A client (end-user) receives and sends mail using client software such as Microsoft Outlook, Netscape Communicator, or Linux KMail. Such software must communicate with remote mail servers using protocols such as IMAP, POP or SMTP. Unfortunately the clients, servers and protocols have failed to implement useable high security.
A small virtual private network (VPN) is established using the port forwarding capabilities of ssh-2. SSH-2 has good security and is used to authenticate the client and server and to protect any network traffic. The insecure mail clients, servers and protocols never make a network connection, rather they each only communicate within the local machine.
From the point of view of a client, it will look as though mail servers are running on the same local machine. From the point of view of the mail servers it will look as though all clients are running on the same local machine.
Linux users can install package openssh available from any linux site and usually already installed.
Windows users can install cygwin (which includes openssh) from http://www.cygwin.com .
Windows users should know that Cygwin is a small unix-like environment. A user bob will have a home directory of "/home/bob" with cygwin which will equate to "C:\cygwin\home\bob" under windows. Useful unix commands include "ls" "pwd" "hostname" "cd" "cp" "vi" "man" "exit". More info on each command can be obtained by reading the man page for a command e.g. "man ls".
Each user will create some public key/private key pairs just the once. The keys will serve to prove his identity to others. The user will never reveal his private key or send it anywhere. The user will send his public key to everyone. Invent a secret passphrase to protect your private key, write it down and enter it when requested in the next step. This passphrase is not the same as any password on any computer system and is never used as such. No-one but you must know this passphrase. If you lose it then you will have to generate a new public key/private key pair and inform everyone of your new public key.
One time only, perform the following steps:-
ssh-keygen -t dsa
Check that you now have a public key file as follows:-
This file should have contents similar to this:-
Send this file to your mail server administrator. He will append it to the file ".ssh/authorized_keys2" on the mail server machine. Do not send any other file or reveal your passphrase.
After the mail server administrator has stored your public key, you will be able forward ports 110 and 25 from the mail server to your local client machine using the startforward.sh script in your home directory which you should create with the following contents:-
#whoami >> /tmp/ip-up.local.log
(/usr/bin/ssh-agent ~/subforward.sh )
#echo "started forwardmail" >> /tmp/ip-up.local.log
This script calls a subordinate script with contents as follows:-
#env >> /tmp/ip-up.local.log
/usr/bin/ssh -v -a -L 25:localhost:25 -L 110:localhost:110 firstname.lastname@example.org
You will need to edit this second script to substitute your local client username and also substitute your remote username and remote mail server hostname. For example a local client "bob" with a remote username of "robert" on mail server "mail2.cyterm.com" would make the following substitutions:-
/home/cwturner becomes /home/bob
email@example.com becomes firstname.lastname@example.org
The mail clients should use "localhost" as the name for both the POP server and the SMTP server. No encryption options should be used. The mail server login name should be your remote username (e.g. "robert") and the password will be your remote password (not your private passphase!).
The mail servers are configured by the mail administrator but briefly, relaying is only allowed for localhost (127.0.0.1) and the POP3 server must only listen on 127.0.0.1 (in /etc/xinetd.d/ipop3 have the lines:-
only_from = 127.0.0.1
bind = 127.0.0.1
Connect to internet
Bring up a shell window (Cygwin bash or Linux bash)
Enter you private key passphrase when requested
Allow 20 seconds for the port forwarding to establish
Use your mail clients to send and recieve mail
Stop the port forwarding by using "Control-C" key to terminate the shell script
Disconnect from internet
Close the shell window
If the mail clients produce an error saying "host busy" or "cannot connect" the first time, just wait 20 seconds and retry.
If the error persists, check the shell window to ensure that the startforward.sh script is still running and hasn't finished too soon. If it has finished then re-run it or duplicate more final lines in the subordinate script "subforward.sh".