Subject: Re: ssh - are you nuts?!?
To: Warner Losh <>
From: Michael Richardson <>
List: tech-security
Date: 12/19/2000 20:34:02
>>>>> "Warner" == Warner Losh <> writes:
    Warner> It allows you to have a secure connection between two endpoints on the
    Warner> internet that might not otherwise be able to connect.  I use it to
    Warner> grab my pop mail from a heavily firewalled server when I'm on the
    Warner> road.  Just crank up my ssh session to the main machine (with a tunnel
    Warner> from port 119 on the local machine to port 119 on, then
    Warner> tell my pop client to go to localhost instead of  ssh can
    Warner> be configured to disallow connections to that port from outside of my
    Warner> machine, so I have a high degree of confidence that no one else is
    Warner> using that connection if I'm the only one on the machine.

  I have patches to inc (in process of going into nmh) and spopd (alas, no
longer in nmh) which causes inc to do:

       popen("ssh mailhost spopd -stdin") 

  and then does "RPOP" over SSH. Actually, the RPOP phase is just to avoid
messing up the entire protocol. I've been using this for years. Yes, doesn't
work when you can't SSH into the mailhost, and thus doesn't scale well, but
works great in small groups.

  Due to spam/rbl/anti-relaying, I was sending smtp via localhost:4025 to my
mailhost via SSH tunnelling. I now am using STARTTLS. I will be writing a
"howto" for NetBSD on setting this up. Only thing missing is that our
sendmail is not built against openssl by default, but I hope we will fix that 
for 1.5.1. 

] Train travel features AC outlets with no take-off restrictions|gigabit is no[
]   Michael Richardson, Solidum Systems   Oh where, oh where has|problem  with[
]   the little fishy gone?|PAX.port 1100[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [