Thanks, Robert. I did use the keytool as documented here in creating your own certificate keystore:

http://james.apache.org/server/3/config-ssl-tls.html -- which I realize is for version 3; I presume it holds for 2.3.

    keytool -genkey -alias james -keyalg RSA -keystore your_keystore_filename

...and I remember entering the passwords and entered them in the config.xml file for SSL configuration. I got this wrong initially and James wouldn't even start up. It now starts up with no problem and indicates SSL is configured on the proper port.

I'm wondering if this is a TLS version thing. When I connected originally I tried:

    openssl s_client -connect ip:port -state

Here's the result of the openssl connection attempt:

[root@ip-10-167-12-205 SAR-INF]# openssl s_client -connect localhost:25 -state -tls1
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL3 alert read:fatal:internal error
SSL_connect:failed in SSLv3 read server hello A
140461473093448:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1197:SSL alert number 80
140461473093448:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:594:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1381886891
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
[root@ip-10-167-12-205 SAR-INF]#

Without -tls1 I get:

[root@ip-10-167-12-205 SAR-INF]# openssl s_client -connect localhost:25 -state
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL3 alert read:fatal:internal error
SSL_connect:error in SSLv2/v3 read server hello A
139934735300424:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:674:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 112 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Any help would be greatly appreciated... On a crunch here.

Jan

On 10/15/13 6:15 PM, "Robert Munn" <[email protected]> wrote:

>This is a guess but I bet the private key is not in the keystore. Did you
>generate the cert request using keytool? If not, you will need to generate
>a pfx file with the public and private key in it, then transform the pfx file
>into the keystore format, specifying that keystore as the store for James.
>That should do it.
>
>Here is a discussion on Stack Overflow about the transform process.
>
>http://stackoverflow.com/questions/4217107/how-to-convert-pfx-file-to-keystore-with-private-key
>
>
>On Tue, Oct 15, 2013 at 4:06 PM, Jan Drake <[email protected]> wrote:
>
>> Not sure if I should expect to get posts that I send to this list returned
>> to me by the list? It seems to filter them out so I can't be sure they
>> made the list.
>>
>> Anyway, original message below, with some additional information from the
>> smtpserver log:
>>
>> 5/10/13 21:55:04 INFO smtpserver: Connection from ip-10-144-83-143.ec2.internal (10.144.83.143)
>> 15/10/13 22:05:04 ERROR smtpserver: Socket to ip-10-144-83-143.ec2.internal (10.144.83.143) timeout.
>> java.net.SocketTimeoutException: Read timed out
>>     at java.net.SocketInputStream.socketRead0(Native Method)
>>     at java.net.SocketInputStream.read(SocketInputStream.java:152)
>>     at java.net.SocketInputStream.read(SocketInputStream.java:122)
>>     at sun.security.ssl.InputRecord.readFully(InputRecord.java:442)
>>     at sun.security.ssl.InputRecord.read(InputRecord.java:480)
>>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927)
>>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
>>     at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:882)
>>     at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
>>     at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
>>     at java.io.BufferedInputStream.read(BufferedInputStream.java:254)
>>     at org.apache.james.util.CRLFTerminatedReader.read(CRLFTerminatedReader.java:153)
>>     at org.apache.james.util.CRLFTerminatedReader.readLine(CRLFTerminatedReader.java:113)
>>     at org.apache.james.smtpserver.SMTPHandler.readCommandLine(SMTPHandler.java:751)
>>     at org.apache.james.smtpserver.SMTPHandler.handleConnection(SMTPHandler.java:372)
>>     at org.apache.james.util.connection.ServerConnection$ClientConnectionRunner.run(ServerConnection.java:432)
>>     at org.apache.excalibur.thread.impl.ExecutableRunnable.execute(ExecutableRunnable.java:55)
>>     at org.apache.excalibur.thread.impl.WorkerThread.run(WorkerThread.java:116)
>>
>>
>> Additionally... the Exchange server attempting to connect is showing no
>> errors in the protocol log, just continuous attempts to connect.
>>
>> Any thoughts?
>>
>> Jan
>>
>> ---------- Forwarded message ----------
>> From: Jan Drake <[email protected]>
>> Date: Tue, Oct 15, 2013 at 8:17 AM
>> Subject: James 2.3 - TLS Connection Problem/Questions
>> To: James Users List <[email protected]>
>>
>>
>> After following the instructions I could find on generating a key and
>> configuring TLS/SSL for SMTP in James 2.3, I encountered no configuration
>> errors in logs; however, every time I try to connect to the port securely
>> the connection hangs and, eventually, the server log shows an error and
>> claims connection termination from the client. I'm wondering if I've
>> missed something. Firewalls are totally open... the connection establishes
>> but hangs.
>>
>> And, the other question I have is... given a CSR for a cert for a domain,
>> in this case wildcard, what's the best type of cert to request for use with
>> James 2.3?
>>
>> Apache2
>> Apache+OpenSSL
>> Apache+ApacheSSL
>> ... or?
>>
>> Thanks,
>>
>>
>> Jan
>>

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
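The two `openssl s_client -state` transcripts in this thread carry more information than their final "handshake failure" line: the server answered the ClientHello with a single fatal alert record (alert 80, `internal_error`) and nothing else, which is why `no peer certificate available` and `SSL handshake has read 7 bytes` (a 5-byte record header plus the 2-byte alert) appear together. The script below is an added example, not code from the thread or from Apache James: it parses a transcript of that shape into structured fields and states where a defender should look next. The sample transcript is constructed from Jan's first run (abridged); the alert names come from RFC 5246 section 7.2, and the `Server certificate` heading used to detect a successful handshake is the wording `s_client` prints on success.

```python
"""Parse an `openssl s_client -state` transcript and summarise the failure.

Added example; not part of the thread or of Apache James.
"""
import re

# Alert description codes from RFC 5246 section 7.2 (common subset).
ALERT_NAMES = {
    0: "close_notify",
    40: "handshake_failure",
    42: "bad_certificate",
    48: "unknown_ca",
    70: "protocol_version",
    80: "internal_error",
}

# Constructed sample, abridged from the first transcript posted in the thread.
SAMPLE_TRANSCRIPT = """\
CONNECTED(00000003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL3 alert read:fatal:internal error
SSL_connect:failed in SSLv3 read server hello A
140461473093448:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1197:SSL alert number 80
140461473093448:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:594:
---
no peer certificate available
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
"""


def parse_s_client(transcript):
    """Extract the handshake-relevant facts from an s_client transcript."""
    info = {
        "connected": False,         # TCP connect succeeded
        "alert_level": None,        # "fatal" or "warning"
        "alert_number": None,       # TLS alert description code
        "alert_name": None,
        "failed_state": None,       # handshake state that failed
        "peer_certificate": False,  # server sent a Certificate message
        "bytes_read": None,
        "bytes_written": None,
        "cipher": None,
    }
    for raw in transcript.splitlines():
        line = raw.strip()
        if line.startswith("CONNECTED("):
            info["connected"] = True
            continue
        m = re.match(r"SSL3 alert read:(\w+):", line)
        if m:
            info["alert_level"] = m.group(1)
            continue
        m = re.search(r"SSL alert number (\d+)$", line)
        if m:
            info["alert_number"] = int(m.group(1))
            info["alert_name"] = ALERT_NAMES.get(info["alert_number"], "unknown")
            continue
        m = re.match(r"SSL_connect:(?:failed|error) in (.+)$", line)
        if m:
            info["failed_state"] = m.group(1)
            continue
        if line.startswith("Server certificate"):
            info["peer_certificate"] = True
            continue
        m = re.match(r"SSL handshake has read (\d+) bytes and written (\d+) bytes", line)
        if m:
            info["bytes_read"], info["bytes_written"] = int(m.group(1)), int(m.group(2))
            continue
        m = re.match(r"New, .*?, Cipher is (.+)$", line)
        if m:
            info["cipher"] = m.group(1)
    return info


def alert_only_response(info):
    """True when the server's entire reply was one alert record:
    5-byte TLS record header + 2 alert bytes = 7 bytes, as in the thread."""
    return info["alert_number"] is not None and info["bytes_read"] == 7


def diagnose(info):
    """Turn the parsed facts into a statement of where to look next."""
    if not info["connected"]:
        return "TCP connect failed: listener, port or firewall problem, not TLS."
    if info["alert_number"] is None and info["peer_certificate"]:
        return "Handshake completed with cipher %s." % info["cipher"]
    if alert_only_response(info) and not info["peer_certificate"]:
        return ("Server aborted with %s alert %d (%s) at '%s' before sending any "
                "certificate: the failure is server-side, so check the server's TLS "
                "log and that the configured keystore alias holds a private key."
                % (info["alert_level"], info["alert_number"],
                   info["alert_name"], info["failed_state"]))
    if info["alert_number"] is not None:
        return "Server sent %s alert %d (%s) after %s bytes read." % (
            info["alert_level"], info["alert_number"], info["alert_name"], info["bytes_read"])
    return "Handshake did not complete and no alert was recorded (timeout or non-TLS listener)."


if __name__ == "__main__":
    print(diagnose(parse_s_client(SAMPLE_TRANSCRIPT)))
```

Run against a pasted transcript, the script separates "the TLS server rejected us before saying anything" from cipher or protocol-version mismatches (those normally surface as alert 40 or 70). For the server-side check it points at, `keytool -list -v -keystore <file>` prints the entry type for each alias; the alias James is configured to use must be a private-key entry, not a trusted-certificate entry. The James stack trace quoted above shows the opposite failure: a read timeout inside `performInitialHandshake`, meaning a client connected and then never sent a ClientHello at all.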
