Secure wireless email on Mac OS X
Wireless hotspots have blossomed in recent years and have become popular spots for businessmen, executives, working-class people, students and even veterans to surf the web and to read and send email. Cafes, restaurants, shopping complexes and many other public venues provide wireless hotspots to lure visitors. The majority of these public wireless networks are configured with the lowest security settings to give visitors trouble-free, ultra-convenient connections. People equipped with wireless-capable notebook computers and PDAs make heavy use of this convenience. While they are enjoying their coffee and communicating wirelessly, little do they know that someone could be eavesdropping on their digital conversation.
When you are connected to a public wireless network, anyone with some technical knowledge can easily watch you send your username, password, messages and essentially everything else you send or receive. This is like someone overhearing your conversation in a public area. With a packet sniffer, anyone with a little computer knowledge can effortlessly intercept the wireless signal going to and coming from your computer without you knowing it.
How? Computers that communicate with each other over a network send and receive information in the form of packets. A packet's header contains information about the origin and destination of the packet, including the IP addresses of both sender and recipient. The body contains the data. When packets are transmitted wirelessly, anyone within wireless range can intercept them without any difficulty and without you knowing it. These data packets travel freely through the air in clear text. There is also no indication that the packets have been intercepted or received by computers other than the intended recipient. It is just like talking to your friend in a cafe with many strangers around you. Everyone, including your friend, can listen to your conversation. The only difference is that the listeners are not necessarily sitting near you. They can be in another room or anywhere else, as long as they are within wireless range.
They can receive, save and analyze packets to obtain your username and password and use them against you. The next terrible fact you need to know is that packets can be intercepted even on a wired network. As long as the perpetrators are on the same network as you, they can easily intercept your packets using any sniffer software.
SSH tunneling
When an email client sends or receives messages to and from your email server, these messages, including your username and password, are in clear text and not encrypted.
How can we secure our wireless email? One easy way to do it is to tunnel your email access through SSH (Secure SHell). SSH is the standard for secure file transfer and remote logins over the internet. All traffic including terminal emulation and X11 traffic is encrypted with public key cryptography. It also supports tunneling and forwarding arbitrary TCP ports.
Essentially, anything that passes through SSH will be encrypted and will appear garbled and meaningless to human eyes. Through SSH tunneling and port forwarding, all incoming and outgoing email, as well as the username and password used to access your email, will be encrypted.
In this article, I am going to show the steps to configure SSH tunneling on Mac OS X. I assume you have already set up public and private RSA or DSA keys for SSH. Although it looks a little tricky, setting up these keys can be as simple as executing a few Terminal commands. I will skip this part.
Port forwarding
An email client typically uses POP, which usually travels over port 110, to receive email. Sending email via SMTP uses port 25. This process of sending and receiving email needs to be redirected through the SSH tunnel to take advantage of its security. This is done by using port forwarding.
Setting up and controlling the SSH tunnel is done through Terminal with long command-line instructions that intimidate users. Fortunately, some programmers have developed small applications that handle this job with an easy-to-use GUI.
SSH Tunnel Manager

There is a free Mac OS X utility called SSH Tunnel Manager (STM). It is a convenient GUI utility that lets you create an SSH tunnel between your SSH server and your email client. It is simple to configure once you understand ports, forwarding and SSH tunnels. Once configured, it can connect the tunnel automatically each time you log in to your Mac OS X user account.
On Linux, there is Gnome SSH Tunnel Manager (gSTM), which appears to perform a similar task.
STM setup
Download and install STM to your Applications folder. Launch STM. You will see STM’s main window (SSH Tunnels). Click Configuration to add a new tunnel. A preference window will appear. Click the [+] button below the tunnel list. Enter the name of this tunnel, your ssh username, password and your ssh server location. The standard ssh port is 22. Most likely your ssh server uses port 22 as well.

Next, you will need your mail host and port number. In my case, my mail host is mail.adrianhoe.com, POP port is 110 and SMTP port is 25.
Then you’ll also need to configure a unique local port number to correspond to the server’s port number for each connection you want to make. For instance, you can redirect POP’s port 110 to local tunnel port 1100. In my case, I added another 0 to 110. Similarly, I added 00 to 25 for my SMTP tunnel. Remember, the local ports must be greater than 1023 and should not conflict with anything else running on your local machine.
In this case, my POP and SMTP ports (110 and 25) are tunneled through ports 1100 and 2500 on adainmotion.com respectively. You can use a local IP as your ssh host.
Since you want to redirect through the tunnel locally on your computer, you’ll use Local port forwarding. In the preference window under Local redirections, click the [+] button to add new port forwards. Your unique local port goes on the left, then your remote mail host, followed by your mail port number on the right.
The last thing you need to do is click on the “Options” button on the lower right of the preference window. Make sure the “Auto connect” option is checked. Other options and the command-line instruction are available in this drawer:

Close the preference window. You’ll see your new tunnel in the main STM window. Click on the grey start button to connect. After a few seconds, you’ll be asked to enter the password for your ssh account if a password is required to authenticate. Enter your password and you should be connected to your tunnel.
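The tunnel configured above corresponds to one OpenSSH command with two -L forwards. As an added example (not from the original article and not STM's own code), this script validates the local ports and prints that command; SSH_USER is a placeholder, and the lsof conflict check assumes lsof is installed.

```sh
#!/bin/sh
# Added example: command-line equivalent of the tunnel set up in STM.
SSH_USER="youruser"            # placeholder, not from the article
SSH_HOST="adainmotion.com"     # ssh server used in the article
MAIL_HOST="mail.adrianhoe.com" # mail host used in the article

# A local forward port must be numeric, above the privileged range (>1023)
# and inside the 16-bit port space.
valid_local_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -gt 1023 ] && [ "$1" -le 65535 ]
}

# Returns 0 if something already listens on the local TCP port (a conflict).
# If lsof is missing this reports "not in use".
port_in_use() {
    lsof -nP -iTCP:"$1" -sTCP:LISTEN >/dev/null 2>&1
}

# Print the ssh command for a list of "localport:remoteport" pairs.
# -N: forwarding only, no remote shell. -L listens on localhost by default,
# so other machines on the hotspot cannot connect to the forwarded ports.
build_tunnel_cmd() {
    cmd="ssh -N"
    for pair in "$@"; do
        lport=${pair%%:*}
        rport=${pair##*:}
        valid_local_port "$lport" || { echo "bad local port: $lport" >&2; return 1; }
        if port_in_use "$lport"; then
            echo "warning: local port $lport is already in use" >&2
        fi
        cmd="$cmd -L $lport:$MAIL_HOST:$rport"
    done
    echo "$cmd $SSH_USER@$SSH_HOST"
}

# POP 110 -> local 1100 and SMTP 25 -> local 2500, as in the article.
# Only the leg from your computer to the ssh host is encrypted by the tunnel;
# the ssh host still speaks plain POP/SMTP to the mail host.
build_tunnel_cmd 1100:110 2500:25
```

Run the printed command in Terminal to open the same tunnel without STM; it stays in the foreground until interrupted.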

Email client setup
The last thing you need to configure is your email client. Before you can take advantage of SSH tunneling, the settings of your email client have to be tweaked slightly. The following steps are specific to Apple’s Mail application. It is possible to make similar changes in other email clients.
Open Mail’s preferences and go to Account. Under Account Information, change “Incoming Mail Server” to localhost.

Click on “Server Settings” under Outgoing Mail Server (SMTP). Change “Outgoing Mail Server” to localhost and “Server port” to 2500.

Lastly, click the “Advanced” tab. Change “Port” to 1100. Save your changes and quit Mail.

You’re done!
Launch STM and allow it to connect automatically, or click the grey start button to connect the tunnel manually. Once the tunnel is connected, you’ll see a green button beside your tunnel name. Launch Mail. Assuming everything has been configured correctly and is working, your email should automatically be encrypted, garbled and safe from prying eyes on the same wireless network.
If your mailbox in the Inbox is greyed out, Mail cannot connect to local ports 1100 and 2500. Check whether STM is running and your tunnel is connected. If your computer shuts down or goes to sleep, the tunnel will be disconnected. A brief outage of the wireless connection will destroy the tunnel as well. In this case, reconnect the tunnel.
You can configure Mac OS X to launch STM each time you log in to your user account. On the dock, right-click the STM application icon and make sure “Open at login” is checked.
That’s it. You have just protected your email from wireless sniffing. These steps should help keep your email more private than you think it was.