How to tunnel a connection to IMAP using SSH on Mac OS X

Hi to all,

I'm looking for a free and open source solution to allow me to connect to an IMAP server through a tunnel.

Server would be a Mac or Ubuntu box (preferably Mac since my Ubuntu box cannot be woken up at a distance).

I read the simplest way would be to allow SSH access to the server and to let traffic pass through this tunnel.

However, I have no idea about how I could actually make IMAP traffic pass through this SSH tunnel.

Only IMAP should go through this tunnel, since a home connection is far too slow to pass anything else, and downloading and uploading messages through IMAP is not that time-sensitive.

As such, Mail will likely be the only software to use this tunnel once it's open.

What software should I place "between" Mail and the SSH server?

2GHz MacBook unibody (reliable! At last!), Mac OS X (10.6), iPod Touch 2G 8GB (JB'ed but leaking RAM)

Posted on Sep 11, 2009 6:19 PM

4 replies

Sep 11, 2009 6:40 PM in response to cubytus

The short answer to your question is that you should be able to do what you want with just the built-in software in your computers. Ssh can do the tunneling for you.

The syntax of the Terminal command is:

ssh -L <port 1>:<server 1>:<port 2> <user>@<server 2>

where
Port 1 is the port number on your local Mac that you should connect to.
Server 1 is the name of the server that's running IMAP.
Port 2 is the port on server 1 that IMAP is using.
User is the user to log into on server 2.
Server 2 is the name of the server you want to ssh to. It must have access to port 2 on server 1.

If your ssh and imap server are the same machine you can use localhost as server 1.

For example use:
ssh -L 993:imap.company.com:993 myserver.company.com
to open a tunnel from port 993 on your Mac to 993 on imap.company.com via myserver.company.com

In Mail, specify localhost as the IMAP server and 993 for the port.

Using ssh in this way will open a shell to your server in the usual ssh way. The tunnel will disconnect when you log off. If you want to use a Mac for your ssh server, enable Remote Login in its System Preferences.

I hope this helps.

Sep 12, 2009 1:53 PM in response to deh2k

I did as you wrote, adapting to my case.

Syntax was:
sudo ssh -L 143:exchange.my_college.ca:143 crabett@m-net.arbornet.org (There's no SSL for this IMAP server)

I set up an Arbornet account for the trial; since it's outside the college's network, it should be able to connect to its IMAP.

In the Terminal window, each time I try to connect to the IMAP account, I get this error:

channel 3: open failed: administratively prohibited: open failed.

I guess it has something to do with the IMAP server needing authentication. Shouldn't Mail pass username/password?

As a side note, as I understand your post, I would always need to connect the SSH tunnel before synchronizing the IMAP server.

That's not what I want to do. I want to connect the SSH tunnel on demand and synchronize the mailboxes transparently (i.e. without changing a setting), then disconnect the tunnel as soon as it's not needed anymore.

Message was edited by: cubytus

Sep 12, 2009 5:24 PM in response to deh2k

In fact, AllowTcpForwarding is set to "no" in the /etc/ssh/sshd_config file.

I saw that some users put a sshd_config file in their home directory; I guess the M-Net server won't use it, as it could be a security issue?

Does a better way to connect to this Exchange IMAP exist? Like a VPN that would only forward one host?

In such a case, what solution would be advisable?
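
An added example, not part of any post in this thread: a shell function that reads sshd_config text and reports whether a local forward like the one attempted above would be refused, which is what produces the "administratively prohibited" message when AllowTcpForwarding is "no". The host imap.example.org and the sample config are constructed; Match blocks, Include files and PermitOpen wildcards are not handled.

```sh
#!/bin/sh
# Added example, not from the thread. Reads sshd_config text on stdin and says
# whether `ssh -L <lport>:<host>:<port>` may reach <host>:<port>.
# Assumptions: global section only (stops at the first Match block), no
# Include handling, PermitOpen entries compared literally (no wildcards).

# Usage: forward_allowed <host> <port> < sshd_config
# Prints "allowed" or "denied: <reason>"; exit status is 0 only when allowed.
forward_allowed() {
    awk -v want="$1:$2" '
        /^[ \t]*#/ { next }                    # comment line
        { sub(/=/, " ") }                      # accept "Keyword=value"
        NF == 0 { next }
        { key = tolower($1) }                  # keywords are case-insensitive
        key == "match" { exit }                # per-user overrides not modelled
        # sshd keeps the FIRST value it obtains for each keyword.
        key == "allowtcpforwarding" && fwd == "" { fwd = tolower($2) }
        key == "permitopen" && !seen_po {
            seen_po = 1
            for (i = 2; i <= NF; i++) po[tolower($i)] = 1
        }
        END {
            if (fwd == "") fwd = "yes"         # OpenSSH default
            if (fwd == "no" || fwd == "remote") {
                print "denied: AllowTcpForwarding " fwd
                exit 1
            }
            w = tolower(want)
            if (seen_po && !("any" in po) && !(w in po)) {
                print "denied: PermitOpen does not list " want
                exit 1
            }
            print "allowed"
        }'
}

# Constructed sample mirroring the setting reported in the thread; the second
# AllowTcpForwarding line is ignored because the first one wins.
sample_config() {
    cat <<'EOF'
# constructed sample, not the real server file
Port 22
AllowTcpForwarding no
AllowTcpForwarding yes
EOF
}

sample_config | forward_allowed imap.example.org 143 || true
```

On a server you administer, `sshd -T` prints the effective configuration in the same keyword-value form and can be piped into the function.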
