Group: attr(1) header(2) footer(3) sidebar(4) Page: view(q) edit(w) attr(e) attach(a) history(d)

Setting up an SSH tunnel for exim and fetchmail (2004/05)

I recently had to setup my mail system once again. For security reasons I tunnel my mails via ssh . Also, I use exim to forward my mails to the smarthost. There was a slight problem, which was that exim doesn't like to forward mails to the local host (to avoid loops). I didn't want to dig through the exim documentation, so I came to this (in my oppinion) cleaner way to do it. I'm using Debian sid, btw.


'''You can do corrections on your own, by clicking on edit. When you want to add comments, links to similar topics, etc, please use Red color, Green color, or Blus color.

What you need is:

  • ssh on the client and the mailserver.
  • a real ssh account on the mailserver (you have to be able to login there and at least execute the ßocket program).
  • the socket program must be present on the mailserver
  • iptables on the client, and the REDIRECT target available.

If you miss one of these, it doesn't work that way for you. Otherwise, do this:

  • For the ssh tunnel: Create a dsa-key for the root-user and copy it to the other end of your tunnel:
> su -
> ssh-keygen -t dsa -f tunnel-identity
Use no passphrase (this is necessary for inetd to be able to connect the tunnel.
> ssh-copy-id -i /root/.ssh/tunnel-identity.pub <username>@<mail-server>
  • Add the following line to /etc/inetd.conf, restart inetd afterwards:
27 stream tcp nowait root /usr/sbin/tcpd /usr/bin/ssh -i /root/.ssh/tunnel-identity -q -e none -l <user> <mailserver> socket localhost 25
109 stream tcp nowait root /usr/sbin/tcpd /usr/bin/ssh -i /root/.ssh/tunnel-identity -q -e none -l <user> <mailserver> socket localhost 110
  • And now, for the finishing touch. Add the following rules to your iptables:
iptables -t nat -A PREROUTING -p tcp -d <mailserver> --dport 25 -j REDIRECT --to-ports 27
iptables -t nat -A OUTPUT -p tcp -d <mailserver --dport 25 -j REDIRECT --to-ports 27
iptables -t nat -A PREROUTING -p tcp -d <mailserver> --dport 110 -j REDIRECT --to-ports 109
iptables -t nat -A OUTPUT -p tcp -d <mailserver --dport 110 -j REDIRECT --to-ports 109

You don't need the PREROUTING lines unless you are setting this up on your local router to tunnel the connections for the whole subnet.

  • No you can use your normal exim configuration with the smarthost. Exim won't even know, that it is actually sending the data to a local port...
  • To fetch your mail, you can use fetchmail with the same configuration as before. If you tunnel to an IMAP server, you have to change some ports.
Page last modified on April 06, 2012, at 10:34 PM
Edit Page - Page History - Printable View - Recent Changes - WikiHelp - SearchWiki