Secure Email using SSH
Believe it or not, unless the connection is protected, your IMAP password (and everything in your mailbox) is sent over the Internet in cleartext, readable by anyone on the path between you and the server!  This document describes how to set up an ssh tunnel so that your IMAP session travels encrypted from your machine to the mail server, out of reach of prying eyes.

All users of email accounts on sites hosted by LXVI's systems are required to use this method to safeguard their IMAP session, not only for their own privacy but also to preserve the integrity of the systems' security: a password captured in transit hands hackers or spammers a ready-made login to our resources.  Follow these simple steps, and you will be safe and secure in no time!  These instructions are tailored for users of LXVI systems and assume the email client is Outlook Express; other clients have similar functionality, so check their Help menus for topics such as configuration, options, preferences, or settings.

The instructions are organized into three sections.  In the SETUP section, we cover obtaining ssh, creating a profile in ssh, and creating a mail account in Outlook Express (OE).  In the USE section, we cover establishing the ssh tunnel and connecting to your mail server. In the MULTIPLE TUNNELS section, we cover the extra steps involved in setting up multiple simultaneous ssh connections.
Obtaining ssh
If you do not already have ssh, you can obtain it from SSH Communications Security.  There are other ssh clients available from various other organizations.  It comes already installed on Mac OS X and Linux, as the command-line OpenSSH client, where the profile settings below are given as command-line options instead of filled into dialogs.  Once it is installed on your system, you can configure a profile for use with your email client.
Creating a profile in ssh
Start up ssh
Click the Profiles button on the toolbar
Click Add Profile...
Type a name for the profile, such as username@domain, into the text box.  Profile names cannot contain a period, so leave off the .com or whatever TLD your domain is under.
Click the Add to Profiles button

Click the Profiles button again
Click Edit Profiles...
If necessary, select the username@domain profile from the list on the left and the Connection tab at the top
Change the fields as follows:
Host name: domain.tld
User name: username@domain.tld
Port number: 22
Encryption algorithm: <Default>
MAC algorithm: <Default>
Compression: zlib
Terminal answerback: vt100
[  ] Connect through firewall
[x] Request tunnels only (disable terminal) -- unless you will be using the shell as well.
Click OK -- you will lose your changes if you merely switch to the Tunneling tab!!! (maybe if enough of us complain to ssh.com they will fix this)

Click the Profiles button yet again
Click Edit Profiles...
If necessary, select the username@domain profile
Select the Tunneling tab at the top and then the Outgoing tab in the middle of the panel. Note: even though OE refers to "incoming" mail, the tunnel you use to talk to the server is outgoing from your machine's point of view.
Click the Add... button a little further down from the middle
Fill out the dialog as follows:
Display Name: SMTP
Type: TCP
Listen Port: 25 (note: if you need to run more than one ssh tunnel at a time, each tunnel needs to listen at a different port.  Refer to the Multiple Tunnels section)
[x] Allow Local Connections Only (keep this checked: it binds the listening port to your own machine only, so other hosts on your network cannot ride your tunnel with your credentials)
Destination Host: localhost (localhost here is from the ssh server's point of view: the tunnel ends on the mail server itself, so mail traffic is in the clear only inside that machine)
Destination Port: 25 (this never changes)
Click OK
Click the Add... button again
Fill out the dialog a little differently this time:
Display Name: IMAP
Type: TCP
Listen Port: 143 (note: multiple tunnels apply here too)
[x] Allow Local Connections Only (keep this checked, for the same reason as above)
Destination Host: localhost (again, the mail server as seen from the ssh server)
Destination Port: 143 (this never changes)
Click OK
Click OK again
Congratulations, your ssh profile is ready to use!
Creating a mail account in OE
Launch OE
Click the Tools menu
Select Accounts...
Click the Add> popup
Select Mail...
If desired, edit the Display name: field and click Next>
Edit the E-mail address: field to read username@domain.tld and click Next>
Select IMAP from the popup
Enter localhost into both text boxes (Incoming mail server and Outgoing mail server: both point at your own machine, where the ssh tunnel is listening), and click Next>
Enter username@domain.tld into the Account name: field
For maximum security, do not enter your password; uncheck the Remember password box
Leave Log on using Secure Password Authentication (SPA) unchecked, and click Next>
Click Finish
Click Close
Do not download your folders yet -- click No on the dialog.
Right-click the localhost item in the Folders pane
Click Properties
Select the General tab
Change Mail Account from localhost to something like username@domain.tld_ssh (note: if you need to run more than one ssh tunnel at the same time, the port settings on the Advanced tab also need to be changed.  See the Multiple Tunnels section.)
Click OK
Congratulations, your mail account is ready to use!
Establishing the ssh tunnel
If ssh is not running, start it.
Click the Profiles button
Select username@domain
The first time you use the profile, you will get a dialog about the server's RSA host key.  Compare the fingerprint it shows with the one published by the Site Administrator before you click Yes: an ssh tunnel only protects you if it really ends at our server, and accepting an unverified key would let an impostor in the middle read your password.  Once accepted, the key is remembered, and you should be suspicious if the dialog ever reappears for the same host.
The status line at the very bottom of the window will say Connecting to domain.tld...
Enter your password in the dialog
If login succeeds, the status line will say Connected to domain.tld - Terminal disabled. You may minimize the window, or you may click on the folder-with-blue-dots button to manage the files and/or web pages on your account.
If login fails, you will get the password dialog again
If login fails three times, you get a warning dialog; click OK and press Enter if you want to keep trying. After n failures in a row, the account will be disabled, and you will have to contact the Site Administrator.
Connecting to your mail server
If OE is not running, start it.
If necessary, click on the Inbox under the username@domain.tld_ssh item in the Folders pane.
Enter your password. For maximum security leave Remember password unchecked!
If you get a dialog with several ugly-looking errors (connection refused and the like), it means you forgot to launch your ssh profile, or your ssh connection has timed out (this happens to cable modem users when the connection has been idle for a while).  Launch the profile again, then retry.
Multiple tunnels
This section is for users who need to run multiple ssh tunnels at the same time: for instance, members of a family who all use the same computer to read their email, or a power user who wants to access multiple email accounts simultaneously.  Each tunnel listens on a local port, and only one program can listen on a given port at a time.  If you have one ssh profile running and you launch a different profile and get dialogs that say Failed to create an outgoing tunnel named "SMTP" and Failed to create an outgoing tunnel named "IMAP", then you have a multiple tunnel situation, and you need to change the listen port numbers on one of the profiles so they don't conflict.
Selecting unique ports in ssh
A useful strategy is to increase the port numbers by a thousand for each additional connection.  However, I have found that using 1025 results in a Failed to create an outgoing tunnel named "SMTP" message, so skip to 2025 for SMTP and 2143 for IMAP for the second profile (then 3025 and 3143 for a third, and so on).  As a reminder, we're talking about the Listen Port: field in the Edit Outgoing Tunnel dialogs that you get from the Tunneling tab, Outgoing sub-tab, in the Edit Profiles window of each successive profile.
Referring OE accounts to the corresponding tunneled ports
Right-click the username@domain.tld_ssh item (or whatever you renamed it from "localhost") in the Folders pane
Click Properties
Select the Advanced tab.
Change Outgoing mail (SMTP): to 2025 (adjusting the thousands value to whatever you selected for the corresponding ssh profile).
Change Incoming mail (IMAP): to 2143 (adjusting the thousands value to whatever you selected for the corresponding ssh profile).
Click OK.
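For Mac OS X and Linux users who have the command-line OpenSSH client rather than the ssh.com program, here is the equivalent of the profile built in the "Creating a profile in ssh" section together with the port scheme from this Multiple Tunnels section, written as a small shell script.  This is an added example and not part of the original page or of any LXVI tool; the login username@domain.tld and the host domain.tld are the page's placeholders, and the port numbering simply encodes the scheme described above.

```shell
#!/bin/sh
# Added example (not from the original page): OpenSSH equivalent of the
# ssh.com profile described in the page.  username@domain.tld and domain.tld
# are the page's placeholders; substitute your own login and mail host.

# Local listen ports for profile number N (N starting at 0), following the
# page's scheme: 25/143 for the first profile, then a thousand higher per
# extra profile but skipping the 1025/1143 pair, so the second profile gets
# 2025/2143, the third 3025/3143, and so on.
tunnel_ports() {
  n=$1
  if [ "$n" -eq 0 ]; then
    printf '%s %s\n' 25 143
  else
    base=$(( (n + 1) * 1000 ))
    printf '%s %s\n' $((base + 25)) $((base + 143))
  fi
}

# Build the ssh command line for profile number N.
#   -N                            tunnels only, no shell ("Request tunnels only")
#   -C                            compression ("Compression: zlib")
#   -o StrictHostKeyChecking=yes  refuse unknown or changed host keys instead of
#                                 prompting; add the server's key to ~/.ssh/known_hosts
#                                 only after checking its fingerprint with the admin
#   -L 127.0.0.1:PORT:localhost:25 (and :143)
#                                 listen on the loopback address only ("Allow Local
#                                 Connections Only"); "localhost" on the right is the
#                                 mail server as the ssh server sees it
#   -l LOGIN HOST                 the User name and Host name fields of the profile
tunnel_cmd() {
  login=$1
  host=$2
  n=${3:-0}
  set -- $(tunnel_ports "$n")
  smtp=$1
  imap=$2
  printf 'ssh -N -C -o StrictHostKeyChecking=yes -L 127.0.0.1:%s:localhost:25 -L 127.0.0.1:%s:localhost:143 -l %s %s\n' \
    "$smtp" "$imap" "$login" "$host"
}

# Print the command for profile number $1 (default 0); see the usage note below.
tunnel_cmd 'username@domain.tld' domain.tld "${1:-0}"
```

Save it as tunnel.sh and run `sh tunnel.sh 1` to see the command for the second profile, or `eval "$(sh tunnel.sh 1)"` to start that tunnel in the foreground; leave the terminal open while reading mail, just as you would leave the ssh.com window minimized.  One difference from Windows: on Mac OS X and Linux only root may listen on ports below 1024, so a non-root user should start at profile number 1 (ports 2025 and 2143) and point the mail client's Advanced tab at those ports, exactly as described for the second profile above.  If ssh reports that an address is already in use, another tunnel holds that port and you need the next profile number.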