In this eighth part of a nineteen-part article series on advanced topics in SSH, you'll learn about the e-mail program Pine, IMAP authentication, and how to handle it all through the secure shell. This article is excerpted from chapter 11 of the book SSH, The Secure Shell: The Definitive Guide, Second Edition, written by Daniel J. Barrett, Richard E. Silverman and Robert G. Byrnes (O'Reilly; ISBN-10: 0596008953).
11.3 Pine, IMAP, and SSH
Pine is a popular, Unix-based email program from the University of Washington (http://www.washington.edu/pine/). In addition to handling mail stored and delivered in local files, Pine also supports IMAP* for accessing remote mailboxes and SMTP† for posting mail.
In this case study, we integrate Pine and SSH to solve two common problems:
In many cases, IMAP permits a password to be sent in the clear over the network. We discuss how to protect your password using SSH, but (surprisingly) not by port forwarding.
Restricted mail relaying
Many ISPs permit their mail and news servers to be accessed only by their customers. In some circumstances, this restriction may prevent you from legitimately relaying mail through your ISP. Once again, SSH comes to the rescue.
We also discuss techniques to avoid Pine connection delays and facilitate access to multiple servers and mailboxes, including the use of a Pine-specific SSH connection script. This discussion will delve into more detail than the previous one on Pine/SSH integration. [4.5.3]
11.3.1 Securing IMAP Authentication
Like SSH, IMAP is a client/server protocol. Your email program (e.g., Pine) is the client, and an IMAP server process (e.g., imapd) runs on a remote machine, the IMAP host, to control access to your remote mailbox. Also like SSH, IMAP generally requires you to authenticate before accessing your mailbox, typically by password. Unfortunately, in some cases this password is sent to the IMAP host in the clear over the network; this represents a security risk (see Figure 11-8).‡
Figure 11-8.A normal IMAP connection
There’s no longer any good reason for this. Years ago, security options were rarely available in IMAP software; these days, however, they’re common and should be used! There are standard ways to secure IMAP traffic using SSL or Kerberos. With SSL, the entire IMAP session is protected, so even plain password authentication can be used relatively securely. Kerberos can provide secure authentication and singlesignon with or without session encryption; for example, the Apple Mail client implements both. Pine uses Kerberos only for authentication, not encryption—but you can combine Kerberos with SSL to get both single-signon and privacy. Note the power of having multiple independent and standards-based options available!
Nonetheless, it is still all too common to encounter IMAP servers with no security features; here, we show you how to address this problem with SSH.
If your mail server is sealed—that is, your only access to it is via the IMAP protocol—then there’s nothing you can do to improve security using SSH. However, if you can also log into the IMAP server host via SSH, you have options. Because IMAP is a TCP/IP-based protocol, one approach is to use SSH port forwarding between the machine running Pine and the IMAP host (see Figure 11-9). [9.2.1]
Figure 11-9.Forwarding an IMAP connection
However, this technique has two drawbacks:
On a multiuser machine, any other user can connect to your forwarded port. [188.8.131.52] If you use forwarding only to protect your password, this isn’t a big deal, since at worst, an interloper could access a separate connection to the IMAP server having nothing to do with your connection. On the other hand, if port forwarding is permitting you to access an IMAP server behind a firewall, an interloper can breach the firewall by hijacking your forwarded port, a more serious security risk.
In this setup, you must authenticate twice: first to the SSH server on the IMAP host (to connect and to create the tunnel) and then to the IMAP server by password (to access your mailbox). This is redundant and annoying.
Fortunately, we can address both of these drawbacks and run Pine over SSH securely and conveniently.