Suppose you need to send/receive your GMail using POP3 and Microsoft Outlook. Easy. Suppose you're behind a firewall that permits only HTTP and HTTPS. Harder, but still possible if you have a server that you control that is outside the firewall.

I'll start by defining some terms:

  • Client - the computer where you run Outlook.
  • Middleman - the server that you control that is outside the firewall.
  • GMail - (needs no definition).

You'll need ssh and proxytunnel on the client. Install Cygwin and use its ssh. You may have to hunt for proxytunnel. You'll need stunnel on the middleman. The client has to be running an edition of Windows. The middleman can run Windows, Linux or another UNIX variant.

At a high level, you'll use proxytunnel to open a tunnel through the proxy, you'll use ssh to redirect client ports to ports on the middleman, and you'll use stunnel on the middleman to make the SSL connection to GMail. The amazing thing is that it actually works.

On the Client:

Insert the following lines into ~/.ssh/config:

Host middleman.example.com
    ProxyCommand proxytunnel -p proxy.example.com:8080 -d middleman.example.com:22

This tells ssh that whenever you enter "ssh middleman.example.com" it should ask proxytunnel to connect through the HTTPS proxy on port 8080 on proxy.example.com to port 22 on middleman.example.com. (The Host name must match the name you give on the ssh command line, otherwise the ProxyCommand is never used.) This example assumes that you've set up sshd on port 22 on middleman.example.com. If your proxy/firewall won't connect to anything but ports 80 and 443, you may need to run sshd on one of those ports and change the port in the -d option (and the -p option in the script below) to match.

In case you're wondering, whenever your web browser connects to a web site using https via a proxy, it sends the proxy a request such as "CONNECT www.example.com:443 HTTP/1.1". The proxy opens a TCP connection to www.example.com, answers with a 200 status line, and from then on relays bytes in both directions without looking at them, so your web browser tunnels its traffic through the proxy. The only difference with ssh+proxytunnel is that proxytunnel does the CONNECT and ssh tunnels its traffic through the proxy.
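As an added illustration of the CONNECT exchange just described (example code written for this page, not proxytunnel's or ssh's own), here is the handshake in Python, including the replies a proxy gives when it refuses the tunnel. The proxy and middleman names are assumptions taken from the article's placeholders.

```python
import re
import socket

# Added example (not proxytunnel's or ssh's own code): the HTTP CONNECT
# handshake proxytunnel performs so that ssh reaches sshd on the middleman
# through an HTTPS proxy. Host names and ports are the article's placeholders.

def build_connect_request(dest_host: str, dest_port: int) -> bytes:
    """Ask the proxy for a raw TCP tunnel to dest_host:dest_port."""
    return (f"CONNECT {dest_host}:{dest_port} HTTP/1.1\r\n"
            f"Host: {dest_host}:{dest_port}\r\n\r\n").encode("ascii")

def parse_connect_response(raw: bytes):
    """Return (status code, reason, leftover bytes) from the proxy's reply.
    Bytes after the blank line are not HTTP any more: on success they are
    already the tunnelled stream (usually sshd's "SSH-2.0-..." banner), on
    failure they are the proxy's error page."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    m = re.match(r"HTTP/1\.[01] (\d{3}) ?(.*)", status_line)
    if not m:
        raise ValueError(f"malformed status line: {status_line!r}")
    return int(m.group(1)), m.group(2), rest

def tunnel_ok(raw: bytes) -> bool:
    """Only a 2xx reply means the proxy opened the connection. A proxy that
    allows CONNECT only to port 443 typically answers 403 for port 22, and
    407 means it wants credentials; either way ssh never sees sshd."""
    code, _, _ = parse_connect_response(raw)
    return 200 <= code < 300

def open_tunnel(proxy: str, proxy_port: int, dest: str, dest_port: int):
    """Run the handshake over a real socket; returns (socket, leftover)."""
    sock = socket.create_connection((proxy, proxy_port), timeout=10)
    sock.sendall(build_connect_request(dest, dest_port))
    buf = b""
    while b"\r\n\r\n" not in buf:          # read up to the end of the headers
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-CONNECT")
        buf += chunk
    code, reason, rest = parse_connect_response(buf)
    if not tunnel_ok(buf):
        sock.close()
        raise ConnectionError(f"proxy refused CONNECT: {code} {reason}")
    return sock, rest  # sock now carries raw TCP to dest:dest_port
```

Calling open_tunnel("proxy.example.com", 8080, "middleman.example.com", 22) does what the ProxyCommand above does, except that proxytunnel then hands the socket to ssh as its stdin/stdout.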

Create a shell script that resembles:

#!/bin/bash
# -C compresses the stream; each -L forwards a local port to a port on middleman
ssh -C \
    -L 25:middleman.example.com:1025 \
    -L 110:middleman.example.com:995 \
    -p 22 your-user-id@middleman.example.com
# ssh occasionally exits without restoring the terminal; put it back
stty sane
stty erase ^?

This tells ssh to forward client port 25 to middleman port 1025, and to forward client port 110 to middleman port 995. By default ssh binds these forwarded ports on 127.0.0.1 only, so nothing else on your network can reach them. The "-C" tells ssh to compress the data stream. "-p 22" tells ssh to connect to sshd on port 22 on middleman; you'll need to change this if you've moved sshd to another port.

I added the stty lines after ssh completes, because every once in a while ssh will quit without putting /dev/tty back to normal mode.

Configure Outlook to use SMTP on port 25 on 127.0.0.1 without SSL, and to use POP3 on port 110 on 127.0.0.1 without SSL.

We have to handle the SSL on middleman instead of on the client, because GMail's SMTP won't accept SSL from the client when the TCP connection comes from middleman.

If you've not already done so, you may want to set up ssh to use public/private keys to connect to middleman without prompting for a password (not covered in this article).

On middleman:

Here's how to set up stunnel on middleman, assuming you're running Red Hat or CentOS. If you're running Windows, you'll have to read the stunnel doc.

Create /etc/init.d/ssmtp (or call it stunnel if you prefer) containing:

#!/bin/bash
# Init script for the stunnel instance that fronts GMail for the ssh tunnel.
. /etc/rc.d/init.d/functions
RETVAL=0
prog="ssmtp"

start()
{
    echo -n $"Starting $prog: "
    # With no arguments stunnel reads /etc/stunnel/stunnel.conf
    /usr/sbin/stunnel && success || failure
    RETVAL=$?
    echo
}

stop()
{
    echo -n $"Stopping $prog: "
    killproc stunnel -TERM
    RETVAL=$?
    echo
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart}"
        RETVAL=1
esac
exit $RETVAL

Then, in /etc/rc.d/rc3.d (and also in rc5.d, if your server boots into X), create a symlink so that stunnel starts at boot:

ln -s ../init.d/ssmtp S99ssmtp

Edit (or create) /etc/stunnel/stunnel.conf to contain:

socket = l:TCP_NODELAY=1
socket = r:TCP_NODELAY=1
client = yes
foreground = no
[ssmtp]
accept = 1025
connect = smtp.gmail.com:465

[spop3]
accept = 995
connect = pop.gmail.com:995

This tells stunnel to accept plain old SMTP on port 1025 on middleman and carry it over SSL to smtp.gmail.com on port 465, and likewise to accept plain POP3 on port 995 and carry it over SSL to pop.gmail.com; "client = yes" is what makes stunnel act as the SSL client rather than an SSL server. Note that "accept = 1025" with no address listens on every interface of middleman, which is why the next step restricts who may connect.

Since you don't want to provide SMTP access to the entire planet (it will get you listed as an open relay -- very bad), add the following lines to /etc/hosts.deny:

ssmtp: ALL
spop3: ALL

and add the following lines to /etc/hosts.allow:

ssmtp: localhost middleman.example.com
spop3: localhost middleman.example.com

(You might prefer to use middleman's IP address instead of its DNS name.)

Then start stunnel with:

sudo service ssmtp start

Finally:

To actually send/receive email:

  1. Run your ssh-starting shell script
  2. Click Send/Receive in Outlook

Note that if you use Thunderbird, you could do things this way, but I recommend that you set up ssh to create a SOCKS proxy (e.g. "ssh -D 8888") and tell Thunderbird to proxy its traffic via SOCKS. Then you can dispense with stunnel.