How to securely send and retrieve your CCIS mail via SSH
Introduction
SSH allows you to create an encrypted network tunnel between your machine and the CCIS network. This document will show you how to set up this tunnel and then use it to securely send and retrieve your mail. Different SSH clients use slightly different methods for creating this tunnel. We'll look at how to set tunnels up using the SSH, Inc. SSH clients we distribute and the freely-available Linux client.
Before we get to the client particulars, let's take a moment to peek behind the scenes to get a better understanding of what's actually going on. SSH tunneling takes place using a mechanism called "port forwarding."
Background: Ports
To understand port forwarding, you first have to know what a port is. If we were to use a telephone analogy, the IP address of a machine would be the phone number and the port a phone extension at that number. To get hold of a specific person at a company I might call their main number and then transfer to that person's extension. To use a specific service on a machine, I would connect to a specific port at the IP address for that machine.
When you use a mail program to read and send mail, usually your mail program makes a connection for you to two specific ports on the mail server. When you read mail, you connect to the POP3 port (usually number 110). When you send mail, you connect to the SMTP port (usually number 25) of our mail server. Here's a diagram:
                            mail.ccs.neu.edu:25 (129.10.116.51:25)
                  -- SMTP -->  o--------------+
  [your machine]               |  mail server |
                  <-- POP3 --  o--------------+
                            mail.ccs.neu.edu:110 (129.10.116.51:110)
Background: Port Forwarding
SSH allows you to do port forwarding over a secure tunnel. You configure your SSH client (we'll see how to do this in a moment) to accept connections on the local machine for certain ports. Any data which is sent to these ports is then forwarded and returned across the tunnel. On the other side of the tunnel, the SSH server passes the data back and forth to a machine of your choice. This is port forwarding.
In our case, we will be configuring our SSH client to listen for connections on the SMTP and POP3 ports of our local machine. Any data destined for these ports will be shunted over a secure connection to and from the CCIS mail server. Here's a picture:
                                                      mail.ccs.neu.edu:110
  localhost:110 o-->+------------+ ~ ~ ~ ~ +------------+-->o-+-------------+
                    | SSH Client |  tunnel  | SSH Server |     | mail server |
  localhost:25  o-->+------------+ ~ ~ ~ ~ +------------+-->o-+-------------+
                                                      mail.ccs.neu.edu:25
The final piece of this puzzle is the mail program configuration. To make this all work, you need to configure your mail client to connect to the forwarded ports on your local machine instead of connecting to a remote mail host as per usual. So where you would normally specify mail.ccs.neu.edu, you instead use localhost (a name which automatically refers to your local machine). The mail program connects to the local ports, this gets forwarded to the mail server, and all your communication takes place over a secure link.
Configuring the SSH Client
Luckily, it is a great deal faster to set up port forwarding than it is to explain it. The following directions assume that you have obtained an SSH client and have successfully used it to log into a UNIX box at CCIS.
IMPORTANT NOTE: a secure SSH tunnel only works while you maintain a connection to CCIS using SSH. If you disconnect from us or quit the SSH program, your tunnel is no longer operative.
Here's all you have to do to configure your SSH client:
• SSH Secure Shell Client (Windows)
  1. Start up the client.
  2. Select the Edit menu, and choose Settings.
  3. Under the Profile Settings menu, choose Tunneling, then select Outgoing.
  4. Click Add.
  5. Pick a display name (e.g., "Mail Tunnel to CCIS").
  6. Select TCP as your protocol (if TCP is indeed the protocol you are using).
  7. Enter 110 as the port number (POP runs on port 110 by default).
  8. Make sure "Allow local connections only" is checked.
  9. Enter mail.ccs.neu.edu as the destination host.
  10. Enter port 110 as the destination port.
  11. Click Enter.
Notes: This will forward port 110 on your local machine to mail.ccs.neu.edu on port 110 over a secure tunnel. You will need to forward port 25 in a similar fashion if you wish to send mail as well. For other services, such as telnet, you will need to forward the appropriate local port (23) to a remote host (e.g., dac.neu.edu) on a remote port (23). Once you have a number of tunnels set up, you can save these settings under a new profile. The next time you need a secure set of tunnels, simply selecting your newly created profile will get you these tunnels.
Configuring your applications to use these tunnels consists of telling your client to connect to localhost instead of the remote host that you have the tunnel to. For example: if you establish a secure tunnel from your machine on port 23 to lynx.dac.neu.edu on port 23, telnetting to localhost on port 23 will connect you to lynx.dac.neu.edu. Along the same lines, if you forward ports 25 and 110 for mail, configuring your client (Outlook, Eudora, Mutt, whatever) to connect to your local machine on ports 25 and 110 for sending/receiving mail will in turn connect your client to the remote machine you tunneled to (presumably mail.ccs.neu.edu).
• SSH, Inc. Client
  1. Start the program and press Return on the untitled window to get the connection dialog.
  2. Enter a host to connect to (any CCIS machine you can log in to will do).
  3. Press Properties.
  4. Select the Forward tab.
  5. Press New and fill in the form like this:
     [screenshot of the forwarding form not reproduced in this copy]
     Press OK.
  6. Press New and fill in the form like this:
     [screenshot of the forwarding form not reproduced in this copy]
     Press OK.
     Note: you only have to do steps 6 & 7 once per computer. From then on, these settings will be used for all of your future connections.
  7. Press OK to initiate a connection to CCIS.
  8. Continue with the section below on Configuring Your Mail Client.
• Linux, MacOSX and Other Command-Line Clients
  1. Type (on your local machine):
       ssh <some CCS machine> -L 110:mail.ccs.neu.edu:110 -L 25:mail.ccs.neu.edu:25
     You may need to add -l <ccsusername> if your local and CCS usernames are not the same. If you receive a 'port in use' message, this means that there is currently a service running on your local machine listening on that port. You will need to either disable it (change /etc/inetd.conf, edit the appropriate config file, or kill the daemon) or choose a different port number for the local port (the first number in the -L switch). If you do change port numbers, be sure to change the port numbers in your mail client to match.
     Note: when forwarding a remote port to your local machine, if the local port you are forwarding to is < 1024, you will need to have root privileges. Anything above port 1024 will not require such permissions.
  2. Continue with the section below on Configuring Your Mail Client.
Configuring Your Mail Client
Each mail client has a different way of specifying what mail server to use. The key is to configure your mail client to talk to your local machine. For instance, in Eudora, you would:
  1. Go to Special -> Settings... -> Hosts panel.
  2. Set it like this:
       POP account: <username>@localhost
       SMTP server: localhost
Please see your mail client's documentation for more details. If your SSH connection is up, you should be able to send and receive mail securely.
Troubleshooting
If the above doesn't work for you:
  1. Check all of your SSH port forwarding settings (note the different settings for Macs and PCs above).
  2. Check your SSH connection. Can you log into CCIS via SSH? For command-line clients (e.g., Linux), the -v switch can often help debug the connection.
  3. Check your mail client settings. Is it set to go to the local host?
  4. Try to connect to the tunnel directly. Bring up the SSH connection, then attempt to telnet to your localhost on a forwarded port. For instance, telnet localhost 25 should connect you to our mail server. If this works, then your mail program must not be working (double-check that it is set to send mail to localhost port 25). If telnet localhost 25 doesn't work, then your SSH port forwarding isn't operational.
If you still are having problems at this point, please send mail to systems@ccs.neu.edu with as much information as possible about your problem. We will do what we can to help you resolve the problem, but please note: CCIS Systems does not have the resources to support non-CCIS machines, so we may have to refer you to other forms of support.