SSH Case Studies: Pine and IMAP
In this eighth part of a nineteen-part article series on advanced topics in SSH, you'll learn about the e-mail program Pine, IMAP authentication, and how to handle it all through the secure shell. This article is excerpted from chapter 11 of the book SSH, The Secure Shell: The Definitive Guide, Second Edition, written by Daniel J. Barrett, Richard E. Silverman and Robert G. Byrnes (O'Reilly; ISBN-10: 0596008953).
11.3 Pine, IMAP, and SSH
Pine is a popular, Unix-based email program from the University of Washington (http://www.washington.edu/pine/). In addition to handling mail stored and delivered in local files, Pine also supports IMAP* for accessing remote mailboxes and SMTP† for posting mail.
In this case study, we integrate Pine and SSH to solve two common problems:
Restricted mail relaying
We also discuss techniques to avoid Pine connection delays and facilitate access to multiple servers and mailboxes, including the use of a Pine-specific SSH connection script. This discussion will delve into more detail than the previous one on Pine/SSH integration. [4.5.3]
11.3.1 Securing IMAP Authentication
Like SSH, IMAP is a client/server protocol. Your email program (e.g., Pine) is the client, and an IMAP server process (e.g., imapd) runs on a remote machine, the IMAP host, to control access to your remote mailbox. Also like SSH, IMAP generally requires you to authenticate before accessing your mailbox, typically by password. Unfortunately, in some cases this password is sent to the IMAP host in the clear over the network; this represents a security risk (see Figure 11-8).‡
There’s no longer any good reason for this. Years ago, security options were rarely available in IMAP software; these days, however, they’re common and should be used! There are standard ways to secure IMAP traffic using SSL or Kerberos. With SSL, the entire IMAP session is protected, so even plain password authentication can be used relatively securely. Kerberos can provide secure authentication and single-signon with or without session encryption; for example, the Apple Mail client implements both. Pine uses Kerberos only for authentication, not encryption—but you can combine Kerberos with SSL to get both single-signon and privacy. Note the power of having multiple independent and standards-based options available!
Nonetheless, it is still all too common to encounter IMAP servers with no security features; here, we show you how to address this problem with SSH.
If your mail server is sealed—that is, your only access to it is via the IMAP protocol—then there’s nothing you can do to improve security using SSH. However, if you can also log into the IMAP server host via SSH, you have options. Because IMAP is a TCP/IP-based protocol, one approach is to use SSH port forwarding between the machine running Pine and the IMAP host (see Figure 11-9). [9.2.1]
However, this technique has two drawbacks:
Fortunately, we can address both of these drawbacks and run Pine over SSH securely and conveniently.
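The cleartext-password risk described in 11.3.1 can be read off the capability list an IMAP server advertises before login. The following Python code is an added example, not from the book: it classifies a capability line using the standard names from RFC 3501 (STARTTLS, LOGINDISABLED, AUTH=...) and RFC 4752 (GSSAPI for Kerberos), and the function names and sample server lines are constructed for illustration.

```python
"""Classify how an IMAP password would travel, from the CAPABILITY line."""

# SASL mechanisms that hand the password itself to the server.
PLAINTEXT_MECHS = {"PLAIN", "LOGIN"}

# Constructed sample lines (not captured from a real server).
WEAK = "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN] imap.example.com ready"
HARDENED = "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED AUTH=GSSAPI"


def parse_capabilities(line):
    """Return the upper-cased capability atoms from a greeting or response.

    Accepts '* CAPABILITY IMAP4rev1 ...' and the bracketed response-code
    form '* OK [CAPABILITY IMAP4rev1 ...] server ready'.
    """
    text = line.strip()
    start = text.upper().find("CAPABILITY")
    if start < 0:
        return set()
    rest = text[start + len("CAPABILITY"):]
    # In the bracketed form the list ends at ']'; drop the trailing text.
    if "[" in text[:start]:
        rest = rest.split("]", 1)[0]
    return {atom.upper() for atom in rest.split()}


def assess(line, encrypted=False):
    """Summarise password exposure for one connection.

    encrypted=True means the session already runs inside SSL/TLS or an
    SSH port forward, so the network path carries no cleartext.
    """
    caps = parse_capabilities(line)
    mechs = {c[5:] for c in caps if c.startswith("AUTH=")}
    login_allowed = "LOGINDISABLED" not in caps
    password_mechs = mechs & PLAINTEXT_MECHS
    exposed = (not encrypted) and (login_allowed or bool(password_mechs))
    return {
        "cleartext_password_possible": exposed,
        "starttls_offered": "STARTTLS" in caps,
        "kerberos_offered": "GSSAPI" in mechs,
    }


if __name__ == "__main__":
    for label, line in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, assess(line))
    print("weak via tunnel", assess(WEAK, encrypted=True))
```

A server that answers like the first sample is the case where the SSH approach in this section applies; the second sample already offers the SSL and Kerberos options the text recommends.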