Frederik Questier

Use of encrypted ssh tunnels for mail, www and other services

by Frederik Questier on Mar.15, 2004, under HowTos


  • Encrypt your passwords and data traffic, e.g. on untrusted (WiFi) networks.
  • Avoid changing smtp servers when moving laptop between work and home.
  • Pass validation as a machine of your university/company/…

Setup of the tunnel

  • We will forward localhost ports over an encrypted tunnel through a ssh server (at our work/university/ISP/…) to our mail and proxyservers over there.
  • Choose your ssh-server as close as possible to your mail and proxyserver, or even better choose one of those two as the ssh-server if possible.
  • It’s easy to choose the local ports as { remote port + 10000 }
  • General example (one line):
      ssh -L 10080:proxyserver:80 -L 10025:smtpserver:25 -L 10110:popserver:110 -N sshserver -l your_username_on_sshserver
  • Example for my university (one line):
      ssh -L -L -L -N
  • UPDATE APRIL 2009: My University/VUB proxy server is dead. A proxyless solution can be constructed as follows:
      ssh -D 10080 -L 10025:smtpserver:25 -L 10110:popserver:110 -N sshserver -l your_username_on_sshserver
      ssh -D 10080 -L -L -N

Setup of the client programs

  • Mailclient: smtp host = localhost, port = 10025
  • Mailclient: pop host = localhost, port = 10110
  • Webbrowser
      With proxy: http proxy = localhost, port = 10080
      Without proxy: SOCKS host = localhost. port = 10080

Example of tunnel setup and Firefox (Iceweasel) web browser setup (click to enlarge):

Setup of tunnel and browser


  • This ssh encryption (actually encryption protocols can be chosen) is far superior to any WiFi WEP or WPA encryption.
  • Firewall your 10xx0 ports, otherwise bad people might be able to use your home machine to send spam through your company mailserver or access other info they are not entitled to.
  • This setup allows you to go through undesired firewalls blocking www, mail, or other services (imap 143, news 119, …, probably not ftp)
    • IF the ssh port is not blocked
    • and IF you have a valid ssh login.
  • Basically this allows you to use in a very secure way services that (probably for security reasons) are only available inside the organisation.
  • If the ssh-port is blocked somewhere in your path, you could setup ssh on any other non-firewalled port on some server inside your organisation ;-)
  • This method does not give you access to services you’re not entitled to, but you might need to consult the network policy of your organisation.

General considerations

  • Ofcourse one can tunnel much more than just mail and www.
  • Maybe stunnel could be used instead of ssh?
  • Above method is constructed on Linux with OpenSSH, but you find this OpenSSH or another SSH client (preferably command line) on most other decent Operating Systems (no, that does not include M$ Windows, see below).
  • ssh is standard available on Mac OS X and this is reported to work.
  • M$ Windows lacks a ssh client, but Windows users could have a look at OpenSSH for Windows, cygwin or Putty.
  • Test on a Sony-Ericsson P900 Smartphone: There is a putty client for Symbian, but it seems it does not (yet) support port forwarding.
  • Test on a Qtek 2200(?) PDA: There is a putty client for MS Windows Mobile Pocket PC, but it seems it does not yet support port forwarding.
  • UPDATE APRIL 2009: if you install the package “autossh – Automatically restart SSH sessions and tunnels” you can replace the ’ssh’ command in the above examples by ‘autossh’
  • You can avoid the need for passwords with ssh-keys:
      ssh-keygen -t rsa
      (enter empty passphrase)
      upload the generated ~/.ssh/ on your server at your server in .ssh/authorized_keys
Bookmark and Share:
  • Twitter
  • Facebook
  • LinkedIn
  • Diigo
  • Google Bookmarks
  • Technorati
  • Digg
  • Slashdot

1 Comment for this entry

  • Vitamin E

    I was once stuck in a hotel room in a foreign country on a business trip and it seemed like they were blocking my vpn connection. I contacted the company I was with and they easily helped me to restore my service. God I love my vpn service through the VPN Privacy Store. Its the best for my needs.

Leave a Reply

Looking for something?

Use the form below to search the site:

Still not finding what you're looking for? Drop a comment on a post or contact us so we can take care of it!