Curiouser and curiouser... OpenSSL connection testing works and I can EHLO and send email to the server using that. Exchange server connects to James and then hangs no matter what I do.

Anybody ever gotten an Exchange 2010 server to communicate via TLS and basic auth with James 2.3?

Jan

On 10/16/13 9:44 AM, "Robert Munn" <[email protected]> wrote:

> Hmm. You alluded to the keytool command in the install docs holding for
> James v 2.3, which I take it is what you are running. Maybe the server
> doesn't like the wildcard cert. If this is a self-signed cert, try
> generating a new one for just the domain you need for the mail server and
> see if the server likes that.
>
> As an alternative, I would suggest upgrading to James Server 3 beta 5:
>
> https://repository.apache.org/content/repositories/snapshots/org/apache/james/james-server-app/3.0.0-beta5-SNAPSHOT/james-server-app-3.0.0-beta5-20131015.104349-220-app.zip
>
> Make sure to install the unlimited JCE per Johnny's link and the JAXB 2.1
> jar per the install instructions on the James web site.
>
> I am running beta 5 now and to my view it is much improved over beta 4.
>
> Robert
>
> On Wed, Oct 16, 2013 at 8:38 AM, Jan Drake <[email protected]> wrote:
>
>> Thanks for this. No dice. -showcerts doesn't display any certs
>> associated with the connection. How very odd...
>>
>> Jan
>>
>> On 10/15/13 11:09 PM, "Johnny Minty" <[email protected]> wrote:
>>
>>> Hi Jan,
>>>
>>> I would check to make sure the unlimited strength policy files are
>>> installed.
>>>
>>> Link to Java 7 policy files below:
>>>
>>> http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html
>>>
>>> Kind regards,
>>>
>>> Johnny Minty
>>>
>>> Sent from my Windows Phone
>>> ________________________________
>>> From: Jan Drake <mailto:[email protected]>
>>> Sent: 16/10/2013 6:05 p.m.
>>> To: James Users List <mailto:[email protected]>
>>> Subject: Re: James 2.3 - TLS Connection Problem/Questions
>>>
>>> Yeh, I get Connected(00000003) -- then no response from server, nothing in
>>> log files until I close the connection.
>>>
>>> Pulling my hair out here... I never get the 250 message from the mail
>>> server.
>>>
>>> The logs don't give any indication of issues until the client cuts the
>>> connection, then it fails mid handshake.
>>>
>>> After a lot of reading it seems like it might be a failure to select a
>>> cipher in the handshake but...
>>>
>>> Not sure.
>>>
>>> Any and all help is greatly appreciated. Rapidly approaching a deadline.
>>>
>>> Jan
>>>
>>> P.S. It is a self-signed certificate -- I assume the details on the cert
>>> aren't really relevant or checked.
>>>
>>> On 10/15/13 7:30 PM, "Robert Munn" <[email protected]> wrote:
>>>
>>>> I am using starttls in James, here is my command:
>>>>
>>>> openssl s_client -connect localhost:25 -state -starttls smtp
>>>>
>>>> This works for me to connect with starttls=true specified in James 3.04.
>>>>
>>>> Robert
>>>>
>>>> On Tue, Oct 15, 2013 at 6:29 PM, Jan Drake <[email protected]> wrote:
>>>>
>>>>> Thanks, Robert.
>>>>>
>>>>> I did use the keytool as documented here in creating your own certificate
>>>>> keystore:
>>>>>
>>>>> http://james.apache.org/server/3/config-ssl-tls.html
>>>>>
>>>>> -- which I realize is for version 3; I presume it holds for 2.3
>>>>>
>>>>> keytool -genkey -alias james -keyalg RSA -keystore your_keystore_filename
>>>>>
>>>>> ...and I remember entering the passwords and entered them in the
>>>>> config.xml file for SSL configuration. I got this wrong initially and
>>>>> James wouldn't even start up.
>>>>>
>>>>> It starts up with no problem and indicates SSL is configured on the proper
>>>>> port.
>>>>>
>>>>> I'm wondering if this is a TLS version thing.
>>>>>
>>>>> When I connected originally I tried: openssl s_client -connect ip:port -state
>>>>>
>>>>> Here's the result of the openssl connection attempt:
>>>>>
>>>>> [root@ip-10-167-12-205 SAR-INF]# openssl s_client -connect localhost:25 -state -tls1
>>>>> CONNECTED(00000003)
>>>>> SSL_connect:before/connect initialization
>>>>> SSL_connect:SSLv3 write client hello A
>>>>> SSL3 alert read:fatal:internal error
>>>>> SSL_connect:failed in SSLv3 read server hello A
>>>>> 140461473093448:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1197:SSL alert number 80
>>>>> 140461473093448:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:594:
>>>>> ---
>>>>> no peer certificate available
>>>>> ---
>>>>> No client certificate CA names sent
>>>>> ---
>>>>> SSL handshake has read 7 bytes and written 0 bytes
>>>>> ---
>>>>> New, (NONE), Cipher is (NONE)
>>>>> Secure Renegotiation IS NOT supported
>>>>> Compression: NONE
>>>>> Expansion: NONE
>>>>> SSL-Session:
>>>>>     Protocol  : TLSv1
>>>>>     Cipher    : 0000
>>>>>     Session-ID:
>>>>>     Session-ID-ctx:
>>>>>     Master-Key:
>>>>>     Key-Arg   : None
>>>>>     Krb5 Principal: None
>>>>>     PSK identity: None
>>>>>     PSK identity hint: None
>>>>>     Start Time: 1381886891
>>>>>     Timeout   : 7200 (sec)
>>>>>     Verify return code: 0 (ok)
>>>>> ---
>>>>> [root@ip-10-167-12-205 SAR-INF]#
>>>>>
>>>>> Without TLS1 I get:
>>>>>
>>>>> [root@ip-10-167-12-205 SAR-INF]# openssl s_client -connect localhost:25 -state
>>>>> CONNECTED(00000003)
>>>>> SSL_connect:before/connect initialization
>>>>> SSL_connect:SSLv2/v3 write client hello A
>>>>> SSL3 alert read:fatal:internal error
>>>>> SSL_connect:error in SSLv2/v3 read server hello A
>>>>> 139934735300424:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:674:
>>>>> ---
>>>>> no peer certificate available
>>>>> ---
>>>>> No client certificate CA names sent
>>>>> ---
>>>>> SSL handshake has read 7 bytes and written 112 bytes
>>>>> ---
>>>>> New, (NONE), Cipher is (NONE)
>>>>> Secure Renegotiation IS NOT supported
>>>>> Compression: NONE
>>>>> Expansion: NONE
>>>>> ---
>>>>>
>>>>> Any help would be greatly appreciated... On a crunch here.
>>>>>
>>>>> Jan
>>>>>
>>>>> On 10/15/13 6:15 PM, "Robert Munn" <[email protected]> wrote:
>>>>>
>>>>>> This is a guess but I bet the private key is not in the keystore. Did you
>>>>>> generate the cert request using keytool? If not, you will need to generate
>>>>>> a pfx file with the public and private key in it, then transform the pfx
>>>>>> file into the keystore format, specifying that keystore as the store for
>>>>>> James. That should do it.
>>>>>>
>>>>>> Here is a discussion on Stack Overflow about the transform process.
>>>>>>
>>>>>> http://stackoverflow.com/questions/4217107/how-to-convert-pfx-file-to-keystore-with-private-key
>>>>>>
>>>>>> On Tue, Oct 15, 2013 at 4:06 PM, Jan Drake <[email protected]> wrote:
>>>>>>
>>>>>>> Not sure if I should expect to get posts that I send to this list returned
>>>>>>> to me by the list? It seems to filter them out so I can't be sure they
>>>>>>> made the list.
>>>>>>>
>>>>>>> Anyway, original message below, with some additional information from the
>>>>>>> smtpserver log:
>>>>>>>
>>>>>>> 5/10/13 21:55:04 INFO smtpserver: Connection from ip-10-144-83-143.ec2.internal (10.144.83.143)
>>>>>>> 15/10/13 22:05:04 ERROR smtpserver: Socket to ip-10-144-83-143.ec2.internal (10.144.83.143) timeout.
>>>>>>> java.net.SocketTimeoutException: Read timed out
>>>>>>>     at java.net.SocketInputStream.socketRead0(Native Method)
>>>>>>>     at java.net.SocketInputStream.read(SocketInputStream.java:152)
>>>>>>>     at java.net.SocketInputStream.read(SocketInputStream.java:122)
>>>>>>>     at sun.security.ssl.InputRecord.readFully(InputRecord.java:442)
>>>>>>>     at sun.security.ssl.InputRecord.read(InputRecord.java:480)
>>>>>>>     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927)
>>>>>>>     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
>>>>>>>     at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:882)
>>>>>>>     at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
>>>>>>>     at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
>>>>>>>     at java.io.BufferedInputStream.read(BufferedInputStream.java:254)
>>>>>>>     at org.apache.james.util.CRLFTerminatedReader.read(CRLFTerminatedReader.java:153)
>>>>>>>     at org.apache.james.util.CRLFTerminatedReader.readLine(CRLFTerminatedReader.java:113)
>>>>>>>     at org.apache.james.smtpserver.SMTPHandler.readCommandLine(SMTPHandler.java:751)
>>>>>>>     at org.apache.james.smtpserver.SMTPHandler.handleConnection(SMTPHandler.java:372)
>>>>>>>     at org.apache.james.util.connection.ServerConnection$ClientConnectionRunner.run(ServerConnection.java:432)
>>>>>>>     at org.apache.excalibur.thread.impl.ExecutableRunnable.execute(ExecutableRunnable.java:55)
>>>>>>>     at org.apache.excalibur.thread.impl.WorkerThread.run(WorkerThread.java:116)
>>>>>>>
>>>>>>> Additionally... the Exchange server attempting to connect is showing no
>>>>>>> errors in the protocol log, just continuous attempts to connect.
>>>>>>>
>>>>>>> Any thoughts?
>>>>>>>
>>>>>>> Jan
>>>>>>>
>>>>>>> ---------- Forwarded message ----------
>>>>>>> From: Jan Drake <[email protected]>
>>>>>>> Date: Tue, Oct 15, 2013 at 8:17 AM
>>>>>>> Subject: James 2.3 - TLS Connection Problem/Questions
>>>>>>> To: James Users List <[email protected]>
>>>>>>>
>>>>>>> After following the instructions I could find on generating a key and
>>>>>>> configuring TLS/SSL for SMTP in James 2.3, I encountered no configuration
>>>>>>> errors in logs; however, every time I try to connect to the port securely
>>>>>>> the connection hangs and, eventually, the server log shows an error and
>>>>>>> claims connection termination from the client. I'm wondering if I've
>>>>>>> missed something. Firewalls are totally open... the connection establishes
>>>>>>> but hangs.
>>>>>>>
>>>>>>> And, the other question I have is... given a CSR for a cert for a domain,
>>>>>>> in this case wildcard, what's the best type of cert to request for use
>>>>>>> with James 2.3?
>>>>>>>
>>>>>>> Apache2
>>>>>>> Apache+OpenSSL
>>>>>>> Apache+ApacheSSL
>>>>>>> ... or?
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Jan

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
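A triage helper for the symptom this thread chases, added here as an example (it is not part of the thread or of James). It classifies a captured `openssl s_client` transcript the way the replies reason about it (fatal alert, no peer certificate, `Cipher is (NONE)` means the server gave up before the handshake got anywhere) and checks whether the keystore James is pointed at actually holds a private key, which is what Robert's guess turns on. The keystore path, store password, host and port are assumptions, and the sample transcript is constructed.

```shell
#!/bin/sh
# Added triage helper for "STARTTLS connects, then hangs / alert 80" symptoms.
# Not from the thread or from James; paths, passwords and hosts are assumed.

# classify_s_client: read an `openssl s_client` transcript on stdin and print
#   server-alert-no-cert : server sent a fatal alert before any certificate
#                          (the thread's case). Look server-side: keystore
#                          without a private key, or a cipher the JVM cannot
#                          use (e.g. unlimited JCE policy not installed).
#   handshake-ok         : a cipher was negotiated; TLS itself is working.
#   unknown              : anything else (plain timeout, empty output, ...).
classify_s_client() {
    transcript=$(cat)
    if printf '%s\n' "$transcript" | grep -q 'Cipher is (NONE)'; then
        if printf '%s\n' "$transcript" | grep -q 'alert'; then
            echo server-alert-no-cert
        else
            echo unknown
        fi
    elif printf '%s\n' "$transcript" | grep -q 'Cipher is '; then
        echo handshake-ok
    else
        echo unknown
    fi
}

# keystore_has_private_key KEYSTORE STOREPASS: exit 0 if keytool lists a
# private-key entry ("PrivateKeyEntry"; very old JDKs print "keyEntry").
# A keystore holding only a certificate is exactly what the thread suspects.
keystore_has_private_key() {
    keytool -list -keystore "$1" -storepass "$2" 2>/dev/null |
        grep -Eq 'PrivateKeyEntry|keyEntry'
}

# probe_starttls HOST PORT: live probe using the STARTTLS form from the thread.
probe_starttls() {
    openssl s_client -connect "$1:$2" -starttls smtp </dev/null 2>&1 |
        classify_s_client
}

# Constructed transcript modelled on the failing run in the thread (not a copy).
SAMPLE_FAIL='CONNECTED(00000003)
SSL3 alert read:fatal:internal error
SSL_connect:failed in SSLv3 read server hello A
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)'

printf '%s\n' "$SAMPLE_FAIL" | classify_s_client   # prints server-alert-no-cert
```

`probe_starttls mail.example.com 25` runs the live check against a host you own; `keystore_has_private_key /path/to/keystore changeit` needs `keytool` from the JDK that runs James.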
