10, 12 and
I use ssh for everything, even for e-mail,
and file transfers.
In a VPS (Virtual Private Server), along with web server
nginx for my website, I also have an
e-mail server.
On my laptop, I retrieve and archive e-mails using the
legacy program Eudora 7.1.0.9. My laptop
runs Linux and Eudora is for Windows, so I have to use
wine.
I also send e-mails from Eudora, via the e-mail server on
the VPS. The e-mail server has the components
postfix,
dovecot,
spamassassin,
spamc,
spamd,
sa-update, and
dkim.
Quite complicated, but now that it works, it works.
In this day and age, encryption is a must. So to fetch mail under the POP3 protocol, use port 993 instead of 110. To send mail over SMTP (Simple Mail Transport Protocol) use port 587, not 25. My old Eudora can probably do that, it has settings for it, but when I tried them in the past, it often didn’t work, if ever.
To keep things simple, I now just use the unencrypted ports.
Isn’t that unsafe? No, because traffic is to and from
localhost, that is, within my own laptop.
How? Thanks to ssh port redirection.
I made a little shell script, which I called mailtunnel,
that contains this:
cd $HOME sudo -P ssh -L 110:localhost:110 -L 25:localhost:25 -Nf ruudh@rudhar.com
Options -L tell ssh that this is about
port forwarding. Otherwise in the remote session (that is,
on my e-mail server, on my VPS), there is nothing to do, as
indicated by option -N. What option -f
is for I can’t remember, it solved some problem, see
man ssh.
For security, executing this command requires root rights,
hence sudo, which if not used before recently,
will require me to type my user password. Next, ssh
will ask for the password (unless I arranged for keys, which
is better) of e-mail user ruudh om my server
rudhar.com.
Once all of that is settled satisfactorily, the effect is this:
When I have my e-mail program Eudora send an outgoing e-mail
to local port 25, ssh provides for a tunnel, so
that the message is really sent to port 25 of the remote!
I use an unencrypted port, but ssh encrypts
tunnel traffic, so this is safe to go over the public internet.
The e-mail server thinks the traffic comes from a local port,
so it will allow relays, and I can send e-mails to any destination
around the globe.
Likewise, when I have Eudora listen on encrypted port 110, to
look for any unreceived e-mails waiting in the post office,
ssh really listens on port 110 on the remote,
and fetches messages from the mail server there, through its
encrypted tunnel.
Myself I don’t use IMAP, but it can be done in the same way, with port 143.
I have no e-mail server on my laptop or anywhere else in my LAN (Local Area Network), and that’s better because most Internet Access Providers will deem any mail coming from a personal or small business connection to be spam, even when it isn’t.
I don’t know why, but my impression is that as an added advantage, this way of doing things is somehow even faster than using the encrypted e-mail ports.
(The reason for doing cd $HOME is to avoid that
port forwarding could accidentally keep a directory busy,
that is on an ejectable device, or on an encrypted container
I might want to unmount later.)
Note: For the mail tunnel to work, on my server I needed to add
these settings in openssh’s configuration file
/etc/ssh/sshd_config :
AllowTcpForwarding yes PermitOpen any
Well, those are probably the defaults anyway. But just to be sure.
For file transfers I don’t use the unsafe FTP
of the early days of Internet, and I also don’t use a
more modern, safer FTP replacement.
Everything I want to do is efficiently possible using
rsync via ssh.
Occasionally I also use sshfs. That too is
based on an ssh tunnel.
The above means that on my VPS web and e-mail server, the
firewall needs to open up very few incoming ports.
(I use nftables, but iptables,
with or without ufw, will also do the job.)
Open ports:
Seems quite safe to me.
Copyright © 2024 by R. Harmsen, all rights reserved.