Secure POP/POP3 Mail over SSH on Windows HowTo
Version 0.1 - August 22, 2003
Jinn Koriech
In order to establish a secure connection to a standard POP3 mail server it is possible to create a secure tunnel from your local machine to the remote server, through which your local email client can connect transparently.
Disclaimer
The following document is offered in good faith as comprising only safe programming and procedures. No responsibility is accepted by the author for any loss or damage caused in any way to any person or equipment, as a direct or indirect consequence of following these instructions.
Requirements
- Windows NT, 2000, XP or 2003
- SSH access to the target mail server
- plink and puttygen from the putty project
- Firedaemon Lite
- 20 minutes and a cup of tea (milk, beer or whatever you like).
Get the required packages
- First get the plink and puttygen executables from the putty pages. For the firedaemon configuration to work you will need to put plink in a folder that doesn't contain spaces in the path. For example I use 'c:\putty'.
- Get firedaemon lite so that you can install plink as a Windows service. This will ensure that it is started up when you boot up your system.
Create your RSA public and private keys
- Load puttygen
- Click on 'Generate'
- Move the mouse over the blank space as indicated
- Click on the 'SSH2 RSA' radio button at the bottom of the page.
- Save your public and private keys in the folder where you put the plink executable.
- Do not protect your keys with a passphrase: plink would then have to prompt for it, so an unattended connection could not be established.
- I use file names that follow the Unix conventions: id_rsa.key and id_rsa.pub respectively. Note that puttygen will append a .PPK extension to these file names; this is okay.
Upload your public key to the target mail server
- In a console window establish an SSH connection to your target mail server
- Add your public key to the authorized_keys file:
- cd .ssh
- vi authorized_keys (you can use your editor of choice, e.g. pico, etc.)
- Copy your public key from puttygen into the file you are editing. In vi you first need to type i to enter insert mode. You can then paste your public key, then press the ESC key and type :wq to tell vi to 'write' and 'quit'.
- Now type exit to close the connection.
Test that you can connect without having to enter your password
- Now that your public key is on the server you should be able to connect like this:
- plink -i c:\putty\id_rsa.key.PPK my_username@my.mail-server.net
- If this works then continue, otherwise go back and check that the authorized_keys file on the server has your public key in it, and that your private key is where this command is looking for it.
Test the plink connection and the port forwarding
- Set up a connection to your target mail server using plink with the following command:
- plink -C -L 10110:my.mail-server.net:110 my_username@my.mail-server.net
- -C: compress the connection. This is nice to have, but not essential.
- -L 10110:my.mail-server.net:110: tell plink (ssh) to accept connections on local port 10110 and forward them at the other end of the tunnel to remote port 110. The remote end of the connection is the server named between the two ports.
- I've used port 10110 locally as any port above 10000 can be set up by an unprivileged local user. Ports below 10000 need to be connected by an administrator.
- my_username@my.mail-server.net: my_username refers to your username on the target server, and the text following the @ symbol is the server you are establishing the connection to.
Establish a test connection over the secure tunnel.
- Open up a second console
- Type in telnet localhost 10110
- If you get a welcome message then your connection has worked successfully. You can safely type quit to close the connection.
- Close the initial connection to the remote server so that there is no conflict with the following stage.
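Added example, not part of the original HowTo: a small Python script that automates the telnet check above for the forwarded local port (10110, as set in the plink -L command) and tells apart the two ways it fails, nothing listening locally versus a tunnel that is up but gets no POP3 greeting from the far end. The fake POP3 server it starts is a constructed stand-in so the script runs without a real tunnel; the function and variable names are my own.

```python
import socket
import threading

# Local end of the tunnel, as set up with plink -L 10110:my.mail-server.net:110
TUNNEL_HOST = "localhost"
TUNNEL_PORT = 10110

def _line(rx):
    """Decode one CRLF-terminated POP3 line (empty string if the peer closed)."""
    return rx.readline().decode("ascii", "replace").strip()

def check_pop3_tunnel(host=TUNNEL_HOST, port=TUNNEL_PORT, timeout=5.0):
    """Automate the telnet test: connect, read the greeting, send QUIT.
    Refused = nothing listening locally (plink / the FireDaemon service is down);
    accepted but no greeting = remote end of the tunnel is not reaching port 110."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return {"ok": False, "reason": "refused: nothing listening on local port"}
    with sock, sock.makefile("rb") as rx:
        try:
            greeting = _line(rx)
        except socket.timeout:
            return {"ok": False, "reason": "no greeting: remote POP3 not answering"}
        if not greeting.startswith("+OK"):
            return {"ok": False, "reason": "unexpected greeting", "greeting": greeting}
        sock.sendall(b"QUIT\r\n")
        return {"ok": True, "greeting": greeting, "quit_reply": _line(rx)}

def start_fake_pop3_server():
    """Constructed stand-in for the mail server so the check can run offline:
    greets with +OK, answers QUIT, and returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn, conn.makefile("rb") as rx:
            conn.sendall(b"+OK POP3 server ready (constructed)\r\n")
            if _line(rx).upper() == "QUIT":
                conn.sendall(b"+OK bye\r\n")
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def unused_local_port():
    """A port nothing listens on, to exercise the 'tunnel not running' outcome."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Against a real tunnel, call check_pop3_tunnel() with no arguments once plink is running; the greeting it returns is the same welcome message the telnet test shows.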
Set up the connection to start as a service using firedaemon
- Load up FireDaemon
- Set up a new service definition
- Set up some identification details in the top half of the Program panel. This is information for you.
- Set up the application
- Make sure 'Console Application' is checked
- Browse for the plink executable.
- Copy the parameters that you know worked from the test connection above.
- Click Install - you don't need to set up any other options.
- Check that the service is running by checking the status in firedaemon.
- Go back and establish a test connection as outlined in the previous stage. If this works go on.
Set up your mail client to establish a connection through the tunnel.
- Open up your mail client.
- Edit your account settings for the account you want to secure.
- Edit the mail server to be localhost
- Edit the connection port to be that which you configured in the plink command above (10110 in this example).
- You should now be able to collect mail, and it's coming over a secure connection, and possibly even compressed if you chose to establish a compressed connection.