Automatic ssh tunnel
Sunday, 27 January 2008 14:32

The drawback of strict anti-spam guidelines and policies is that access to an SMTP server is often granted only from inside a company's or university's intranet. If you want to use this server from outside, the easiest solution is an ssh tunnel to a computer that is reachable inside the intranet:

ssh -L localport:mailserver:25 computer.in.the.intranet

This tunnel would have to be set up by hand every time before sending mail. xinetd (or inetd) can automate it: xinetd is configured to listen on a local port (which becomes our local SMTP port) and relays the traffic to and from the stdin/stdout of an ssh process. ssh, in turn, relays the traffic to a netcat (nc) instance running on the trusted computer, which finally forwards everything to the mail server. For security on our side, xinetd accepts local connections only; in principle, though, the same setup can replace a VPN where only a few ports are of interest. Note what the tunnel does not do: the last hop from the trusted computer to the mail server is plain TCP, and the mail server sees every connection as coming from the trusted computer, so whoever can reach the local port inherits that machine's mail privileges.

All that is needed is a proper xinetd configuration. Here is an example of an automatic tunnel listening on localhost:25 (/etc/xinetd.d/mailtunnel). Because xinetd starts ssh without a terminal, the key of the configured user must have no passphrase, and the host key of computer.in.the.intranet must already be in that user's known_hosts (connect once by hand as that user before relying on the tunnel):

# /etc/xinetd.d/mailtunnel: listen on 127.0.0.1:25 and hand every connection
# to an ssh process whose stdin/stdout are the client socket
service smtp
{
  port        = 25
  socket_type = stream
  protocol    = tcp
  # accept connections from this machine only ...
  only_from   = localhost
  # ... and do not even bind the port on other interfaces
  interface   = 127.0.0.1
  # one ssh process per connection
  wait        = no
  # unprivileged account whose ~/.ssh holds a passphrase-less key for
  # computer.in.the.intranet and that host's entry in known_hosts
  user        = local_user_with_appropriate_ssh_key
  group       = the_users_group
  flags       = REUSE
  server      = /usr/bin/ssh
  # -x no X11 forwarding, -a no agent forwarding, -q quiet, -T no pty;
  # on the intranet host, netcat connects to mailserver:25
  server_args = -x -a -q -T computer.in.the.intranet netcat mailserver 25
}
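Two things a practitioner will want around this setup are a check that the service file really keeps the listener private, and a way to limit what the passphrase-less key can do if it is ever copied off the laptop. The script below is an added example, not code from the original post: lint_tunnel_conf fails unless a service file binds to loopback, admits local clients only, runs as a non-root user and starts ssh with -T -a -x; forced_command_key_line prints the authorized_keys entry for the intranet host that pins the key to "netcat mailserver 25" with OpenSSH's command= option and disables port, agent and X11 forwarding and pty allocation. The host names gw.example.org and mail.example.org, the account name mailtunnel and the two sample service files are placeholders constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: two checks around the
# xinetd-driven tunnel described above.
#   lint_tunnel_conf FILE
#       exit 0 only if the xinetd service in FILE binds to loopback, admits
#       local clients only, runs as a non-root user and calls ssh with
#       -T -a -x (no pty, no agent forwarding, no X11 forwarding).
#   forced_command_key_line PUBKEY_FILE MAILSERVER
#       print the authorized_keys line for the intranet host that lets the
#       (necessarily passphrase-less) key do nothing but "netcat MAILSERVER 25".
# gw.example.org, mail.example.org and the account "mailtunnel" are
# placeholders chosen for this example.

# Value of attribute $2 in xinetd service file $1 ("name = value"); empty if absent.
xinetd_attr() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

lint_tunnel_conf() {
    conf=$1
    rc=0
    # xinetd accepts both "interface" and "bind" for the listening address.
    addr=$(xinetd_attr "$conf" interface)
    [ -n "$addr" ] || addr=$(xinetd_attr "$conf" bind)
    case $addr in
        127.0.0.1|::1) ;;
        *) echo "$conf: not bound to loopback (interface/bind = '${addr:-unset}')" >&2
           rc=1 ;;
    esac
    only=$(xinetd_attr "$conf" only_from)
    case $only in
        localhost|127.0.0.1|::1) ;;
        *) echo "$conf: only_from must be localhost (got '${only:-unset}')" >&2
           rc=1 ;;
    esac
    user=$(xinetd_attr "$conf" user)
    if [ -z "$user" ] || [ "$user" = root ]; then
        echo "$conf: ssh must run as an unprivileged user (got '${user:-unset}')" >&2
        rc=1
    fi
    args=$(xinetd_attr "$conf" server_args)
    for flag in -T -a -x; do
        case " $args " in
            *" $flag "*) ;;
            *) echo "$conf: server_args should include $flag" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# The key xinetd's ssh uses cannot have a passphrase, so on the intranet host
# pin it to the one command it is meant for and switch everything else off.
forced_command_key_line() {
    key=$(head -n 1 "$1")
    printf 'command="netcat %s 25",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
        "$2" "$key"
}

# Constructed sample service files for a self-test: "good" mirrors the
# configuration above, "bad" would listen on every interface as root.
write_sample_confs() {
    cat > "$1/good" <<'EOF'
service smtp
{
  port        = 25
  socket_type = stream
  protocol    = tcp
  only_from   = localhost
  interface   = 127.0.0.1
  wait        = no
  user        = mailtunnel
  group       = mailtunnel
  flags       = REUSE
  server      = /usr/bin/ssh
  server_args = -x -a -q -T gw.example.org netcat mail.example.org 25
}
EOF
    cat > "$1/bad" <<'EOF'
service smtp
{
  port        = 25
  socket_type = stream
  protocol    = tcp
  wait        = no
  user        = root
  server      = /usr/bin/ssh
  server_args = -q gw.example.org netcat mail.example.org 25
}
EOF
}
```

Run lint_tunnel_conf /etc/xinetd.d/mailtunnel before reloading xinetd, and append the output of forced_command_key_line for the tunnel user's public key to ~/.ssh/authorized_keys of the account on computer.in.the.intranet. A forced command replaces whatever command the client asks for, so the "netcat mailserver 25" in server_args above still works, and a stolen copy of the key gets nothing else; adding OpenSSH's from= option with the laptop's usual source network tightens it further.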