Last updated on May 5, 2021
Desktop email clients, such as Thunderbird and Claws Mail, are preferred over their web counterparts by many professionals and power users due to their additional convenience and security. However, one big downside is that they often expose the sender's IP address to the receivers, since many SMTP servers record the sender's IP address and put it in the header, something similar to
Received: from [xxx.xxx.xxx.xxx] (my.example.com. [xxx.xxx.xxx.xxx]). This, unfortunately, puts the sender's privacy in great jeopardy, as an IP address can reveal so much information including location, ISP, and institution names.
To address this issue, one simple solution is to let the email client connect via a proxy. While a system-widely available proxy works for many users, some of us just want our email clients, but not other programs, to go through a specific proxy. In this post, I'll demonstrate how to use an email client automatically via SSH tunneling. The instructions are specifically tailored for GNU/Linux and MacOS users, as it involves some uses of UNIX commands and bash scripts; if you are on Windows, you can still follow the instructions with the help of Cygwin.
Before we start, I'll assume that you have
- bash 4+ installed. (For MacOS users, look into here.)
- an SSH server, referred to as
ssh.example.com, with public key authentication set up. If you don't have one, you can easily get one by purchasing a VPS on DigitalOcean, Linode, or interserver.net.
Configure Proxy Settings in the Email Client
First, you need to configure your email client to use a SOCKS proxy. For example, in Thunderbird, it is in Menu → Preferences → Advanced → Netowrk & Disk Space → [Connection] Settings..., and fill in something similar to the follows:
You are free to change the port number to a different number. In the rest of the post, I'll assume 22222 is the port used.
Symbiotize the Email Client and an SSH Tunnel
Save the following lines to a script e.g.,
email.sh, and give it executable permission (Replace
thunderbird with the command to your favorite email client):
#!/bin/bash # https://www.topbug.net/blog/2018/11/17/automatically-conceal-senders-ip-address-in-email-clients-via-ssh-tunneling/ ssh -S none -C -N -D localhost:22222 ssh.example.com & thunderbird & wait -n pkill -P $$
For the impatient, in the future, simply run this script to start your email client, and the proxy will be automatically set up and you are all set!
Here's an explanation for the curious:
ssh -S none -C -N -D localhost:22222 ssh.example.com &: This line starts SSH tunneling.
-S none: Disable SSH connection sharing. Since this connection is dedicated for the email client, we want it to be more stable and do not want other SSH connections to interfere.
-C: Enable compression. You can remove this for better performance if your connection is really fast.
-N: Do not execute remote command. We only use SSH for proxy and nothing else.
-D localhost:22222: Enable SOCKS proxy.
thunderbird &: Start the email client.
pkill -P $$: Wait until either ssh or the email client exits, and then kill the other process. In other words, when you quit the email client, the SSH tunnel also terminates. These two lines effectively symbiotize the email client and the SSH tunnel and make them act like a single application. (This trick is borrowed from here.)