Should gpg try to connect to TCP/993?

Mikhail Morfikov mmorfikov at gmail.com
Wed Oct 23 11:51:10 CEST 2019


I'm filtering OUTPUT traffic on my Debian via
nftables+cgroups(net_cls)+cgrulesengd, and all apps, which want to connect to
the network, I have to assign some cgroups class and add a rule in the FW.
The gpg binary wants TCP/443 to speak with keyservers (optionally TCP/80).
I thought that's all what gpg wants to connect to the network, but it looks like
it wants also TCP/993 (IMAPS). This happens when I use Thunderbird as a mail
clinet + Enigmail extension, which make some use of gpg. Basically when I start
Thunderbird, only it wants to connect to the TCP/993 port, but when I clear the
conntrack table via `conntrack -F`, then also gpg wants to connect to that port.
This is not always the case though -- it only happens when the clearing of the
conntrack table is issued some time after Thunderbird has been stared (an hour
or so). So it looks like the keepalive packets can play some role here. When
I `lsof -i :993`, I can see some entries pointing to Thunderbird. Also nftables
reports some NEW-notSYN packets destined to my machine (which is understood
because the conntrack mechanism doesn't know about the established connections 
now,and everything that comes from the mail servers is in this NEW-notSYN state). 
I can see some blocked OUTPUT packets as well, and when compared src/dst ports/ips
I can tell that the packets were sent by Thunderbird (they match to the `lsof`
output). Also `lsof` doesn't show anything that points to gpg. When I prevent
gpg from connecting to this port, I can't access my mail account in
Thunderbird -- it just tries to refresh the inbox, but it just stalls. When I
restart Thunderbird at this point, then everything backs to normal, and I don't
see any drops in OUTPUT traffic. Could anyone explain what's going on here?

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: OpenPGP digital signature
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20191023/04d609be/attachment.sig>


More information about the Gnupg-users mailing list