Anders Andersen


POP and SMTP over ssh with launchd

Submitted by aa. on 2005-05-28 11:01 PM. Mac
A short description of how to connect to your POP and SMTP server using ssh and launchd

Tiger includes a new daemon called launchd. It replaces several traditional Unix tools like cron and inetd (see what hubertf thinks about the format of all these new configuration files :-). Since I bought my PowerBook (3 years ago) I've been using inetd (actually xinetd, see the xinetd.d/pop3 and xinetd.d/smtp files used in this setup) to set up an ssh tunnel to my local smtp and pop server. Why? When I'm traveling my experience is that ssh works from every network I get access to. Our pop server does not accept connections from remote machines (computers outside our local network), and our smtp server will not relay email from remote machines. If I create an ssh tunnel to the server and on the server redirect the connection to the pop or smtp service, then this connection is considered a local connection and the services accept the request. Another reason is that my emails are transferred over an encrypted connection. When I upgraded to Tiger I had to replace xinetd with launchd. This was also a good excuse to present my setup on my blog.

OK, let me explain my setup. I will call my PowerBook the client (the box running the email client) and my pop/smtp server the server. It is easy to adapt this setup when the pop and smtp services are hosted on different servers. If you don't have an account on the server (where you can install new public ssh keys) it is also possible to use an intermediate server where you have an account and from which it is possible to create direct pop and smtp connections to the server. Obvious stuff is ignored in the steps below (e.g. when to use sudo, firewall settings and so on).

  1. As root, generate a new pair of ssh keys. I generated one called popkey and one called smtpkey (no passphrase on either of them):
    ssh-keygen -t dsa -f popkey
    ssh-keygen -t dsa -f smtpkey
    
  2. Copy the public keys (popkey.pub and smtpkey.pub) to the server.
  3. Append the public keys to the authorized keys file on the server:
    cat popkey.pub >> .ssh/authorized_keys2
    cat smtpkey.pub >> .ssh/authorized_keys2
    
    You should try to log in from the client to the server using these keys now. First of all to test that it works, but also to answer the one-time question about the authenticity of the remote host (since it might not be in the known_hosts file on the client). Run these two commands twice. The last time you should log in directly without any questions (replace user with your username on the server and server with the name of your server):
    sudo ssh -i /private/var/root/.ssh/popkey user@server
    sudo ssh -i /private/var/root/.ssh/smtpkey user@server
    
  4. Redirect the ssh connections to the server when these keys are used. A connection to the server with the popkey is redirected to port 110 (pop3) and a connection to the server with the smtpkey is redirected to port 25 (smtp). This is done by inserting a command in front of the key in the authorized keys file. My server is a NetBSD machine with the socket command (other options, like netcat, exist). With the socket command the following is inserted in front of the public popkey (in front of ssh-dss) in the authorized keys file:
    command="socket 127.0.0.1 110"
    
    You might also have to add some options (e.g. no-X11-forwarding,no-agent-forwarding,no-port-forwarding). The complete line will then look like this (ignore line breaks, and AAAA is the first 4 characters of the public popkey):
    command="socket 127.0.0.1 110",no-X11-forwarding,no-agent-forwarding,no-port-forwarding ssh-dss AAAA...
    
  5. On the client copy the keys (popkey and smtpkey) to the ssh directory of root:
    cp popkey popkey.pub smtpkey smtpkey.pub /private/var/root/.ssh/
    
  6. Create the launchd plist files for pop3 and smtp in the /Library/LaunchDaemons directory. See the following examples: pop3.plist, smtp.plist (replace user and server with your username on the server and the server name). After the files are created you can launch the services with the launchctl command (you might have to unload earlier configurations of these services):
    launchctl load /Library/LaunchDaemons/pop3.plist
    launchctl load /Library/LaunchDaemons/smtp.plist
    
  7. Test the ssh tunnels:
    telnet localhost 110
    telnet localhost 25
    
    The first command will give you the POP server prompt. A typical example (different pop servers will provide different prompts):
    +OK Qpopper (version 4.0.5) at server starting.  <18105.1117318194@server>
    
    Just type QUIT followed by return. Then try the second telnet command. This might give a prompt like this:
    220 server ESMTP Sendmail 8.11.6p3/8.11.6; Sun, 29 May 2005 00:14:48 +0200 (CEST)
    
    Type QUIT again. Your setup is working.
  8. Configure your mail client to use this setup. This is done by naming the pop server and the smtp server localhost in the mail client configuration.
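The post links to its pop3.plist and smtp.plist but the files themselves are not on this page. The script below is an added example, not the author's own plist files: it generates a LaunchDaemon plist of the kind step 6 describes (launchd listens on a local port in inetd-compatibility mode and hands each accepted connection to ssh, whose forced command on the server completes the tunnel), and it includes a small check for the authorized_keys entries from step 4, so you can confirm every tunnel key really carries a forced command and the three no-*-forwarding restrictions. The label org.example.pop3, the sample key lines and the user/server placeholders are constructed for the example; the key paths are the ones used in the post.

```shell
#!/bin/sh
# Added example: generate a launchd tunnel job and audit authorized_keys
# entries. Not the blog's pop3.plist/smtp.plist; labels and sample key
# lines below are constructed for illustration.

# tunnel_plist LABEL LOCAL_PORT KEYFILE USER SERVER
# Prints a LaunchDaemon plist. launchd binds LOCAL_PORT on 127.0.0.1 only
# (so other hosts cannot reach the tunnel) and, because Wait is false,
# starts one ssh per accepted connection with the socket on stdin/stdout.
# BatchMode=yes makes ssh fail instead of hanging on a prompt, which is
# why step 3 populates known_hosts up front.
tunnel_plist() {
    label=$1; port=$2; key=$3; user=$4; server=$5
    cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>${label}</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/bin/ssh</string>
        <string>-q</string>
        <string>-T</string>
        <string>-o</string>
        <string>BatchMode=yes</string>
        <string>-i</string>
        <string>${key}</string>
        <string>${user}@${server}</string>
    </array>
    <key>Sockets</key>
    <dict>
        <key>Listeners</key>
        <dict>
            <key>SockNodeName</key>
            <string>127.0.0.1</string>
            <key>SockServiceName</key>
            <string>${port}</string>
        </dict>
    </dict>
    <key>inetdCompatibility</key>
    <dict>
        <key>Wait</key>
        <false/>
    </dict>
</dict>
</plist>
EOF
}

# check_forced_key_line LINE
# Returns 0 when an authorized_keys entry starts with a forced command and
# carries all three restrictions from step 4, 1 otherwise. A passphrase-less
# key that lacks these would be a general-purpose login key, not a tunnel.
check_forced_key_line() {
    line=$1
    case "$line" in
        command=*) ;;
        *) return 1 ;;
    esac
    for opt in no-X11-forwarding no-agent-forwarding no-port-forwarding; do
        case "$line" in
            *"$opt"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample entries (AAAA... stands in for the key material).
good='command="socket 127.0.0.1 110",no-X11-forwarding,no-agent-forwarding,no-port-forwarding ssh-dss AAAA... pop tunnel'
bad='ssh-dss AAAA... unrestricted key'

tunnel_plist org.example.pop3 110 /private/var/root/.ssh/popkey user server
check_forced_key_line "$good" && echo "restricted: ok"
check_forced_key_line "$bad" || echo "unrestricted key found: $bad"
```

Redirect the output of tunnel_plist to /Library/LaunchDaemons/pop3.plist (and run it again with port 25 and smtpkey for smtp.plist) before the launchctl load in step 6. Two caveats for anyone reproducing this today: authorized_keys2 is a legacy file name, and ssh-dss keys have been refused by default since OpenSSH 7.0, so on a current system generate the tunnel keys with ssh-keygen -t ed25519 and append them to .ssh/authorized_keys; the forced-command line and the plist are otherwise unchanged.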

May 29 2005 (aa)
