enigmail, key-retrieve and http-proxy
Heiko Teichmeier
heiko.teichmeier@sw-meerane.de
Tue Apr 15 15:56:02 2003
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi list,
my "auto-key-retrieve" with enigmail 0.71.0 and gnupg 1.2.1 over an
http proxy (Squid) works now!
I would like to give some help to users with a similar problem:
- first you must set the following environment variables (Win9x -
'autoexec.bat', WinNT/2000 - 'environment' or 'Umgebungsvariablen'):
http_proxy=http://your-local-net-proxy-address:proxy-port
(*:3128 if you use squid)
ENIGMAIL_PASS_ENV=http_proxy
- after this you must restart to activate the environment variables!
- in 'gpg.conf' you must set:
keyserver x-hkp://blackhole.pca.dfn.de
keyserver-options honor-http-proxy
keyserver-options auto-key-retrieve
- in 'enigmail->advanced' you must set:
keyserver: x-hkp://blackhole.pca.dfn.de
- next you must configure your proxy to accept connections from your
local net *without authentication*! This was my problem, because we use
an http proxy with authentication.
In 'squid.conf' you must set the destination domain names that can be
accessed without authentication *before* the authentication-allow line:
Access list:
acl xhkp-server-1 dest_domain_regex blackhole.pca.dfn.de
In the access-allow section it must be in this order:
http_access allow xhkp-server-1
*
*
http_access allow authent-user
If you want to secure your proxy against external users, you must add an acl
that allows only users from your net:
acl xhkp-server-1 dest_domain_regex blackhole.pca.dfn.de
acl my_net src 192.168.0.0/255.255.255.0
# allow IP's from 192.168.0.0 - 192.168.0.255
then you combine the acls ('and' combination):
http_access allow my_net xhkp-server-1
*
*
http_access allow authent-user
I tested the access with enigmail, and each time I kept one eye on the
squid access logfile. So I could see the 'TCP_DENIED' message, and I knew
that my enigmail had a connection to the proxy, but it got no access from
the http proxy.
At your firewall you *don't have to allow port 11371* to get access to
the key server - the www port is enough. The request I see in the
squid access logfile looks like this:
Get http://blackhole.pca.dfn.de:11371/pks/lookup?
I hope that now more users can access a keyserver with 'auto-key-retrieve'
over an http proxy.
--
Kind regards
Stadtwerke Meerane GmbH
Teichmeier
Netzmeister NB Elt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
heiko.teichmeier@sw-meerane.de
Tel: +49 3764 791720
Fax: +49 3764 791719
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.sw-meerane.de
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1-nr1 (Windows 98)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQE+nA8RD371SiWcNJkRAhL3AJ9AS1qGJ0bvxXbaRieokq98l2UbuwCeIviL
zoCI7pyFZRGCIHlzDvsCGGo=
=I3hl
-----END PGP SIGNATURE-----
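The two points in this mail that matter for the proxy's security are the order of the http_access lines and the combination of a source ACL with the destination ACL: without 'my_net', any client that can reach the proxy gets unauthenticated access to the keyserver destination. The following is an added example, not code from the mail or from Squid: a small Python model of Squid's http_access evaluation as I understand it (lines are evaluated top-down, the first matching line wins, several ACL names on one line are ANDed, and if no line matches the result is the opposite of the last line). The ACL names and the 192.168.0.0/24 network are taken from the mail; the requests, the look-alike host name and the 'xhkp-server-1-strict' ACL are constructed by me. The mail's 'dest_domain_regex' is modelled as Squid's 'dstdom_regex' type; the strict variant shows that the unanchored pattern from the mail also matches longer host names that merely contain the keyserver name, which an anchored regex (or Squid's exact-match 'dstdomain' type) avoids.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed ACL table. Names and the network come from the mail; the
# "-strict" variant is my own addition for comparison.
ACLS = {
    # the mail's ACL: an unanchored regex, matched like Squid's dstdom_regex
    "xhkp-server-1": ("dstdom_regex", r"blackhole.pca.dfn.de"),
    # hardened variant (assumption, not in the mail): anchored, dots escaped
    "xhkp-server-1-strict": ("dstdom_regex", r"^blackhole\.pca\.dfn\.de$"),
    # the mail's source-network ACL
    "my_net": ("src", "192.168.0.0/255.255.255.0"),
    # stands in for the mail's authenticated-user ACL
    "authent-user": ("proxy_auth", None),
}


@dataclass(frozen=True)
class Request:
    client_ip: str
    dst_host: str
    authenticated: bool


def acl_matches(name: str, req: Request) -> bool:
    """Return True if the named ACL matches the request."""
    kind, arg = ACLS[name]
    if kind == "src":
        net = ipaddress.ip_network(arg, strict=False)
        return ipaddress.ip_address(req.client_ip) in net
    if kind == "dstdom_regex":
        # re.search, not fullmatch: an unanchored pattern matches anywhere
        # in the host name, which is the over-match shown below
        return re.search(arg, req.dst_host) is not None
    if kind == "proxy_auth":
        return req.authenticated
    raise ValueError(f"unknown acl type {kind}")


def http_access(rules, req: Request) -> bool:
    """Evaluate (action, [acl, ...]) lines top-down; True means allowed."""
    for action, acl_names in rules:
        if all(acl_matches(n, req) for n in acl_names):
            return action == "allow"
    # no line matched: the result is the opposite of the last line's action
    return rules[-1][0] != "allow"


# The two rule orders from the mail (the '*' placeholder lines left out),
# plus the strict variant.
RULES_DEST_ONLY = [("allow", ["xhkp-server-1"]),
                   ("allow", ["authent-user"])]
RULES_NET_AND_DEST = [("allow", ["my_net", "xhkp-server-1"]),
                      ("allow", ["authent-user"])]
RULES_STRICT = [("allow", ["my_net", "xhkp-server-1-strict"]),
                ("allow", ["authent-user"])]

# Constructed requests: a local client, an outside client, the keyserver,
# an unrelated site, and a look-alike host that contains the keyserver name.
LOCAL_KEYSERVER = Request("192.168.0.23", "blackhole.pca.dfn.de", False)
OUTSIDE_KEYSERVER = Request("203.0.113.5", "blackhole.pca.dfn.de", False)
LOCAL_OTHER = Request("192.168.0.23", "www.example.com", False)
LOCAL_LOOKALIKE = Request("192.168.0.23",
                          "blackhole.pca.dfn.de.example.net", False)
OUTSIDE_AUTH = Request("203.0.113.5", "www.example.com", True)

if __name__ == "__main__":
    for label, rules in [("dest only", RULES_DEST_ONLY),
                         ("net AND dest", RULES_NET_AND_DEST),
                         ("net AND strict dest", RULES_STRICT)]:
        print(label)
        for req in (LOCAL_KEYSERVER, OUTSIDE_KEYSERVER, LOCAL_OTHER,
                    LOCAL_LOOKALIKE, OUTSIDE_AUTH):
            verdict = "allow" if http_access(rules, req) else "TCP_DENIED"
            print(f"  {req.client_ip:>13} -> {req.dst_host:<34} {verdict}")
```

Running the block prints one verdict per request for each rule order. With the destination-only line, the outside client is allowed to the keyserver without credentials; with 'my_net' ANDed in, that request falls through to the authentication line and is denied, which is what the TCP_DENIED entries in the access log would show. The look-alike host is allowed by the unanchored regex but denied by the strict one.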