Let’s walk through an example of how you can use SSH to tunnel POP3 traffic:
1. Make sure the ssh client is installed on the local system where the
e-mail client will run.
2. Make sure the sshd daemon is installed and running on the POP3 server.
3. Ensure IP port 22 is open on the server where sshd is running.
4. On the system where sshd is running, switch to root and edit the /etc/ssh/sshd_config file.
5. Locate the AllowTcpForwarding parameter, uncomment it if necessary,
and then set it to a value of yes. An example is shown here:
AllowTcpForwarding yes
6. Save your changes to the file and exit the editor.
7. Restart the sshd daemon by entering systemctl restart sshd at the
shell prompt (as root).
8. Switch to the client system.
9. Create a local ssh tunnel from a local high IP port (in this
example, port 2345) to port 110 on the POP3 server using the following
command (enter the remote user’s password when prompted):
ssh -f -N -L 2345:pop3_host_address:110 user_name@pop3_host_address
The options specified in this command do the following:
• -N and -f
Tell ssh not to execute a command on the remote server (-N, port
forwarding only) and to drop into the background once the remote user's
password has been entered (-f)
• -L
Specifies three things, separated by colons:
• The local port to be used for the client end of the tunnel (in
this case, 2345)
• The hostname or IP address of the remote POP3 server
• The port on the remote server that will be used for the server
end of the tunnel (in this case, 110)
You don’t have to use port 2345. You can use the same port on both
ends if desired. However, be aware that you will need to switch to the
root user if you want to use a port number less than 1024 on the
client side of the tunnel. These are called privileged ports.
10. With the tunnel established, configure the local e-mail client
program to retrieve mail from the local system on the port you
configured for the client end of the SSH tunnel. In this example, you
would configure it to get mail from the local system’s IP address on
port 2345. An example of how to do this with the Evolution e-mail
client is shown in Figure 18-6.
Note that I used the hostname of the local host, not the POP3 server, in the Server field.
I also added the port number of the workstation end of the tunnel to the end of the
hostname.
At this point, when the client uses the POP3 protocol to download new
messages, the SSH client on the local system will encrypt the request
and forward it to the SSH server through the SSH tunnel you
established. The SSH server will receive the request, decrypt it, and
then pass the data on to port 110 on the server itself, where the POP3
daemon is listening. Only the client-to-server leg is encrypted; the
final hop from sshd to the POP3 daemon is plain POP3 over the server's
own loopback interface. The cool thing about this process is that it is
completely transparent to the e-mail client software. As far as it's
concerned, it's retrieving e-mail from a local POP3 server.
You can test the tunnel you created using the telnet command from the
client end of the tunnel. The syntax is
telnet localhost client_tunnel_port
Here’s an example:
telnet localhost 2345