Hmm. You alluded to the keytool command in the install docs holding for James v 2.3, which I take it is what you are running. Maybe the server doesn't like the wildcard cert. If this is a self-signed cert, try generating a new one for just the domain you need for the mail server and see if the server likes that.

As an alternative, I would suggest upgrading to James Server 3 beta 5:

https://repository.apache.org/content/repositories/snapshots/org/apache/james/james-server-app/3.0.0-beta5-SNAPSHOT/james-server-app-3.0.0-beta5-20131015.104349-220-app.zip

Make sure to install the unlimited JCE per Johnny's link and the JAXB 2.1 jar per the install instructions on the James web site. I am running beta 5 now and to my view it is much improved over beta 4.

Robert

On Wed, Oct 16, 2013 at 8:38 AM, Jan Drake <[email protected]> wrote:

> Thanks for this. No dice. -showcerts doesn't display any certs
> associated with the connection. How very odd...
>
> Jan
>
> On 10/15/13 11:09 PM, "Johnny Minty" <[email protected]> wrote:
>
> >Hi Jan,
> >
> >I would check to make sure the unlimited strength policy files are
> >installed.
> >
> >Link to Java 7 policy files below:
> >
> >http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
> >
> >Kind regards,
> >
> >Johnny Minty
> >
> >Sent from my Windows Phone
> >________________________________
> >From: Jan Drake<mailto:[email protected]>
> >Sent: 16/10/2013 6:05 p.m.
> >To: James Users List<mailto:[email protected]>
> >Subject: Re: James 2.3 - TLS Connection Problem/Questions
> >
> >Yeh, I get Connected(00000003) -- then no response from server, nothing in
> >log files until I close the connection.
> >
> >Pulling my hair out here... I never get the 250 message from the mail
> >server.
> >
> >The logs don't give any indication of issues until the client cuts the
> >connection, then it fails mid handshake.
> >
> >After a lot of reading it seems like it might be a failure to select a
> >cipher in the handshake but...
> >
> >Not sure.
> >
> >Any and all help is greatly appreciated. Rapidly approaching a deadline.
> >
> >Jan
> >
> >P.S. It is a self-signed certificate -- I assume the details on the cert
> >aren't really relevant or checked.
> >
> >On 10/15/13 7:30 PM, "Robert Munn" <[email protected]> wrote:
> >
> >>I am using starttls in James, here is my command:
> >>
> >>openssl s_client -connect localhost:25 -state -starttls smtp
> >>
> >>This works for me to connect with starttls=true specified in James 3.04.
> >>
> >>Robert
> >>
> >>On Tue, Oct 15, 2013 at 6:29 PM, Jan Drake <[email protected]> wrote:
> >>
> >>> Thanks, Robert.
> >>>
> >>> I did use the keytool as documented here in creating your own certificate
> >>> keystore:
> >>>
> >>> http://james.apache.org/server/3/config-ssl-tls.html
> >>>
> >>> -- which I realize is for version 3; I presume it holds to 2.3
> >>>
> >>> keytool -genkey -alias james -keyalg RSA -keystore your_keystore_filename
> >>>
> >>> ...and I remember entering the passwords and entered them in the
> >>> config.xml file for ssl configuration. I got this wrong initially and
> >>> james wouldn't even start up.
> >>>
> >>> It starts up with no problem and indicates ssl is configured on the
> >>> proper port.
> >>>
> >>> I'm wondering if this is a tls version thing.
> >>>
> >>> When I connected originally I tried openssl s_client -connect ip:port -state
> >>>
> >>> Here's the results of openssl connection attempt:
> >>>
> >>> [root@ip-10-167-12-205 SAR-INF]# openssl s_client -connect localhost:25 -state -tls1
> >>> CONNECTED(00000003)
> >>> SSL_connect:before/connect initialization
> >>> SSL_connect:SSLv3 write client hello A
> >>> SSL3 alert read:fatal:internal error
> >>> SSL_connect:failed in SSLv3 read server hello A
> >>> 140461473093448:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1197:SSL alert number 80
> >>> 140461473093448:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:594:
> >>> ---
> >>> no peer certificate available
> >>> ---
> >>> No client certificate CA names sent
> >>> ---
> >>> SSL handshake has read 7 bytes and written 0 bytes
> >>> ---
> >>> New, (NONE), Cipher is (NONE)
> >>> Secure Renegotiation IS NOT supported
> >>> Compression: NONE
> >>> Expansion: NONE
> >>> SSL-Session:
> >>>     Protocol  : TLSv1
> >>>     Cipher    : 0000
> >>>     Session-ID:
> >>>     Session-ID-ctx:
> >>>     Master-Key:
> >>>     Key-Arg   : None
> >>>     Krb5 Principal: None
> >>>     PSK identity: None
> >>>     PSK identity hint: None
> >>>     Start Time: 1381886891
> >>>     Timeout   : 7200 (sec)
> >>>     Verify return code: 0 (ok)
> >>> ---
> >>> [root@ip-10-167-12-205 SAR-INF]#
> >>>
> >>> Without TLS1 I get:
> >>>
> >>> [root@ip-10-167-12-205 SAR-INF]# openssl s_client -connect localhost:25 -state
> >>> CONNECTED(00000003)
> >>> SSL_connect:before/connect initialization
> >>> SSL_connect:SSLv2/v3 write client hello A
> >>> SSL3 alert read:fatal:internal error
> >>> SSL_connect:error in SSLv2/v3 read server hello A
> >>> 139934735300424:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:674:
> >>> ---
> >>> no peer certificate available
> >>> ---
> >>> No client certificate CA names sent
> >>> ---
> >>> SSL handshake has read 7 bytes and written 112 bytes
> >>> ---
> >>> New, (NONE), Cipher is (NONE)
> >>> Secure Renegotiation IS NOT supported
> >>> Compression: NONE
> >>> Expansion: NONE
> >>> ---
> >>>
> >>> Any help would be greatly appreciated... On a crunch here.
> >>>
> >>> Jan
> >>>
> >>> On 10/15/13 6:15 PM, "Robert Munn" <[email protected]> wrote:
> >>>
> >>> >This is a guess but I bet the private key is not in the keystore. Did you
> >>> >generate the cert request using keytool? If not, you will need to generate
> >>> >pfx file with the public and private key in it, then transform the pfx file
> >>> >into the keystore format, specifying that keystore as the store for James.
> >>> >That should do it.
> >>> >
> >>> >Here is a discussion on Stack Overflow about the transform process.
> >>> >
> >>> >http://stackoverflow.com/questions/4217107/how-to-convert-pfx-file-to-keystore-with-private-key
> >>> >
> >>> >On Tue, Oct 15, 2013 at 4:06 PM, Jan Drake <[email protected]> wrote:
> >>> >
> >>> >> Not sure if I should expect to get posts that I send to this list returned
> >>> >> to me by the list? It seems to filter them out so I can't be sure they
> >>> >> made the list.
> >>> >>
> >>> >> Anyway, original message below, with some additional information from the
> >>> >> smtpserver log:
> >>> >>
> >>> >> 5/10/13 21:55:04 INFO smtpserver: Connection from ip-10-144-83-143.ec2.internal (10.144.83.143)
> >>> >> 15/10/13 22:05:04 ERROR smtpserver: Socket to ip-10-144-83-143.ec2.internal (10.144.83.143) timeout.
> >>> >> java.net.SocketTimeoutException: Read timed out
> >>> >>         at java.net.SocketInputStream.socketRead0(Native Method)
> >>> >>         at java.net.SocketInputStream.read(SocketInputStream.java:152)
> >>> >>         at java.net.SocketInputStream.read(SocketInputStream.java:122)
> >>> >>         at sun.security.ssl.InputRecord.readFully(InputRecord.java:442)
> >>> >>         at sun.security.ssl.InputRecord.read(InputRecord.java:480)
> >>> >>         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927)
> >>> >>         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
> >>> >>         at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:882)
> >>> >>         at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
> >>> >>         at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
> >>> >>         at java.io.BufferedInputStream.read(BufferedInputStream.java:254)
> >>> >>         at org.apache.james.util.CRLFTerminatedReader.read(CRLFTerminatedReader.java:153)
> >>> >>         at org.apache.james.util.CRLFTerminatedReader.readLine(CRLFTerminatedReader.java:113)
> >>> >>         at org.apache.james.smtpserver.SMTPHandler.readCommandLine(SMTPHandler.java:751)
> >>> >>         at org.apache.james.smtpserver.SMTPHandler.handleConnection(SMTPHandler.java:372)
> >>> >>         at org.apache.james.util.connection.ServerConnection$ClientConnectionRunner.run(ServerConnection.java:432)
> >>> >>         at org.apache.excalibur.thread.impl.ExecutableRunnable.execute(ExecutableRunnable.java:55)
> >>> >>         at org.apache.excalibur.thread.impl.WorkerThread.run(WorkerThread.java:116)
> >>> >>
> >>> >> Additionally... the exchange server attempting to connect is showing no
> >>> >> errors in the protocol log, just continuous attempts to connect.
> >>> >>
> >>> >> Any thoughts?
> >>> >>
> >>> >> Jan
> >>> >>
> >>> >> ---------- Forwarded message ----------
> >>> >> From: Jan Drake <[email protected]>
> >>> >> Date: Tue, Oct 15, 2013 at 8:17 AM
> >>> >> Subject: James 2.3 - TLS Connection Problem/Questions
> >>> >> To: James Users List <[email protected]>
> >>> >>
> >>> >> After following the instructions I could find on generating a key and
> >>> >> configuring TLS/SSL for SMTP in James 2.3, I encountered no configuration
> >>> >> errors in logs; however, every time I try to connect to the port securely
> >>> >> the connection hangs and, eventually, the server log shows an error and
> >>> >> claims connection termination from the client. I'm wondering if I've
> >>> >> missed something. Firewalls are totally open... the connection establishes
> >>> >> but hangs.
> >>> >>
> >>> >> And, the other question I have is... given a CSR for a cert for a domain,
> >>> >> in this case wildcard, what's the best type of cert to request for use with
> >>> >> James 2.3?
> >>> >>
> >>> >> Apache2
> >>> >> Apache+OpenSSL
> >>> >> Apache+ApacheSSL
> >>> >> ... or?
> >>> >>
> >>> >> Thanks,
> >>> >>
> >>> >> Jan
> >>> >>
> >>>
> >>> ---------------------------------------------------------------------
> >>> To unsubscribe, e-mail: [email protected]
> >>> For additional commands, e-mail: [email protected]
> >>>
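Added example, not from anyone in this thread: a Python helper that reads an `openssl s_client -state` transcript like the two Jan pasted and reports whether the server aborted before ever sending ServerHello (alert 80 here), which points at the server's own TLS setup rather than certificate trust on the client side. The sample transcripts are constructed from the thread's output, and the hints in the verdict mirror the suggestions made in the thread (private key in the keystore, JCE policy, STARTTLS vs implicit TLS).

```python
import re

# Constructed sample: the TLS 1.0 attempt from this thread, trimmed to the
# lines the triage function reads (a real transcript has more lines).
FAILED_RUN = """\
CONNECTED(00000003)
SSL_connect:SSLv3 write client hello A
SSL3 alert read:fatal:internal error
SSL_connect:failed in SSLv3 read server hello A
140461473093448:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1197:SSL alert number 80
no peer certificate available
SSL handshake has read 7 bytes and written 0 bytes
New, (NONE), Cipher is (NONE)
"""

# Constructed sample of a run that completes, to exercise the success branch.
GOOD_RUN = """\
CONNECTED(00000003)
SSL_connect:SSLv3 read server hello A
SSL_connect:SSLv3 read finished A
SSL handshake has read 1523 bytes and written 431 bytes
New, TLSv1/SSLv3, Cipher is AES128-SHA
"""
# TLS alert descriptions (RFC 5246, section 7.2) for the codes named here.
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}

def triage_s_client(output):
    """Summarise an `openssl s_client -state` transcript and say where it stopped."""
    lines = output.splitlines()
    states = [l for l in lines if l.startswith("SSL_connect:")]
    alert = re.search(r"SSL alert number (\d+)", output)
    cipher = re.search(r"Cipher is (\S+)", output)
    r = {
        "connected": any(l.startswith("CONNECTED(") for l in lines),
        "last_state": states[-1].split(":", 1)[1] if states else None,  # last handshake step reached
        "alert": int(alert.group(1)) if alert else None,               # fatal alert the server sent
        "peer_cert": "no peer certificate available" not in output,
        "cipher": cipher.group(1) if cipher else None,
    }
    if not r["connected"]:
        r["verdict"] = "no TCP connection"
    elif r["alert"] is not None and "read server hello" in (r["last_state"] or ""):
        # An alert in place of ServerHello means the server failed before offering any certificate.
        r["verdict"] = ("server sent alert %d (%s) instead of ServerHello; check the keystore holds the "
                        "private key, the JCE policy allows the key size, and whether the port expects "
                        "STARTTLS rather than implicit TLS" % (r["alert"], ALERT_NAMES.get(r["alert"], "unknown")))
    elif r["peer_cert"] and r["cipher"] not in (None, "(NONE)"):
        r["verdict"] = "handshake completed with " + r["cipher"]
    else:
        r["verdict"] = "handshake failed after ServerHello at " + str(r["last_state"])
    return r
```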
