# imap(s) over ssh port forwarding [SOLVED]

## alex.blackbit

hi,

i am trying to do something nasty, access my private emails from work.

the environment is a bit complicated, i'll try to explain as good as i can.

connections from my work pc have to go through a http proxy. allowed protocols are http,https,ftp,ssh.

imap(s) was allowed in the past, but is now no more.

so, i establish a ssh connection to my router at home, where a squid is running and forward the local port 3128 to the port 3128 on the router at home.

the thunderbird on the work pc is configured to use localhost:3128 as proxy, for all protocols.

in thunderbird i read some rss/atom feeds, those work as expected.

the imap(s) accounts don't.

in my squid config at home i added the following

```
acl Safe_ports port 143     # imap

acl Safe_ports port 993     # imaps
```

and restarted squid. no change.

btw, the rest of the squid config are factory settings.

i do not really know what to do.

any ideas?

Last edited by alex.blackbit on Fri Jun 19, 2009 12:11 pm; edited 1 time in total

----------

## malern

afaik squid is only a http and ftp proxy, it doesn't support imap. You probably need a more general proxy server.

----------

## Rooney

I used to do something similar. I found I needed to define the ports twice for SSL

e.g.

```
acl SSL_ports port 993 # all ssl ports
acl Safe_ports port 143 993 # imap, imaps
```

hope this helps

 *alex.blackbit wrote:*   

> hi,
> 
> i am trying to do something nasty, access my private emails from work.
> 
> the environment is a bit complicated, i'll try to explain as good as i can.
> ...

 

----------

## alex.blackbit

thanks for the hint.

i tried that.

does not change anything.

any other ideas?

EDIT: this reads like squid is not able to do what i want.

are you sure you had that running, Rooney?

http://www.nabble.com/IMAP-support-td20460884.html

----------

## Rooney

I have done imap (143), SSH (22-ssl) and Webmin (10000-ssl) through a proxy forward to the local desktop, as you are trying to. I worked somewhere where I had to use their proxy to get home and then back out again.

An alternative I used to do was forward local:993 to the remote host, e.g. imap.google.com:993, so I didn't use squid in that setup.

Are you using putty? 

 *alex.blackbit wrote:*   

> thanks for the hint.
> 
> i tried that.
> 
> does not change anything.
> ...

 

----------

## alex.blackbit

yes, i am using putty, better said plink.

i cannot use ssh directly, but have to use a http proxy for that.

according to the docs not even that may work, but it definitely does.

and if that would make no sense, putty would not have an option to use a http proxy, right?

i am a bit confused.

so, port forwarding over a ssh connection through a http proxy to my home box, into a proxy that connects to the mail server. not really a straight connection.

if i do not manage to configure squid to do what i want i will try to set up dante.

i am still open for any ideas.

----------

## think4urs11

It's simply not possible with squid to access imap servers (unless that imap server can unpack imap-in-http-traffic which normally isn't the case).

Why don't you use something like imapproxy?

----------

## alex.blackbit

thanks for your reply, Think4UrS11. i'll consider imapproxy.

can you explain why it is possible to use ssh over a http proxy? maybe that clears things up a bit for me.

well, and, ... what are the pros/cons of imapproxy/socks like dante?

----------

## think4urs11

 *alex.blackbit wrote:*   

> can you explain why it is possible to use ssh over a http proxy?

 

I can't, because it isn't (without further measures like http/proxy-tunnel).

Are you really sure that in your case the ssh traffic is utilizing a squid instance? I'd guess that your work-fw simply allows port 22 outgoing instead.

dante is a general proxy based on socks protocol - more or less a protocol-agnostic tunnel from the proxy to the external system.

Many applications can use socks (but not http/https) to wrap their traffic.

And if you have a socks-capable app you don't need dante - use the ssh-internal socks proxy (parameter -D)

----------

## alex.blackbit

no, i don't know whether this proxy is a squid.

i only know what i have to tell putty to get out, and that's

```
proxy type: http

port: 3128
```

i have no clue what is running behind the scenes, since i am not working in the IT department there.

do you have any idea what they could be using?

again, running ssh over a http proxy cannot be something unusual, otherwise it wouldn't be a simple option in putty.

please see this screenshot i found with google images:

http://www.engfers.com/wp-content/uploads/2008/08/putty_proxy_config.png

what i want to run on my home machine is some kind of service that i can let my thunderbird at work connect to (through the ssh tunnel) to get mails from a imap(s) server.

at first i thought squid should be the right tool for that. it seems i was wrong. that's okay.

you say i do not need dante to let my thunderbird connect over socks? how exactly do i do that? i have putty at work and opensshd at home.

EDIT:

i think i found something interesting in the putty documentation:

http://the.earth.li/~sgtatham/putty/0.60/htmldoc/Chapter4.html#config-proxy

```
4.15.1 Setting the proxy type

The ‘Proxy type’ radio buttons allow you to configure what type of proxy you want PuTTY to use for its network connections. The default setting is ‘None’; in this mode no proxy is used for any connection.

    * Selecting ‘HTTP’ allows you to proxy your connections through a web server supporting the HTTP CONNECT command, as documented in RFC 2817.

...
```
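The CONNECT step the PuTTY manual refers to, shown as an added Python example that is not part of the thread: it builds the request a client sends to an HTTP proxy and parses the proxy's answer on constructed replies. The same `CONNECT host:port` line is what a proxy's access log records, which is how an administrator sees (and restricts) tunnels to ports other than 443; host names and banner are assumptions.

```python
# Added example (not from the thread): the HTTP CONNECT handshake (RFC 2817)
# that PuTTY's "HTTP" proxy type performs before any SSH bytes flow.
# Requests and replies are built and parsed offline on constructed byte strings.

def build_connect_request(host: str, port: int, proxy_auth: str = "") -> bytes:
    """Ask the proxy to open a raw TCP tunnel to host:port (the SSH server)."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if proxy_auth:  # base64("user:pass") when the proxy demands credentials
        lines.append(f"Proxy-Authorization: Basic {proxy_auth}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_connect_response(data: bytes) -> tuple[int, bytes]:
    """Split the proxy's reply into (status code, bytes after the header block).

    After a 2xx reply the bytes following the blank line are already the
    tunnelled stream (here the SSH version banner), no longer HTTP.
    """
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP response header")
    status_line = head.split(b"\r\n", 1)[0].decode("ascii")
    version, code, *_ = status_line.split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(code), rest


def tunnel_established(data: bytes) -> bool:
    """True when the proxy granted the tunnel (any 2xx); 403/407 etc. give False."""
    code, _ = parse_connect_response(data)
    return 200 <= code < 300


# Constructed replies: a proxy that permits CONNECT to port 22 and one that does not.
PROXY_OK = (b"HTTP/1.1 200 Connection established\r\n\r\n"
            b"SSH-2.0-OpenSSH_5.1\r\n")          # SSH banner already inside the tunnel
PROXY_DENIED = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print(build_connect_request("home.example.org", 22).decode(), end="")
    print("permitted:", tunnel_established(PROXY_OK), "denied:", tunnel_established(PROXY_DENIED))
```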

----------

## cach0rr0

 *alex.blackbit wrote:*   

> i have no clue what is running behind the scenes, since i am not working in the IT department there.

 

tried good ol banner grabbing via telnet? 

e.g. telnet hostname 8080, GET / HTTP/1.1 <CRLF><CRLF>

the vendor should be found in the response headers

----------

## alex.blackbit

telnet discovery did not work, server closed port without outputting anything.

nmap says "Ironport AsyncOS http config (glass 1.0; Python 2.5.1-IronPort)"

----------

## think4urs11

 *alex.blackbit wrote:*   

> again, running ssh over a http proxy cannot be something unusual, otherwise it wouldn't be a simple option in putty.

 

It is an additional feature of putty which utilizes an http proxy but it is not a feature of SSH itself. When using e.g. OpenSSH you'd need proxytunnel to make this work.

 *alex.blackbit wrote:*   

> you say i do not need dante to let my thunderbird connect over socks? how exactly do i do that? i have putty at work and opensshd at home.

 

Putty is afaik not able to become socks-proxy by itself - openssh can.

So you'd need to have putty configured with a port forward towards openssh on your home system which 'plays' socks-proxy.

A bit more details e.g. here (in german) http://www.jfranken.de/homepages/johannes/vortraege/ssh3.de.html

Just as a sidenote i'd _really_ recommend that you ask your IT guys first before tunneling the security measures in place - otherwise you can get into serious trouble, in the worst case get fired.

----------

## alex.blackbit

i am aware of the risks. but thanks for the warning.

according to the putty documentation, it provides a socks server.

i configured such a "dynamic port forwarding" on port 1080, and told my thunderbird to use localhost:1080 as socks proxy.

interestingly, this did not work.

i tried at home again, under linux, here it works as expected. thunderbird connects through the openssh socks proxy.

after removing the tunnel, not any more.

tomorrow i'll try again at work. i must have gotten something wrong.

EDIT: i tried with putty under linux too. working like a charm.

----------

## alex.blackbit

i am currently at work. it works.

yesterday i must have forgotten to save the session profile or something.

it is all very easy when you have understood how everything works.

summary:

```
if

* you are on a network with a restrictive internet access policy

* you are able to open a ssh connection to a machine outside of that network

* the application you want to use can use a SOCKS proxy for the desired protocol.

then

* open a ssh connection with

+   -D 1080 with openssh

+   Tunnel: Dynamic, Source port 1080 with PuTTY

and

* let the application use the SOCKS proxy "localhost:1080".

port 1080 is just an example, every port should work.

that's it.
```

i always wondered what those "Dynamic Tunnels" in PuTTY are, a word about SOCKS would be nice here.

imho it is quite stunning that you need no additional software on the box you are sshing to.

the PuTTY utility plink is quite nice for that purpose, especially in combination with a saved session profile.

i am currently trying to create a windows service to establish that connection.

everybody, thanks for the help.

problem solved.
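The "word about SOCKS" the summary asks for, as an added Python example that is not part of the thread: the SOCKS5 messages an application exchanges with the local dynamic forward (`-D 1080` / PuTTY "Dynamic") before the ssh client asks sshd to open the real connection. Message bytes and the host name are constructed; it encodes the client side and decodes the replies, including the refusal case.

```python
# Added example (not from the thread): the SOCKS5 exchange on a "dynamic" forward
# (OpenSSH -D 1080 / PuTTY tunnel type Dynamic). The ssh client answers these
# messages locally and asks sshd to make the real connection, which is why the
# remote box needs no extra software. All messages here are constructed offline.
import struct

SOCKS_VERSION, NO_AUTH, CMD_CONNECT = 5, 0x00, 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REPLY_TEXT = {0: "succeeded", 1: "general failure", 2: "not allowed by ruleset",
              3: "network unreachable", 4: "host unreachable", 5: "connection refused"}

def client_greeting() -> bytes:
    """VER, NMETHODS, METHODS: offer only 'no authentication', which -D accepts."""
    return bytes([SOCKS_VERSION, 1, NO_AUTH])

def connect_request(host: str, port: int) -> bytes:
    """CONNECT to host:port by name (ATYP 0x03), so DNS is resolved on the far side."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname must be 1-255 bytes for SOCKS5")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))

def parse_method_choice(data: bytes) -> int:
    """Server's VER, METHOD answer; 0xFF means no offered method was acceptable."""
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("malformed method selection")
    if data[1] == 0xFF:
        raise ConnectionError("proxy rejected all authentication methods")
    return data[1]

def parse_connect_reply(data: bytes) -> tuple[int, str, str, int]:
    """Return (REP, REP text, bound address, bound port); REP != 0 means failure."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("malformed CONNECT reply")
    rep, atyp = data[1], data[3]
    if atyp == ATYP_IPV4:
        addr, off = ".".join(map(str, data[4:8])), 8
    elif atyp == ATYP_DOMAIN:
        addr, off = data[5:5 + data[4]].decode("ascii"), 5 + data[4]
    else:
        raise ValueError(f"unsupported address type {atyp:#x}")
    (port,) = struct.unpack("!H", data[off:off + 2])
    return rep, REPLY_TEXT.get(rep, "unassigned"), addr, port

# Constructed replies as the local ssh listener would send them.
SERVER_METHOD_OK = bytes([SOCKS_VERSION, NO_AUTH])
SERVER_CONNECT_OK = bytes([5, 0, 0, ATYP_IPV4, 0, 0, 0, 0, 0, 0])   # REP 0, BND.ADDR 0.0.0.0:0
SERVER_REFUSED = bytes([5, 5, 0, ATYP_IPV4, 0, 0, 0, 0, 0, 0])      # REP 5, far end refused
```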

----------

