Let's talk about secure mail and how to enable it on Mac OS X.
You must be logged in to the O'Reilly Network to post a talkback.

Showing messages 1 through 33 of 33.

• Mail server SSH compatible?
  2004-08-07 03:24:18  zzen [Reply | View]
  
  
  I never really understood the hype around SSH tunnels. What are they actually good for? Pardon me if I get this wrong - but to enable the SSH tunnel, you need a SSH account (or better said a shell account) on the $mailserver, don't you?
  
  a) virtually none of the public mail server accounts come with SSH access. No administrator wants the headache of thousands of users freely roaming in shell on his server.
  
  b) if you have SSH access to your server, you can usually read the mail locally (using pine, elm, mutt etc.), albeit not in GUI.
  
  Somebody please correct me if I'm wrong.

• problem getting perl script to run
  2004-06-01 10:50:55  girlchick [Reply | View]
  
  
  I set up the SSH tunnel just fine, but when I tried to set up the perl script, everything went wrong. Basically, I can't get the script to run. AppleScript Menu is installed and all, but when I click on the script, it just launches the editor with the script text inside it, not the script itself. Help!
  
• problem getting perl script to run
  2004-06-05 20:32:39  johnkonrad [Reply | View]
  
  
  I still can't get it to work either but I did figure out that you need to do the following:
  1) It must go in the AppleScript Menu directory (/Library/Scripts/securemail.txt)
  
  2) You must launch it from the menu bar (don't click on it from the folder or your mac won't know it's a perl script)
  
  3) Read this article if you are having permission problems ( http://www.macdevcenter.com/pub/a/mac/2003/11/07/scripting_osx.html )
  
  I hope this helps.

• a little addendum
  2004-05-11 05:46:10  chanezon1 [Reply | View]
  
  
  Thanks for this excellent article.
  It did not work for me initially and after 2 hours of debugging I finally found out why.
  The problem was on the server side, red Hat 9.
  I bumped into the problem described in the Openssh FAQ
  3.14 - I copied my public key to authorized_keys but public-key authentication still doesn't work.
  

  Following the FAQ remedy solved the problem. I hope this will avoid trouble for others ;-)

  
  

  
  Typically this is caused by the file permissions on $HOME, $HOME/.ssh or $HOME/.ssh/authorized_keys being more permissive than sshd allows by default.
  
  In this case, it can be solved by executing the following on the server.
  
  $ chmod go-w $HOME $HOME/.ssh
  $ chmod 600 $HOME/.ssh/authorized_keys
  
  If this is not possible for some reason, an alternative is to set StrictModes no in sshd_config, however this is not recommended.
  

  
  

• Outgoing Mail problems in Mail -
  2004-01-16 20:06:21  anonymous2 [Reply | View]
  
  
  I am so not new to Mac, and I am soooooo not close to being a techie. I am also losing hair. I ended up here through a desperate google search. Neither my husband nor I can make any secondary mail accounts work in Mail for 10.2.whatever. No outgoing will go. Now, we can't get the dang thing to check all the accounts for incoming. SECURE mail reading? How about NORMAL mail? Does anybody know how to make this really frustrating client work??????
• Outgoing Mail problems in Mail -
  2004-04-20 21:00:04  kernelkonfusion [Reply | View]
  
  
  I have 4 mail accounts configured and they all work fine. I had 6 at one point so there is no question that Mail works fine. It is somewhat finicky about multiple accounts using the same userid at the same outgoing server. What combinations of userid and outgoing server do you have? And what is the error you get?

• one other small nit
  2003-03-29 15:47:08  louabill [Reply | View]
  
  
  To check that the ssh tunnel is working correctly after altering the public key, be sure to use the name of the key file for the identity. If the key was made in the file tunnel (as in the tutorial), then the check would be run with
  ssh -i tunnel user@remotehost.org
  
  ? Bill

• Tunnel Drop
  2002-11-01 20:18:59  cochella [Reply | View]
  
  
  I have using a very similar setup to that in this article such that there are no fundamental differences.
  
  I establish an SSH local tunnel (port forwarding) to a POP server (port 110).
  
  I can watch the clear text in a tcpflow window for port 110 and watch the concurrent session in another tcpflow window for port 22.
  
  The strangeness occurs when over time the tunnel or the connection is dropped for some reason--network interruption, whatever.
  
  Thus, the tunnel is now gone. But, I still get mail. I simulated this by dropping the tunnel myself and watching the tcpflow windows. Lo and behold there was nothing going on in the port 22 window meaning that my whole session was in the clear. Thus, when the tunnel drops and I am unaware of it the session reverts to being in the clear.
  
  Is there any way around this? Would KeepAlive on the client work?
  
  Is there a way to shutdown this unencrypted access when the tunnel drops?
  
  Thanks,
  chris

• POP/SSL times out
  2002-09-22 01:42:42  anonymous2 [Reply | View]
  
  
  Hi-
  
  I run a secure mail server and have succesfully configured Outlook Express running on a Win32 box to connect to it and retrieve mail securely.
  
  I recently bought an iBook and so far have been unable to retrieve mail using POP over SSL. I enabled the SSL option and set the port to the port I use (non-standard).
  
  Using tcpdump, i can see the connection attempt succeed, but after the three-way tcp handshake, the Mail client never sends any more data, and eventually times out.
  
  I am wondering if anyone else has had this problem and might be able to recommend a solution? I am running the most recent update of Jaguar (10.2.x).
  
  Thanks,
  Clay
  

• SMTP authentication
  2002-05-31 11:03:47  snax [Reply | View]
  
  
  You say:
  
  > (If your mail host insists on using SMTP
  > authentication, well, that's a good excuse for
  > you to set up Sendmail locally, isn't it?)
  
  That's a bit harsh, don't you think?
  
  We use a common server for our business and
  our users travel, using various ISPs and so
  forth. In order for our outgoing mail to
  appear consistent we have a central mail
  server (SMTP host). In order for our host
  to avoid being used as a spam generator, we
  require user authentication. This is *not*
  a security risk since the SMTP RFC allows for TSL
  (SSL) and our (*gasp*) Microsoft email clients
  will allow for SSL connections when sending
  mail. I've sniffed these transactions and
  they are indeed secure.
  
  What I would like to see is Mail.app support
  SSL connections for sending, too, so that
  I don't have to resort to SSL tunneling as I
  do now. I am pleased that I don't have to
  tunnel both parts of my communications with
  my mail server (with the introduction of SPOP
  as you mention above).
  
  I am relatively new to the Mac; is there a
  recognized process for requesting new features?
  
  Thanks for a good article.

• SSH syntax
  2002-04-02 01:26:30  cp21yos [Reply | View]
  
  
  The easiest syntax I have found to work on OS X for SSH is of the form "ssh name@host.com" that way you don't need to worry about flags etc...
  Of course I'm lazy so I have the same user on most machines.

• Apple NOT great on encryption
  2002-03-24 16:02:29  foobar124 [Reply | View]
  
  
• Apple NOT great on encryption
  2002-03-24 16:10:48  foobar124 [Reply | View]
  
  
  imaps has been around for a LONG time in most mail clients. The fact that they've caught up to the state of the art from 3 years ago is no cause for joy.
  
  Plus, mail-savvy users will know that authentication can take place on *sending* mail, not just *receiving* mailboxes. The mail app doesn't support encrypted SMTP, either on the traditional port 465, or using the STARTTLS command. This feature is present in ALL real mail clients out there today except Mail.app. It is foolish to assure users that their passwords are safe this may not be the case.
  
  On a broader note, I have to emphatically disagree with the statement that apple is warm to encryption technologies. If apple were serious about encryption, as the author suggests, then they would be supporting transport level encryption options like IPsec, a standard part of the IPv6 networking stack which is conspicuously absent from MacOS X. IPsec supports host-to-host and gateway-to-gateway encryption (VPNs), which many favour as the long-term solution for encryption on the net.
  
  For heaven's sakes, you can't even mount a webdav fileserver using https on this operating system.
  
  While I'm enjoying having NEXTSTEP back, I for one won't be doing any encryption dances until IPsec is standard in the operating system.
  
  Colin Henein
• Apple NOT great on encryption
  2003-06-11 11:17:38  anonymous2 [Reply | View]
  
  
  OSX has support for IPSec, it just doesn't yet have a GUI to configure it. There are however third party apps that allow you to take advantage of the built-in IPSec.
  Further OSX has PPTP client support, for those with MS centric infrastructure....
• Apple NOT great on encryption
  2002-04-20 16:17:11  dasper [Reply | View]
  
  
  I just talked to support staff at worldnet.att.net after trying to turn SSL on for my account there. They informed me that mail.app support is not fully implemented, agreeing with the previous message.

• Using ssh keys without empty passphrase
  2002-03-23 08:10:22  steveloranz [Reply | View]
  
  
  You don't have to create ssh keys with empty passphrases. Download SSHPassKey.app from CodeFab and it will store your passphrase in your KeyChain. If you unlock your keychain when you log in, it's just as convenient as an empty password, but more secure.
  
  -steve

• Using ssh keys without empty passphrase
  2002-03-23 08:07:36  steveloranz [Reply | View]
  
  

• APOP Authentication
  2002-03-22 07:12:07  mrprofessor [Reply | View]
  
  
  Among the secure authentication methods supported by Mail.app, the article failed to mention the widely deployed combination of POP3 with APOP authentication.
  
  Unlike some other clients, there is no special setting for enabling APOP authentication. If you are using POP3, Mail.app tried APOP first and only falls back to cleartext passwords your server does not support APOP.
  
  JD
• APOP Authentication
  2002-03-22 09:48:02  frankie1969 [Reply | View]
  
  
  Of course, APOP only encrypts the initial connection. Message contents (and headers I think) are sent in the clear.

• mail.mac.com does not support SSL
  2002-03-21 12:59:12  markds [Reply | View]
  
  
  I think this is important to mention for those useing mail.app with a mac.com account and relying on SSL. I received a reply to an email message on this topic from Paul Marcos of the mail.app development team at Apple. Although mail.app supports SSL over POP3 and IMAP4, the mail.mac.com servers do not support SSL at this time. Mail.app is in fact falling back to a non-SSL connection but failing to inform the user.
• mail.mac.com does not support SSL
  2002-03-21 18:02:44  Jason McIntosh | [Reply | View]
  
  
  Hmm. After reading your note I tried another test mailfetch from my (otherwise unused) mac.com mail account, and observed that, after connecting, the "Use SSL" checkbox stays checked, but the port number goes back to 143, the ordinary IMAP4 default. It's unclear exactly what's going on, here.
  
  It does seems rather cheeky of them, doesn't it... OTOH, if you use iTools account for anything else, your password for it probably gets sent in the raw for these other activities.
  
  Thanks for the note.
• mail.mac.com does not support SSL
  2003-05-16 04:19:58  anonymous2 [Reply | View]
  
  
  There's a possibility that it uses TLS which (simplified) means that they use SSL on port 143.
  
  You could check using tcpdump (or ethereal) in order to see whether the communication is encrypted.
• mail.mac.com does not support SSL
  2003-05-16 04:24:24  anonymous2 [Reply | View]
  
  
  (replying to my own anonymous post)
  
  mail.mac.com supports TLS on their imap-port:
  
  * CAPABILITY STARTTLS IMAP4 IMAP4rev1 LITERAL+ AUTH=LOGIN AUTH=PLAIN AUTH=EXTERNAL STARTTLS
  
  

• pops / imaps: bad port number
  2002-03-21 02:30:06  ingvarn [Reply | View]
  
  
  pops and imaps are not defined as services on my machine (10.1.3), so I had to use the port numbers rather than the service names in the telnet commands.
  
  Does anyone else have these services (if you look in NetInfo Manager)?
• pops / imaps: bad port number
  2002-03-21 06:01:04  pmccann [Reply | View]
  
  
  Nope: nothing doing in netinfo for imaps or pops in Netinfo Manager. It's a very strange (and *small*) list in there! You could probably just load the flat file /etc/services into net info using niload if it'll make life easier.
  
  That is, something like:
  
  % niload services . < /etc/services
  
  should cure that ailment.
  
  Cheers,
  Paul
• pops / imaps: bad port number
  2002-03-21 06:03:08  pmccann [Reply | View]
  
  
  Pardon the pollution: you will of course have to authenticate yourself before running such a command. Just preface it with "sudo" in case that wasn't obvious...

• am i missing something?
  2002-03-20 16:37:07  gurujee [Reply | View]
  
  
  When i go into my prefrences and click on to edit account i don't get the option of ssl. i'm running 10.1.3. am i missing something
  
  shahid
• am i missing something?
  2002-03-21 17:32:53  Jason McIntosh | [Reply | View]
  
  
  You might not be exploring deeply enough. After getting to the account-editing box (or the account-creation one), you have to click the 'Account Options' tab. This brings you to the dialog with the 'Use SSL' checkbox, next to the server's port number.

• Unsuccessful attempt
  2002-03-20 14:09:46  markjamesn [Reply | View]
  
  
  In trying your suggestions for clicking SSL in Mail--the port numbers did change, but I was then unable to retrieve any mail at all.
  
  This is a dial up connection via Earthlink.
  Two Earthlink emails and one Mac.com one.
  
  Mail works fine when I unclick the SSL options for each account.
  
  Wonder what went wrong?
  
  Mark
• Unsuccessful attempt
  2002-03-21 18:08:33  Jason McIntosh | [Reply | View]
  
  
  It might depend on whether these servers support connections over SSL. The error messages you got may have some clues for you?
  
  I had thought mac.com supported SSL it when I wrote the article, as Mail.app certainly implies that it does. However, this post calls it into question. It's kind of strange.

• Grooming the nits
  2002-03-20 05:02:08  pmccann [Reply | View]
  
  
  Thanks for the article: I hope people appreciate the forest through all those trees!
  
  Just a bit of preening for page 2:
  
  % ssh my-mailhost.net
  
  will of course only be successful (after entering your password) if your local and remote (ie mail host) usernames are the same: if that's not the case then
  
  % ssh -l username my-mailhost.net
  
  may well work (where username is the *remote* username). The perl script will also require this "-l username" to be inserted into the appropriate place in the line that begins "my $ssh_cmd".
  
  [Re: SSH] "they might be running it on a different port than the default one (port 23) for some reason."
  
  That should be "(port 22)".
  
  Cheers,
  Paul
• Grooming the nits
  2002-04-01 21:37:56  colinmadere [Reply | View]
  
  
  This works and looks a bit more familiar to most folks:
  
  % ssh bob@mailhost.net
  
  
• Grooming the nits
  2002-03-21 17:47:56  Jason McIntosh | [Reply | View]
  
  
  Thanks for the clarifications. (And oops about the port number... I'll see if I can't have that bit of the column decremented appropriately.)