Mail port forwarding

Background

A client (end user) receives and sends mail using client software such as Microsoft Outlook, Netscape Communicator or Linux KMail. Such software must communicate with remote mail servers using protocols such as IMAP, POP or SMTP. Unfortunately the clients, servers and protocols, as commonly deployed, offer no usable strong security: user names, passwords and message contents cross the network in cleartext.

A solution

A small virtual private network (VPN) is established using the port forwarding capability of SSH-2. SSH-2 has good security and is used to authenticate the client and the server and to protect all traffic that crosses the network. The insecure mail clients, servers and protocols never make a network connection themselves: each only talks to a listener on its own machine, and ssh carries that traffic, encrypted, between the two machines.

From the point of view of a client, the mail servers appear to be running on the same local machine. From the point of view of the mail servers, all clients appear to be running on the server's own machine, since their connections arrive from sshd on 127.0.0.1. Note that the servers therefore extend whatever trust they give to localhost (for example sendmail's permission to relay from 127.0.0.1) to every tunnelled client, so the ssh authentication is the only control standing between the network and those servers.

Obtaining SSH

Linux users can install the openssh package from their distribution; it is usually already installed.

Windows users can install Cygwin (which includes OpenSSH) from http://www.cygwin.com.

Windows users should know that Cygwin is a small Unix-like environment. A user bob will have a home directory of "/home/bob" under Cygwin, which equates to "C:\cygwin\home\bob" under Windows. Useful Unix commands include "ls", "pwd", "hostname", "cd", "cp", "vi", "man" and "exit". More information on each command can be obtained by reading its man page, e.g. "man ls".

Initializing keys

Each user creates a public key/private key pair just once. The keys serve to prove the user's identity to others. The private key is never revealed or sent anywhere; the public key is sent to everyone who needs to verify the user. Invent a secret passphrase to protect your private key (write it down and keep the note somewhere safe) and enter it when requested in the next step. This passphrase is not the same as any password on any computer system and is never used as one. No one but you may know this passphrase. If you lose it you will have to generate a new public key/private key pair and inform everyone of your new public key.

One time only, perform the following steps:-

Check that you now have a public key file as follows:-
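As an added example (not part of the original page), the following shell script assembles the ssh-2 port-forwarding tunnel for POP3, IMAP and SMTP, rejects forward specifications that would expose the tunnel entrance beyond the local machine, and checks the greeting that should be seen on a forwarded port. The host name mail.example.com, the user name bob and the local ports 1110, 1143 and 1025 are assumptions; nothing is connected to, so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the original page. Host, user and local ports
# are assumptions chosen for illustration.
MAILHOST=mail.example.com   # assumption: the remote mail server
MAILUSER=bob                # assumption: your login on that server

# forward_spec LOCALPORT REMOTEPORT -> print the argument for one ssh -L.
# The listener is bound to 127.0.0.1, so the cleartext client side never
# leaves this machine, and the far end is 127.0.0.1 as seen by the server,
# so the server likewise only ever sees a local client.
forward_spec() {
    printf '127.0.0.1:%s:127.0.0.1:%s' "$1" "$2"
}

# check_forward_spec SPEC -> 0 if SPEC binds its listener to loopback only.
# A bind address of * or 0.0.0.0 opens the tunnel entrance to the whole LAN,
# and a spec with no bind address inherits the client's GatewayPorts setting,
# so both are rejected.
check_forward_spec() {
    case "$1" in
        127.0.0.1:*:*:*|localhost:*:*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# tunnel_cmd -> print the ssh command that brings the whole tunnel up.
# -N runs no remote command, -f backgrounds ssh once the forwards are in place,
# and each -L maps an unprivileged local port to the matching service on the
# server: 1110 -> 110 (POP3), 1143 -> 143 (IMAP), 1025 -> 25 (SMTP).
tunnel_cmd() {
    printf 'ssh -N -f -L %s -L %s -L %s %s@%s\n' \
        "$(forward_spec 1110 110)" \
        "$(forward_spec 1143 143)" \
        "$(forward_spec 1025 25)" \
        "$MAILUSER" "$MAILHOST"
}

# greeting_ok PROTO LINE -> 0 if LINE is the banner PROTO sends on connect
# (+OK for POP3, "* OK" for IMAP, 220 for SMTP). Reading the banner from the
# local port confirms the forward reaches the intended service and not some
# other port or host.
greeting_ok() {
    case "$1" in
        pop3) case "$2" in '+OK'*)  return 0 ;; esac ;;
        imap) case "$2" in '* OK'*) return 0 ;; esac ;;
        smtp) case "$2" in 220*)    return 0 ;; esac ;;
    esac
    return 1
}

# Demonstration on constructed input; nothing is executed against the network.
echo "Tunnel command: $(tunnel_cmd)"
for spec in "$(forward_spec 1110 110)" 0.0.0.0:1110:127.0.0.1:110 1110:127.0.0.1:110; do
    if check_forward_spec "$spec"; then echo "accept $spec"; else echo "reject $spec"; fi
done
# Constructed POP3 banner, as a real server would send it on 127.0.0.1:1110
if greeting_ok pop3 '+OK POP3 mail.example.com server ready'; then echo "POP3 banner ok"; fi
```

Run the printed command, then point the mail client at 127.0.0.1 with POP3 on 1110, IMAP on 1143 and SMTP on 1025. Something like `printf 'QUIT\r\n' | nc 127.0.0.1 1110` (assuming nc is installed) shows the banner that greeting_ok expects. Current OpenSSH also accepts `-o ExitOnForwardFailure=yes`, which makes ssh fail outright if a local port is already taken instead of starting with one forward missing.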

Alternative: Use of the STARTTLS option for secure access to sendmail and to prevent others from relaying.

Sendmail 8.12.9 and later can be compiled to support TLS encryption, which is negotiated dynamically with the client. Sendmail can also run a message submission agent listening on port 587 rather than 25, and can support authentication using a user name and password. Combine all of these options and you achieve an encrypted private connection via TLS, over which you can then authenticate with a password (knowing that the password cannot be sniffed), and you can then control mail permissions such as RELAY based on the authenticated user.
Here is a screenshot of the secure mail settings for the Mozilla mail client. A quirk of the Mozilla 1.4 client means that when using a self-signed server certificate you should only accept the certificate temporarily, for this session, when prompted, so that the prompt is presented again whenever a new connection is required. Without this prompt the creation of a secure session fails; when that happens you need to close all browser windows and restart the browser to get the prompt again. If you accidentally accept the certificate forever, you will need to delete it from the client's list of trusted certificates using the Mozilla 1.4 security preferences.

Some lines from sendmail.mc
dnl AUTH options: A = add AUTH= to MAIL FROM only when authentication succeeded,
dnl p = do not offer plaintext mechanisms (LOGIN, PLAIN) unless TLS is active,
dnl y = do not permit anonymous login
define(`confAUTH_OPTIONS', `A p y')dnl
dnl V = do not request a client certificate
define(`confTLS_SRV_OPTIONS', `V')dnl
dnl Users authenticated with these mechanisms are allowed to relay
TRUST_AUTH_MECH(`LOGIN PLAIN')dnl
define(`confAUTH_MECHANISMS', `LOGIN PLAIN')dnl
define(`confCACERT_PATH',`/usr/share/ssl/certs')dnl
define(`confCACERT',`/usr/share/ssl/certs/ca-bundle.crt')dnl
define(`confSERVER_CERT',`/usr/share/ssl/certs/sendmail.pem')dnl
dnl The key file must be readable only by root (mode 0600); otherwise sendmail
dnl logs it as unsafe and does not offer STARTTLS
define(`confSERVER_KEY',`/usr/share/ssl/certs/sendmail.pem')dnl

Some lines from devtools/Site/site.config.m4 (when compiling sendmail from source to get the STARTTLS option):-

[root@ns2 Site]# more site.config.m4
dnl Stuff for TLS: where the OpenSSL (and Cyrus SASL) headers and libraries live
APPENDDEF(`confINCDIRS', `-I/usr/local/include')
APPENDDEF(`confLIBDIRS', `-L/usr/local/lib')
dnl Build the sendmail binary with STARTTLS support, linked against OpenSSL
APPENDDEF(`conf_sendmail_ENVDEF', `-DSTARTTLS')
APPENDDEF(`conf_sendmail_LIBS', `-lssl -lcrypto')
dnl SASL for the AUTH command; as written this is Cyrus SASL version 1,
dnl for version 2 use -DSASL=2 and -lsasl2
APPENDDEF(`confENVDEF', `-DSASL')
APPENDDEF(`conf_sendmail_LIBS', `-lsasl')
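As an added example (not code from the original page or from sendmail), the following shell script checks a server's EHLO replies for the behaviour the sendmail.mc lines above are meant to produce: STARTTLS is offered, the LOGIN and PLAIN mechanisms are withheld on the cleartext session (the `p` in confAUTH_OPTIONS) and offered once TLS is up. The EHLO replies, the host name mail.example.com and the client address are constructed, so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original page: check EHLO replies for the
# behaviour the sendmail.mc lines above are meant to produce. With "p" in
# confAUTH_OPTIONS, LOGIN and PLAIN must not be offered on a cleartext
# session, only after STARTTLS. All replies below are constructed.

# ehlo_keywords REPLY -> print the EHLO keywords, one per line, from a
# multi-line 250 reply ("STARTTLS", "AUTH LOGIN PLAIN", ...). The first line
# carries the server's greeting, not a capability, and is skipped.
ehlo_keywords() {
    printf '%s\n' "$1" | tr -d '\r' | awk '/^250[- ]/ && NR > 1 { print substr($0, 5) }'
}

# has_keyword REPLY WORD -> 0 if WORD is advertised as an EHLO keyword
has_keyword() {
    ehlo_keywords "$1" | awk -v w="$2" '$1 == w { found = 1 } END { exit !found }'
}

# auth_mechs REPLY -> print the mechanisms listed after AUTH, if any
auth_mechs() {
    ehlo_keywords "$1" | awk '$1 == "AUTH" { $1 = ""; sub(/^ /, ""); print }'
}

# check_submission CLEAR_REPLY TLS_REPLY -> 0 if the server offers STARTTLS,
# withholds AUTH until TLS is up, and offers AUTH once it is. CLEAR_REPLY is
# the EHLO reply before STARTTLS, TLS_REPLY the reply on the same session
# after it. Every failing condition is named.
check_submission() {
    rc=0
    if has_keyword "$1" STARTTLS; then
        echo "ok:   STARTTLS offered"
    else
        echo "FAIL: STARTTLS not offered"; rc=1
    fi
    if [ -n "$(auth_mechs "$1")" ]; then
        echo "FAIL: AUTH ($(auth_mechs "$1")) offered in clear; passwords could be sniffed"; rc=1
    else
        echo "ok:   no AUTH before TLS"
    fi
    if [ -n "$(auth_mechs "$2")" ]; then
        echo "ok:   AUTH ($(auth_mechs "$2")) offered after TLS"
    else
        echo "FAIL: no AUTH after TLS; clients cannot authenticate to relay"; rc=1
    fi
    return $rc
}

# Constructed replies with CRLF line endings as on the wire. GOOD_CLEAR and
# GOOD_TLS are what the configuration above should produce; BAD_CLEAR is a
# server without "p" in confAUTH_OPTIONS, which offers AUTH before TLS.
GOOD_CLEAR=$(printf '250-mail.example.com Hello [192.0.2.10], pleased to meet you\r\n250-ENHANCEDSTATUSCODES\r\n250-PIPELINING\r\n250-8BITMIME\r\n250-STARTTLS\r\n250 HELP\r\n')
GOOD_TLS=$(printf '250-mail.example.com Hello [192.0.2.10], pleased to meet you\r\n250-ENHANCEDSTATUSCODES\r\n250-PIPELINING\r\n250-8BITMIME\r\n250-AUTH LOGIN PLAIN\r\n250 HELP\r\n')
BAD_CLEAR=$(printf '250-mail.example.com Hello [192.0.2.10], pleased to meet you\r\n250-STARTTLS\r\n250-AUTH LOGIN PLAIN\r\n250 HELP\r\n')

echo "Correctly configured server:"
check_submission "$GOOD_CLEAR" "$GOOD_TLS"
echo "Server offering AUTH in clear:"
check_submission "$BAD_CLEAR" "$GOOD_TLS" || echo "=> misconfigured"
```

A real cleartext reply comes from typing EHLO into a telnet or nc session to port 587; `openssl s_client -connect mail.example.com:587 -starttls smtp -crlf` issues EHLO and STARTTLS itself, after which typing EHLO again gives the post-TLS reply. The submission agent on port 587 is declared in sendmail.mc with DAEMON_OPTIONS, for instance DAEMON_OPTIONS(`Port=submission, Name=MSA, M=Ea')dnl, where M=Ea additionally requires authentication on that port; that line is not among the ones shown above.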
 


Alternative: Use of pop3s (TLS-secured POP3 protocol)


Disable the cleartext ipop3 service and enable pop3s on the server by editing /etc/xinetd.d/ipop3 (disable = yes) and /etc/xinetd.d/pop3s (disable = no) and restarting xinetd.
Set your Mozilla 1.4 mail client to use secure POP3 (SSL) on port 995. See the screenshot of the secure incoming mail settings for the Mozilla mail client.
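As an added example (not from the original page), the following shell script audits a directory of xinetd service files to confirm that the cleartext ipop3 service is off and the TLS-wrapped pop3s service is on, and that both point at the same POP3 daemon. The sample files it writes are constructed in the layout Red Hat ships for the imap package; the real files live in /etc/xinetd.d/, and the daemon path /usr/sbin/ipop3d is an assumption.

```shell
#!/bin/sh
# Added example, not from the original page: audit xinetd service files so
# that the cleartext ipop3 service is off and the TLS-wrapped pop3s service is
# on. The real files live in /etc/xinetd.d/; the copies written here are
# constructed for demonstration.

# xinetd_disabled FILE -> print "yes" or "no" from the service's
# "disable = ..." attribute. xinetd treats a missing attribute as "no",
# i.e. the service is enabled, so the audit must not assume absence is safe.
xinetd_disabled() {
    awk -F= '
        $1 ~ /^[ \t]*disable[ \t]*$/ { gsub(/[ \t]/, "", $2); v = tolower($2) }
        END { print (v == "" ? "no" : v) }' "$1"
}

# xinetd_server FILE -> print the program the service runs (the "server ="
# attribute), so the audit can confirm pop3s really points at the POP3 daemon.
xinetd_server() {
    awk -F= '$1 ~ /^[ \t]*server[ \t]*$/ { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2 }' "$1"
}

# check_pop3 DIR -> 0 if DIR/ipop3 is disabled and DIR/pop3s is enabled and
# both run the same daemon; each failing condition is named on stderr.
check_pop3() {
    dir=$1
    rc=0
    if [ "$(xinetd_disabled "$dir/ipop3")" != yes ]; then
        echo "FAIL: cleartext ipop3 (port 110) is still enabled" >&2; rc=1
    fi
    if [ "$(xinetd_disabled "$dir/pop3s")" != no ]; then
        echo "FAIL: pop3s (port 995) is not enabled" >&2; rc=1
    fi
    if [ "$(xinetd_server "$dir/pop3s")" != "$(xinetd_server "$dir/ipop3")" ]; then
        echo "FAIL: pop3s and ipop3 run different servers" >&2; rc=1
    fi
    return $rc
}

# write_sample DIR NAME DISABLE -> write a constructed xinetd file in the
# layout Red Hat ships for the imap package (comments, braces, one
# "attribute = value" per line). The daemon path is an assumption.
write_sample() {
    cat > "$1/$2" <<EOF
# default: off
# description: constructed sample for the $2 service
service $2
{
        disable         = $3
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/ipop3d
        log_on_success  += HOST DURATION
        log_on_failure  += HOST
}
EOF
}

# make_samples DIR -> DIR/good has the intended state, DIR/bad still has
# cleartext POP3 on and pop3s off (the shipped default).
make_samples() {
    mkdir -p "$1/good" "$1/bad"
    write_sample "$1/good" ipop3 yes
    write_sample "$1/good" pop3s no
    write_sample "$1/bad"  ipop3 no
    write_sample "$1/bad"  pop3s yes
}

tmp=$(mktemp -d)
make_samples "$tmp"
for d in good bad; do
    if check_pop3 "$tmp/$d"; then echo "$d: pop3 configuration ok"; else echo "$d: fix and restart xinetd"; fi
done
rm -rf "$tmp"
```

Point check_pop3 at /etc/xinetd.d after editing the real files and restarting xinetd, then confirm from a client that `openssl s_client -connect mail.example.com:995` (assumed host name) shows the server certificate followed by the +OK POP3 greeting, while a plain connection to port 110 is refused.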

Cycom Limited home page