Mail tunnel

10, 12 and


I use ssh for everything, even for e-mail, and file transfers.


In a VPS (Virtual Private Server), along with web server nginx for my website, I also have an e-mail server.

On my laptop, I retrieve and archive e-mails using the legacy program Eudora My laptop runs Linux and Eudora is for Windows, so I have to use wine.

I also send e-mails from Eudora, via the e-mail server on the VPS. The e-mail server has the components postfix, dovecot, spamassassin, spamc, spamd, sa-update, and dkim. Quite complicated, but now that it works, it works.

In this day and age, encryption is a must. So to fetch mail under the POP3 protocol, use port 993 instead of 110. To send mail over SMTP (Simple Mail Transport Protocol) use port 587, not 25. My old Eudora can probably do that, it has settings for it, but when I tried them in the past, it often didn’t work, if ever.

To keep things simple, I now just use the unencrypted ports. Isn’t that unsafe? No, because traffic is to and from localhost, that is, within my own laptop. How? Thanks to ssh port redirection.


I made a little shell script, which I called mailtunnel, that contains this:

cd $HOME
sudo -P ssh -L 110:localhost:110 -L 25:localhost:25 -Nf

Options -L tell ssh that this is about port forwarding. Otherwise in the remote session (that is, on my e-mail server, on my VPS), there is nothing to do, as indicated by option -N. What option -f is for I can’t remember, it solved some problem, see man ssh.

For security, executing this command requires root rights, hence sudo, which if not used before recently, will require me to type my user password. Next, ssh will ask for the password (unless I arranged for keys, which is better) of e-mail user ruudh om my server

Once all of that is settled satisfactorily, the effect is this: When I have my e-mail program Eudora send an outgoing e-mail to local port 25, ssh provides for a tunnel, so that the message is really sent to port 25 of the remote! I use an unencrypted port, but ssh encrypts tunnel traffic, so this is safe to go over the public internet. The e-mail server thinks the traffic comes from a local port, so it will allow relays, and I can send e-mails to any destination around the globe.

Likewise, when I have Eudora listen on encrypted port 110, to look for any unreceived e-mails waiting in the post office, ssh really listens on port 110 on the remote, and fetches messages from the mail server there, through its encrypted tunnel.

Myself I don’t use IMAP, but it can be done in the same way, with port 143.

I have no e-mail server on my laptop or anywhere else in my LAN (Local Area Network), and that’s better because most Internet Access Providers will deem any mail coming from a personal or small business connection to be spam, even when it isn’t.

I don’t know why, but my impression is that as an added advantage, this way of doing things is somehow even faster than using the encrypted e-mail ports.

(The reason for doing cd $HOME is to avoid that port forwarding could accidentally keep a directory busy, that is on an ejectable device, or on an encrypted container I might want to unmount later.)

Note: For the mail tunnel to work, on my server I needed to add these settings in openssh’s configuration file /etc/ssh/sshd_config :

AllowTcpForwarding yes
PermitOpen any

Well, those are probably the defaults anyway. But just to be sure.

File transfers

For file transfers I don’t use the unsafe FTP of the early days of Internet, and I also don’t use a more modern, safer FTP replacement.

Everything I want to do is efficiently possible using rsync via ssh. Occasionally I also use sshfs. That too is based on an ssh tunnel.


The above means that on my VPS web and e-mail server, the firewall needs to open up very few incoming ports. (I use nftables, but iptables, with or without ufw, will also do the job.) Open ports:

Seems quite safe to me.