Tue, 25 Dec 2007
I often find myself on what I would call "hostile" networks: They allow only very limited Internet access, like by blocking port 25 so I can't connect to my mail server. Maybe for you, you're never on filtered Internet access, but your home ISP doesn't let you send mail out when you're not at home, but you want to send email directly from your laptop anyway.
Just do what I do! Let me explain.
- inetd listens on port 125
- Connections to it go through an SSH tunnel that executes "nc localhost 25" on some mail server
- (Optional) A real MTA runs on the laptop, so that I can send mail when offline; when mail delivery fails temporarily, Postfix queues the message until I get back online.
- Easy. Apps can be configured to use localhost port 25 (or port 125) with no password.
- Correct: Postfix (when using 25) handles sending mail when offline, and reattempts delivery for me.
- Secure: Encryption all the way through the network, with the icing on the cake that this all looks like SSH, so nosy networkers near your laptop can't even see that's what you're doing.
Implementation in Three Steps
Step 1: ssh tunnelThis is the hardest part. To make things simple, I create a dedicated user on each end.
On the remote server (server)
[me@laptop] $ ssh me@server [me@server] $ sudo adduser tunnelendpoint [me@server] $ sudo su - tunnelendpoint [tunnelendpoint@server] $ mkdir .ssh
On the local machine (laptop)
[me@laptop] $ sudo adduser tunnelclient [me@laptop] $ sudo su - tunnelclient [tunnelclient@laptop] $ ssh-keygen -t rsa # make it passwordless [tunnelclient@laptop] $ cat .ssh/id_rsa.pub | ssh tunnelendpoint@server 'mkdir -p .ssh ; chmod 0700 .ssh ; cat >> .ssh/authorized_keys'
On the remote server
[me@server] $ sudo su - tunnelendpoint [tunnelendpoint@server] $ nano -w .ssh/authorized_keysYou'll see a key that starts with "ssh-dss". Before that, add this string and leave a space before "ssh-dss":
command="nc localhost 25",no-X11-forwarding,no-agent-forwarding,no-port-forwarding
(Note: "nc" is in the netcat package.)
On the local machine (laptop)
[tunnelclient@laptop] $ ssh tunnelendpoint@server 220 rose.makesad.us ESMTP Postfix (Debian/GNU): "every tragedy is a beauty that has passed"
Hooray! If you see a reply like mine that starts with "220", then all is well.
You're done with the hard part. Now the easy parts.
Step 2: inetd
[me@laptop] $ sudo aptitude install openbsd-inetd
Now edit /etc/inetd.conf to have this line:
127.0.0.1:125 stream tcp nowait tunnelclient /usr/bin/ssh -q -T tunnelendpoint@server
Now restart the inetd (sudo /etc/init.d/openbsd-inetd restart) and test it:
[me@laptop] $ telnet localhost 125 220 rose.makesad.us ESMTP Postfix (Debian/GNU): "every tragedy is a beauty that has passed"
Step 3: Postfix (optional)
This is my favorite part, but it's only necessary if you plan to send email when you're not connected to the Internet.
Just install Postfix, and add this to /etc/postfix/main.cf:
relayhost = 127.0.0.1:125
Restart Postfix and you should be set. Try sending some mail!
I was inspired by a Debian Administration post, except I had my own ideas about the best way to do it. I still like my way best.
One problem with the above approach is that it requires root on "server". It would be possible to do the ssh tunnel thing without using a separate "tunnelendpoint" account, but instead to add that key to your regular username.