IMAP proxying help needed
November 5, 2007 12:01 PM
My work's firewall recently began blocking outbound traffic that isn't on ports 22, 80, and 443, and I'd like to use my home router (running openwrt) to proxy my personal IMAP email so I can read it from work.
I'm pretty network and linux-savvy, but I haven't really tried this out before, so I thought I'd solicit some advice. What I figure is that I'll point to my home address via dyndns or the like and then, for requests originating from my work subnet, forward the requests on to my ISP's imap server. Here's some k-R4d ascii art to illustrate what I'm going for:
[work PC] ----> [work firewall] ---> [home router] --------> [isp]
pc.work.com     fw.work.com          myrouter.dyndns.org     imap.isp.net

So on my router, I want to forward requests for router.dyndns.org:443 to imap.isp.net:143.
I'm running the latest version of Thunderbird as an email client. At home I have OpenWRT running on a Linksys WRT54G (it's running the release before kamikaze, IIRC, but I can upgrade it easily enough if I need to). I'd like to run whatever software I need to on the router itself, so I don't need to keep a machine in my home network on all the time and poke a hole in my home firewall.
Has anyone had experience with doing this? In particular I'm wondering if the IMAP protocol itself involves my client sending out its own IP address (pc.work.com) and then confusing the IMAP server at imap.isp.net, which should actually be talking to myrouter.dyndns.org.
My iptables skills are a little rusty, so if anyone has specific examples of the commands to use, I'd be grateful.
Also, could someone tell me if there's a better solution than just forwarding the raw TCP traffic? Is this something setting up a SOCKS server on myrouter.dyndns.org could solve? I do have one other IMAP account I'd like to access if I could, and I wouldn't mind getting around my workplace's HTTP content filters if I can do so easily. Neither one of these concerns is a big deal, though - mostly I just want to be able to access my personal email account. And now that I'm thinking about it, I'd like to be able to send SMTP mail from pc.work.com through my ISP if I can, too, without letting spammers use my router for nefarious purposes.
I've also seen some linux software out there specifically for proxying imap (called "imapproxy" or something?), but I didn't see a version compiled for openwrt specifically - I'm not averse to setting up a wrt toolchain if I need to, but I'd rather not spend time on that if there's an easier way.
you could set up something like Squirrelmail on your home box, and just keep a browser window up
posted by Oktober at 12:10 PM on November 5, 2007
Best answer: So on my router, I want to forward requests for router.dyndns.org:443 to imap.isp.net:143.
No you don't. Run ssh on that router (or a computer at home). Now use port forwarding so you can access your isp. In short you forward local port 443 to your isp tunneled through 22 (ssh).
posted by damn dirty ape at 12:34 PM on November 5, 2007
And you would set your mail client to use localhost:443 and localhost:25 after you set up the forwards.
posted by damn dirty ape at 12:36 PM on November 5, 2007
Best answer: damn dirty ape nails it, though rather than just forwarding IMAP (and SMTP, if you want to send outbound mail), why not do something more flexible, with dynamic tunnels...
Make sure sshd is running on your router, and that it's reachable on port 22 on the internet side (or at least reachable from your employer's network blocks).
Then, on your work machine, with openssh installed, issue this command:
ssh -f -N -D localhost:2500 username@your.router.address
Then, configure your personal mail program to use the SOCKS Proxy that's located at localhost, port 2500. Any traffic that is sent through this proxy will be sent across the ssh connection to your router, which will then route it to the Internet.
You can also configure your browser to use the same SOCKS proxy and get around most content-filtering firewalls, too -- if that's something that's useful to you. I hear that it works with some IM clients, too.
posted by toxic at 12:53 PM on November 5, 2007
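What the mail client actually says to that localhost:2500 listener is a SOCKS5 CONNECT handshake (RFC 1928), and it is worth seeing both sides of it: the client sends the destination as a hostname, so name resolution happens at the router end, and the listener only ever accepts CONNECT (no BIND or UDP). The code below is an added illustration, not part of the thread and not OpenSSH's code; it builds and parses the messages as plain byte strings so it runs offline. The host name imap.isp.net and port 143 are the thread's own; the "0.0.0.0:0" bound address in the success reply is a constructed value, since the bound address is informational for a CONNECT through a dynamic tunnel.

```python
"""SOCKS5 CONNECT exchange between a mail client and a local `ssh -D` listener.
Added example (not from the thread, not OpenSSH's implementation)."""
import struct

SOCKS_VERSION = 5
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}

# ---- client side: what Thunderbird sends to localhost:2500 ----------------

def client_greeting() -> bytes:
    # VER, NMETHODS, METHODS: offer only "no authentication"; a loopback
    # ssh -D listener needs nothing more, the ssh session is the authentication.
    return bytes([SOCKS_VERSION, 1, NO_AUTH])

def client_connect(host: str, port: int) -> bytes:
    """CONNECT request with the target as a domain name (ATYP 0x03), so the
    far end of the tunnel resolves it and no DNS query leaves the work PC."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname must be 1..255 bytes")
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))

def parse_method_reply(data: bytes) -> int:
    if len(data) != 2 or data[0] != SOCKS_VERSION:
        raise ValueError("malformed method selection")
    if data[1] == 0xFF:
        raise ConnectionError("no acceptable authentication method")
    return data[1]

def parse_connect_reply(data: bytes):
    """Return (bound_addr, bound_port) on success; raise with the RFC reason otherwise."""
    if len(data) < 4 or data[0] != SOCKS_VERSION:
        raise ValueError("malformed reply")
    rep, atyp = data[1], data[3]
    if rep != 0x00:
        raise ConnectionError(REPLY_TEXT.get(rep, f"unknown reply {rep:#x}"))
    if atyp == ATYP_IPV4:
        addr, rest = ".".join(str(b) for b in data[4:8]), data[8:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    elif atyp == ATYP_IPV6:
        addr, rest = data[4:20].hex(), data[20:]
    else:
        raise ValueError("unknown address type")
    if len(rest) != 2:
        raise ValueError("truncated reply")
    return addr, struct.unpack("!H", rest)[0]

# ---- server side: the replies the dynamic-forward listener gives -----------

def _reply(rep: int) -> bytes:
    # Constructed bound address 0.0.0.0:0; for a tunnel CONNECT it carries no information.
    return bytes([SOCKS_VERSION, rep, 0x00, ATYP_IPV4, 0, 0, 0, 0, 0, 0])

def server_select_method(greeting: bytes) -> bytes:
    if len(greeting) < 2 or greeting[0] != SOCKS_VERSION or NO_AUTH not in greeting[2:2 + greeting[1]]:
        return bytes([SOCKS_VERSION, 0xFF])   # refuse: nothing we can accept
    return bytes([SOCKS_VERSION, NO_AUTH])

def server_handle_connect(request: bytes):
    """Parse a request; return (reply_bytes, (host, port) or None).
    Only CONNECT is honoured, as a dynamic ssh forward does."""
    if len(request) < 5 or request[0] != SOCKS_VERSION:
        return _reply(0x01), None
    cmd, atyp = request[1], request[3]
    if cmd != CMD_CONNECT:
        return _reply(0x07), None
    if atyp == ATYP_DOMAIN:
        n = request[4]
        if len(request) != 5 + n + 2:
            return _reply(0x01), None
        host = request[5:5 + n].decode("idna")
        port = struct.unpack("!H", request[5 + n:])[0]
    elif atyp == ATYP_IPV4:
        if len(request) != 10:
            return _reply(0x01), None
        host = ".".join(str(b) for b in request[4:8])
        port = struct.unpack("!H", request[8:10])[0]
    else:
        return _reply(0x08), None
    return _reply(0x00), (host, port)

if __name__ == "__main__":
    req = client_connect("imap.isp.net", 143)            # thread's own target
    reply, target = server_handle_connect(req)
    print(req.hex(), target, parse_connect_reply(reply))
```

After the success reply the bytes on the same socket are plain IMAP, which is why nothing about pc.work.com reaches imap.isp.net: the IMAP server sees a connection from the router, and the only address in the SOCKS exchange is the destination name the client asked for.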
Best answer: Nthing that ssh tunnels are probably the easier way to do this. (Plus, your employer will have a harder time snooping your IMAP traffic that way.)
To answer your other question, no, IMAP doesn't try to transfer any information about the IP addresses of either end; it'll have no problems being forwarded like that. I've done it a time or two when staying at a hotel with heavily filtered net access and wanting to check on my home email.
posted by hattifattener at 7:52 PM on November 5, 2007
Response by poster: Thanks everyone. I was briefly able to get this working - I used Putty to forward localhost:14300 to imap.isp.net:143, and was then able to access my mail.
Following that I got a little overambitious and spent some time trying to get just generic any-port tunneling working. OpenWRT runs dropbear rather than openssh, and it doesn't seem to support the same agent-forwarding protocol that makes SOCKS proxying work. Googling around I found this message on the OpenWRT boards and proceeded to install the openssh client.
Unfortunately after having done so I'm locked out of my router - I'm guessing that the openssh client is looking in a different directory to find its authorized_keys. Fortunately, paranoiac that I am, I have another instance of sshd running which allows password authentication from inside the firewall, so hopefully I haven't bricked the thing. I'll post back tomorrow with a status update in case anyone is interested. Thanks!
posted by whir at 11:22 AM on November 6, 2007
I found this message on the OpenWRT boards and proceeded to install the openssh client
You're going to need to install the openssh-server. That message had to do with ssh authentication agent forwarding, and while it's useful in that it tells you that OpenWRT uses dropbear for both client and server, it isn't the dropbear client that's lacking the feature you need -- it's the server. You don't run the client on the router unless you're logged into the router and trying to use ssh to log in somewhere else.
posted by toxic at 4:17 PM on November 6, 2007
Response by poster: Ok, everything is groovy now, thanks for your help everyone. Just for the record, here are the steps I took to get stuff working with SOCKS proxying:
1. Installed OpenSSH on the wrt54g.
2. Linked the authorized_keys file on the wrt from /etc/dropbear into /etc/ssh (this contains a key I generated via PuTTYkeygen on my laptop).
3. Set up openssh to disallow password auth access and poked a hole in the firewall from the work.com subnet to router.dyndns.org port 22.
4. Verified I could ssh into the router with my private key.
5. Set up PuTTY to do dynamic forwarding on localhost:666.
6. Modified Thunderbird to use a SOCKS proxy on localhost:666.
The PuTTY equivalent of "openssh -D" is to go to the SSH / Tunnels option screen, use 666 as the "source port," and select the "Dynamic" radio button. My various IMAP and POP accounts are working, I can send mail via SMTP, and if I need to get around the content firewall I can set firefox to use the same port for a proxy. Thanks!
posted by whir at 12:23 PM on November 8, 2007
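Step 3 above (key-only login on a router whose port 22 is now reachable from outside) is the one that decides how exposed the box is, and sshd_config has two habits that trip people up: the first value of a keyword wins, so a stray later line does nothing, and ChallengeResponseAuthentication can still let a password-style login through after PasswordAuthentication is off. Dynamic forwarding also needs AllowTcpForwarding left on. The checker below is an added example, not from the thread or from OpenSSH; the two config texts are constructed samples, and the keyword defaults it assumes (PasswordAuthentication yes, ChallengeResponseAuthentication yes, PubkeyAuthentication yes, AllowTcpForwarding yes) are the stock sshd defaults of that era. It does not evaluate Match blocks; it stops at the first one.

```python
"""Audit an sshd_config for the key-only, forwarding-enabled setup in the post.
Added example; the sample configs are constructed, not from any real router."""
import re

# keyword -> (value this setup needs, sshd default when the keyword is absent)
REQUIRED = {
    "passwordauthentication":          ("no",  "yes"),
    "challengeresponseauthentication": ("no",  "yes"),  # PAM/keyboard-interactive path
    "pubkeyauthentication":            ("yes", "yes"),
    "allowtcpforwarding":              ("yes", "yes"),  # needed for ssh -D / PuTTY Dynamic
}

def parse_sshd_config(text: str) -> dict:
    """Return {lowercased keyword: value} using sshd's first-value-wins rule.
    Comments and blank lines are skipped; 'Key value' and 'Key=value' both parse.
    Parsing stops at the first Match block, whose settings are conditional."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        if len(parts) < 2 or not parts[1].strip():
            continue
        settings.setdefault(key, parts[1].strip())   # later duplicates are ignored
    return settings

def audit_sshd_config(text: str) -> list:
    """List the settings that differ from what the post's setup requires."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, (want, default) in REQUIRED.items():
        have = cfg.get(key, default).lower()
        if have != want:
            source = "set" if key in cfg else "default"
            findings.append(f"{key} is {have} ({source}), want {want}")
    return findings

# Constructed sample: stock-looking config with password login left on.
WEAK_CONFIG = """\
Port 22
PasswordAuthentication yes
ChallengeResponseAuthentication yes
"""

# Constructed sample: key-only; the trailing duplicate line shows first-wins.
HARDENED_CONFIG = """\
Port 22
PubkeyAuthentication yes
AuthorizedKeysFile /etc/ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowTcpForwarding yes
# the line below is ignored by sshd because the keyword already appeared above
PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "ok")
```

Run it against the router's /etc/ssh/sshd_config after step 3; an empty list means password and keyboard-interactive logins are off and the dynamic forward will still be permitted. The AuthorizedKeysFile line in the hardened sample mirrors step 2, where the dropbear key file was linked into /etc/ssh, since OpenSSH otherwise looks under the user's home directory.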
posted by mikeh at 12:08 PM on November 5, 2007