Tuesday, 8 April 2008

Adventures with Ubuntu: tunneling into my IMAP server

Having set up dovecot on my home server, the next step was to enable remote access to it so that I could connect from my laptop when I was out and about. As my laptop uses all manner of public networks of unproven security, I figured that a secure tunnel was the way to do it: the IMAP session rides inside SSH, so neither the login nor the mail crosses the public network in the clear.

Install openssh-server on the server
sudo apt-get install openssh-server
Install openssh-client on the laptop

sudo apt-get install openssh-client
On the laptop, generate ssh keys
ssh-keygen
Accept the default file names. When it asks for a passphrase, give it one rather than just pressing Enter: a laptop that lives on public networks can be lost or stolen, and a passphrase-less private key is then a ready-made login to your server. Load the key into ssh-agent (ssh-add) once per session and the tunnel still comes up without a prompt.

This will create, among other things, a file ~/.ssh/id_rsa.pub. The contents of that file need to be appended to ~/.ssh/authorized_keys on the server; the private key, ~/.ssh/id_rsa, stays on the laptop and is never copied anywhere. For a more detailed explanation of SSH key generation, I found this to be a clear and concise reminder.

Install the laptop's public key on the server
cat id_rsa.pub >> ~/.ssh/authorized_keys
where id_rsa.pub is the copy of the file from the laptop. sshd silently ignores the file if it or its directory is writable by anyone else, so make sure ~/.ssh is mode 700 and authorized_keys mode 600 before testing.

That's got the ssh gubbins sorted out and you should now be able to ssh to your server from your laptop without being prompted for a password. Once that works, set PasswordAuthentication no in /etc/ssh/sshd_config on the server and restart sshd: the next step puts the server on the public internet, and password-guessing bots will find it. The next thing I needed to arrange was a dynamic DNS entry for my home server. Having created a free account with DynDNS, I needed to install ddclient on the server.

Installing ddclient on the server

If you have a fixed IP address, or your router can talk to dyndns, ignore this section.
sudo apt-get install ddclient
Configuring ddclient

Edit the contents of /etc/ddclient.conf using sudo

The contents of my file look something like this:
daemon=600
cache=/tmp/ddclient.cache
pid=/var/run/ddclient.pid
use=web, web=checkip.dyndns.com/, web-skip='IP Address'
login=my_dyndns_account_name
password=my_dyndns_password
protocol=dyndns2
server=members.dyndns.org
wildcard=YES
my.dyndns.domain

It is worth checking /etc/default/ddclient to see that ddclient is run as a daemon. The daemon_interval set there is passed to ddclient on its command line by the init script, so keep it consistent with the daemon= line in ddclient.conf. Also remember that /etc/ddclient.conf holds your DynDNS password in clear text: keep it owned by root and mode 600.
# Configuration for ddclient scripts
# generated from debconf on Tue Oct 14 15:19:15 BST 2008
#
# /etc/default/ddclient

# Set to "true" if ddclient should be run every time a
# new ppp connection is
# established. This might be useful, if you are using
# dial-on-demand
run_ipup="false"

# Set to "true" if ddclient should run in daemon mode
run_daemon="true"

# Set the time interval between the updates of the
# dynamic DNS name in seconds.
# This option only takes effect if the ddclient runs in
# daemon mode.
daemon_interval="300"

Creating the tunnel
On the laptop, create a tunnel to your home server.
ssh -f -N -q -L 1143:localhost:143 \
my_server_user_id@my.dyndns.domain

What this command does is listen on port 1143 on localhost (the laptop) and forward every connection made to it, through the SSH session, to the IMAP port (143) on the server (my.dyndns.domain). Note that the "localhost" in the -L argument is resolved on the server, not the laptop: the server connects to its own loopback port 143, so dovecot never has to accept a connection from anywhere else. By default ssh binds the local listener to the laptop's loopback interface only, so nobody else on the public network can use the tunnel; don't add -g (or GatewayPorts) to change that. The reason why I selected the local port number 1143 is that it is greater than 1023 and 1000 more than the standard IMAP port (making it easy for me to remember), and only root can bind port numbers less than 1024. I have this command in a script file and fire it up ad-hoc whenever I am out and need to use it. The tunnel only protects you if port 143 itself is not reachable from the internet, so forward port 22 alone on your router.

To test the connection on the laptop, type:
telnet localhost 1143
You should get a response along these lines:
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK Dovecot ready.

So, although you are using the laptop's local port 1143, you are, in fact, accessing the server's port 143 through the SSH tunnel.

Configuring your e-mail client

Having gone through all that, just configure your laptop mail client's IMAP server to be localhost port 1143, set the user id to be your local/server user id and off you go. The plain-IMAP setting is fine here because the SSH tunnel already encrypts the session end to end; IMAPS on port 993 is a separate mechanism that this tunnel does not provide, so don't select it for this account.

Tunneling at work

You may find that using tunnels contravenes your employer's AUP. If that is the case, don't do it, OK?
