote server TCP port 110. Do the same for TCP port 25
>> (SMTP). Then point your mail client to "localhost" for its mail servers.
>> SSH will forward the connections over the secure tunnel to your mail
>> servers, and your mail client will be none the wiser.
>
> Every time I see this it fails to make sense to me... I can't see where
> the encryption happens and where the protection is. Maybe you can explain
> it, or maybe I'll have to go read the How-tos.
Okay, let's follow a POP3-over-SSH session from start to finish.
Prerequisites
-------------
(1) Your mail server must be running an SSH daemon (sshd).
(2) You must be able to establish a secure connection to the mail server from
the client station, including port forwarding.
(3) Your mail client must be set to use "localhost" as the POP3 ("Incoming")
and SMTP ("Outgoing") mail servers.
Setting up and Using the SSH Session
------------------------------------
(1) On the client, you open up SSH and connect to the mail server in
port-forwarding mode. Specifically, you forward local TCP port 110
(POP3) to the mail server (with the same remote port, TCP 110).
(2) Your SSH client begins listening on local TCP port 110. Any connections
to that socket are forwarded over the secure tunnel to the SSH daemon
on the mail server.
(3) You tell your client to request mail. The client initiates a
connection to TCP port 110 on "localhost", which the SSH client is
listening on. The SSH client forwards that connection to the SSH daemon
running on the mail server.
(4) The SSH daemon opens a local port (just like any other task would), and
requests a connection to TCP port 110 on the mail server. It knows you
want TCP/110 because that is what you told your SSH client when you set up
the port forwarding session.
(5) The mail server's POP3 daemon accepts the connection from the SSH
daemon as if it were a local process connecting to the mail server (which
it is).
(6) The POP3 dialog is tunneled from the client, over SSH, to the mail server.
All login and data transfer is encrypted as any other SSH session is.
(7) The mail client closes the socket connection to "localhost" on the
client. The SSH client closes down that sub-session to the SSH
daemon. The SSH daemon closes down the socket connection to the POP3
daemon on "localhost" on the mail server.
The exact same process is used for SMTP; you just use port 25.
This only works the way it does because both SMTP and POP3 (and IMAP)
protocols use only client-initiated connections, as far as a workstation is
concerned. The mail server never initiates a connection to the workstation.
If you are using a protocol that requires the server to initiate a
connection to the client, you need to use "remote port forwarding" in SSH,
which is essentially the same process as above, except that the listening
socket is set up *on the server*, and the SSH *client* makes connections on the
SSH daemon's behalf. This tends to be trickier, because the listening socket
is often lower than 1024, and the SSH daemon will not normally let users
forward privileged ports on the server back to the client.
FTP is more complex still, because FTP uses multiple TCP sessions. In
active mode, the FTP daemon initiates the data connection back to the client,
which is a pain to work with. In passive mode, the client initiates the
connection to the server, which is easier, but you still have multiple TCP
ports to worry about. SecureFX solves this problem by integrating support for
FTP-over-SSH into the FTP client itself.
> Basically my question is this: How does the POP server communicate with
> the encrypted tunnel? Presumably it doesn't support encryption, which is
> the whole point. So when it receives encrypted data from ssh on its end
> of the socket, how does it get decrypted?
By the SSH daemon, which is acting as a proxy on behalf of the SSH client.
> And it seems to me that that scenario only works if EVERYONE uses an
> ssh-forwarded session to retrieve mail.
Yup. Security tends to only work if everyone uses it. ;-)
--
Ben Scott <[EMAIL PROTECTED]>
Net Technologies, Inc. <http://www.ntisys.com>
Voice: (800)905-3049 x18 Fax: (978)499-7839
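The data path Ben walks through in steps (2) to (7) can be traced offline with a small socket relay. The following is an added example, not code from the list post or from any SSH implementation: it plays a fake POP3 daemon, a forwarder standing in for the SSH client's listening socket plus sshd's outbound connect, and a mail client that only ever talks to "localhost". The encrypted channel that would sit between the two halves of the forwarder is deliberately left out, and ephemeral ports are used instead of 110 so no root privileges are needed; the banner and QUIT reply are constructed sample traffic.

```python
"""Toy model of SSH local port forwarding ("ssh -L 110:localhost:110").

Constructed example. The encrypted SSH channel between client and sshd is
not modelled: the listener (SSH client's role, step 2) and the outbound
connect (sshd's role, step 4) are collapsed into one relay so the plain
TCP hops on either side of the tunnel can be seen end to end.
"""
import socket
import threading


def _pipe(src, dst):
    """Copy bytes one way until EOF, then half-close the destination (step 7)."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_fake_pop3_server():
    """Stand-in for the POP3 daemon on the mail server (step 5).

    It only ever sees a plain-text TCP client arriving from localhost;
    it has no idea a tunnel is involved.  Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))  # ephemeral port instead of 110 (no root needed)
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"+OK POP3 ready\r\n")          # constructed banner
            line = conn.makefile("rb").readline()
            if line.strip().upper() == b"QUIT":
                conn.sendall(b"+OK bye\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_forwarder(remote_host, remote_port):
    """Stand-in for the SSH client's local listener (step 2) joined to sshd's
    connect to the real service (step 4).  Returns the local port the mail
    client should be pointed at, i.e. the "localhost" side of the tunnel."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = lsock.accept()             # mail client arrives (step 3)
            except OSError:
                return
            upstream = socket.create_connection((remote_host, remote_port))  # step 4
            threading.Thread(target=_pipe, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pipe, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock.getsockname()[1]


def fetch_banner_through_tunnel():
    """Play the mail client: connect to "localhost" only, speak POP3 through
    the relay, and return (banner, quit_reply) as received (step 6)."""
    pop3_port = start_fake_pop3_server()
    local_port = start_forwarder("127.0.0.1", pop3_port)
    with socket.create_connection(("127.0.0.1", local_port), timeout=5) as c:
        f = c.makefile("rb")
        banner = f.readline().rstrip(b"\r\n").decode()
        c.sendall(b"QUIT\r\n")
        reply = f.readline().rstrip(b"\r\n").decode()
    return banner, reply


if __name__ == "__main__":
    print(fetch_banner_through_tunnel())
```

Note where the two hops differ in the real setup: the mail client to the forwarder's port and the forwarder to the POP3 daemon are both plain TCP on a loopback interface, and only the segment between the SSH client and sshd that this model omits crosses the network, which is why the POP3 daemon needs no encryption support of its own.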