I recently heard of a scenario where an individual was able to “sniff” or
listen in on the wireless network traffic within range and, from that, determine
the account name, server and passwords of everyone who
happened to check email while he was looking.
And every time you use public internet facilities and hotspots, you may be at risk.
The simplest solution is to use webmail, making sure that it’s on a
secure “https” connection. That’s encrypted and safe from any sniffers that
happen to see it.
Enter “SSH Tunneling”.
Now, one of the requirements for SSH tunneling is that you have SSH (Secure
SHell) access to your mail server. If you do not (and if you don’t know, you
probably don’t), you can stop reading now. Check with your ISP if you like, to
see if you can get it, but this technique relies on SSH being available on your
The good news is that once you have SSH access, there’s no further
In short, the technique works like this:
- Using your SSH client or other tools, set up a “tunnel” from ports 25 and
110 on your machine to those same ports on your mail server. This does require
that the client or tool be kept running.
- Configure your mail client to send to and fetch from “localhost” instead of
your mail server.
That’s really all there is to it.
Let’s walk through the details for Windows users.
Start by grabbing the free SSH client and tools called PuTTY. Get the ZIP file that contains all the tools,
because we’ll be using more than just the PuTTY client.
One of the tools is called “plink”. In a command shell, run the
plink -v -L 110:mailserver:110 -L 25:mailserver:25 -2 you@mailserver -N -pw yourpassword
- -v: verbose – optional, but it will show you what plink is
doing while it sets up the tunnel and for as long as the tunnel is active.
- -L 110:mailserver:110: defines a tunnel of port 110 on
your local machine to go to port 110 on the mailserver. Port 110 is the POP3
mail service. You would replace “mailserver” with the name of your POP
- -L 25:mailserver:25: defines a tunnel of port 25 on your
local machine to port 25 on the mailserver. Port 25 is the outgoing SMTP mail
port. Again, you would replace “mailserver” with the name of your SMTP
- -2: force ssh v2 protocol only. Optional, but slightly
more secure. Use it unless your remote server doesn’t support it.
- you@mailserver: your ssh login account name @ your
- -N: no shell. Normally plink will also open up an
interactive shell. For our purposes here we don’t need one.
- -pw yourpassword: your password for your ssh login account
name. You can also leave this off to be prompted instead.
Leave plink running once it connects.
Now, in your email client (Outlook, Eudora, whatever), change both
the POP3 and SMTP servers to “localhost”.
Here’s what happens now: when you reload your email client, it will attempt
to, for example, fetch POP3 mail from “localhost, port 110”. Plink, which is
listening on port 110 on your local machine, encrypts the data and sends it to
the ssh server running on the mail server. There, the ssh server decrypts the
data and forwards it on to port 110 on the mail server. Data coming back is
handled similarly, as is the SMTP port 25 conversation we defined as well.
A couple of additional notes…
You can tunnel other protocols (like MySQL, IMAP, etc…) by adding “-L
port:server:port” parameters to the plink line.
You can perform the port forwarding in PuTTY itself, the interactive client,
if you like – there is a section in the options for that, and it can be saved
with the profile for that connection.
Remember that while your email is configured to use “localhost” as the mail
server, the tunnel must be running (the plink command must be active). If it is
not, email will fail.
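A quick way to confirm the tunnel is up before opening the mail client, as an added example that is not part of the original article: this Python script connects to the two forwarded ports on localhost and checks for the greeting each mail protocol sends first. The function names and status strings are hypothetical, chosen for illustration.

```python
import socket

# Ports from the plink command above, each with the greeting the real
# service sends first: POP3 answers "+OK", SMTP answers "220".
FORWARDS = {110: b"+OK", 25: b"220"}


def check_forward(port, expected, host="127.0.0.1", timeout=5.0):
    """Probe one forwarded port; the status strings are illustrative names."""
    try:
        conn = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        # Nothing accepted the connection locally: plink is not running
        # or was started without this -L forward.
        return "tunnel-down"
    with conn:
        try:
            banner = conn.recv(512)
        except OSError:
            # Timed out or reset while waiting for the greeting.
            return "no-banner"
    if not banner:
        # The local listener accepted and then closed straight away, which is
        # typically what happens when the SSH server cannot reach the mail port.
        return "no-banner"
    # A greeting for the wrong protocol means the forward points at the wrong
    # service (for example, the port numbers were swapped).
    return "ok" if banner.startswith(expected) else "unexpected-banner"


def check_all(forwards=FORWARDS, host="127.0.0.1", timeout=5.0):
    """Return {port: status} for every forward in the table."""
    return {port: check_forward(port, exp, host, timeout)
            for port, exp in forwards.items()}


if __name__ == "__main__":
    for port, status in check_all().items():
        print(f"localhost:{port} -> {status}")
```

Anything other than "ok" on both ports means the mail client should not be started yet, since it would either fail or talk to something that is not the tunnel.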
There’s technically nothing wrong with using this all the time. Still, what
I’ve done in Outlook is to clone a separate profile that I can select at
Outlook startup. So when I’m at home using my own secure network, the
connections are direct and unencrypted as before. When traveling, I start the
tunnel, and select the profile that uses it.
Other SSH clients support tunneling, though not all do. PuTTY is free, and
works well for me.