Secure POP3 Mail Checking from a Windows Machine


[Last modified: 28 July 2001]
I have a Windows machine as well as a LINUX machine.  I want to check my mail at world.std.com without transmitting my password (for the POP3 server) over the Internet.  I also want to be able to post mail, via SMTP, from out on the Internet.  Even though SMTP doesn't require a password, it is good system management practice to offer that service only to people logged in on your ISP.  With SSH, I can do both POP3 and SMTP through world.std.com, while connected to the Internet directly with a high bandwidth channel (e.g., in a hotel room or dorm room or conference facility).

For my LINUX machine, there is a web page giving instructions on how to use SSH to do mail checking, by mapping ports 25 (SMTP) and 110 (POP3) through SSH.  Since a password needs to flow over port 110, to get mail, SSH protects that password from eavesdropping.  This is especially valuable if you have a cable modem or DSL, where this password would be traversing the actual Internet.  [If you have a dial-up connection direct to your POP3 server, this is less of an issue because someone has to mount a more sophisticated attack to get at the contents of your transmission than if you were using the raw Internet.]  I followed the instructions on that web page on my LINUX machine and it worked just as advertised.

ssh.fi has produced a version of the SSH client for Windows machines.  I tried that client, using the instructions in the web page cited above, to get the same effect.  Even though I got warning messages from my SSH client (about world.std.com not using SSH2), it worked just fine.

First, I had to ``buy'' and install the SSH client.  I put ``buy'' in quotes because it's free for individual users (and a few others).

Then, I had to configure a profile for my ISP (world.std.com).  In that profile, I specified the port mappings as shown below:

The screen doesn't expand, so here's a screen shot with the horizontal slider to the far right:

Note: these screenshots are old. One must now (June 2003) connect port 25 to smtp.theworld.com and port 110 to pop.theworld.com. News is served by nntp.theworld.com.

Then I had to set up my copy of Eudora to get to this port.  I'm using Eudora 3.0.5, so my Options screen may look different from yours, but I hope it's easy to translate from mine to yours.

The key here is to use ``localhost'' where you would have used ``world.std.com''.

To actually use this, I open an SSH connection to world.std.com, log in and just leave it there, without typing anything. 

I then use Eudora's ^N and ^M commands (send new mail and read old mail) as usual (under the personality ``ssh'', if I have more than one personality defined).

When I'm done with sending and receiving mail, I log out.

[Note: The normal instructions for accessing mail remotely call for the user to issue the command ``pop on'' to enable access to the POP and SMTP servers from over the Internet.  By using an SSH tunnel, those accesses to ports 25 (SMTP) and 110 (POP3) appear to be coming from world.std.com itself, and are therefore not in need of the ``pop on'' mode.]

I originally thought that this would lead to double connect time charging, but it doesn't, for the same reason that this doesn't require turning ``pop on''.  So, the only problem is that you have to open an SSH connection before doing mail and close it afterward. I did forget to close it once, so far, and ended up with hours of connect time.  I don't see a solution to that problem, yet.

The SSH client from ssh.fi also installs command line commands.  It turns out you can use the command line command:

ssh2 -L 25:world.std.com:25 -L 110:world.std.com:110 zzz@world.std.com

(substituting your own login name, of course, in place of ``zzz'' :) in place of the window with its profiles and setup, if you prefer.


Network News

I wanted to try reading network news through the same SSH channel.  The proper command line argument for reading news is

-L 119:news.std.com:119
with corresponding changes in the GUI client.  As with the e-mail setup, you have to set your news reader up to fetch from ``localhost'' instead of ``news.std.com''.

If you want to engage in a session of news reading that may take a while and don't want to forget to close the SSH client when you're done (as I did once with e-mail), it looks like you can close the client (log out from the command line session) and SSH will tell you that there are forwarded ports open (namely, 119) and it will wait until you close that port.  When you do, it will close the SSH session.  I don't think you can do this with e-mail, however, because mail agents don't tend to leave either of the mail ports (25 or 110) open while the agent is up.

NOTE: when I first tried this, the GUI SSH client bombed out consistently while trying to download (in Netscape) the list of all available newsgroups.  It was getting an EOF and SSH was closing its tunnel.  I don't know why that happened.

I tried it with the command line (ssh2) client and got it working; then I went over to the GUI client and it has worked ever since.  My work-around, if this bombs out for you, is to switch to the command line ssh2 and see if that works.  I doubt that support@world.std.com could help you through this, since it's probably not their problem at all.
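As an added example (not code from the original page, and not the ssh.fi client's own syntax), here is a small POSIX shell wrapper that opens the same SMTP, POP3 and NNTP forwardings with a current OpenSSH client, using the June 2003 hostnames above.  It differs from the one-line ssh2 command in three ways a practitioner would want: the local ends are bound to 127.0.0.1 on unprivileged ports (1025, 1110, 1119 are arbitrary choices), so nothing on the LAN can ride the tunnel and no administrator rights are needed; -N replaces the idle login session; and a control socket lets you check the tunnel and close it later, which is a fix for the "forgot to log out" problem mentioned twice above.  The login name "zzz" and the socket path are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original page: a wrapper around OpenSSH
# that opens the tunnel the page describes, but loopback-only, on
# unprivileged ports, with a control socket so it can be torn down later.
# Assumptions: an OpenSSH client (ssh, not the ssh.fi ssh2 binary); the
# hostnames from the page's June 2003 note; local ports 1025/1110/1119 are
# arbitrary choices above 1024.

SSH_USER="zzz"                           # substitute your own login name
SSH_HOST="world.std.com"
CTRL_SOCK="$HOME/.ssh/mailtunnel.sock"   # control socket path (assumed location)

# Each entry is LOCALPORT:REMOTEHOST:REMOTEPORT, exactly as ssh -L expects.
FORWARDS="1025:smtp.theworld.com:25 1110:pop.theworld.com:110 1119:nntp.theworld.com:119"

# Expand FORWARDS into "-L 127.0.0.1:LOCAL:HOST:PORT" arguments. Pinning the
# bind address to 127.0.0.1 keeps the tunnel usable only from this machine;
# a bind to 0.0.0.0 would let anyone on the LAN reach the mail servers
# through your account.
forward_args() {
    for f in $FORWARDS; do
        printf '%s 127.0.0.1:%s ' "-L" "$f"
    done
}

# The command that opens the tunnel.
#   -N   no remote shell (the page leaves an idle login open; -N avoids it)
#   -f   go to background once authentication and the forwards are set up
#   ExitOnForwardFailure=yes  a local port already in use aborts the whole
#        command instead of leaving the mail client talking to the wrong thing
#   ControlMaster/ControlPath  later "ssh -O" calls can check or close it
tunnel_cmd() {
    printf 'ssh -N -f -o ExitOnForwardFailure=yes -o ControlMaster=yes -o ControlPath=%s %s%s@%s' \
        "$CTRL_SOCK" "$(forward_args)" "$SSH_USER" "$SSH_HOST"
}

tunnel_up()     { eval "$(tunnel_cmd)"; }

# Exit status 0 only if the master connection is alive.
tunnel_status() { ssh -o ControlPath="$CTRL_SOCK" -O check "$SSH_HOST" 2>/dev/null; }

# Ask the master to quit; this closes every forwarded port at once, so a
# tunnel left open by mistake does not keep running up connect time.
tunnel_down()   { ssh -o ControlPath="$CTRL_SOCK" -O exit "$SSH_HOST" 2>/dev/null; }

case "${1:-}" in
    up)     tunnel_up ;;
    down)   tunnel_down ;;
    status) tunnel_status ;;
    show)   tunnel_cmd; echo ;;
esac
```

Run `sh mailtunnel.sh up` before starting the mail or news reader, point the reader at localhost port 1110 (POP3), 1025 (SMTP) and 1119 (NNTP) instead of the real server names, and run `sh mailtunnel.sh down` when finished; `show` prints the ssh command without running it, which is a convenient way to check the forwardings before trusting them with a password.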


Enjoy,

 - Carl Ellison; cme@acm.org