enigmail, key-retrieve and http-proxy

Heiko Teichmeier heiko.teichmeier@sw-meerane.de
Tue Apr 15 15:56:02 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi list,

my "auto-key-retrieve" with enigmail 0.71.0 and gnupg 1.2.1 over an
http-proxy (Squid) works now!

I would like to give some help to users with a similar problem:

- first you must set the following environment variables (Win9x -
'autoexec.bat', WinNT/2000 - 'environment' or 'Umgebungsvariablen'):
    http_proxy=http://your-local-net-proxy-address:proxy-port
                                               (*:3128 if you use squid)
    ENIGMAIL_PASS_ENV=http_proxy

- after this you must restart to activate the environment variables!

- in 'gpg.conf' you must set:
    keyserver x-hkp://blackhole.pca.dfn.de
    keyserver-options honor-http-proxy
    keyserver-options auto-key-retrieve

- in 'enigmail->advanced' you must set:
    keyserver: x-hkp://blackhole.pca.dfn.de

- next you must configure your proxy to accept connections from your
local net *without authentication*! This was my problem, because we use
an http-proxy with authentication.
In 'squid.conf' you must set the destination domain names that can
access without authentication *before* the authentication-allow line:
    Accesslist:
    acl xhkp-server-1 dest_domain_regex blackhole.pca.dfn.de

In the access-allow section the lines must be ordered like this:
    http_access allow xhkp-server-1
    *
    *
    http_access allow authent-user

If you want to secure your proxy against external users, you must add an
acl that allows only users from your net:
    acl xhkp-server-1 dest_domain_regex blackhole.pca.dfn.de
    acl my_net src 192.168.0.0/255.255.255.0
    # allow IPs from 192.168.0.0 - 192.168.0.255

then you combine the acls ('and' combination):
    http_access allow my_net xhkp-server-1
    *
    *
    http_access allow authent-user

I have tested the access with enigmail and every time I kept one eye on
the squid access logfile. So I could see the 'TCP_DENIED' message and I
knew that my enigmail was connecting to the proxy, but it got no access
from the http-proxy.

At your firewall you *don't have to allow port 11371* to get access to
the key-server - the www-port is enough. The request I see in the
squid access logfile looks like this:
    Get http://blackhole.pca.dfn.de:11371/pks/lookup?

I hope that now more users can access a keyserver with 'auto-key-retrieve'
over an http-proxy.

--

Kind regards
Stadtwerke Meerane GmbH

Teichmeier
Netzmeister NB Elt
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
heiko.teichmeier@sw-meerane.de
Tel: +49 3764 791720
Fax: +49 3764 791719
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.sw-meerane.de
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1-nr1 (Windows 98)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE+nA8RD371SiWcNJkRAhL3AJ9AS1qGJ0bvxXbaRieokq98l2UbuwCeIviL
zoCI7pyFZRGCIHlzDvsCGGo=
=I3hl
-----END PGP SIGNATURE-----
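As an added illustration of the ordering problem the post describes (this is editor-supplied example configuration, not the poster's squid.conf), here is the failing arrangement next to a corrected one. It uses Squid's own ACL type names: `dstdomain` for an exact host match (the post writes the regex form as `dest_domain_regex`; Squid's spelling is `dstdom_regex`, and an unanchored regex also matches any longer host name containing the keyserver name, which is why the exact form is used here), `port` for the hkp port visible in the post's access.log line, and `proxy_auth REQUIRED` for the authenticated-user ACL. The ACL names `my_net`, `keyserver_hosts`, `keyserver_port` and `authent-user`, and the 192.168.0.0/24 range, are assumed from the post and should be adapted. The proxy host itself still needs outbound reach to port 11371, even though clients on the local net do not.

```conf
# Editor-added example configuration, not from the original post.
# ACL names and the address range are assumptions; adjust to your site.

# --- Ordering that fails for gpg (the post's original problem) ---
# Squid evaluates http_access lines top-down and stops at the first match.
# With the authentication rule first, gpg (which sends no credentials)
# is answered with 407 and the access.log shows TCP_DENIED; the later
# keyserver exception is never reached.
#
#   acl authent-user proxy_auth REQUIRED
#   http_access allow authent-user
#   http_access allow my_net keyserver_hosts      # never reached

# --- Corrected ordering ---
acl all src 0.0.0.0/0.0.0.0                        # Squid 2.x; newer releases predefine "all"
acl my_net src 192.168.0.0/255.255.255.0           # local net only (assumed range, as in the post)
acl keyserver_hosts dstdomain blackhole.pca.dfn.de # exact host match, not a substring regex
acl keyserver_port port 11371                      # the hkp port seen in the post's log line
acl authent-user proxy_auth REQUIRED

# Unauthenticated exception, scoped three ways: local clients only,
# the keyserver host only, its hkp port only. Several ACLs on one
# http_access line are ANDed, as the post's 'and' combination notes.
http_access allow my_net keyserver_hosts keyserver_port

# Everything else still has to authenticate; explicit final deny.
http_access allow authent-user
http_access deny all
```

When testing, watch access.log as the post suggests: a `TCP_DENIED/407` for a `GET http://blackhole.pca.dfn.de:11371/pks/lookup?...` request means the exception line is still below the authentication line or one of its ACLs does not match the client.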