Securing POP mail access in MacOSX

I always worry about my website. Security is serious stuff, and you really can't be too careful. I don't enable telnet, rlogin and use long, complicated passwords with ssh and so on. I use a shared webserver ( that allows me virtual root access, and I fortunately don't have to worry about things like sendmail; Interland keeps on top of that sort of thing for me.

But one glaring hole is POP access for mail. I could install pop3s but then that's just one more thing to keep up with for security patches, and because that's not part of the standard services Interland provides, it would be mine to maintain.

Instead, I decided to tunnel POP through ssh. This doesn't require changing anything at the server - it still thinks it is just running plain old POP3 and has no idea it is running over a secure tunnel. I can set up the tunnel without using sudo or root, which is more convenient.

There are some disadvantages to this approach. Whle it is possible to set up ssh to use more advanced authentication like Kerberos, it isn't at all easy, and requires changes at the server end that you might not be able to do. The default authentication (public/private keypairs) is a bit easier to set up (see but it is going to require that you type a password or passphrase at least once when you start the tunnel.

For my purposes, that's a small disadvantage. I use a Mac iBook, and when I'm not using it, it's just asleep: I seldom logout or reboot it. All I need to do is either remember to start the tunnel, or have it startup when I first login. I don't bother with starting it automatically because I logout so infrequently it's just not necessary, and I don't need the automation. Besides, I have to type the passphrase anyway, and I'd rather do that on my own terms. I don't generally have much that starts up for me automatically: I do that kind of thing for other people, but I like to control my own startup files. When and if some strange problem develops, it's best NOT to have a bunch of stuff firing off by itself.

So, the first task is to create a tunnel. Ssh has command line switches to do that, and a quick check of the man page (you thought I remembered this stuff?) brought me to:

ssh -L -l mylogin  -N

That tells ssh that I want a tunnel to using the user name "mylogin" (-l mylogin), that I don't want to execute a command (-N), that I want to connect to the pop3 port at using port 1110 here (-L The choice of 1110 for the local port is entirely arbitrary: it has to be above 1024 (because only root is allowed to use the low ports) and it has to be presently unused.

Next, we need to change the mail application. In Mac, that's easy: just go to Preferences, Accounts, Account Information, and change the incoming mail server to "localhost". Also click Advanced, and change the port number to 1110 (it looks like there is only space for 3 numbers but you can type in 1110). That's it: when it next goes to get mail, it will connect to port 1110, which ssh will forward to port 110 at the mailserver, and everything happens over an encrypted connection.

It doesn't quite work, though.

Here's the problem: for various reasons, the other end of the connection is going to drop the link every now and then. When it does so, the ssh tunnel at this end dies. There's also the problem unique to sleeping: the other end gives up because this end just goes away.. but the ssh process here has no idea that happened.

So, we need a little script instead. I call mine "startmail", and it's just this:

while true
ssh -L -l mylogin  -N

Not much to it. But this introduces another problem: ssh needs my password every time it starts this tunnel up again. I don't want to keep typing that long, nasty password all day long. So instead, I will use ssh-agent. The procedure for setting that up is covered more completely at , but once set up, I just need a simple script that I call "agent" to get going:

ssh-agent /bin/bash --init-file ~/.ssh_bash_start

The .ssh_bash_start file is this:

. ~/.bashrc

The invocation of ssh-add asks for my passphrase, which still isn't fun to type, but I'm only going to have to do that once: from then on, ssh-agent will manage any ssh sessions in this shell and I won't get bugged every time the tunnel restarts. So after running "agent", I run "startmail" and then everything is set until I logout or reboot (sometime next month or the month after..).

There are, of course, other ways to do this. There are commercial and shareware programs that allow you to create tunnels that you can set and forget. As usual, I'd rather control things myself.

See also Spamassassin on Mac OS X

Got something to add? Send me email.

(OLDER) <- More Stuff -> (NEWER)    (NEWEST)   

Printer Friendly Version

-> -> Securing POP mail access in MacOSX

Increase ad revenue 50-250% with Ezoic

More Articles by

Find me on Google+

© Tony Lawrence

ENO: Instead of typing your password over and over again you can use SshPassKey, a little tool ssh talks to to get its password. SSHPAsskey uses the keychain to store your password so it is as secure as the other stuff there.

Give it a whirl, I found this tool invaluable to deal with CVS for example.

There's a much easier way of sending ssh to the background. Just pass the -f flag and it will fork, e.g. ssh -f -N .
To keep the connection up all the time, use autossh -

Kerio Connect Mailserver

Kerio Samepage

Kerio Control Firewall

Have you tried Searching this site?

Unix/Linux/Mac OS X support by phone, email or on-site: Support Rates

This is a Unix/Linux resource website. It contains technical articles about Unix, Linux and general computing related subjects, opinion, news, help files, how-to's, tutorials and more.

Contact us