Stealth E-Mail to the Rescue

How to use stealth e-mail with dynamic DNS and a Treo 650 smart phone.

Since the early days of e-mail, maintaining my own e-mail server was a sort of indication of being in charge and staying technically fit. The technology involved in a project like this usually includes components that can be reused elsewhere and forces one to stay abreast of commonly used communications media.

In the beginning, it was a simple task of connecting a modem, finding a community UUCP server, configuring modem dial-up, uucico and Sendmail. This was sort of the Model T of e-mail. And, it usually included configuration of a Usenet feed with C-News to collect the UUCP addresses of all computers on the relatively small Internet at that time.

With the advent of the real Internet, the scenario is becoming more complex. You have to overcome a number of obstacles created by people trying to break in to your server, snoop the transmission of e-mail packets on the wire and deal with those who want to send you tons of unwanted e-mail. As if this were not enough, workplaces have become so secure that it is sometimes impossible to access your personal e-mail server over the Internet from work during the day.

I used to maintain a Linux server with a static IP on a DSL line running DNS, a firewall (netfilter) with my MTA of choice (Postfix) and the addition of SpamAssassin for spam filtering. I read e-mail on my laptop using IMAP with Netscape Communicator. I use Communicator filters to sort all my incoming mail into various IMAP folders.

This simplistic architecture became history this summer after moving out of the San Francisco Bay Area to Denver, Colorado. The luxury of a static-IP DSL vendor disappeared, and a Nazi-style ISP with a monopoly in the area became a reality. Static IP is not available here (at least for me), and the ISP uses aggressive filtering of the commonly used IP ports. My new workplace is so secure that I had forgotten about carrying my laptop with me or using my work Internet connection to get to my e-mail server. All this is understandable, as ISPs protect themselves from spammers and employers need better security. But, I still want to read my e-mail during the day.

I took it as a personal challenge to overcome these obstacles. The direction I went was to use the smart phone Treo 650 as a personal e-mail reader to bypass the workplace security. I configured my home e-mail server to use new stealth-mode ISPs that allow for dynamic DNS and mail relays to ports of choice.

Here is a summary of the configuration components that I cover in step-by-step configuration details below:

  • The e-mail server is running stable Gentoo Linux connected to the Internet via VDSL (very high-speed DSL from Qwest), using a DHCP-assigned dynamic IP address. My DNS domain registrar is No-IP.com. This registrar uses a custom dynamic DNS setup that detects IP address changes on my side. This is done by running a custom client program on my server: the noip2 client connects to the No-IP.com registrar DNS server and updates my DNS records as often as once a minute. This is called Plus Managed DNS.

  • Because my ISP blocks incoming IP port 25, I use the Mail Reflector No-IP.com service that sets an MX record for my domain to its own server and delivers the mail to a custom port on my server.

  • My ISP also lists my DHCP addresses with the Internet spam blacklists, so any attempt to deliver e-mail directly from my server is doomed to failure. To overcome this, I use the No-IP.com service called Alternate-Port SMTP, which acts as an outgoing mail relay. I punt all mail to a No-IP.com server using SSL authentication and also a custom port in case my ISP blocks outgoing SMTP.

  • My MTA is Postfix, which is quite handy for the stealth configuration with alternate incoming and outgoing ports.

  • I use SpamAssassin to filter spam. It is easy to configure and works very well. In brief, its function is limited to processing mail messages and attaching a custom mail header field, X-Spam-Level, that rates each message as a spam candidate. The level of spam likelihood is measured by the number of asterisks this field contains. A single * is usually a good indication of spam.

  • I could not count on storing e-mail on my smart phone and filtering it there. The phone couldn't handle that much e-mail. So I replaced the client-side Netscape Communicator filter function (to sort incoming mail into IMAP folders) with Procmail. I created a .procmailrc file implementing all spam and mailing-list rules to file messages in the folder hierarchy on the server. This proved to be quite useful and opened the access to my archived e-mail from any location.

  • The IMAP server was quite a problem for me. I prefer traditional mailboxes where multiple messages are stored in a single file per folder. Most modern IMAP servers, like Courier or Cyrus, use modern maildir or MH formats, which store each message in its own file. This consumes an insane amount of i-nodes. Unfortunately, the only open-source IMAP server I could find that uses traditional folders is the uw-imap. (CommuniGate Pro uses single files, but it's a commercial server.) The uw-imap server has a number of drawbacks, especially when it comes to SSL-protocol implementation. My tests of uw-imap with the SSL IMAP client that I had in mind for this project (PalmOS VersaMail) showed failed connections or flat failures to connect. To get what I want—the single file mail folders and working SSL—I split the function of IMAP and SSL over two separate servers: stunnel and uw-imap. Stunnel proved to be quite sophisticated in the SSL configuration and level of logging and diagnostic messages.

  • The client side of my e-mail configuration originally included stock PalmOS VersaMail shipped with the Treo 650 and part of a Sprint plan. The key factor in this decision was availability of unlimited use of Internet connectivity for a flat $15 US per month fee. The VersaMail IMAP support is quite good, and integration with the Blazer Web browser made the sale for me. Unfortunately, more intense use of VersaMail uncovered problems with its operation. The whole setup depends on reliable polling of the mail server for new mail, and VersaMail has a bug that impacts scheduling of the polling, which makes it rather ineffective. I ended up using the SnapperMail mail client for PalmOS, which is a good example of how nine guys in New Zealand can outrun a big corporation like Palm Software. SnapperMail is one of the best PalmOS applications I have used so far.

There are quite a number of moving parts here, and a diagram is in order (Figure 1).

Figure 1. The Layout of the Complete E-Mail Solution

As you can see from Figure 1, there are three main areas of configuration: Linux server, No-IP.com services and the Treo 650 mail client.
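The SpamAssassin and Procmail items above describe server-side filing driven by message headers. The following Python code is an added example, not the author's .procmailrc or anything from the article: it reads the X-Spam-Level asterisk run and appends each message to a single-file mbox folder. The sample messages, the folder names and the `threshold` parameter are assumptions.

```python
import email
import mailbox
import re
import tempfile
from pathlib import Path

# Constructed sample messages (not taken from the article).
SAMPLES = [
    "From: alice@example.org\nSubject: lunch\nX-Spam-Level: \n\nNoon?\n",
    "From: promo@example.com\nSubject: WIN\nX-Spam-Level: *******\n\nClick\n",
    "From: bob@example.org\nList-Id: Example list <announce.lists.example.org>\n"
    "Subject: release\n\nNotes\n",
    "From: eve@example.com\nList-Id: <../../tmp/x>\nSubject: odd\n\nBody\n",
]

def spam_level(msg):
    """Length of the asterisk run in X-Spam-Level; 0 if the header is absent."""
    best = 0
    for value in msg.get_all("X-Spam-Level", []):
        value = value.strip()
        best = max(best, len(value) - len(value.lstrip("*")))
    return best

def choose_folder(msg, threshold=1):
    """Pick a folder name. threshold=1 follows the article's single-asterisk
    rule; it is a tuning choice (SpamAssassin's default required score is 5)."""
    if spam_level(msg) >= threshold:
        return "spam"
    list_id = msg.get("List-Id")
    if list_id:
        name = list_id.strip().rsplit("<", 1)[-1].rstrip(">")
        # The header is sender-controlled: never use it as a path unfiltered.
        safe = re.sub(r"[^A-Za-z0-9-]+", "_", name).strip("_") or "unknown"
        return "list-" + safe
    return "inbox"

def deliver(raw_messages, root, threshold=1):
    """Append each message to one mbox file per folder under root."""
    counts = {}
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        folder = choose_folder(msg, threshold)
        box = mailbox.mbox(str(Path(root) / folder))
        box.lock()
        try:
            box.add(msg)
        finally:
            box.close()  # flushes, unlocks and closes the file
        counts[folder] = counts.get(folder, 0) + 1
    return counts

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(deliver(SAMPLES, tmp))
```

Because the folder name is derived from a header the sender controls, the example reduces it to a flat, filtered file name before touching the filesystem.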

______________________

Comments

IMAP Server

slot0k

You may want to take a look at dovecot instead of UW-imap.

http://www.dovecot.org

Re: IMAP Server

pzi123

Looking at the http://www.dovecot.org/...

Looks like quality software. Thanks for the info.

-Peter

--
Peter Ziobrzynski mailto:pzi@pzi.net

Other ways too

andrewheald

Thanks for some great Treo 650 information. I've just recently acquired one and will be getting it hooked up with Linux soon.

I thought I'd also put in a mention for the excellent combination of Apache, OpenSSL and SquirrelMail. I've worked behind some very security conscious firewall/proxy combos recently. These have always so far at least allowed access to my home webmail directly from the office PC's browser. Owning a domain name and having a fixed IP address also helps with this I'm sure.

Andrew.