Enigmail leaks IP Addresses
If you want to send and receive GnuPG-encrypted emails in Thunderbird, there is no way around the Enigmail encryption plugin. We have recently become aware of a potential problem in Enigmail, whereby the user's IP address is revealed to the recipient of an email. It affects Enigmail 2.0 and later.
As soon as you compose a new email and enter a valid email address in the To: field, Enigmail automatically sends an unsolicited HTTPS request to the recipient's email domain to check whether the public PGP key is available. The same happens if you click on "reply" in an existing mail - so you effectively send a notice of receipt, because the composed email or reply does not need to be sent. The HTTP request happens as soon as a valid address is found in the sender field.
The called URL is formed according to a standardized IETF draft scheme [1]. For example, for the email address john.doe@example.com, the URL would look like this:
https://www.example.com/.well-known/openpgpkey/hu/<HASH>For the Enigmail developer this is not a problem, but a desired feature: GnuPG has introduced in version 2.1.16 "Web Key service for Enigmail" [2], [3], which provides this feature.
Workaround
However, the Enigmail developer points out the possibility to disable this behavior. Go to the Thunderbird settings and navigate via "Advanced" to "Config Editor" and search for "extensions.enigmail.autoWkdLookup". There set the value to 0.
Perfect privacy users protected from IP leak
Whoever uses a VPN such as Perfect Privacy is at least protected from the IP leak, since not his own IP but that of the VPN server is transmitted.However, the problem with the notice of receipt remains. If you do not want unsolicited packets to be sent to the recipient domain, you should apply the workaround mentioned above.
[1] https://datatracker.ietf.org/doc/draft-koch-openpgp-webkey-service/ [2] https://gnupg.org/blog/20170803-web-key-in-enigmail.html [3] https://sourceforge.net/p/enigmail/bugs/889/