Re: Book on how to run your own mail server
>Hi, > >There is an ongoing campain for a book about self hosting an email server. I suggest have a look at https://dmatthews.org/email_server/perfect_email.html Much more exim4, but some very out of date James Also dovecot and stuff of peripheral interest such as fail2ban. The author has been running own mail exchanger for 15years, so he should know hat he's on abut.I should admit though it's me ;-0, but no real commercial interest at stake. -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: Migrating database -- James 3.3.0 to 3.8.1
>Hello -- > >I'd like to upgrade a James instance (Spring wiring) from 3.3.0 to 3.8.1. >The 3.3.0 instance uses the standard embedded Derby database. To migrate >the data, can I simply copy the existing Derby database to the new 3.8.1 >directory? If not, what is the procedure for upgrading? I think so; I'm basing this on experience with Derby and another application (ie James not involved). But I believe my experience is backed up by the Derby mission statement, claiming that the database directory can be simply coy/pasted as required. That is my experience anyway. -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: Configure SpamAssassin
hi Pierre I'm the author of https://dmatthews.org/email_server/perfect_email.html and also https://dmatthews.org/email_server/james.html That second article is way out of date as I don't use James in production, but may be helpful still. I've recently moved away from spamassassin despite what I say in that first article, freeing up a lot of RAM in the process and it's made hardly any difference to the amount of spam, which is close to nil anyway. I'd suggest consider outsourcing spam filtering to Spamhaus, creating a free account with them first. In that first article, which I may revise again soon, I suggest diverting anything they identify into a spam box, but I may go back to just dropping it. I'm a bit surprised that you get a lot of spam these days to be honest as I view it (in some ways) as a problem solved by the online blocklists. Sure there are still people sending out voluminous amounts of spam - there's one guy who tries to relay it through my machine on a steady basis. But how much of it finds it's way to an inbox? My take is that the idiots who want this crap read are being ripped off by the commercial spammers who know very well there's hardly such thing as an open relay these days and that all the ip addresses they've hacked are on blocklists very quickly. -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: DKIM -- crashes at James startup with error: malformed sequence in RSA private key
hi Giberto This is not up to date (James 3.3.0), but maybe nothing has changed in this area? i had no problem getting outgoing email DKIM signed (not checking incoming mail). How I did it is described at https://dmatthews.org/email_server/java_email.html -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: Unable to send messages, relay denied. IMAP does work ok.
hi Marc I'm not a james expert, but as a generic observation, since any mail exchanger should allow local users to send mail (but indeed prevent relaying from other sources unless explicitly deciding to allow them), I suggest reverting to standard config and starting from there. There is a write up of an even more ancient James version here (using maildir) https://dmatthews.org/java_email.html where I did have configs with everything working. If you don't get more specific help from someone else, that may be worth a look. -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: SPF record: not found for host
hi Gunter >And yes, by other domains all works fine. Google sucks :-) -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: SPF record: not found for host
>I'm using the spf-mailet now and test it. I found this warning in the log file: >"No SPF record found for host: googlemail.com" > >So I checked "googlemail.com" by mxtoolbox.com >DNS-Record: v=spf1 redirect=_spf.google.com Obvious things first - does your setup deal with SPF records for other domains without problem? If so join the gmail sucks club. I use gmail as a test sender/recipient for my mail server. I go back a couple of years now - I noticed that gmail was failing my SPF record, despite it definitely being correct. Since it was still delivering my test mails to Inbox rather than junk, I just left it. Then it started to put mail in junk folders - good job I noticed. It did not like my SPFv6 record, despite it being correct, despite mxtoolbox saying it was correct, despite the authoritative DNS server saying it was correct and every other DNS server I thought to check. Even the gmail DNS servers thought it was correct. Go figure that one :-) Since I have a /64, I pragmatically brought up the v6 address gmail thought I should have and adjusted my records - just to make gmail happy and stop binning test mails and email to friends unfortunate enough to be relying on gmail. It has solved the problem, but you seem to have a different one. To complete my story, it's likely that the record gmail wanted to see (and now does) had been in use before. For most people DNS changes update in lets say 24 hours, but for gmail it seems to take a couple of years :-) -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: Attack on the James Server
hi Gunter I'm not a James expert; I don't even use it in production, I did look at it a while back, because I'm a java programmer, but I decided that the devil you know (exim4 in my case) is better than the devil you don't. In my book, all mailexchangers being complicated beastly devils. I still think your problem sounds like the necessity to create a regex that will match those 100 failed attempts to logon as recorded in your logs. If you can do that then fail2ban can be set to drop the connection after say 3 failed attempts. I believe I've recently seen the same problem as you. Maybe around April this year, before which there was only the trickle of spammers trying to route spam through my mailer, suddenly a huge volume of different addresses doing strange things. They just as suddenly it stopped about a week ago and I think it was thanks to fail2ban,that there were no memory issues - even my small VM managed to shrug it off. My suspicion is it's part of a drive to end internet anonymity. I only host my own mail, but I could easily be, as other people on this list do, running a little email business, without demanding real world ID of customers. So little people like you and I, offering an alternative to gmail, outlook etc, become a target - that's how I see it anyway. :-) -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: Attack on the James Server
hi Gunter >The best way I think would be if James could handle this internally. Until >then, fail2ban is a good alternative. I think you are misunderstanding. Neither james or any other mail exchanger or imap server can take over the work fail2ban can do. Fail2ban can provide a dynamic firewall, by blocking ip addresses that misbehave on the fly. This blocking happens at network level rather than application level so is much more efficient and safer than james/exim4/postfix alone can achieve with even the finest configuration tweaks. -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: Attack on the James Server
>Hello Paul, >Do you think you would be able to share your experience with others? I'll chip in here as the proponent of fail2ban to watch all the services provided by your server, not just ssh as is most commonly used. The most useful thing for james users will be a working regex, which probably should be in /etc/fail2ban/filter.d/james.local to make sure it doesn't get removed in an upgrade. Also details of any customization made to your logging setup. I presume you made a /etc/fail2ban/jail.local file with your james config (again to prevent an upgrade removing settings). So that would also be helpful to james users. Other james users (with logging matching yours) would just need to copy those files, make them owned root.root and restart fail2ban -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: Attack on the James Server
>To chip-in. It should be possible to configure logback to: output only log >entries for failing >connections (e.g. for >org.apache.james.protocols.smtp.core.esmtp.AuthCmdHandler.doAuthTest) and with >simplified entry (e.g. only the error message) that should make writing regexp >simpler. > yes, that would help With my exim4 setup, fail2ban is only looking at the rejectlog. You can't just ban everything though as you'd lock yourself out next time you fat fingered the password. -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: Attack on the James Server
>Hello David, > >thanks for your information. Maybe fail2ban is a solution. I would prefer to >solve the problem with board funds from James. > With fail2ban, once you come up with a working regex, you're solving the problem at a pre James level - in affect you would be operating an automatic and dynamic firewall block. I think that's a deal more efficient than anything James or any other mail exchanger can do. -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: Attack on the James Server
>I run a James mail server (james-server-spring-app-3.8.0). The log file shows >that the server is constantly being attacked. This is normal, the server is on >the Internet. My experience is that there is a sharp increase on attacks on small mail servers since maybe April. This is not a James issue - I run exim/dovecot in production setup. I'd strongly suggest looking at fail2ban and this may give a pointer:- https://dmatthews.org/webmail.html#fail2ban Fortunately for me fail2ban's regex for exim is ok as is; writing regex is one of my least favourite tasks. Using James, you'll have some work to do there. As an aside, it seems more or less concurrent to this large increase in attacks, free email providers are all tying to get a phone number from you. Gmail, not so forcefully, but another foreign provider (I have these legacy accounts for testing purposes) told me there had been a hacked entry into my account and to do a password reset I now have to supply a phone number. For sure they are lying and there is no way they'll get a phone number from me :-) Online attack on anonymity? -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: Hupa or Alternative
hi Jerry If you add code which is going to make jwma useful more widely than just yourself there's no reason why you'd need to do it privately. My main interest is that the arty black + shades of grey is kept, which was never my work. I think it's a bit of a pity that the jakarta/java email stuff is not more widely used, in particular for webmail access. Seems like a easy solution to me. I also despair at email being handed over entirely to big interests; more people should run their own mail exchangers. My private email is on the jwma site at sourcforge and this is not a James issue - please use that if you want to chat more -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: Hupa or Alternative
hi Jerry >Thanks again. I'm not really concerned about it working properly. >Totally trust you there... :-) :-) total? Not sure I can recommend that! As for your requirements, I just run a few tomcat apps on a subdomain, including jwma. I've written up how to do that also incidentally and wire up tomacat to apache. If that's adequate for your customers, all other things being equal, it should be straightforward enough. Not sure I like "embedded" - well I don't dislike it, but I think that would require some coding that I'm probably not interested in doing. Best wishes with it anyway; I'd be delighted if it works out. -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: Hupa or Alternative
>David, thanks for the quick response. JWMA didn't show up in my >original google search. It looks like it will definitely meet my >needs. Is there a forum for tech discussions for JWMA? hi Jerry Any questions - ask me - after you've ready the doc, which is pretty good; it's my project these days. I got onto it around 2012 or something like; I thought it looked very pretty, but it worked like ... no I don't want to be rude. Problem was the original people had rolled their own instead of using a framework and the code was pretty pasta like - the long thin stuff. I rewrote it all using the stripes framework, which was excellent - very sad that it seems to be slipping to oblivion. I wrote the view stuff for small screen clients, but the desktop view code and appearance is pretty mush as the original guys did it. I tried to rewrite it in "modern" html - doing away with tables, but came to the opinion it wasn't possible. I also extended it a bit by making maildir storage format an option - it was mbox only originally. I don't use maildir, so it's not had a lot of testing, but I think it's ok. You'll need maildir of course if james is your imap server as I don't think it does mbox?. mail exchanger, imap server (james acts as both of course) and webmail client must all use same storage format. TBH it's unlikely I'll do much more with it as it works perfectly and does exactly what I need. the code is a bit clunking in places where I bolted on stuff I didn't appreciate would be necessary at original design stage, but :-) it's not so bad! -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: Hupa or Alternative
>I realize that Hupa project has been retired. However, I need to embed >a webMail client into my web site, and Hupa appears to be able to do >what I need. But all of the source and binary download links on the >Apache Hupa page are dead. > >Is there a new/better alternative to Hupa now? If not, is there some >place I can download the binary for Hupa? hi Jerry consider jwma? https://jwma.sourceforge.net/ I anyway doubt running unsupported software would be a great idea. -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: Apache James necessary documents seem to be hidden
>I apologize to James community for my ASF-code-non-compliant email. I hope >everything is just confused. Not up to me to accept this, but it's surely overdue. Do you actually contribute any code/documentation/positive feedback to a free software project? We all know there are alternative mail exchangers and IMAP servers out there. If Jmaes isn't for you just go away quietly. -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: DDoS and DoS protection
>Does Apache James provide any best practice for DDoS/DoS protection? I mean >it is at application level. > fail2ban can be very effective with a mail exchanger. There are some notes here https://dmatthews.org/webmail.html#fail2ban but there it's being used with exim4. So you would have to study your log file, decide what you want to keep out and then write a fail2ban filter to suit, so you'd have a fair bit of work to do to get it operational. -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: Spam
hi Serge Without even looking at your logs, if you want to send emails these days, you must implement SPF, DKIM and DMARC. If you haven't done that I think you can get yourself on an online block list without even having your machine compromised. There's some info at https://dmatthews.org/perfect_email.html although the james specific stuff is rather out of date now -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: How to get TLS working
I can't find anything in the docs about it. Am I missing >something obvious here? > That jar is not a Bouncy Castle thing - they do provide an alternative I believe, but you won't find the sun version there. https://www.oracle.com/java/technologies/ I imagine that you need to choose the correct version to match your java version ie 11 or 17, I would guess go for 11 for any version below 17. -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: Sending Unencrypted E-mails
>https://dmatthews.org/java_email.html is out of date with James, but probably still ok DKIM wise also https://dmatthews.org/email_auth.html My confident guess is if you do "Show original" on the message in the gmail spam box, it will complain about SPF and/or DKIM. These days that's simply an essential extra tech hurdle if you want to run an email server. While you're at it, you may as well fix DMARC as well, although I seem no merit in it an d nobody has explained to me why I'm wrong. When I last looked gmail *would* deliver mail to inboxes without a DMARC pass, although that would be noted in the "Show original" view. Maybe hotmail or some other mega provider will insist on it though. Incidentally, only DKIM is a James issue and only partly so, the rest is DNS -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: apache/james:demo-3.6.0
>I saw this article in my feeds the other day. With a read: >https://ploum.net/the-monstrosity-email-has-become/ > Interesting article, but I would forcible argue that despite having to contend with legacy tech (actually your mail exchanger does that for you) and various hoops to jump through, including DMARC, SPF & DKIM, running your own email server from an always on machine (ie not one behind a home broadband connection) remains eminently doable. I've not found it anything like so trying to reduce unwanted email to close to nothing as that author describes. Non tech people I know with accounts at gmail, hotmail etc tell me they also get much less spam that they used to. However, I suspect the network remains awash with the rubbish; it's not delivered due to everyone being forced to implement SPF and DKIM and using online blocklists. It is still being sent though, by the unscrupulous spammers, who don't tell their unscrupulous customers that although they send out their crap as per contract, no one gets it in an inbox. -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: apache/james:demo-3.6.0
hi Benoit > >Thanks for pointing DMarc out! > >That would be great if someone find a bit of time to have a quick write >up on how to setup DMarc with James. Also it could be great to have >integrations for James retrieving, understanding, and complying with >DMarc policies. It's not really a James issue at least not in the sense that you're wanting to get your email into an inbox rather than a spam folder. Rather it's a DNS issue, as with SPF - you just need an appropriate text record. DKIM differs, in that it's a two part thing, you need a public key in your DNS, but also James must sign the email with the appropriate private key. If you wanted to check the DMARC of incoming mail, then it would become a James issue, but I don't believe it's worth the pain as checking an online blocklist is straight forward and adequate on it's own - maybe with a bit of spamassassin as backup. Didn't the write ups you linked originate from my own one? Months/a year ago someone from the James community asked me if they could base something on them. I said I was entirely happy for that and remain entirely happy if that was done and if you want to add a DMARC article based on what's at dmatthews.org, just go ahead. I should say that my James foo is out of date as after investigating it, I decided to stick with exim4 as the devil I know being better than the devil I don't. As I've already said though, for SPF and DMARC, it makes no difference if your fighting with James/exim4/postfix etc - these are DNS issues rather mail exchanger issues. Incidentally, if anyone can explain to me why DMARC, which seems to just duplicate DKIM and SPF, is not a stupid technology, I'd be pleased to read that -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: apache/james:demo-3.6.0
>Hello Sean, > >Email trust is definitely a complicated thing. Getting third party >accepting your emails is a complex task [1]. To send emails to (say) >Gmail, you would need to buy a domain, register you MXs, set up >scertificates, battle with DKIM and SPF, etc... > >[1] https://james.apache.org/howTo/spf.html >https://james.apache.org/howTo/dkim.html I'd add to that DMARC, which as far as I can make out is a pointless addition to the fight against spammers, unlike DKIM & SPF. I'd agree they are a bit of a pain to set up, especially DKIM, but at least I see the sense in them in addition to actually getting your email delivered to an inbox rather than junk. An alternative read at https://dmatthews.org/email_auth.html covers similar ground -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: Apache James : Purely MX record based smtp.
hi Amlan Why do you think any SMTP server needs anything other than an MX record? OK Some TXT records for dkim, spf and dmarc, but why an A record? I doubt that I properly understand your use case and since James itself does SMTP, I don't follow why you talk about connecting to an smtp provider with your own James instance. I'm out of date with James now, but did do a write up with config changes, as much as for my own future reference as for anyone else. I'm not sure if it will help you, but it's at https://dmatthews.org/java_email.html if you care to look. best wishes -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: systemd auto start and stop
>What are the errors in your James.log file? > None that I can recall; I've not looked at James for a while. -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: What is difference between Message-Id and EmailId ?
>Last but not least: this is a rather technical discussion, more related >to James development, but maybe not relevant for James users. As such I >believe next time we want to discuss technical details related to James >development (which is great!) we should do it on server-dev. > No, no Benoit! It was great to read that lucid explanation here :-) -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: Sender Name change
>Any update here is appreciated. > >On Wed, Dec 16, 2020 at 3:03 PM JPrasanna Venkatesan >prasanna1...@gmail.com> >wrote: > >> Hi All, >> >> I want to change the sender name (from addresss) alone and I like to fetch >> it from my postgres DB using a select query. how to do this one. >> what sort of help are you looking for - is it with a James issue or a postgres issue? -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: Helo command rejected: need fully-qualified hostname being in a home network
hi Pablo >But this setup is in a home network. The setup uses Dynamic DNS where the >james server is behind the router, and the router is forwarding ports 25, 587 >to the james server. > I used to do something like that 15 years ago, but I wouldn't think of trying to run a mail server from inside a home network now. Even then a lot of mail got grey listed; I'm surprised you get gmail to accept mail at all now. I think that email servers in general do not like dealing with anything without a static ip address. I'm pretty sure that's the case if you're on the end of a broadband home connection and I'd guess the same applies if you try and use a dynamic DNS service. I'm not certain this is the problem you have just now (although I think it might be), but I don't think what you're trying to do is going to lead to a happy life. If you want to run an email server (an excellent idea!) I'd suggest getting a VM from someone like linode. -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: Helo command rejected: need fully-qualified hostname being in a home network
>Guice case. The security setup with SPF, DKIM and DMARC, follows what is >described at https://dmatthews.org/java_email.html. That's me :-) >My gmail account can >receive email successfully from this server. That means the DNS >configuration seems working. It also likely means those above settings are correct. The mail goes into the inbox (not junk/spam) yes? >But still there is a problem sending email >to other servers. For example, trying to subscribe to the james-dev >developer list, the server complains: > >Error message: >504 5.5.2 >localhost>: Helo command rejected: need fully-qualified hostname > That's not connected with those security settings and maybe not a James issue at all. Is this a linux server? What does hostname -f say? -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: JMAP extensions support
I'll jump in here with a unixy do one thing and do it well view. James is already huge - in the non java world the competition is, for instance, exim4 and dovecot - both of them that is, not either or. Surely if you want to tack on contact/calendar implementations somewhere an email client (not server) is a better place. -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: v.3.5 - issues enable jSPF
hi Matt I'd agree there was a problem back in version 3.3, but changes may have been made since then? If I removed comments from this code (below) in smtpserver.xml even test mails were never delivered. I didn't investigate further, mainly because I find that you pretty much kill incoming spam dead by configuring DNSBL checking (more uncommenting in the same file). So SPF checking and spamassassin too are hardly essential. -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: a bit additional work required on openSUSE 15.2 with James 3.5.0
hi Matt >What I'd like to say with this little WoT: Although SPF, DKIM, DMARC and >even things like S/MIME and PGP are things a mail server admin has to >care about - there'Re even government size oddities one has to consider. >And although the mess in germany is one of its kind - I guess there're >similar stuff all over the world. > wow! I feel your pain - email in a walled garden. DKIM in particular, is a bit of a hassle, but at least I can see a technical reason for it and I think that + SPF, it actually has hit the spammers. For all the government crap we have here in the UK (particularly in this "difficult time") there is no attempt to put an oar into the email system. -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: a bit additional work required on openSUSE 15.2 with James 3.5.0
hello aain > >I got "inspired" by this topic to write down a guide myself. Although I >only have SPF set up right now I may take the time to also have a look >into DKIM and DMARC. It won't be perfect, but same as with Davids guide: >It should others new to James get started. > I should clarify my attitude to SPF/DKIM/DMARC I do check incoming mail SPF coz it's easy in both James and exim4, so why not, although checking incoming mail against online blacklists (DNSBL) pretty much solves the spam problem. I don't bother to check DKIM or DMARC. My experience is that you must implement SPF and DKIM for domains you are hosting as if you don't gmail, hotmail and other mega providers will put your outgoing mail in spam boxes without warning you - the logs will say queued for delivery / accepted. You may as well have DMARC as well although I can't see the point of it from a technical point of view. SPF and DMARC for your hosted domains is a DNS issue rather than an issue for james/exim4 or whatever. DKIM is a two part thing - you must have a public key in the domains' DNS and james/exim4 must sign outgoing mail with the corresponding private key. Fully dealt with at https://dmatthews.org/email_auth.html except that I've only done the DNS on a tinyDNS based system. I'd love to add info for BIND and I'll credit anyone who provides that in my writeup. -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: a bit additional work required on openSUSE 15.2 with James 3.5.0
Hi Tellier >As I understand you mostly use James as a MTA ? james-smtp (dedicated to >mail processing, without mailbox storage) [3] is awaiting >3, and would >benefit to be added to the documentation effort ;-) I did trial James as a MTA / mail exchanger cum imap server and with version 3.3 I had everything looking to be working as I'd expect. To be honest though, although the James project is of interest to me (I like email and java!) I'm still sticking with exim4 and dovecot on my production setup. The devil you know is better than the devil you don't! As already said, I'm quite happy for the documentation I wrote to be reused and I don't try and insist on any conditions for doing that. -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: a bit additional work required on openSUSE 15.2 with James 3.5.0
Hi Tellier > >I gave your link a read and found it very interesting. > >Especially I believe the SPF part would deserve more visibility. > >Would you agree sharing it on the Apache James community website as a >"How to" ? [1] [2] Yes of course. Regarding SPF, I'd add that DKIM is also a must and the info at https://dmatthews.org/email_auth.html should be equally visible. I found out the hard way that these days, if you try and run an email server without implementing SPF and DKIM for your domains, the mega providers will silently put all your mail in junk boxes. Not so convinced about DMARC which I don't really see the point of, but you may as well have that also as it's not difficult to implement. Somewhat grudgingly, I have to admit that these technologies do make some sense, apart from raising the bar by gmail, hotmail etc against people like me that just want to run their own email or provide a service for a small number of customers. I do check incoming mail for SPF (but not DKIM) and I have spamassassin sitting in the background, but it very seldom has to take action. Just dropping anything from an IP in a DNSBL pretty much solves the spam problem. A relative of mine that uses one of the mega providers recently observed to me that there is very little in his spam box these days. Putting spammers out of business is good! -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: a bit additional work required on openSUSE 15.2 with James 3.5.0
hi Matt thanks for feedback >but I'm missing the important last step to >actually add the user accounts via james-cli.sh (or maybe any other >method). So, anything would just be rejected with a "550 user not found". > yes I should include that >groupware Citadel/UX. It got an update at some point >and ever since I wasn't able to get it working ever again. :-) My story - I worked for a debian based shop back when exim4 was the default MX; more knowledgeable than me colleagues help me get started and after much struggles with the beast I'd say I was close to being a demi-semi expert :-) I'm reluctant to throw out my hard earned experience, but exim4 is way over the top complicated for what I need and these days debian people are just as likely to be using postfix. I like java, so that's the base of my interest in James. Maybe one day I will take a jump! I absolutely agree that the James documentation is a lot behind what it could be and in tinkering with it, I've relied quite heavily on transferable knowledge about what mail exchangers and imap servers should be doing. -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: a bit additional work required on openSUSE 15.2 with James 3.5.0
hi Matt >So, if anyone needs some help getting current James versions run on >current opensuse systems I'm happy to offer help as far as I can provide it. I've not yet taken the plunge and moved my production email off exim4 and dovecot, but I'm very interested in keeping abreast of James developments. If you have the odd moment you could take a look at https://dmatthews.org/java_email.html and point out anything that's out of date (the write up is based on 3.3) or just plain wrong :-) -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: Incoming messages via web service & using custom email headers
hi Juhan >We'll start to build a system for a government where each resident will have a digital postbox and any government party can send messages and documents to any of the residents securely. Which government is this? -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: sending mail from Android with K9 fails
> >> Can james deliver mail to the same account sent from another machine - a >> desktop/laptop with a known to be correctly configured email client? > >Yes, in my desktop, Thunderbird receives email in this account and sends >it as well. > >> >> Can the android machine running K9 send mail to a test account at >> gmail/hotmail or some such place? > > >Interesting: I have just done a test sending email to my gmail account >from K9 (Android), and it has worked. The log in James shows no >exception for this email. > hi Pablo Don't follow your last paragraph - why would James log an email sent to gmail from an android device? Anyway what you reported semi-confirms my suspicions that it's K9 rather than james to (mostly) blame. I messed around trying to get K9 to play nice with an mail exchanger running dovecot & exim4 and gave up. Can't remember the details as this was some time ago, but I think I concluded that K9 was rather over opinionated about the settings it should use and lacked config options that it really ought to have. I'm not familiar with thunderbird, but I imagine that like sylpheed (for instance) you can configure settings for ports and SSL/TLS? So if you make that play with your gmail account (as does your K9) that might help you understand what settings your james server needs to play nicely with K9. My solution to this problem was to add a small screen interface to my (server side) webmail frontend :-) -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: sending mail from Android with K9 fails
hi Pablo >Is there any insight on what to do here ? > I'd suggest a couple of test:- Can james deliver mail to the same account sent from another machine - a desktop/laptop with a known to be correctly configured email client? Can the android machine running K9 send mail to a test account at gmail/hotmail or some such place? I found in the past that K9 does not always behave so well. -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: Unable to delete blob file for mail
Hi Matt >Meanwhile, with regards to my other issue, having applied the log4j changes >suggested by David Matthews, I can see that after a period of time the >MailDelivrer stops running: > Just like to clarify that as per the acknowledgement on the link I gave you, we have Jerry Malcom to thank for that log4J work. Don't want to appear to be claiming the credit for that excellent piece of work :-) -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: Unable to delete blob file for mail
Hi Matt >Also, more importantly, we've noticed a significant delay in receiving >emails after the initial relay (up to 24 hours), could this be related? Are >there any logs for actually relaying to the destination smtp server? > I had an issue with james regarding the lack of feedback in the logs from remote mail exchangers when sending email. Another person following this list posted a log4j file that much improved things. You still don't see the raw response from the remote MX, but at least, with this file in place, james gives it's own assessment of what happens when you send mail. I put a copy of this file at the bottom of this article:- https://dmatthews.org/java_email.html I suggest giving that a whirl. -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: Prefer IPv6 on outbound
Hi I think I agree with you now - I noticed you were hosting your own DNS and I couldn't see anything untoward. So yes it seems to be a james issue *although* that does not explain why my system report from a linode VM goes (via exim4 which is ipv6 by default) over ipv4 to a gmail account. :-) -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: Prefer IPv6 on outbound
>What does this have to do with my sending domain? v6 is configured on my >sending domain but that shouldn't matter anyway. Well it could be, although in your case (scoopta.email?) I don't think it is. Another possibility is that it's a linode issue? And as it happens I have a linode VM which is currently mailing only a single daily system report to a gmail address and I notice that gmail is checking the ipv4 SPF and that's actually not what I would have expected. In this instance there is no james involvement, but as I said, I would have expected this to go over ipv6. I don't especially care and in the past when things definitely were going over ipv6, I've had problems with the linode ipv6 address being in a blocklist - definitely not from anything I've done of course :-) Incidentally, I found it impossible to get the ipv6 address out of this block list and I wondered at the time if whole ipv6 ranges got blacklisted due to naughtiness from a single address. At the time I solved the problem by stopping ipv6 in exim4, but that config is not in place at the moment. So maybe a linode issue? -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: Prefer IPv6 on outbound
>Is there a way to prefer IPv6 for outbound email? I set >-Djava.net.preferIPv6Addresses=true but james/JavaDNS doesn't seem to >obey it. When sending to gmail which fully supports IPv6 inbound my >server still sends over v4. > Is this really a james issue rather than the DNS of your sending domain? -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: Keystore Renewal Policy?
hi Jerry I do take your point as I only offer webmail access. However, debian (for instance) offers scripts as part of both its exim4 and dovecot packages, purpose of which is to create certificates. I don't think they ever did that for apache. So I can't see that they would do that if outlook, thunderbird, sylpheed, k9 etc and other dedicated email client programs would complain at that. As we know, you must renew LetsEncrypt certs every 90 days. Compared to what was available for our web sites before this service, we are not going to complain! However you can certainly create a self signed cert that lasts for a year (dovecot does that), not sure if you can spin up one that doesn't expire. So I still don't see why you have good reason for wanting your James instance to offer a LetsEncrypt cert when I'm sure there are many more servers running exim4 and dovecot behind a self signed one (even if the admins keep those up to date!). -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: Keystore Renewal Policy?
>David, > >That's good info in the article. But my question was does the >keytool-generated file expire as well when the underlying cert >(LetsEncrypt or self-signed cert) expires? Or can I simply renew the >underlying cert without having to re-execute the keytool step each time >the cert auto-renews? > Short answer - I don't know. But a couple of thoughts:- 1) That keytool command completes as you snap your fingers, it's not an intensive thing. 2)LetsEncrypt for https, I totally get (and use it myself); you do not want people having to ignore browser warnings to see your web site. I don't see it as an issue with imaps though. Dovecot is another imap server and depending on which version/distro you use, for imaps it comes with a certificate or offers a script to create one. Seems to me that using keytool is just the equivalent for James - I guess you could also use openssl, which dovecot uses. I just checked that and saw the cert expires after 365 days, so I've certainly run on an out of date cert at times even if I'm not doing it now. :-) Do I care? No, my webmail program doesn't check the cert for validity - it runs on the same machine as dovecot so that is hardly a serious issue - I just want the encryption. I'm pretty sure there's no problem with sylpheed either, although it's a good while since I used it. May be things like thunderbird check cert validity? Not sure. How many people are going to access their email on your server? It's not like a web page which is for the whole world. -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: Keystore Renewal Policy?
hi Jerry Not sure how helpful this is, but I mention it just in case https://dmatthews.org/java_email.html#imaps discusses imaps with james. I use a self signed cert and TBH not sure what extra LetsEncrypt offers you over that, but I produce the key with keytool -genkey -alias james -keyalg RSA and from https://letsencrypt.org/docs/integration-guide/ "Let’s Encrypt accepts RSA keys from 2048 to 4096 bits in length" -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: James 3.4.0 WebAdmin
hi Sean > >I am new to Apache James and I have downloaded version 3.4.0. I and several other people who wrote to this list had problems with this version. My experience was that emails were spooled, but never delivered and no error messages in the logs either. Other people reported the same problem, so I would suggest getting 3.3.0, which I found pretty much just works. > >The installation does not include a webadmin.properties file - does version >3.4.0 not include WebAdmin and if not is there an alternative way to configure >James via Java. > As far as I know there is no web frontend and james is configured by editing the files in the conf directory. I've written some notes for doing that - not especially difficult, rather to remind myself:- https://dmatthews.org/java_email.html and I suggest you might also want to look at:- https://dmatthews.org/email_auth.html That last page is not james specific, but if you want to run your own mail exchanger that information is important whatever software you choose. -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
Re: Best single-node setup
>Hi, > >I am about to deploy a James instance for personal usage. I have a >restricted budget (say 50€/month) so I'm looking for the best setup >possible for that target. hi Matthieu It's not so easy to understand what information you're hoping for, but I assume some sort of virtual machine offering is going to meet your needs. I have experience of VMs at Bytemark and Linode, but I'm not well informed about which companies offer the best service/price, although both of those two are OK. >* IMAP + SMTP (in and out) >* TLS + SPF + DKIM You're talking about working to a budget and deploying your own James server, so surely you'll deal with configuring James to give IMAPS access and SMTP yourself? Here's my 2 cents worth on SPF and DKIM. 1)It's absolutely essential that you configure your domain's DNS with these (and also DMARC) and that James signs outgoing email with your DKIM private key. If you don't do that you'll be relying on recipients at yahoo, gmail, hotmail etc to whitelist your email address to get them delivery to inbox rather than junk folders. 2)The effective way to avoid get deluged with incoming spam yourself is to configure James to use DNSBLs. If you do that, my experience is that you don't really need to worry about checking SPF and DKIM (or DMARC) on incoming email. Fact is that most spammers are already in these blocklists, so just dropping everything that has been caught there will solve the incoming spam problem at least 95%. I find that with that in place even running spamassassin offers little extra. Here's a couple of Howto's to set up James (including IMAPS, DKIM and DNSBL) https://dmatthews.org/java_email.html and to configure your domains DNS with SPF, DKIM and DMARC. https://dmatthews.org/email_auth.html That last page is rather tinyDNS specific, but it will be of some help even if your domain's DNS server uses some other system, in which case feedback would be appreciated and will be added to that page. -- David Matthews m...@dmatthews.org - To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org For additional commands, e-mail: server-user-h...@james.apache.org
