## Little notes
Micael Valeri was so kind as to translate this page into Italian: http://www.ecn.org/crypto/crypto/tutorial/gpgrelay/ For the German folks, Markus Reuß did a translation as well: http://www.reuzzli.de/gpgrelay/setup.htm
## Relay sockets to servers...
First you have to enter the relay-server-sockets on your machine, both for SMTP- and POP3-relaying! Then start the servers! Some words about sockets: sockets are the endpoints of Internet communication. An endpoint can also be completely local (GPGrelay takes advantage of this fact to do its work; see Setting up your Email-Client!), so the Internet does not have to lie between the two endpoints. Each endpoint is specified by its IP address and port, and that pair must be unique for it to be routable. Keep in mind that a multi-user environment normally shares one IP address, so you cannot set up the same port for multiple users at once (this mainly concerns Windows XP, where multiple users can be logged in at the same time, although using GPGrelay in such an environment is not recommended).

Your POP3 server may allow authentication with the alternative command APOP (used instead of the two standard POP3 commands USER/PASS), and your mail client (e.g. Outlook Express) may not know that command. In that case you can give GPGrelay a hint, so that USER/PASS is transformed in the background into a single APOP command. Note: not every POP3 server knows that command (e.g. my provider's; they answered tersely that it is not strictly necessary...), but you should give it a try, as the password is not sent in plain text with this kind of authentication (another bit of additional security).
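The USER/PASS to APOP transformation described above, as an added example (this is not GPGrelay's code, and the class and function names are constructed for the example). The relay reads the server's timestamp from the POP3 greeting, holds the client's USER back, answers it locally, and turns PASS into one APOP command carrying the MD5 digest of the timestamp followed by the password (RFC 1939, section 7). The greeting and password used in the test are the ones from RFC 1939. Note the limits of the scheme: the password never crosses the wire, but anyone who captures the greeting and the digest can still guess passwords offline against that MD5, and the server must keep the password in recoverable form, so APOP is a hedge against passive eavesdropping, not a substitute for a TLS-protected connection.

```python
import hashlib
import re

# Added example, not GPGrelay's code: how a relay can turn the client's USER/PASS
# pair into the single APOP command the real POP3 server expects (RFC 1939, sec. 7).
# The relay learns the server's timestamp from the greeting; only an MD5 digest of
# <timestamp><password> goes to the server, never the password itself.

_TIMESTAMP_RE = re.compile(r"<[^<>]+@[^<>]+>")   # the <msg-id> timestamp in the greeting


def parse_apop_timestamp(greeting):
    """Return the APOP timestamp from a POP3 greeting, or None if the server does
    not advertise one (then only USER/PASS is possible and nothing is rewritten)."""
    if not greeting.startswith("+OK"):
        return None
    match = _TIMESTAMP_RE.search(greeting)
    return match.group(0) if match else None


def apop_digest(timestamp, password):
    """MD5 over the timestamp (angle brackets included) immediately followed by the password."""
    return hashlib.md5((timestamp + password).encode("utf-8")).hexdigest()


class UserPassToApop:
    """Line-level rewriter sitting between a POP3 client and the real server.

    Construct it with the server greeting, then feed each client command line to
    rewrite(); it returns (lines_for_server, lines_for_client). USER is held back
    and answered locally, because the APOP command carries the user name itself."""

    def __init__(self, greeting):
        self.timestamp = parse_apop_timestamp(greeting)
        self.pending_user = None

    def rewrite(self, client_line):
        line = client_line.strip()
        verb, _, arg = line.partition(" ")
        if self.timestamp is None:
            return ([line], [])                   # no APOP offered: pass through unchanged
        if verb.upper() == "USER":
            self.pending_user = arg
            return ([], ["+OK user accepted"])    # constructed local reply, not from the server
        if verb.upper() == "PASS" and self.pending_user is not None:
            user, self.pending_user = self.pending_user, None
            return (["APOP %s %s" % (user, apop_digest(self.timestamp, arg))], [])
        return ([line], [])                       # every other command goes through as-is
```

When the greeting carries no timestamp the rewriter degrades to a transparent pass-through, which is exactly the case the paragraph mentions for providers that do not support APOP.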
## Relay sockets to servers (XP)
Thanks to Per Tunedal for providing this information: if you have a multi-user environment, e.g. Windows XP, it is important to use different ports for different users. A port cannot be shared, even though the users might have the same e-mail provider. For example, if your e-mail provider is PROVIDER, you might set up a POP3 server for the user ADAM called PROVIDER RECEIVE ADAM with the local port 32110 and an SMTP server called PROVIDER SEND FOR ADAM with the local port 32025. When finished, log in as user BERT and set up new servers: a POP3 server called PROVIDER RECEIVE BERT with the local port 33110 and an SMTP server called PROVIDER SEND FOR BERT with the local port 33025.
## Setting up your Email-Client
GPGrelay listens on the local ports you specify for the servers (see screenshots above). It waits there until your email client connects, and then GPGrelay connects to the real SMTP or POP3 server to complete the bridge that delivers the mail.

This requires that your email client does not connect to the SMTP and POP3 servers directly! It has to connect to GPGrelay on the local ports instead. So in your email client both servers are 127.0.0.1, with the ports as specified for the GPGrelay servers (some email clients have special boxes where you enter the port, e.g. Outlook Express has an "Extended" tab for it). There may be some poorly written email clients in use that require SMTP on port 25 and POP3 on port 110; if this is the case with your email client, you can only have one forwarding relay server on local port 25 (SMTP) and one on local port 110 (POP3). And to make this as clear as possible: the real SMTP and POP3 server names should no longer appear anywhere in your email client, unless you want to bypass GPGrelay.
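The relay-socket structure this section describes, as an added example (not GPGrelay's code): a listener bound to the loopback address only, where the mail client connects, and for each accepted connection a bridge to the real server that copies bytes both ways. GPGrelay does its GnuPG processing inside that bridge; here the bridge only forwards, so the plumbing itself is visible. The function names, the stand-in POP3 server and its replies are constructed for the example; the test drives a client session through the relay into that stand-in.

```python
import socket
import threading

# Added example, not GPGrelay's code: the relay-socket structure this section describes.
# A listener is bound to 127.0.0.1 only, so the mail client talks to 127.0.0.1:<local port>;
# each accepted connection is bridged to the real server and bytes are copied both ways.
# start_relay, start_fake_pop3 and relay_roundtrip are constructed names for this example.


def _pump(src, dst):
    """Copy bytes src -> dst until src closes, then half-close dst so the peer sees EOF."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _bridge(client, remote):
    """Connect to the real server for one client and pump in both directions."""
    try:
        upstream = socket.create_connection(remote, timeout=10)
    except OSError:
        client.close()            # real server unreachable: drop the client connection
        return
    upstream.settimeout(None)     # the timeout was for connecting only; idle sessions must not be cut
    with client, upstream:
        worker = threading.Thread(target=_pump, args=(client, upstream), daemon=True)
        worker.start()
        _pump(upstream, client)
        worker.join()


def start_relay(remote, local_port=0, bind_addr="127.0.0.1"):
    """Start one relay server (a relay-server-socket in GPGrelay's terms) and return its
    listening socket; the bound port is listener.getsockname()[1]. local_port=0 lets the
    OS pick a free port. Binding to 127.0.0.1 rather than 0.0.0.0 keeps other machines
    from reaching the relay and the unprotected client side of the bridge."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind_addr, local_port))
    listener.listen(5)

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:       # listener was closed
                break
            threading.Thread(target=_bridge, args=(client, remote), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener


def start_fake_pop3(greeting=b"+OK fake POP3 ready\r\n"):
    """Constructed stand-in for the provider's POP3 server: greets, then answers every
    command with +OK until QUIT. Returns its (host, port) for use as the relay target."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                break
            with conn, conn.makefile("rb") as reader:
                conn.sendall(greeting)
                for line in reader:
                    conn.sendall(b"+OK\r\n")
                    if line.strip().upper() == b"QUIT":
                        break

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def relay_roundtrip():
    """Drive one client session through the relay into the fake server; return the replies."""
    relay = start_relay(start_fake_pop3())
    with socket.create_connection(relay.getsockname(), timeout=5) as client:
        reader = client.makefile("rb")
        replies = [reader.readline()]           # the greeting arrives through the relay
        client.sendall(b"STAT\r\n")
        replies.append(reader.readline())
        client.sendall(b"QUIT\r\n")
        replies.append(reader.readline())
    relay.close()
    return replies


if __name__ == "__main__":
    for reply in relay_roundtrip():
        print(reply.decode().rstrip())
```

One relay per real server is the pattern: the client sees only 127.0.0.1 and the local port, and the relay alone knows the real host, which is why the real server names disappear from the client configuration.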
## Instructions for Email-Client-Setup
Thanks to the contributors of these step-by-step tutorials! (Hope there are more to come!)
## Specify Keyrules...
Then you must specify what to do with the relayed mails; this has to be set independently for each email address leading to a key (that is, for each known recipient).

`<Default-Profile>` is a special profile which you cannot delete. It specifies the default behaviour used to send mail to anyone you don't have a key for; that is also the reason why you can only sign outgoing mail with this profile. It also means that you have to create at least one new profile if you want to encrypt something for a user. Secret keys also need a passphrase. It can be entered in plain text here (and it is then also saved in plain text in the Registry!), or you can let GPGrelay ask you for the passphrase and remember it for a given number of seconds. It is now also possible to let GPGrelay ask for the passphrases whenever it starts instead of when a passphrase is actually required; with this option a short remember time surely does not make much sense!

It is now also possible to specify directly which subkey to use for encryption, and if secret keys are available you can also specify which subkey to use for creating signatures! The "Purge cache" button erases all entered passphrases for all keys immediately (except the "Always-Use" passphrases), so you can tell GPGrelay when it is time to forget the passphrases without having to restart it. The "Passphrase" button allows you to change the passphrase of the secret key.

For secret keys there is an advanced options dialog, which allows adding special header fields when sending out an email.
## Specify Profiles (completing the Keyrules)...
With the profiles you select how mails to a recipient should be handled. The Default-Profile is also used for anybody who is not in your keyring, so only signing is possible with it, and you need at least one new profile if you want to send something encrypted. I think the best choice is Prefix-Controlled; you can also leave one prefix field blank, meaning that it is the default if the others don't match. (Actually the longest match always wins, which means you can also have overlapping prefixes, whether or not that makes sense...)

Some explanation about the "No PGP-MIME" checkbox: if your email partner uses the PGP plugin and cannot handle PGP/MIME (e.g. when the recipient uses Outlook Express), you can tell GPGrelay to simply put the encrypted mail into the normal mail body (just like the PGP plugin does). It is best to stay with PGP/MIME unless your email partner really cannot handle it at all!

The prefix control has become somewhat redundant now, but anyway: if no prefix matches, the default takes effect, and any empty prefix field overrides the default! Special note about the "Can attach alias" checkbox: whenever a profile has it checked, it will only allow signing outgoing mail, and it also becomes visible in the Alias tab, allowing aliases to be attached to it there. This is useful for mailing lists, where you don't have any public key to hook a keyrule up to. Former GPGrelay versions offered special predefined alias profiles for this purpose; now the much more flexible and really configurable profile approach is used instead.
## Aliases...
As GPGrelay identifies key rules by matching email addresses, you may want to send somebody mail to an account on a different host than the one given in the public key's UserIDs. To make this known to GPGrelay you have to enter the appropriate aliases for the keys concerned.

"Learn from POP3" means that good signatures on incoming mails are matched against the key/alias database, and if the sender matches no existing key or alias, the sender's email address becomes a new alias for the key used for signing. There is a problem with keys that have multiple UserIDs assigned: there it becomes a more or less semi-automatic alias learning, as you have to explicitly select which UserID the new alias should lead to. If this becomes too annoying for you, simply uncheck it.
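A small model of the lookups described under "Specify Profiles" and here under "Aliases", as an added example (not GPGrelay's code): prefix-controlled profiles where the longest matching subject prefix wins and the empty prefix is the default, key rules identified by email address (UserID or attached alias), the Default-Profile fallback that can at most sign, and "Learn from POP3" alias learning including the semi-automatic case of a key with several UserIDs. Profile, KeyRule, the function names, the sample addresses and key ids are all constructed for the example.

```python
from dataclasses import dataclass, field

# Added example, not GPGrelay's code: a small model of the lookups described under
# "Specify Profiles" and "Aliases". Profile, KeyRule, select_action, find_rule,
# resolve, learn_from_signature and all sample addresses/key ids are constructed here.


@dataclass
class Profile:
    name: str
    # subject prefix -> action ("sign", "encrypt" or "none"); "" is the default entry.
    # The longest matching prefix wins, so overlapping prefixes can coexist.
    prefix_actions: dict


@dataclass
class KeyRule:
    key_id: str
    user_id: str                 # one email address from the key's UserIDs (one rule each)
    profile: Profile
    aliases: set = field(default_factory=set)   # other addresses that lead to this UserID


def select_action(profile, subject):
    """Prefix-controlled profile: the longest prefix of the subject wins; "" catches the rest."""
    matches = [p for p in profile.prefix_actions if subject.startswith(p)]
    if not matches:
        return None                         # no default entry and nothing matched
    return profile.prefix_actions[max(matches, key=len)]


def find_rule(rules, address):
    """Key rules are identified by email address: a UserID or an alias attached to it."""
    addr = address.lower()
    for rule in rules:
        if addr == rule.user_id.lower() or addr in rule.aliases:
            return rule
    return None


def resolve(rules, default_profile, recipient, subject):
    """Return (key_id, action) for one outgoing mail. Without a key for the recipient
    the default profile applies, and encryption is impossible, so at most signing."""
    rule = find_rule(rules, recipient)
    if rule is None:
        action = select_action(default_profile, subject)
        return (None, "sign" if action == "encrypt" else action)
    return (rule.key_id, select_action(rule.profile, subject))


def learn_from_signature(rules, signer_key_id, sender, choose_rule=None):
    """'Learn from POP3': a good signature from an address that matches no key or alias
    makes that address a new alias of the signing key. With several UserIDs (several
    rules for one key id) the caller must pick one; without a picker nothing is learned.
    Returns (learned, reason)."""
    if find_rule(rules, sender) is not None:
        return (False, "already known")
    candidates = [r for r in rules if r.key_id == signer_key_id]
    if not candidates:
        return (False, "signing key not in keyring")
    if len(candidates) == 1:
        target = candidates[0]
    elif choose_rule is None:
        return (False, "key has several UserIDs; manual choice required")
    else:
        target = choose_rule(candidates)
    target.aliases.add(sender.lower())
    return (True, "alias added to %s" % target.user_id)


def sample_rules():
    """Constructed keyring: Alice with one UserID, Bob with two (work and home)."""
    alice = Profile("Alice", {"": "sign", "sec:": "encrypt", "sec:sign:": "sign"})
    bob = Profile("Bob", {"": "encrypt", "nopgp:": "none"})
    return [
        KeyRule("0xAAAA1111", "alice@example.org", alice),
        KeyRule("0xBBBB2222", "bob@work.example", bob),
        KeyRule("0xBBBB2222", "bob@home.example", bob),
    ]


DEFAULT_PROFILE = Profile("<Default-Profile>", {"": "sign"})   # can only sign, as on the page
```

Alias learning here acts only on a good signature and only for a sender not yet known; a sender address already covered by a UserID or alias is never silently re-bound to another key.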
## Special SMTP-/POP3-Relay behaviour...
You can set up some global features, depending on your personal preference. "Always trust keys" will always encrypt, no matter which trust value is calculated for a key (otherwise you will be prompted to confirm). "X-Keep-Alive" is a kind of ping to your email client to eliminate timeouts when receiving large mails over a slow line (GPGrelay must buffer emails completely to do its work). Some email clients (e.g. Outlook Express) measure the timeout as the delay between two complete lines; others simply use socket timeouts, so it is enough to ping with single characters (which produces less overhead). And then there are some very uncritical clients that don't have timeouts at all.
## Logging
All logging is done internally, which means no log file is required! You can get a copy of the log on the clipboard in the config dialog. There is now also an option (push the Config button) to log to a file, but this is really meant for debugging only, as everything you see in the log window is also written to that file!
## System-Menu
GPGrelay adds a few options to the system menu (left-click on the GPGrelay icon in the window caption bar) which might be interesting for you too.

GPGrelay saves its settings whenever it shuts down normally, but you can save settings immediately using the system menu, and you can always restore the last saved settings! This is the main reason why GPGrelay doesn't save its settings whenever they are changed: it gives you a (very limited) undo possibility. There is also an option to manually remove the keyring cache file (so GPGrelay has to reload the keys the next time it starts up, in case you don't want to reload the keys immediately), and finally there is an option to export the settings from the Registry to a .reg file for easier backup of GPGrelay settings (this option simply calls RegEdit.exe to do the export, so it is in fact like a batch file).
## Using GPGrelay/Troubleshooting
If you have set everything up correctly, GPGrelay will be ready!

For further information you may try the forums at

You can also join the GPGrelay mailing list to get support from experienced users: SourceForge mailing list GPGrelay-talk.