Well, one problem down, one to go?

TLS Connectivity now checks out at the openssl and nmap levels.  I even
get:

No client certificate CA names sent
---
SSL handshake has read 1666 bytes and written 278 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 525F1A02D89EB34BC3AC815A21677F7EB41C16132E1515FFA02C8E2997E0BA81
    Session-ID-ctx:
    Master-Key: F520C4BC8AF662AB996444D90A16058C3A8D3DA9F0DB6BF4F1F5D490D333D69C60D93ED63DAD61B140BE1ED90AE1F68E
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1381964290
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
---
220 ip-10-167-12-205 SMTP Server (JAMES SMTP Server 2.3.2) ready Wed, 16 Oct 2013 22:58:10 +0000 (UTC)
EHLO
ehlo test.me



...but then it just hangs... No response.  Anybody seen this?



Jan
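
An added example (mine, not code from this thread or from Apache James): a small Python probe that walks the same steps as the `openssl s_client -starttls smtp` session above, banner, EHLO, STARTTLS, handshake, EHLO again, but with a read timeout on every step and every command terminated by CRLF, so it reports `timeout` instead of sitting there. Two details are worth knowing when reading the hang: an interactive `s_client` session sends a bare LF for each typed line unless started with `-crlf`, and the server trace quoted further down shows James blocking in `CRLFTerminatedReader.readLine`, a reader that frames commands on CRLF. Whether that is the cause here is a hypothesis, not something the thread establishes; the probe simply removes it as a variable. Host, port, the EHLO name `probe.example` and the reply syntax (RFC 5321) are assumptions.

```python
"""SMTP STARTTLS probe with CRLF framing and per-step read timeouts.
Added example, not Apache James code. Assumed: RFC 5321 reply syntax,
host/port from the command line, "probe.example" as a placeholder EHLO name.
"""
import re
import socket
import ssl
import sys

# One reply line: 3-digit code, then "-" (more lines follow) or " " (final line).
REPLY_LINE = re.compile(rb"^(\d{3})([ -])(.*)$")


def parse_reply(raw: bytes):
    """Parse CRLF-terminated reply lines into (code, lines, complete).
    `complete` is False while the last line is a continuation (b"250-STARTTLS"),
    so a partial multi-line EHLO reply is not mistaken for a finished one."""
    code, lines, complete = None, [], False
    for line in raw.split(b"\r\n"):
        if not line:
            continue
        m = REPLY_LINE.match(line)
        if m is None:
            raise ValueError("malformed reply line: %r" % line)
        line_code = int(m.group(1))
        if code is None:
            code = line_code
        elif line_code != code:
            raise ValueError("mixed reply codes in one reply")
        lines.append(m.group(3).decode("ascii", "replace"))
        complete = m.group(2) == b" "
    return code, lines, complete


def read_reply(sock, timeout):
    """Read one complete reply; raises socket.timeout instead of hanging."""
    sock.settimeout(timeout)
    buf = b""
    while True:
        chunk = sock.recv(4096)        # socket.timeout after `timeout` s of silence
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
        if buf.endswith(b"\r\n"):
            code, lines, complete = parse_reply(buf)
            if complete:
                return code, lines


def send_cmd(sock, cmd: str):
    """Send one command terminated by CRLF, never a bare LF."""
    sock.sendall(cmd.encode("ascii") + b"\r\n")


def read_reply_from_bytes(data: bytes, timeout=0.2):
    """Offline self-check: push constructed server bytes through read_reply."""
    a, b = socket.socketpair()
    try:
        b.sendall(data)
        try:
            return read_reply(a, timeout)
        except socket.timeout:
            return "timeout"
    finally:
        a.close()
        b.close()


def probe_starttls(host, port=25, helo="probe.example", timeout=10.0, verify=False):
    """Banner -> EHLO -> STARTTLS -> handshake -> EHLO again, each step timed out."""
    result = {"banner": None, "starttls_offered": False, "tls": None, "ehlo_after_tls": None}
    sock = socket.create_connection((host, port), timeout=timeout)
    tls = None
    try:
        result["banner"] = read_reply(sock, timeout)
        if result["banner"][0] != 220:
            return result
        send_cmd(sock, "EHLO " + helo)
        _, caps = read_reply(sock, timeout)
        result["starttls_offered"] = any(c.upper() == "STARTTLS" for c in caps)
        if not result["starttls_offered"]:
            return result
        send_cmd(sock, "STARTTLS")
        if read_reply(sock, timeout)[0] != 220:
            return result
        ctx = ssl.create_default_context()
        if not verify:                 # tolerate a self-signed cert, as s_client does
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        try:
            tls = ctx.wrap_socket(sock, server_hostname=host)
        except ssl.SSLError as e:
            result["tls"] = ("handshake failed", str(e))
            return result
        result["tls"] = (tls.version(), tls.cipher()[0])
        send_cmd(tls, "EHLO " + helo)  # the step that hangs in the thread
        try:
            result["ehlo_after_tls"] = read_reply(tls, timeout)
        except socket.timeout:
            result["ehlo_after_tls"] = "timeout"
            return result
        send_cmd(tls, "QUIT")
    finally:
        (tls or sock).close()
    return result


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 25
    for key, value in probe_starttls(host, port).items():
        print("%-18s %s" % (key, value))
```

Run it as `python probe.py <host> 25`. Certificate verification is off by default, which matches what `s_client` does with the self-signed certificate above (verify return code 18); pass `verify=True` to enforce it. Newer Python/OpenSSL builds default to a TLS 1.2 minimum, so against a server that only offers TLSv1, as the session above negotiated, the handshake step fails and is reported as such before the EHLO step is ever reached; `ctx.minimum_version` can be lowered for the diagnosis if the local OpenSSL still allows it.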


On 10/16/13 9:55 AM, "Jan Drake" <[email protected]> wrote:

>Thanks, Robert.  I'm a bit leery about the stability of V3 yet and haven't
>done any testing to see if my custom mailets will operate the same way
>they do in V2.3 -- any insight there would be helpful.
>
>I will take your advice and regenerate the certificates.  I'm currently
>testing with a self-signed certificate.  I'm not aware of what validation
>checking may be done on the values I provided when generating the
>certificate -- wondering if there's something there it might not like.  I
>thought with a self-signed there was very little actual validation
>happening (certainly no upstream certificate validation but maybe there
>is something else).
>
>Appreciate your help and everyone else who is offering suggestions.
>
>
>Jan
>
>On 10/16/13 9:44 AM, "Robert Munn" <[email protected]> wrote:
>
>>Hmm. You alluded to the keytool command in the install docs holding for
>>James v 2.3, which I take it is what you are running. Maybe the server
>>doesn't like the wildcard cert. If this is a self-signed cert, try
>>generating a new one for just the domain you need for the mail server and
>>see if the server likes that.
>>
>>As an alternative, I would suggest upgrading to James Server 3 beta 5:
>>
>>https://repository.apache.org/content/repositories/snapshots/org/apache/james/james-server-app/3.0.0-beta5-SNAPSHOT/james-server-app-3.0.0-beta5-20131015.104349-220-app.zip
>>
>>Make sure to install the unlimited JCE per Johnny's link and the JAXB 2.1
>>jar per the install instructions on the James web site.
>>
>>I am running beta 5 now and to my view it is much improved over beta 4.
>>
>>Robert
>>
>>
>>On Wed, Oct 16, 2013 at 8:38 AM, Jan Drake <[email protected]> wrote:
>>
>>> Thanks for this.  No dice.  -showcerts doesn't display any certs
>>> associated with the connection.  How very odd...
>>>
>>>
>>> Jan
>>>
>>> On 10/15/13 11:09 PM, "Johnny Minty" <[email protected]> wrote:
>>>
>>> >Hi Jan,
>>> >
>>> >I would check to make sure the unlimited strength policy files are
>>> >installed.
>>> >
>>> >Link to Java 7 policy files below:
>>> >
>>> >
>>> >http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
>>> >
>>> >
>>> >Kind regards,
>>> >
>>> >Johnny Minty
>>> >
>>> >Sent from my Windows Phone
>>> >________________________________
>>> >From: Jan Drake<mailto:[email protected]>
>>> >Sent: 16/10/2013 6:05 p.m.
>>> >To: James Users List<mailto:[email protected]>
>>> >Subject: Re: James 2.3 - TLS Connection Problem/Questions
>>> >
>>> >Yeh, I get Connected(00000003) -- then no response from server, nothing
>>> >in log files until I close the connection.
>>> >
>>> >Pulling my hair out here...  I never get the 250 message from the mail
>>> >server.
>>> >
>>> >The logs don't give any indication of issues until the client cuts the
>>> >connection, then it fails mid handshake.
>>> >
>>> >After a lot of reading it seems like it might be a failure to select a
>>> >cipher in the handshake but...
>>> >
>>> >Not sure.
>>> >
>>> >
>>> >Any and all help is greatly appreciated.  Rapidly approaching a deadline.
>>> >
>>> >
>>> >Jan
>>> >
>>> >P.S. It is a self-signed certificate -- I assume the details on the cert
>>> >aren't really relevant or checked.
>>> >
>>> >
>>> >
>>> >On 10/15/13 7:30 PM, "Robert Munn" <[email protected]> wrote:
>>> >
>>> >>I am using starttls in James, here is my command:
>>> >>
>>> >>openssl s_client -connect localhost:25
>>> >>-state -starttls smtp
>>> >>
>>> >>This works for me to connect with starttls=true specified in James 3.04.
>>> >>
>>> >>Robert
>>> >>
>>> >>
>>> >>
>>> >>On Tue, Oct 15, 2013 at 6:29 PM, Jan Drake <[email protected]> wrote:
>>> >>
>>> >>> Thanks, Robert.
>>> >>>
>>> >>> I did use the keytool as documented here in creating your own
>>> >>> certificate keystore:
>>> >>>
>>> >>> http://james.apache.org/server/3/config-ssl-tls.html
>>> >>>
>>> >>> -- which I realize is for version 3; I presume it holds for 2.3
>>> >>>
>>> >>> keytool -genkey -alias james -keyalg RSA -keystore your_keystore_filename
>>> >>>
>>> >>>
>>> >>> ...and I remember entering the passwords and entered them in the
>>> >>> config.xml file for ssl configuration.  I got this wrong initially and
>>> >>> james wouldn't even start up.
>>> >>>
>>> >>> It starts up with no problem and indicates ssl is configured on the
>>> >>> proper port.
>>> >>>
>>> >>> I'm wondering if this is a tls version thing.
>>> >>>
>>> >>> When I connected originally I tried openssl s_client -connect ip:port
>>> >>> -state
>>> >>>
>>> >>> Here's the results of openssl connection attempt:
>>> >>>
>>> >>> [root@ip-10-167-12-205 SAR-INF]# openssl s_client -connect localhost:25 -state -tls1
>>> >>> CONNECTED(00000003)
>>> >>> SSL_connect:before/connect initialization
>>> >>> SSL_connect:SSLv3 write client hello A
>>> >>> SSL3 alert read:fatal:internal error
>>> >>> SSL_connect:failed in SSLv3 read server hello A
>>> >>> 140461473093448:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1197:SSL alert number 80
>>> >>> 140461473093448:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:594:
>>> >>> ---
>>> >>> no peer certificate available
>>> >>> ---
>>> >>> No client certificate CA names sent
>>> >>> ---
>>> >>> SSL handshake has read 7 bytes and written 0 bytes
>>> >>> ---
>>> >>> New, (NONE), Cipher is (NONE)
>>> >>> Secure Renegotiation IS NOT supported
>>> >>> Compression: NONE
>>> >>> Expansion: NONE
>>> >>> SSL-Session:
>>> >>>     Protocol  : TLSv1
>>> >>>     Cipher    : 0000
>>> >>>     Session-ID:
>>> >>>     Session-ID-ctx:
>>> >>>     Master-Key:
>>> >>>     Key-Arg   : None
>>> >>>     Krb5 Principal: None
>>> >>>     PSK identity: None
>>> >>>     PSK identity hint: None
>>> >>>     Start Time: 1381886891
>>> >>>     Timeout   : 7200 (sec)
>>> >>>     Verify return code: 0 (ok)
>>> >>> ---
>>> >>> [root@ip-10-167-12-205 SAR-INF]#
>>> >>>
>>> >>>
>>> >>> Without TLS1 I get:
>>> >>>
>>> >>> [root@ip-10-167-12-205 SAR-INF]# openssl s_client -connect localhost:25 -state
>>> >>> CONNECTED(00000003)
>>> >>> SSL_connect:before/connect initialization
>>> >>> SSL_connect:SSLv2/v3 write client hello A
>>> >>> SSL3 alert read:fatal:internal error
>>> >>> SSL_connect:error in SSLv2/v3 read server hello A
>>> >>> 139934735300424:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:674:
>>> >>> ---
>>> >>> no peer certificate available
>>> >>> ---
>>> >>> No client certificate CA names sent
>>> >>> ---
>>> >>> SSL handshake has read 7 bytes and written 112 bytes
>>> >>> ---
>>> >>> New, (NONE), Cipher is (NONE)
>>> >>> Secure Renegotiation IS NOT supported
>>> >>> Compression: NONE
>>> >>> Expansion: NONE
>>> >>> ---
>>> >>>
>>> >>>
>>> >>>
>>> >>>
>>> >>>
>>> >>> Any help would be greatly appreciated... On a crunch here.
>>> >>>
>>> >>>
>>> >>>
>>> >>> Jan
>>> >>>
>>> >>>
>>> >>>
>>> >>> On 10/15/13 6:15 PM, "Robert Munn" <[email protected]> wrote:
>>> >>>
>>> >>> >This is a guess but I bet the private key is not in the keystore. Did
>>> >>> >you generate the cert request using keytool? If not, you will need to
>>> >>> >generate a pfx file with the public and private key in it, then transform
>>> >>> >the pfx file into the keystore format, specifying that keystore as the
>>> >>> >store for James. That should do it.
>>> >>> >
>>> >>> >Here is a discussion on Stack Overflow about the transform process.
>>> >>> >
>>> >>> >
>>> >>> >http://stackoverflow.com/questions/4217107/how-to-convert-pfx-file-to-keystore-with-private-key
>>> >>> >
>>> >>> >
>>> >>> >On Tue, Oct 15, 2013 at 4:06 PM, Jan Drake <[email protected]> wrote:
>>> >>> >
>>> >>> >> Not sure if I should expect to get posts that I send to this list
>>> >>> >> returned to me by the list?  It seems to filter them out so I can't be
>>> >>> >> sure they made the list.
>>> >>> >>
>>> >>> >> Anyway, original message below, with some additional information from
>>> >>> >> the smtpserver log:
>>> >>> >>
>>> >>> >> 5/10/13 21:55:04 INFO  smtpserver: Connection from
>>> >>> >> ip-10-144-83-143.ec2.internal (10.144.83.143)
>>> >>> >> 15/10/13 22:05:04 ERROR smtpserver: Socket to ip-10-144-83-143.ec2.internal (10.144.83.143) timeout.
>>> >>> >> java.net.SocketTimeoutException: Read timed out
>>> >>> >>     at java.net.SocketInputStream.socketRead0(Native Method)
>>> >>> >>     at java.net.SocketInputStream.read(SocketInputStream.java:152)
>>> >>> >>     at java.net.SocketInputStream.read(SocketInputStream.java:122)
>>> >>> >>     at sun.security.ssl.InputRecord.readFully(InputRecord.java:442)
>>> >>> >>     at sun.security.ssl.InputRecord.read(InputRecord.java:480)
>>> >>> >>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927)
>>> >>> >>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
>>> >>> >>     at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:882)
>>> >>> >>     at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
>>> >>> >>     at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
>>> >>> >>     at java.io.BufferedInputStream.read(BufferedInputStream.java:254)
>>> >>> >>     at org.apache.james.util.CRLFTerminatedReader.read(CRLFTerminatedReader.java:153)
>>> >>> >>     at org.apache.james.util.CRLFTerminatedReader.readLine(CRLFTerminatedReader.java:113)
>>> >>> >>     at org.apache.james.smtpserver.SMTPHandler.readCommandLine(SMTPHandler.java:751)
>>> >>> >>     at org.apache.james.smtpserver.SMTPHandler.handleConnection(SMTPHandler.java:372)
>>> >>> >>     at org.apache.james.util.connection.ServerConnection$ClientConnectionRunner.run(ServerConnection.java:432)
>>> >>> >>     at org.apache.excalibur.thread.impl.ExecutableRunnable.execute(ExecutableRunnable.java:55)
>>> >>> >>     at org.apache.excalibur.thread.impl.WorkerThread.run(WorkerThread.java:116)
>>> >>> >>
>>> >>> >>
>>> >>> >> Additionally... the exchange server attempting to connect is showing
>>> >>> >> no errors in the protocol log, just continuous attempts to connect.
>>> >>> >>
>>> >>> >> Any thoughts?
>>> >>> >>
>>> >>> >> Jan
>>> >>> >>
>>> >>> >> ---------- Forwarded message ----------
>>> >>> >> From: Jan Drake <[email protected]>
>>> >>> >> Date: Tue, Oct 15, 2013 at 8:17 AM
>>> >>> >> Subject: James 2.3 - TLS Connection Problem/Questions
>>> >>> >> To: James Users List <[email protected]>
>>> >>> >>
>>> >>> >>
>>> >>> >> After following the instructions I could find on generating a key
>>> >>> >> and configuring TLS/SSL for SMTP in James 2.3, I encountered no
>>> >>> >> configuration errors in logs; however, every time I try to connect to
>>> >>> >> the port securely the connection hangs and, eventually, the server log
>>> >>> >> shows an error and claims connection termination from the client.  I'm
>>> >>> >> wondering if I've missed something.  Firewalls are totally open... the
>>> >>> >> connection establishes but hangs.
>>> >>> >>
>>> >>> >> And, the other question I have is... given a CSR for a cert for a
>>> >>> >> domain, in this case wildcard, what's the best type of cert to request
>>> >>> >> for use with James 2.3?
>>> >>> >>
>>> >>> >> Apache2
>>> >>> >> Apache+OpenSSL
>>> >>> >> Apache+ApacheSSL
>>> >>> >> ... or?
>>> >>> >>
>>> >>> >> Thanks,
>>> >>> >>
>>> >>> >>
>>> >>> >> Jan
>>> >>> >>
>>> >>>
>>> >>>
>>> >>>
>>> >>> 
>>>---------------------------------------------------------------------
>>> >>> To unsubscribe, e-mail: [email protected]
>>> >>> For additional commands, e-mail: [email protected]
>>> >>>
>>> >>>