dealing with mail for root
May 4, 2009

The root user can receive a lot of email, and if left unchecked, this can accumulate into a very large file, which could potentially fill /var. However, emptying this mailbox can be a pain, especially if the machine is at a remote location, behind a firewall.

This page details a method to securely obtain root's email, via the internet, without using POP3S and without reconfiguring the router. The process below tunnels the POP3 connection via SSH, this keeps things nice and simple, does not expose the POP3 server to the internet, and does not open any extra ports on the firewall. The process below also redirects root's email to another user, this means that root's password does not need to be stored in the POP3 client used to check the mail.

redirecting root's mail

  1. ensure your SSH server is installed and working
  2. ensure your POP server is installed and working
  3. allocate a username and password for the user to receive root's mail, then note these down in a secure location
  4. login to the server as root
  5. create a new user (eg. rootmail) with no special group memberships: type adduser and follow the prompts - set the shell to nologin, use the password allocated earlier
  6. cd /etc/mail
  7. vi aliases
  8. uncomment root line and redirect to our new user - eg. the line should read root:rootmail (spacing is unimportant)
  9. save and exit the editor
  10. cd /etc/mail/
  11. make
  12. copy all of root's existing mail to our new user's mailbox:
    cat /var/mail/root >> /var/mail/rootmail
  13. empty root's mailbox:
    cat /dev/null > /var/mail/root
  14. test the redirection:
    echo "test mail" | mailx -s "test mail" root

    The mail should be written to /var/mail/rootmail, while /var/mail/root should remain empty.

Now, root's mail is available for download via POP3, using the unprivileged account "rootmail".

securing the POP3 connection

The above account could be checked as-is, across the internet, if port-forwarding was set up, however we want to use SSH, this saves us from having to configure SSL support in our POP3 server and client, and having to set up port-forwarding on the router.

Create the SSH tunnel with PuTTY as follows:

  1. open PuTTY
  2. select the correct session, then click the Load button
  3. go to Connections.. SSH.. Tunnels
  4. enter a local port number (eg. 5110) into the source port box
  5. enter localhost:110 into the destination box
  6. click the Add button
  7. click Session.. Save
  8. close PuTTY

Open your POP3 client software (eg. Thunderbird) and create a new POP3 account with the following settings:

This done, the rootmail account can be checked with POP3 whenever the SSH tunnel is open.