Single Configuration Email with IMAP and SSH
From BNL Physics Computing
This topic describes how you can securely access your email from a laptop in the same way as you do from your Lab workstation, regardless of where your laptop happens to be.
Overview
The goal here will be to set up your laptop and workstation so that:
- Your laptop does not have to have location specific configuration.
- You access your inbox and saved folders in the same way from your laptop and from your workstation
- Remote access is secure.
- Mail sent from your laptop will appear to be sent from your workstation
This is mostly accomplished by using SSH tunnels from your laptop to your workstation (or some internal server). Note: sending and receiving are decoupled so one can use either or both of the methods described here.
In the examples the following hosts are involved. Some of their roles may be on a single physical machine:
- laptop
- this is a system expected to be used on internal, visitor and home networks
- workstation
- this is the desktop in your office
- gateway
- this is the SSH gateway machine you use to access internal machines
- smarthost
- this is the SMTP server acting as a so-called "smart host". You can use "bnl.gov"
- imapper
- this is the IMAP server. One is running on "home.phy.bnl.gov".
Client Requirements
Your mail client needs:
- Support for IMAP or IMAPS on non-standard ports
- Sending via SMTP to non-standard ports.
Known to work:
- Evolution 2.12
- GNUS 5.11
Setup
Laptop SSH tunnels
You need two tunnels, one for receiving and one for sending mail. The examples below show how to set them up "by hand". You may also want to avail yourself of various GUIs to control tunnels.
The Sending Tunnel
This will set up a tunnel from a local laptop port, through gateway and on to smarthost and will be used to send SMTP.
ssh -L 2525:smarthost:25 username@gateway
Remember this "laptop SMTP port", here 2525, as you will need it later.
The Receiving Tunnel
This will set up a tunnel from a local laptop port, through gateway and on to imapper and will be used to carry IMAP (or IMAPS) requests.
Before setting up the tunnel you have two choices to make:
- IMAP or IMAPS?
- IMAP sends passwords in plain text. The SSH tunnel only protects the laptop-to-gateway leg; the gateway-to-imapper hop still crosses the internal network in the clear, which is what the BNL scanner will probably catch.
- IMAPS uses SSL encryption so is more secure, but not all email clients support it.
- Server listens on localhost or external network interface?
- Listening on localhost means the IMAP/IMAPS server will not be seen on the network. The tunnel then has to terminate on imapper itself, so the plaintext IMAP leg never leaves imapper's loopback interface and there is no worry about plaintext passwords.
- However, it means a more complicated SSH tunnel setup, because you must SSH to imapper (via gateway) rather than to gateway.
If you wish to keep the server listening only on the localhost network interface you will need to configure your SSH client to transparently pass through gateway, typically with a ProxyCommand entry for imapper in your ~/.ssh/config, so that "ssh imapper" works from anywhere.
Example conventions:
- LOCALPORT
- will be 10143 for IMAP and 10993 for IMAPS
- REMOTEPORT
- will be 143 for IMAP and 993 for IMAPS
- REMOTEHOST
- will be "localhost" if the server listens there, else will be "imapper"
- TARGETHOST
- will be "imapper" if the server listens on its localhost, else will be "gateway"
ssh -L LOCALPORT:REMOTEHOST:REMOTEPORT username@TARGETHOST
You will need to remember the LOCALPORT when configuring your email client.
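The following script is an added example, not part of the original page, that puts the sending tunnel, the receiving tunnel and the transparent pass-through together. It turns the two choices (IMAP or IMAPS, server on localhost or on the external interface) into the exact LOCALPORT:REMOTEHOST:REMOTEPORT and TARGETHOST values defined above, writes an ssh_config stanza that makes "ssh imapper" hop through gateway, starts both tunnels with ExitOnForwardFailure so a port collision fails loudly instead of silently leaving you with no forward, and checks that an IMAP server actually answers on the local port. The host names gateway, imapper and smarthost and the user name "username" are the page's placeholders; the ProxyCommand with "ssh -W" assumes OpenSSH 5.4 or later, and the greeting check assumes bash (it uses /dev/tcp).

```shell
#!/usr/bin/env bash
# Added example (not from the original page): build, start and check the
# SSH mail tunnels. Host names and the user are the page's placeholders.

MAIL_SSH_USER="${MAIL_SSH_USER:-username}"

# Map the two choices onto the page's conventions:
#   LOCALPORT  10143 (imap) / 10993 (imaps)
#   REMOTEPORT   143 (imap) /   993 (imaps)
#   REMOTEHOST localhost if imapper listens on loopback, else imapper
#   TARGETHOST imapper   if imapper listens on loopback, else gateway
imap_tunnel_args() {
    proto="$1"; listen="$2"
    case "$proto" in
        imap)  localport=10143; remoteport=143 ;;
        imaps) localport=10993; remoteport=993 ;;
        *) echo "unknown protocol: $proto (use imap or imaps)" >&2; return 1 ;;
    esac
    case "$listen" in
        localhost) remotehost=localhost; targethost=imapper ;;
        external)  remotehost=imapper;   targethost=gateway ;;
        *) echo "unknown listen mode: $listen (use localhost or external)" >&2; return 1 ;;
    esac
    echo "-L ${localport}:${remotehost}:${remoteport} ${MAIL_SSH_USER}@${targethost}"
}

# The sending tunnel from the page: laptop port 2525 -> gateway -> smarthost:25
smtp_tunnel_args() {
    echo "-L 2525:smarthost:25 ${MAIL_SSH_USER}@gateway"
}

# Write an ssh_config that makes "ssh imapper" pass transparently through
# gateway. "ssh -W" (OpenSSH >= 5.4) forwards stdin/stdout to imapper:22,
# so the SSH session to imapper is end-to-end; gateway never sees it decrypted.
write_ssh_config() {
    cfg="$1"
    cat > "$cfg" <<EOF
Host gateway
    HostName gateway
    User ${MAIL_SSH_USER}

Host imapper
    HostName imapper
    User ${MAIL_SSH_USER}
    ProxyCommand ssh -W %h:%p gateway
EOF
    echo "$cfg"
}

# Start one tunnel in the background. -N runs no remote command, -f backgrounds
# ssh only after the forward is up, and ExitOnForwardFailure makes ssh exit
# non-zero if LOCALPORT is already taken instead of silently dropping the -L.
# ssh binds the local end to 127.0.0.1 by default, so the mail client must use
# "localhost"; never add -g or a bind address, or other hosts could use it.
start_tunnel() {
    cfg="$1"; shift
    ssh -F "$cfg" -f -N -o ExitOnForwardFailure=yes "$@"
}

# A real IMAP server speaks first: it sends "* OK ..." before the client says
# anything. Read the first line from the local port and check for it.
check_imap_greeting() {
    port="$1"
    greeting=$( (exec 3<>"/dev/tcp/127.0.0.1/${port}" && head -n 1 <&3) 2>/dev/null )
    case "$greeting" in
        "* OK"*) echo "IMAP greeting on ${port}: ${greeting}"; return 0 ;;
        *) echo "no IMAP greeting on port ${port}; is the tunnel up?" >&2; return 1 ;;
    esac
}

# Usage: MAIL_TUNNELS_RUN=1 ./mailtunnels.sh  (IMAPS, server on imapper's loopback)
if [ "${MAIL_TUNNELS_RUN:-0}" = 1 ]; then
    cfg=$(write_ssh_config "$(mktemp)")
    # word splitting of the returned args is intentional
    start_tunnel "$cfg" $(imap_tunnel_args imaps localhost)   # plain IMAP would be 10143
    start_tunnel "$cfg" $(smtp_tunnel_args)
    check_imap_greeting 10993
fi
```

If check_imap_greeting prints nothing, the tunnel is not up or the wrong LOCALPORT was given; if the tunnel is up but the greeting never arrives, imapper is most likely listening on the other interface than the one you chose. With IMAPS on 10993 the first bytes are a TLS handshake rather than "* OK", so run the check against the plain IMAP port, or use "openssl s_client -connect localhost:10993" to see the greeting inside TLS.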
Laptop Client Setup
Basically you set up your email client as if you had an SMTP and an IMAP/IMAPS server running locally but on nonstandard ports. Use "localhost" as the server name (SSH binds the forwarded port to the loopback interface by default) and the ports given when you established the SSH tunnel (the ones just following "-L").
Some clients will let you explicitly set the port, others will let you tack it on to the hostname using a ":", eg "localhost:2525".
Workstation Client Setup
This may be identical to the laptop client; however, you may directly specify smarthost for your SMTP server. Or, your workstation may be set up to send mail directly, in which case you can use that.
Likewise, the imapper may be directly accessed if it is listening on the external network interface. Otherwise you will have to make a tunnel from workstation to imapper as you did for laptop (but not necessarily going through gateway). Or, if imapper and workstation are one and the same, you can simply use "localhost:LOCALPORT".
One thing you probably don't want to do is have your workstation client get its mail directly from the system inbox. This will bypass IMAP and not allow your laptop to see any new mail that comes in while you are working on workstation.
