Tunnelling your e-mail over SSH

What is a tunnel?

A tunnel is a way of forwarding many channels of information through a single channel. 

One analogy is the Channel Tunnel.  In Calais, cars, vans and lorries are all destined for the UK. They all drive on to the train, although they do not know what route the train takes.  At the other end of the tunnel in Folkestone, they disembark and continue on their journey.

Applying it to network traffic, network data is collected at one point, transferred through the tunnel and then redistributed at another.

Why does the tunnel need to be encrypted?

Stretching the Channel Tunnel analogy a little: if by some miracle the vehicles bound for the UK were all sea-worthy and could cross the Channel by themselves, pirate ships in the English Channel could intercept them en route and steal their cargo or, worse, steal their passports and gain unauthorised entry into the UK.  To stop the pirates, people could fit 10 inch thick shields around their vehicles.  That would stop the pirates, but it would make the vehicles cumbersome and slow on land.  A single well-protected vehicle, on the other hand, can carry many unprotected vehicles through the dangerous crossing.

Why isn't all network data encrypted by default?

As in the analogy above, encrypting data takes a lot of processing power, so encrypted transfers may be slow.  Most trusted local area networks do not need encryption; the Maths Institute network is one of them.  All network connections from Institute workstations to the servers (inside the Institute or at DH) go through a series of network switches which allow only a single route to the server, so nobody else on the network can 'sniff' your traffic.  The Internet is not a trusted network: a connection from your ISP may pass through many routers before it reaches our servers, and many people could view your data along the way.  For this reason it is useful to have an encrypted tunnel to protect your sensitive data while it crosses the dangerous Internet.

When do I need to use an IMAP/SMTP ssh tunnel?

When you are away from the University and will be sending sensitive information by e-mail.  There is also the situation where the mail reader you are using does not support SSL, or will not (because of locally enforced policy) accept our self-signed SSL certificate.

What is required?

An ssh client, and an IMAP compatible mail reader (e.g. Netscape, Eudora, Outlook, Outlook Express).

I can't connect to imap.maths.ox.ac.uk:22 (SSH)

This is because the Institute's firewall is blocking the connection, so you will need an extra hop to complete the tunnel.  First set up a tunnel to gate.maths.ox.ac.uk which forwards your unprivileged, pseudo-random local SMTP and IMAP ports to unprivileged, pseudo-random SMTP and IMAP ports on gate.  Then, from gate, set up a second tunnel to imap.maths.ox.ac.uk which forwards gate's pseudo-random SMTP and IMAP ports to the real IMAP and SMTP ports at imap's end.  For more information, see the configuration and setup section below.

Configuration and setup:

Two ends of the tunnel must be specified, as well as the channels of information or TCP/IP ports that are to be tunnelled.  The tunnel must be created and the mail client configured to use your end of the tunnel.

  • Your end of the tunnel is known as localhost.  Each machine using TCP/IP has an internal loopback device: IP address 127.0.0.1, hostname localhost.

  • The other end of the tunnel is imap.maths.ox.ac.uk.

  • The TCP/IP ports you will need to tunnel are SMTP: TCP/25 and IMAP: TCP/143.

  • Depending on the port numbers at your end of the tunnel, your mail client should be configured to use localhost and the corresponding port number for SMTP and IMAP.

Starting the tunnel using a command line ssh:

ssh -N -l <username> -L LP#:fqdn.of.local.host:RP# fqdn.of.remote.host

The -N switch tells ssh to act as a port forwarder only and not to request a shell.  For security reasons, no shells are allowed on imap.maths.ox.ac.uk.  Note: the -N switch only works on SSH2 command line clients.

The -l <username> switch gives your username on the Maths Institute systems (substitute your username for <username>).

The -L switch tells ssh which ports to forward and consists of three fields separated by colons.  There can be any number of -L switches:

LP#: the local port number that ssh listens on at your end.
fqdn.of.local.host: the fully qualified domain name of the host that the remote SSH server connects to on your behalf.  In the examples below this is localhost, which the remote end resolves to itself, i.e. the mail server's own loopback interface.
RP#: the remote port number on that host.

The fqdn.of.remote.host is the fully qualified domain name of the remote host, i.e. the SSH server at the far end of the tunnel.

So, to connect to the maths system, one would type:

ssh -N -l <username> -L 25:localhost:25 -L 143:localhost:143 imap.maths.ox.ac.uk

Occasionally, if you are running on a locked-down multi-user machine, you will need to change the LP# fields to unprivileged ports (i.e. >1024), for example:

ssh -N -l someuser -L 2025:localhost:25 -L 2143:localhost:143 imap.maths.ox.ac.uk

It should then be easy to modify your IMAP client to use these ports instead.
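The following script is an added example and is not part of the original page or the Institute's own tooling.  It puts the commands above into a small POSIX shell script that builds, checks and starts the tunnel for both cases described on this page: the direct tunnel to imap.maths.ox.ac.uk, and the two-hop variant through gate.maths.ox.ac.uk for when imap's port 22 is firewalled.  It assumes an OpenSSH command line client (SSH2, so -N is available), uses the page's unprivileged local ports 2025 and 2143, and takes the Maths username from its first argument; the function names and the "via-gate" mode name are the example's own.

```sh
#!/bin/sh
# Added example, not part of the original page: builds (and optionally starts)
# the IMAP/SMTP tunnel described above, either directly to imap.maths.ox.ac.uk
# or, when imap:22 is firewalled, via the extra hop through gate.maths.ox.ac.uk.
# Assumes an OpenSSH command line client; hostnames are the ones the page gives.
set -u

MAIL_HOST="imap.maths.ox.ac.uk"
GATE_HOST="gate.maths.ox.ac.uk"
LOCAL_SMTP=2025   # unprivileged local ports, as in the page's second example
LOCAL_IMAP=2143

# Succeeds if $1 is a TCP port that can be bound without root (1024-65535),
# which is what a locked-down multi-user machine requires for LP#.
is_unprivileged_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Succeeds if $1 looks like a plain account name.  The name ends up on a
# command line that is eval'd below, so reject shell metacharacters outright.
is_safe_username() {
    case "$1" in ''|*[!A-Za-z0-9._-]*) return 1 ;; *) return 0 ;; esac
}

# Prints the two -L arguments for one hop.  $1/$2: ports ssh listens on at the
# near end; $3/$4: SMTP/IMAP ports at the far end.  The middle field
# "localhost" is resolved by the SSH server, so it means the far end's own
# loopback interface, not the machine you are typing on.
forward_args() {
    printf '%s %s:localhost:%s %s %s:localhost:%s' -L "$1" "$3" -L "$2" "$4"
}

# Prints the ssh command for MODE "direct" (default) or "via-gate".
#   direct:   local 2025/2143 -> imap's 25/143; -N so no shell is requested.
#   via-gate: the first ssh forwards local 2025/2143 to the same ports on gate
#             and runs, as its remote command, a second ssh on gate that
#             forwards gate's 2025/2143 on to imap's real 25/143.
tunnel_cmd() {
    user="$1"; mode="${2:-direct}"
    is_safe_username "$user" || return 1
    is_unprivileged_port "$LOCAL_SMTP" && is_unprivileged_port "$LOCAL_IMAP" || return 1
    case "$mode" in
        direct)
            printf 'ssh -N -l %s %s %s\n' "$user" \
                "$(forward_args "$LOCAL_SMTP" "$LOCAL_IMAP" 25 143)" "$MAIL_HOST" ;;
        via-gate)
            printf 'ssh -l %s %s %s ssh -N -l %s %s %s\n' \
                "$user" "$(forward_args "$LOCAL_SMTP" "$LOCAL_IMAP" "$LOCAL_SMTP" "$LOCAL_IMAP")" "$GATE_HOST" \
                "$user" "$(forward_args "$LOCAL_SMTP" "$LOCAL_IMAP" 25 143)" "$MAIL_HOST" ;;
        *) return 1 ;;
    esac
}

# Usage: sh tunnel.sh USERNAME [direct|via-gate]  -- prints, then runs, the command.
# With no arguments the script only defines the functions above.
if [ "$#" -ge 1 ]; then
    cmd="$(tunnel_cmd "$@")" || { echo "bad username, port or mode" >&2; exit 1; }
    echo "starting: $cmd"
    eval "$cmd"
fi
```

Once the tunnel is up, `ss -ltn` (or `netstat -ltn` on older systems) should show listeners on 127.0.0.1:2025 and 127.0.0.1:2143; point the mail client at localhost with those ports, as the configuration section says.  In the via-gate mode the first ssh deliberately omits -N, because it has to run the second ssh as its remote command on gate; only the final hop to imap uses -N, since no shells are allowed there.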

Examples:

In addition, see information on getting ssh clients.

Using a combination of IMAPS and SMTP over an SSH tunnel.