E-Mail Configuration for Usage of the DFN PKI LDAP Directory Service
The DFN PKI provides a public LDAP (Lightweight Directory Access Protocol) directory service that holds the user certificates of the DFN PKI (including the certificates of TU Dresden). You can add the LDAP directory service to your e-mail client; this is a convenient way to find people and their certificates within the PKI. Please note: the LDAP directory service only provides certificates of persons who have consented to their publication.
You can search in the DFN PKI directory service via an LDAP browser directly:
- Hostname: ldap.pca.dfn.de
- Port: 389 (plain LDAP, or STARTTLS on the same port); LDAPS: 636
- Base-DN: o=DFN-Verein, c=DE
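As an added example (not part of the original page and not software from DFN or TU Dresden), the following Python script shows how the lookup that the mail clients described below perform automatically can be scripted: the ldapsearch query uses the connection parameters listed above, and the parser handles the LDIF that ldapsearch writes, including folded lines and base64 attributes, and extracts the published certificate. The directory entries, names, e-mail addresses and the certificate bytes in SAMPLE_LDIF are constructed; the base64 value is a placeholder, not a real certificate.

```python
"""Scripted lookup of S/MIME certificates in the DFN PKI LDAP directory.

Step 1 is the ldapsearch query (run it yourself; it needs network access).
Step 2 parses the LDIF that ldapsearch writes and extracts the recipient's
certificate(s) as PEM, ready for openssl or for import into a mail client.
"""
import base64
import ssl
from typing import Dict, List

# Step 1: anonymous search over LDAPS with the parameters from the page.
# LDAPTLS_REQCERT=demand makes OpenLDAP refuse the connection unless the
# server certificate verifies against the system CA store.
#
#   LDAPTLS_REQCERT=demand ldapsearch -LLL -x \
#       -H ldaps://ldap.pca.dfn.de:636 -b "o=DFN-Verein,c=DE" \
#       "(mail=alice@example.org)" mail userCertificate > result.ldif
#
# Constructed stand-in for result.ldif so that the script runs offline.
# The base64 value is NOT a real certificate but a 12-byte placeholder DER
# SEQUENCE; a real one is several kilobytes and ldapsearch folds it onto
# continuation lines that start with a single space, reproduced here.
SAMPLE_LDIF = """\
dn: cn=Alice Example,ou=People,o=Example University,o=DFN-Verein,c=DE
mail: alice@example.org
userCertificate;binary:: MAoCAQATBU
 FsaWNl

dn: cn=Bob Example,ou=People,o=Example University,o=DFN-Verein,c=DE
mail: bob@example.org

"""

Entry = Dict[str, List[bytes]]


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF as written by ldapsearch -LLL into a list of entries.

    Attribute names are lower-cased (LDAP treats them case-insensitively),
    values are returned as bytes. Two details trip up naive line splitting
    and are handled here: folded lines (a continuation line starts with one
    space) and base64 values (attribute name followed by '::').
    """
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]        # unfold continuation line
        else:
            logical.append(raw)

    entries: List[Entry] = []
    current: Entry = {}
    for line in logical:
        if not line.strip():              # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):          # comment line
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):         # 'attr:: <base64>'
            data = base64.b64decode(value[1:].strip(), validate=True)
        elif value.startswith("<"):       # 'attr:< url' would fetch a file
            raise ValueError("URL-valued attributes are not supported")
        else:
            data = value.strip().encode("utf-8")
        current.setdefault(name.lower(), []).append(data)
    if current:
        entries.append(current)
    return entries


def certificates_for(entries: List[Entry], email: str) -> List[bytes]:
    """Return the DER certificates published for `email` (case-insensitive).

    A person may have several certificates (e.g. the current one and a
    renewed one); all are returned. An entry without userCertificate
    yields nothing, which is exactly the case in which a mail client
    cannot encrypt to that address.
    """
    target = email.lower().encode("utf-8")
    found: List[bytes] = []
    for entry in entries:
        if target not in [m.lower() for m in entry.get("mail", [])]:
            continue
        for attr in ("usercertificate;binary", "usercertificate"):
            for der in entry.get(attr, []):
                if not der.startswith(b"\x30"):   # X.509 is a DER SEQUENCE
                    raise ValueError("attribute value is not DER")
                found.append(der)
    return found


def to_pem(der: bytes) -> str:
    """Wrap DER bytes as PEM; inspect with: openssl x509 -in cert.pem -text"""
    return ssl.DER_cert_to_PEM_cert(der)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for der in certificates_for(entries, "alice@example.org"):
        print(to_pem(der), end="")
```

Run the ldapsearch command from the comment to replace SAMPLE_LDIF with real output; the DN of the search base and the LDAPS port are the ones from the list above. The environment variable LDAPTLS_REQCERT=demand is the command-line equivalent of the "use secure connection" checkboxes in the clients below: without certificate verification, LDAPS only hides the query, it does not guarantee that the certificate you receive came from the DFN directory.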
The following sections describe how to configure e-mail clients to use the DFN PKI LDAP directory service:
MOZILLA Thunderbird
Configure the DFN PKI directory service as a new address book. To do so, open the address book via Tools-->Address Book and go to File-->New-->LDAP Directory. Fill in the fields as follows:
Name: DFN PKI LDAP
Hostname: ldap.pca.dfn.de
Base DN: o=DFN-Verein,c=DE
Port Number: 636
Use secure connection (SSL): checked
All other options can remain unchanged.
Confirm with OK.
Now you can search for persons and e-mail addresses in the LDAP address book. You can also transfer search results to your personal address books.
To use the DFN PKI LDAP directory service for certificates, open Tools-->Options, go to the Composition section and choose the Addressing tab. Check Directory Server and select the newly created DFN PKI LDAP in the drop-down box.
Now open Tools-->Account Settings. Choose Composition & Addressing and check Use my global LDAP server preferences for this account. If you use several LDAP directory services, you can instead check Use a different LDAP server and select one. Confirm with OK.
When writing a new e-mail, click on Security and choose Encrypt This Message to send an encrypted e-mail.
Thunderbird looks up the recipient's certificate in the DFN PKI LDAP directory service and stores it in its certificate store automatically. The e-mail is encrypted with this certificate. You can view the certificate details by clicking the Security symbol.
Microsoft Outlook 2007
Choose File-->Info, click on Account Settings and switch to the Address Books tab. Now click on New....
Select Internet Directory Service (LDAP) and click Next.
Enter ldap.pca.dfn.de as Server Name and click on More Settings. Outlook informs you that you must close and restart it for the change to take effect.
In the Connection tab enter "ldap.pca.dfn.de" as Display Name and 636 as Port. Tick the "Use Secure Sockets Layer" option.
Switch to the Search tab and, under Search Base, choose Custom and enter O=DFN-Verein,C=DE. Click on OK.
You are back in the LDAP settings. Click on Next and then Finish to complete the account creation.
You will find the newly created LDAP directory in the Address Books tab of the Account Settings. Close the window and restart Outlook.
You can now search the LDAP directory for persons and e-mail addresses via the Address Book. Outlook offers a variety of search options, especially in Advanced Find.
To send an encrypted e-mail, click on the blue lock symbol in the New E-mail window. On sending, Outlook looks up the recipient's certificate in the DFN PKI LDAP directory service (if one exists) and encrypts the message with the recipient's public key.
Mac OS X 10.6 Mail
Mac OS X Mail stores all certificates in the keychain, managed by the application Keychain Access. So far, Apple Mail cannot fetch certificates from the LDAP directory automatically. Therefore ask your correspondents to send you a signed e-mail first: the certificate contained in the signature is then stored in the keychain automatically. You can nevertheless use the DFN PKI LDAP as an address book.
To do so, open the Address Book and go to Preferences. Click on the LDAP tab.
To create a new entry, click on the +-symbol and fill in the window that opens with the following entries:
Name: DFN PKI LDAP
Server: ldap.pca.dfn.de
Port: 636
use SSL
Accept self-signed certificates: only if the connection fails otherwise; this option disables verification of the LDAP server's certificate and with it the protection SSL gives against a spoofed server
Search base: o=DFN-Verein, c=DE
Scope: Subtree
Authentication: None
Save these settings.
You will find the new LDAP server entry in the LDAP tab. If you want the contact data in your LDAP address book to be updated automatically, check the option Update Automatically.
In the main window of the address book you can select DFN PKI LDAP and search for persons. You can copy the search results into your local address book. A click on a contact's e-mail address opens a new e-mail. If the recipient's certificate is also present in the keychain, the e-mail is encrypted automatically. In the address book, a check mark next to the contact indicates an existing certificate.
You can enable automatic completion of e-mail addresses from the LDAP directory under Preferences-->Composition-->Address Auto-Complete.