How to securely send and retrieve your CCS mail via SSH

Introduction

SSH allows you to create an encrypted network tunnel between your machine and the CCS network. This document will show you how to set up this tunnel and then use it to securely send and retrieve your mail. Different SSH clients use slightly different methods for creating this tunnel. We'll look at how to set tunnels up using the F-Secure SSH clients we distribute and the freely available Linux client.

Before we get to the client particulars, let's take a moment to peek behind the scenes to get a better understanding of what's actually going on. SSH tunneling takes place using a mechanism called "port forwarding."

______________________________________________________________________________

Background: Ports

To understand port forwarding, you first have to know what a port is. If we were to use a telephone analogy, the IP address of a machine would be the phone number and the port a phone extension at that number. To get hold of a specific person at a company I might call their main number and then transfer to that person's extension. To use a specific service on a machine, I would connect to a specific port at the IP address for that machine.

When you use a mail program to read and send mail, your mail program usually makes connections for you to two specific ports on the mail server. When you read mail, you connect to the POP3 port (usually number 110). When you send mail, you connect to the SMTP port (usually number 25) of our mail server. Here's a diagram:

                           mail.ccs.neu.edu:25 (129.10.116.51:25)
                          /
                 -SMTP-> o--------------+
  [your machine]                        | mail server |
                 <-POP3- o--------------+
                          \
                           mail.ccs.neu.edu:110 (129.10.116.51:110)

______________________________________________________________________________

Background: Port Forwarding

SSH allows you to do port forwarding over a secure tunnel.
You configure your SSH client (we'll see how to do this in a moment) to accept connections on the local machine for certain ports. Any data which is sent to these ports is then forwarded and returned across the tunnel. On the other side of the tunnel, the SSH server passes the data back and forth to a machine of your choice. This is port forwarding.

In our case, we will be configuring our SSH client to listen for connections on the SMTP and POP3 ports of our local machine. Any data destined for these ports will be shunted over a secure connection to and from the CCS mail server. Here's a picture:

                                                         mail.ccs.neu.edu:110
  localhost:110 o-<+----------+ ~ ~ ~ ~ +----------+>--<<--o-------------+
                   |SSH Client|~ ~ ~ ~ ~|SSH Server|       | mail server |
  localhost:25  o->+----------+ ~ ~ ~ ~ +----------+>-->>--o-------------+
                                                         mail.ccs.neu.edu:25

Note what the tunnel does and does not protect: the traffic between your machine and the CCS SSH server is encrypted, while the last hop, from the SSH server to the mail server inside the CCS network, is an ordinary connection. Without the tunnel, POP3 sends your password and your mail in the clear across every network between you and CCS.

The final piece of this puzzle is the mail program configuration. To make this all work, you need to configure your mail client to connect to the forwarded ports on your local machine instead of connecting to a remote mail host as per usual. So where you would normally specify mail.ccs.neu.edu, you instead use localhost (a name which automatically refers to your local machine). The mail program connects to the local ports, this gets forwarded to the mail server, and all your communication takes place over a secure link.

______________________________________________________________________________

Configuring the SSH Client

Luckily, it is a great deal faster to set up port forwarding than it is to explain it. The following directions assume that you have obtained an SSH client and have successfully used it to log into a UNIX box at CCS.

IMPORTANT NOTE: a secure SSH tunnel only works while you maintain a connection to CCS using SSH. If you disconnect from us or quit the SSH program, your tunnel is no longer operative.

Here's all you have to do to configure your SSH client:

* DataFellows F-Secure Client

   1.
      start the program and press return on the untitled window to get the connection dialog
   2. enter a host to connect to (any CCS machine you can log in to will do)
   3. press (properties)
   4. select the forward tab
   5. press (new) and fill in the form like this:

         Name:                          [Secure POP]
         Source Port:                   [110]
         Destination Host:              [mail.ccs.neu.edu]
         Destination Port:              [110]
         Allow local connections only:  [ ]   <--- not selected for Mac, select for PC

      press (OK)
   6. press (new) and fill in the form like this:

         Name:                          [Secure SMTP]
         Source Port:                   [25]
         Destination Host:              [mail.ccs.neu.edu]
         Destination Port:              [25]
         Allow local connections only:  [ ]   <--- not selected for Mac, select for PC

      press (OK)

      Note: you only have to do steps 5 & 6 once per computer. From then on, these settings will be used for all of your future connections. The "Allow local connections only" box restricts the forwarded port to programs running on your own machine; without it, other machines on your network can also connect through your tunnel to the mail server, so select it wherever the Mac/PC note above allows.

   7. press (OK) to initiate a connection to CCS.
   8. Continue with the section below on Configuring Your Mail Client.

* Linux Client

   1. Type (on your local machine):

         ssh -L 110:mail.ccs.neu.edu:110 -L 25:mail.ccs.neu.edu:25 host

      where host is any CCS machine you can log in to. You may need to add -l username if your local and CCS usernames are not the same. On Linux only root may listen on ports below 1024, so as an ordinary user you must either run this command as root or choose local port numbers of 1024 or above, as described next.

      If you receive a "port in use" message, this means that there is currently a service running on your local machine listening on that port. You will need to either disable it (change /etc/inetd.conf) or choose a different port number for the local port (the first number in the -L switch), for example 1110 instead of 110. If you do change port numbers, be sure to change the port numbers in your mail client to match.

   2. Continue with the section below on Configuring Your Mail Client.

______________________________________________________________________________

Configuring Your Mail Client

Each mail client has a different way of specifying what mail server to use. The key is to configure your mail client to talk to your local machine. For instance, in Eudora, you would:

   1. Go to the Special->Settings...->
   2.
      Set it like this:

         POP account:  [username@localhost]   (your CCS username, then @localhost)
         SMTP server:  [localhost]

Please see your mail client's documentation for more details. If your SSH connection is up, you should be able to send and receive mail securely.

______________________________________________________________________________

Troubleshooting

If the above doesn't work for you:

   1. Check all of your SSH port forwarding settings (note the different settings for Macs and PCs above).
   2. Check your SSH connection. Can you log into CCS via SSH? For command line clients (e.g. Linux), the -v switch can often help debug the connection.
   3. Check your mail client settings. Is it set to go to the local host?
   4. Try to connect to the tunnel directly. Bring up the SSH connection, then attempt to telnet to your localhost on a forwarded port. For instance, telnet localhost 25 should connect you to our mail server, which answers with an SMTP greeting line beginning "220". If this works, then your mail program must not be working (double check to see that it is set to send mail to localhost port 25). If telnet localhost 25 doesn't work, then your SSH port forwarding isn't operational. If you do connect but the greeting is not from our mail server, some other program on your machine owns that port (see the "port in use" note above).

If you still are having problems at this point, please send mail to systems@ccs.neu.edu with as much information as possible about your problem. We will do what we can to help you resolve the problem, but please note: CCS Systems does not have the resources to support non-CCS machines, so we may have to refer you to other forms of support.

______________________________________________________________________________

Modified November 24, 1998
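The following script is an added example and not part of the original CCS page or its tools. It ties together the Linux command above and troubleshooting step 4: it builds the ssh command line (falling back to unprivileged local ports when you are not root) and then probes the local end of each forward, checking that the greeting is the one the real service would send, so a port that some other local program has grabbed is reported as such rather than as a working tunnel. The gateway host name, the fallback ports 1110 and 1025, and the offline stand-in server used for testing are assumptions of this example; the expected greeting prefixes ("+OK" for POP3, "220" for SMTP) come from the protocol definitions.

```python
"""Build and verify the SSH mail tunnel described above (added example)."""
import os
import socket
import threading

MAIL_HOST = "mail.ccs.neu.edu"
# service -> (remote port, which is also the privileged local port,
#             assumed unprivileged fallback local port)
SERVICES = {"pop3": (110, 1110), "smtp": (25, 1025)}
# greeting each service sends on connect: RFC 1939 (POP3), RFC 821 (SMTP)
GREETING = {"pop3": "+OK", "smtp": "220"}


def local_ports(privileged=None):
    """Pick the local listening ports. Ports below 1024 need root on UNIX,
    so a non-root user gets the fallback ports (and must point the mail
    client at them)."""
    if privileged is None:
        privileged = hasattr(os, "geteuid") and os.geteuid() == 0
    return {name: (remote if privileged else alt)
            for name, (remote, alt) in SERVICES.items()}


def build_ssh_command(gateway, user=None, privileged=None):
    """argv for the tunnel: one -L per service, local port first, then the
    CCS host to log in to (gateway is a placeholder chosen by the caller)."""
    ports = local_ports(privileged)
    argv = ["ssh"]
    for name, (remote, _alt) in SERVICES.items():
        argv += ["-L", f"{ports[name]}:{MAIL_HOST}:{remote}"]
    if user:
        argv += ["-l", user]        # CCS username differs from local one
    argv.append(gateway)
    return argv


def probe_forward(port, expected_prefix, host="localhost", timeout=3.0):
    """Troubleshooting step 4 done programmatically: connect to the local
    end of the forward and read the greeting. Returns (ok, banner)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            banner = s.recv(512).decode("ascii", "replace").strip()
    except OSError as exc:
        return False, f"connect failed: {exc}"
    return banner.startswith(expected_prefix), banner


def check_tunnel(ports, host="localhost"):
    """Probe both forwards. A connection that succeeds with the wrong
    greeting means another local service owns the port ("port in use"),
    not that ssh is down."""
    return {name: probe_forward(ports[name], GREETING[name], host)
            for name in SERVICES}


def serve_banner_once(banner):
    """Constructed stand-in for the far end of a forward, for offline
    testing only: listen on an ephemeral port, send one greeting, close.
    Returns the port number."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    # "somehost.ccs.neu.edu" is a placeholder, not a real CCS login host
    print(" ".join(build_ssh_command("somehost.ccs.neu.edu", user="jdoe")))
    fake_pop3 = serve_banner_once(b"+OK POP3 server ready\r\n")
    fake_web = serve_banner_once(b"HTTP/1.0 400 Bad Request\r\n")
    print(check_tunnel({"pop3": fake_pop3, "smtp": fake_web}, "127.0.0.1"))
```

Run it once with the tunnel up and the real ports to confirm both greetings, and again with the ssh session closed to see the "connect failed" result; the second fake listener in the usage block shows what a hijacked port looks like (connection succeeds, greeting is wrong).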