Comments on: Secure wireless email on Mac OS X

By: Eduard

Eduard — Mon, 18 Apr 2005 16:51:52 +0000

This is an important topic and the information posted by various people is quite interesting. I think I have some things to mention here as well.

One, any wireless links you use for anything should be encrypted with a WEP key. Not just email and not just for sensitive information. An exposed home wireless router will allow any intruder to use your bandwidth, even if your information is no use to them.

Two, any sensitive-information email should be encrypted with a personal certificate and the receiver must use your public certificate to decrypt it. Otherwise, whether you use SSH or not is irrelevant once the email is in route to the receiving SMTP server. Many people (including corporations) are taking great lengths to protect their systems, but no effort is made to educate the end-user as to encryption usage and privacy requirements. I’ve also blogged about this serious omission related to today’s IT environments:

http://www.linkany.com/plog/index.php?op=ViewArticle&articleId=17&blogId=3

Three, if you are an ISP or hosting email provider or IT manager, you should absolutely set up SPF records for the sending domains you’re responsible for, backup storage for emails (European law requires 10 years of emails to be saved for corporations), updated working anti-spam filtering (EU law also requires this), and intelligent anti-virus protection (not just blocking attachments).

By: Stef

Stef — Mon, 11 Apr 2005 00:44:58 +0000

Just chipping in again with another useful free (BSD-like, open-source) tool: Fugu. It's a Mac OS X SFTP, SCP and SSH frontend with drag and drop, perms, console, key authentication, directory upload, keychain support, etc. Oh, and SSH tunnels ;)

By: Stef

Stef — Mon, 04 Apr 2005 18:48:51 +0000

Here's a very good article on SSH and keys, which is a bit more thorough than the MacDevCenter article, and a tutorial on using ssh-agent, which is a simple commandline "keychain" that'll stop you being prompted for your passphrase every time you SSH to a host, and it's standard on most *NIXes. (Handy if you can't/don't want to use SSHKeyChain.) For Windows users I'd highly recommend PuTTY, an excellent free (MIT licence) terminal emulator that does port forwarding, as well as telnet, SCP, SFTP. (The Pageant tool in PuTTY is the equivalent of ssh-agent, and sits in the tray.) To go with that: a pretty much identical to Doug's but for PuTTY/Windows tutorial and another PuTTY port forwarding howto for good measure.

By: Jakob Heuser

Jakob Heuser — Mon, 28 Mar 2005 18:47:56 +0000

For those who are (after all this while) having difficulty with outgoing mail via SSH, another alternative is to grab a tool such as Postfix Enabler http://www.roadstead.com/weblog/Tutorials/PostfixEnabler.html for OSX. This allows you to use localhost for sending mail. Additionally, it’s default configuration prevents other users from using your postfix installation, keeping it nice and secure. It also handles setup of your config file for SASL Authentication. Just another road to consider of course, and the more options for email security, the better everyone will be.

By: Grurp

Grurp — Thu, 24 Mar 2005 01:53:11 +0000

There is documention on ssh under Mac OS X. The two places that I know of are: the ssh man pages and “www.openssh.org” the homepage for the version of ssh that Mac OS X uses. The man pages for ssh are: scp, sftp, ssh, ssh_config, sshd_config, sftp-server, ssh-add, ssh-agent, ssh-keygen, and ssh-keysign (the presence of some of these man pages depends on what parts of openssh is installed on your system). To read the manpage ssh type “man ssh” at the commandline. There are several other programs that can read man pages. I personally use pinfo (http://dione.ids.pl/~pborys/pinfo) to read man pages. You can find more programs to read manpages at “freshmeat.net” (freshmeat is a website that lists a lot of different software).

There is a configuration file for the ssh client called “config”. It is located in the “.ssh/” directory under your home directory. Below is a slightly munged and pared listing of my ssh config file:

— begin file listing —
# this is a comment

Host *
#Compression yes
Compression no
#CompressionLevel 9
CompressionLevel 0
ForwardX11 yes
KeepAlive yes
StrictHostKeyChecking no
NoHostAuthenticationForLocalhost yes
EscapeChar ~
#VerifyHostKeyDNS yes

Host uncensored
HostName uncensored.citadel.org
User bbs
LocalForward 1304 uncensored.citadel.org:110
LocalForward 1305 uncensored.citadel.org:143
Compression yes
CompressionLevel 9

Host osuny.inri.net
User bbs
Compression yes
CompressionLevel 9

Host eisner
HostName encompasserve.org
#User some_user
Compression yes
CompressionLevel 9
LocalForward 1302 mail.encompasserve.org:25
LocalForward 1303 mail.encompasserve.org:993
LocalForward 1301 mail.encompasserve.org:995
ForwardX11 yes
ServerAliveInterval 70

Host eisner.proxy
HostName encompasserve.org
ProxyCommand /home/bork/bin/stunnel %h %p
Compression yes
CompressionLevel 9
LocalForward 1302 mail.encompasserve.org:25
LocalForward 1303 mail.encompasserve.org:993
LocalForward 1301 mail.encompasserve.org:995
ForwardX11 yes
ServerAliveInterval 70

Host ferdberful
Compression no
CompressionLevel 0
Ciphers blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc

Host pizzabox
Compression no
CompressionLevel 0
ForwardAgent yes
Ciphers blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
ForwardX11 yes

Host manson
HostName manson.vistech.net
User bork
Compression yes
CompressionLevel 9
Ciphers blowfish-cbc,aes128-cbc,3des-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
ForwardX11 yes
ServerAliveInterval 70

Host dahmer
#HostName openvms-rocks.com
HostName dahmer.vistech.net
Compression yes
CompressionLevel 9
ForwardX11 yes
ServerAliveInterval 70

— end file listing —

You can read about the options used here in the “ssh_config” man page. The entry for “uncensored” is worth noting as it allows me to simply type “ssh uncensored” at the commandline to login into “uncensored.citadel.org” as the user “bbs”, setup some tunnels, and turn on compression (compression is usefull on slow links like dialup internet access).

The reason I specify the order of ciphers to use when logging into some machines is because they are slow. Specifying this order lets me use a faster cipher for these machines which makes ssh work faster on them.

Finally let me mention that while I don’t have a mac myself I have read enough about Mac OS X to know that it uses OpenSSH which I have lots of experience with. As for the OSes I use they are linux, Solaris, OpenVMS, and NetBSD. Most of my working computers are non x86 architecture stuff.

Grurp

By: leonard

leonard — Sat, 12 Mar 2005 20:05:04 +0000

I made a pretty comprehensive walkthrough on how to set up SOCKS proxying (w/ SSH dynamic port forwarding as others mentioned) on OS X this morning: http://next.randomfoo.net/blog/id/3908

By: Douglas Bowman

Douglas Bowman — Thu, 10 Mar 2005 16:48:13 +0000

Hey Ian,

I’m already doing this with a Yahoo email account, as you might be able to tell above in the post where I show my local/remote port equivalents table. Works the same as any other email account, as long as you already have POP access to your Yahoo account (a paid feature, I believe, but it also comes with SBC/Yahoo DSL).

If you don’t get it working for some reason, find me in Austin before the conference gets going. I’ll be there Friday night onward.

By: Ian Lloyd

Ian Lloyd — Thu, 10 Mar 2005 11:36:22 +0000

I know this isn’t a forum, but given that someone might be viewing this and have an answer …

Can I do what Doug’s suggested using Mail.app accessing accounts on Yahoo? If *you* have done this, please let me know!

By: Roger H.

Roger H. — Sun, 06 Mar 2005 00:49:53 +0000

Thanks for the instructions.

I had been searching for a solution to having port 25 blocked by wireless hotspots, bt I also like the idea of securing my e-mail and ftp transmissions in general.

Unfotunately, whils I can create a tunnell into my domain, I cannot access either the POP server or the SMTP server. This may be because I host on a server farm, and the mailservers are actually at a different domain than my own, and I can’t get direct SSH access to them. Is there a way around this (for a not too proficient unix newbie)?

Thanks,

Roger

By: Jacques Distler

Jacques Distler — Thu, 03 Mar 2005 09:10:07 +0000

I don’t quite understand why you feel the need to tunnel your outgoing SMTP connection.

Either

1) Your SMTP server does not require any sort of authentication (it’s an “open relay”, and you should promptly switch providers, or it uses antiquated methods like “POP before SMTP”).

2) It uses SMTP Auth and provides “secure” authentication schemes, like CRAM-MD5 or DIGEST-MD5 (both of which are natively supported by Apple’s Mail client).

3) It uses SMTP Auth + TLS and uses a ‘cleartext’ authentication scheme, tunnelled over the TLS connection.

I’m hard-pressed to think of a provider that doesn’t fall into one of these three classes.

On the receiving end, again, “most” POP3 servers support either APOP authentication or POP3-over-SSL (both of which are supported by Apple’s Mail client). And most modern IMAP servers support SSL connections.

The biggest problem I’ve had doing mail over wireless is Port 25-blocking.

Mind you, I use SSH tunnelling for all kinds of other stuff (VNC, MySQL, …). Just not for mail …

By: Alex

Alex — Wed, 02 Mar 2005 05:43:10 +0000

Doug, thanks again for your helpful suggestions about outgoing SMTP emails through tunnels. I’ve been poking around for a while, but didn’t find a way to make outgoing SSH play nice with my server.

However, I (hopefully) found another solution for securing outgoing mail from my Powerbook. I downloaded a program called Postfix Enabler that allows you to set up your powerbook as its own localhost SMTP server. Not only this, but it creates local SSL certificates so that you can turn SSL on in your outgoing mail settings in Mail.

I’ve just sent a few emails using this method, and it seems to work quite well. Does anybody know if this is actually a reliable way of sending email securely? I’m not an expert at this stuff, so if anybody has any cautionary notes, I’d be glad to take heed. Thanks!

By: Potencia

Potencia — Sat, 26 Feb 2005 22:19:08 +0000

How can you ever feal secure once your data leaves your computer. Security died after 9-11-2001. The PATRIOT ACT killed it. What ever happened to the good old days of PGP?

By: Jessica Lopez

Jessica Lopez — Fri, 25 Feb 2005 21:16:53 +0000

Fantastic! Thanks for this great tutorial. I found it very interesting…

By: Ian Lloyd

Ian Lloyd — Wed, 23 Feb 2005 00:06:59 +0000

Doug, I’ve printed out everything here, read it thoroughly, yet I’m still confused. I understand the risks of using wireless, but I know so little about what I can and can’t do with my email that I don’t know if I can use any of the advice here. Basically, all of my web ‘ventures’ make (almost) zero money , and hence all my hosting is cheap and (sometimes) cheerful. I use Yahoo mail extensively, using the POP forwarding so I don;t have to use webmail. I’ve checked all the comments so far, but have not seen any mention of this kind of usage. Could I secure my wireless accesss at SXSW this year using this technique with Yahoo-based mail accounts? Please, if anyone can add any extra infor for this dullard right here it’d be appreciated!

By: Jauhari

Jauhari — Tue, 22 Feb 2005 05:27:10 +0000

With SSH it’s more secure. Great article

By: Sahil

Sahil — Mon, 21 Feb 2005 22:54:45 +0000

This does not work for me. I configure the tunnel as per the post (thanks for taking the time out to explain!) but keep being rejected at Mail’s password prompt. I know the password is correct because I can get in via webmail. The mail server does *NOT* allow plaintext passwords. But I figured setting the tunnel to connect to port 143 would not make a difference even though otherwise plaintext connections to 143 are rejected, because doesn’t the tunnel pre-authenticate? I tried to set a tunnel to 993 on the mail server, in which case I don’t even RECEIVE a password prompt.

So confused.

By: Rebecca

Rebecca — Fri, 18 Feb 2005 21:16:07 +0000

David: there definitely is a way to do this. I couldn't walk you through it myself, but look around out there.

By: mr_mojo

mr_mojo — Thu, 17 Feb 2005 22:00:36 +0000

Yes, that’s what I thought. I just didn’t see anything about the intermeditary in the article, I thought I misread it; and I did.

By: Douglas Bowman

Douglas Bowman — Thu, 17 Feb 2005 20:38:45 +0000

Thanks Joe H. You explained it better than I could. I was starting to wonder if I was going crazy. And to echo lots of comments above: yes, if you have the ability to use SSL for your connections, USE IT! Using SSL will secure mail all the way to your mail server. You don't need SSH, or SSHTM, or any of the steps in my original post if that's the case. My SSH server and my mail server happen to be on the same machine -- everything is self-contained on one box. So, [I think] in my case, I'm essentially getting the same extensiveness of security that SSL would provide. Other people may SSH into a different box than their mail server. As Joe says above, once past the SSH server, hopefully at that point, your mail is passing along on a trusted wired network, where sniffing isn't as much an issue, nor possible without root (or similar high-privilege) access to one of the destination or intermediary relay servers.

By: Joe H

Joe H — Thu, 17 Feb 2005 19:44:31 +0000

mr_mojo: Your interpretation of the tunneling is incorrect.

Here is what it should look like:
Mail client -> SSH Tunnel Manager RUNNING ON SAME COMPUTER (this provides a secure connection) -> Internet (still secure here) -> Other computer running sshd (daemon) -> Internet from other computer (insecure now, unless using SSL or similar) -> Mail server.

So essentially, you make a secure tunnel to some other machine. From then on, you are NOT secured unless using another secure connection like SSL to your mail server. SSH Tunnel manager does the job of opening the tunnel and securing the connection (with ssh). Once your laptop is connected to the other computer, you are basically using the other computer’s ports you specify as your own.

The key thing to get here is that we are NOT trying to get an end-to-end secure connection between the laptop on wireless and the mail server. We are ONLY concerned about going from the wireless connection to an intermediary (Other computer in this example, something you trust) securely. Once we are at the other computer, we should hopefully be on a wired connection that we can mostly trust to talk to our mailserver.

Using SSL, as proposed in many posts above, allows complete end to end security, but you wouldn’t need ssh tunnels if you could communicate that way.

SSH is only being used to secure your wireless communications from an untrusted wireless network where your traffic could be sniffed to a “secure” network that you yourself trust.

If you need some more explanation, I can draw up a little picture of what this looks like.