Server Administration

  Home arrow Server Administration arrow SSH Case Studies: Pine and IMAP
SERVER ADMINISTRATION

SSH Case Studies: Pine and IMAP
By: O'Reilly Media
  • Search For More Articles!
  • Disclaimer
  • Author Terms
  • Rating:  stars stars stars stars stars / 0
    2012-07-18

    Table of Contents:
  • SSH Case Studies: Pine and IMAP
  • 11.3.1.1 Pine and preauthenticated IMAP

  •  
     

    SEARCH CODEWALKERS

    SSH Case Studies: Pine and IMAP


    (Page 1 of 2 )

    In this eighth part of a nineteen-part article series on advanced topics in SSH, you'll learn about the e-mail program Pine, IMAP authentication, and how to handle it all through the secure shell. This article is excerpted from chapter 11 of the book SSH, The Secure Shell: The Definitive Guide, Second Edition, written by Daniel J. Barrett, Richard E. Silverman and Robert G. Byrnes (O'Reilly; ISBN-10: 0596008953).

    11.3 Pine, IMAP, and SSH

    Pine is a popular, Unix-based email program from the University of Washington (http://www.washington.edu/pine/). In addition to handling mail stored and delivered in local files, Pine also supports IMAP* for accessing remote mailboxes and SMTP† for posting mail.

    In this case study, we integrate Pine and SSH to solve two common problems:

    IMAP authentication

    In many cases, IMAP permits a password to be sent in the clear over the network. We discuss how to protect your password using SSH, but (surprisingly) not by port forwarding.

    Restricted mail relaying

    Many ISPs permit their mail and news servers to be accessed only by their customers. In some circumstances, this restriction may prevent you from legitimately relaying mail through your ISP. Once again, SSH comes to the rescue.

    We also discuss techniques to avoid Pine connection delays and facilitate access to multiple servers and mailboxes, including the use of a Pine-specific SSH connection script. This discussion will delve into more detail than the previous one on Pine/SSH integration. [4.5.3]

    11.3.1 Securing IMAP Authentication

    Like SSH, IMAP is a client/server protocol. Your email program (e.g., Pine) is the client, and an IMAP server process (e.g., imapd) runs on a remote machine, the IMAP host, to control access to your remote mailbox. Also like SSH, IMAP generally requires you to authenticate before accessing your mailbox, typically by password. Unfortunately, in some cases this password is sent to the IMAP host in the clear over the network; this represents a security risk (see Figure 11-8).‡


    Figure 11-8. A normal IMAP connection

    There’s no longer any good reason for this. Years ago, security options were rarely available in IMAP software; these days, however, they’re common and should be used! There are standard ways to secure IMAP traffic using SSL or Kerberos. With SSL, the entire IMAP session is protected, so even plain password authentication can be used relatively securely. Kerberos can provide secure authentication and singlesignon with or without session encryption; for example, the Apple Mail client implements both. Pine uses Kerberos only for authentication, not encryption—but you can combine Kerberos with SSL to get both single-signon and privacy. Note the power of having multiple independent and standards-based options available!

    Nonetheless, it is still all too common to encounter IMAP servers with no security features; here, we show you how to address this problem with SSH.

    If your mail server is sealed—that is, your only access to it is via the IMAP protocol—then there’s nothing you can do to improve security using SSH. However, if you can also log into the IMAP server host via SSH, you have options. Because IMAP is a TCP/IP-based protocol, one approach is to use SSH port forwarding between the machine running Pine and the IMAP host (see Figure 11-9). [9.2.1]


    Figure 11-9. Forwarding an IMAP connection

    However, this technique has two drawbacks:

    Security risk

    On a multiuser machine, any other user can connect to your forwarded port. [9.2.4.3] If you use forwarding only to protect your password, this isn’t a big deal, since at worst, an interloper could access a separate connection to the IMAP server having nothing to do with your connection. On the other hand, if port forwarding is permitting you to access an IMAP server behind a firewall, an interloper can breach the firewall by hijacking your forwarded port, a more serious security risk.

    Inconvenience

    In this setup, you must authenticate twice: first to the SSH server on the IMAP host (to connect and to create the tunnel) and then to the IMAP server by password (to access your mailbox). This is redundant and annoying.

    Fortunately, we can address both of these drawbacks and run Pine over SSH securely and conveniently.

    More Server Administration Articles
    More By O'Reilly Media

    blog comments powered by Disqus
    Antalya eskort Antalya escort bayanlar

    SERVER ADMINISTRATION ARTICLES

    - SSH Case Studies: Gateway Hosts
    - SSH Case Studies: More on Pine and SSH
    - SSH Case Studies: Pine and IMAP
    - SSH Case Studies: More on the Passive Mode
    - SSH Case Studies: Network Address Translation
    - SSH Case Studies: The Passive Mode
    - SSH Case Studies: The FTP Protocol
    - SSH Case Studies: Batch Jobs, FTP and SSH
    - SSH Case Studies: Agents and Authentication
    - SSH Case Studies
    - Server Responses to Client Communication
    - Authentication in Client/Server Communication
    - Client/Server Communication
    - Understanding Awk in the UNIX Shell
    - Stream Editor in the UNIX Shell

    Developer Shed Affiliates

     



    © 2003-2014 by Developer Shed. All rights reserved. DS Cluster - Follow our Sitemap