Sunday, February 6, 2011

Connecting to my Hover IMAP email from work which blocks ports

Background

My work blocks ports so I cannot access my personal email except through my provider's ridiculous webmail. Specifically I use Thunderbird and want all the features such as nostalgy to easily move my email to folders.

Issues
  1. Well, there is the major "work blocks ports" issue. You need to set up an SSH tunnel to a trusted server that forwards traffic to the IMAP (or POP3, if that's your thing) port. For me that trusted server is my home server. Because the example below exposes my home server, I'm very aware of the security implications; these may be less of a concern with an external server.
  2. Hover, my domain name and email provider, uses a mechanism where you point your IMAP client to mail.hover.com with the login user@domain, and it redirects to mail.<domain>. This makes it hard to set up an SSH tunnel, as I don't know how to set up a tunnel that follows this redirection. Looking through Hover's management console for my domain, I found that the forwarded-to address is mail.<domain>.com.cust.<secret>.com.

Solution
  1. Open external ports on your home network that map to port 22 (SSH) internally. Don't use 22 as the external port, since an SSH service on the default port attracts constant automated login attempts; use a port in the thousands such as 5555. You may want to decide on the ports but not open them until you've determined your work's gateway IP address and configured your network to accept only SSH traffic, and only from there. You open ports through your modem and router.
  2. Find out your home WAN static IP address. (If you have a dynamic IP I haven't worked out a solution, as I believe your work network admins need an IP address rather than a DNS name; if they can accept a DNS name, you could use Dynamic DNS.)
  3. Request that work open their network to allow connections to your WAN IP on the ports you have opened (or will open). Tell them you run an SSH server at home. Ask them for the work gateway IP address you will be connecting from.
  4. As security measures at home, update your hosts.allow, hosts.deny and sshd_config (Unix, Linux, Mac OS X; I don't know about Windows) to only allow:
  1. At work, open an SSH tunnel for your IMAP traffic; you'll need to type your home SSH login password. Use a *nix/Mac OS X terminal, or PuTTY under Windows:
  2. ssh -T -N -L 3993:mail.<domain>.com.cust.<secret>.com:993 <user>@<home wan ip> -oPort=5555
  3. This says to connect to <home wan ip>:5555. The local port at your site (work) is 3993, and it maps to remote port 993 at mail.<domain>.com.cust.<secret>.com. The local port 3993 reaches the provider's port 993 via your SSH server at home (i.e. the SSH tunnel).
  4. Set your email client (I use Thunderbird) to use the local port you set up as your IMAP (or POP3) port; I used 3993 in my example.
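To tie the home-side restrictions and the work-side tunnel command together, here is an added example script (mine, not part of the original post). It generates the hosts.allow, hosts.deny and sshd_config lines that limit SSH to the work gateway address, then prints the tunnel command; every IP, port, login and mail host in it is a constructed placeholder, and it uses ssh's -p flag in place of -oPort (both set the same option).

```shell
#!/bin/sh
# Added example, not from the original post. Builds the home-side restrictions
# and the tunnel command from the steps above. Every address, port and name here
# is a constructed placeholder; substitute your own.

WORK_GATEWAY_IP="203.0.113.10"   # gateway IP your work admins gave you (constructed)
HOME_WAN_IP="198.51.100.20"      # your home static WAN address (constructed)
HOME_SSH_PORT="5555"             # external port forwarded to 22 on the home server
HOME_USER="alice"                # login on the home ssh server (constructed)
MAIL_HOST="mail.example.com.cust.secret-host.com"  # forwarded-to IMAP host (constructed)
LOCAL_PORT="3993"                # local port Thunderbird will connect to
REMOTE_PORT="993"                # IMAPS at the provider

# Return 0 if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# TCP wrapper rules: only the work gateway may reach sshd, everyone else is denied.
hosts_allow_rule() { printf 'sshd: %s\n' "$WORK_GATEWAY_IP"; }
hosts_deny_rule()  { printf 'sshd: ALL\n'; }

# sshd_config line restricting the account to logins from the work gateway.
sshd_allowusers_line() { printf 'AllowUsers %s@%s\n' "$HOME_USER" "$WORK_GATEWAY_IP"; }

# The tunnel command typed at work. ExitOnForwardFailure makes ssh fail loudly
# if port 3993 is already taken instead of silently running without the forward.
tunnel_cmd() {
    printf 'ssh -T -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=60 -p %s -L %s:%s:%s %s@%s\n' \
        "$HOME_SSH_PORT" "$LOCAL_PORT" "$MAIL_HOST" "$REMOTE_PORT" "$HOME_USER" "$HOME_WAN_IP"
}

# A typo in the gateway address would lock out the wrong host, so refuse to emit rules for it.
valid_ipv4 "$WORK_GATEWAY_IP" || { echo "bad gateway IP: $WORK_GATEWAY_IP" >&2; exit 1; }

echo "# /etc/hosts.allow";      hosts_allow_rule
echo "# /etc/hosts.deny";       hosts_deny_rule
echo "# /etc/ssh/sshd_config";  sshd_allowusers_line
echo "# run this at work:";     tunnel_cmd
```

If you skip the hosts.deny line, the hosts.allow entry alone permits nothing extra and blocks nothing, so both files need the entries shown.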
Comments and questions welcome.