[
https://issues.apache.org/jira/browse/JAMES-3639?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17412920#comment-17412920
]
Benoit Tellier commented on JAMES-3639:
---------------------------------------
{code:java}
<smtpservers>
<smtpserver enabled="true">
<jmxName>smtpserver-global</jmxName>
<bind>0.0.0.0:25</bind>
<tls socketTLS="false" startTLS="false">
<privateKey>file://conf/privatekey.pem</privateKey>
<certificates>file://conf/fullchain.pem</certificates>
</tls>
<authRequired>false</authRequired>
<smtpGreeting>Apache JAMES awesome SMTP Server</smtpGreeting>
<handlerchain>
<handler class="org.apache.james.smtpserver.fastfail.ValidRcptHandler"/>
<handler class="org.apache.james.smtpserver.CoreCmdHandlerLoader"/>
</handlerchain>
</smtpserver>
<smtpserver enabled="true">
<jmxName>smtpserver-TLS</jmxName>
<bind>0.0.0.0:465</bind>
<tls socketTLS="true" startTLS="false">
<privateKey>file://conf/privatekey.pem</privateKey>
<certificates>file://conf/fullchain.pem</certificates>
</tls>
<authRequired>true</authRequired>
<verifyIdentity>false</verifyIdentity>
<smtpGreeting>Apache JAMES awesome SMTP Server</smtpGreeting>
<handlerchain>
<handler class="org.apache.james.smtpserver.fastfail.ValidRcptHandler"/>
<handler class="org.apache.james.smtpserver.CoreCmdHandlerLoader"/>
</handlerchain>
</smtpserver>
<smtpserver enabled="true">
<jmxName>smtpserver-authenticated</jmxName>
<bind>0.0.0.0:587</bind>
<tls socketTLS="false" startTLS="true">
<privateKey>file://conf/privatekey.pem</privateKey>
<certificates>file://conf/fullchain.pem</certificates>
</tls>
<authRequired>true</authRequired>
<authorizedAddresses>127.0.0.0/8</authorizedAddresses>
<smtpGreeting>Apache JAMES awesome SMTP Server</smtpGreeting>
<handlerchain>
<handler class="org.apache.james.smtpserver.fastfail.ValidRcptHandler"/>
<handler class="org.apache.james.smtpserver.CoreCmdHandlerLoader"/>
</handlerchain>
</smtpserver>
</smtpservers>
{code}
file://conf/privatekey.pem and file://conf/fullchain.pem are Let's Encrypt generated.
James starts:
{code:java}
02:42:39.941 [INFO ] o.a.j.w.WebAdminServer - Web admin server started
02:42:40.129 [INFO ] o.a.j.m.s.JMXServer - JMX server started
02:42:40.141 [INFO ] o.a.j.GuiceJamesServer - JAMES server started
{code}
Here is the OpenSSL result:
{code:java}
$ openssl s_client -connect 172.17.0.3:465
CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = ldap.linagora.com.vn
verify return:1
---
Certificate chain
0 s:CN = ldap.linagora.com.vn
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=CN = ldap.linagora.com.vn
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4558 bytes and written 363 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 7CA318DE5D275B25246950185C0AB353863F2EDB5339EDDC1B031A7426F15057
Session-ID-ctx:
Resumption PSK: D26A1CAFE237EE7A6B80136A9A950C2243133D7AC76DDE59DEB2DEE85E74F27735BBDD0B2AC19F6B272BC4F2CD2FB676
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 86400 (seconds)
TLS session ticket:
0000 - 9b 50 74 48 fb a0 45 7a-0d ba f6 3c f1 e9 83 74 .PtH..Ez...<...t
0010 - 1d 9c be 9a 1e a8 58 4b-a0 5c c0 86 0b 6d b6 ad ......XK.\...m..
Start Time: 1631241786
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
220 Apache JAMES awesome SMTP Server
....
{code}
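An added example (not James code, nor from the comment author) that automates the check done by hand above: it derives each listener's TLS mode from the `<smtpservers>` block (a constructed bind/tls excerpt is embedded) and then probes each port with Python's `ssl`/`smtplib`, verifying the PEM chain and hostname against the system CA store exactly as `openssl s_client` did. The disabled 2525 listener, `mail.example.com` and the `probe` helper are assumptions.

```python
import smtplib
import socket
import ssl
import xml.etree.ElementTree as ET

# Constructed bind/tls excerpt of the smtpserver.xml above, plus one disabled listener.
SMTP_XML = """<smtpservers>
  <smtpserver enabled="true"><bind>0.0.0.0:25</bind><tls socketTLS="false" startTLS="false"/></smtpserver>
  <smtpserver enabled="true"><bind>0.0.0.0:465</bind><tls socketTLS="true" startTLS="false"/></smtpserver>
  <smtpserver enabled="true"><bind>0.0.0.0:587</bind><tls socketTLS="false" startTLS="true"/></smtpserver>
  <smtpserver enabled="false"><bind>0.0.0.0:2525</bind></smtpserver>
</smtpservers>"""


def listener_modes(xml_text):
    """Map each enabled listener's port to 'implicit', 'starttls' or 'plain'."""
    modes = {}
    for srv in ET.fromstring(xml_text).findall("smtpserver"):
        if srv.get("enabled", "true").lower() != "true":
            continue  # disabled listeners are never bound, so nothing to probe
        port = int(srv.findtext("bind").rsplit(":", 1)[1])
        tls = srv.find("tls")
        flag = lambda k: tls is not None and tls.get(k, "false").lower() == "true"
        modes[port] = ("implicit" if flag("socketTLS")
                       else "starttls" if flag("startTLS") else "plain")
    return modes


def subject_cn(cert):
    """Pull the CN out of the nested subject tuples ssl.getpeercert() returns."""
    return dict(rdn[0] for rdn in cert["subject"]).get("commonName")


def probe(host, port, mode, timeout=10):
    """Connect as configured; verify chain + hostname against system CAs (hypothetical
    helper). Returns (protocol, cipher, CN); 'plain' returns whether STARTTLS is offered."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and hostname check, like s_client
    if mode == "implicit":
        with socket.create_connection((host, port), timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0], subject_cn(tls.getpeercert())
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if mode == "plain":
            return smtp.has_extn("starttls")  # cleartext listener: report if upgrade exists
        smtp.starttls(context=ctx)  # raises ssl.SSLError on a bad chain or hostname
        s = smtp.sock
        return s.version(), s.cipher()[0], subject_cn(s.getpeercert())
```

Run `probe("mail.example.com", port, mode)` for each pair from `listener_modes(SMTP_XML)` against your own host; a misordered fullchain.pem or a key/cert mismatch surfaces as an `ssl.SSLError` on 465 and 587.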
> Allow to configure SSL from PEM keys (without a keystore)
> ---------------------------------------------------------
>
> Key: JAMES-3639
> URL: https://issues.apache.org/jira/browse/JAMES-3639
> Project: James Server
> Issue Type: Improvement
> Components: IMAPServer, JMAP, POP3Server, SMTPServer
> Reporter: Benoit Tellier
> Assignee: Antoine Duprat
> Priority: Major
> Time Spent: 2h 10m
> Remaining Estimate: 0h
>
> This gives the opportunity to inter-operate directly with OpenSSL formats and
> avoids some potentially tricky configuration steps (importing the keys in a
> keystore).
> Read related thread on the mailing list:
> https://www.mail-archive.com/[email protected]/msg70772.html
> How this looks like:
> {code:java}
> <tls socketTLS="true" startTLS="false">
> <privateKey>file://conf/private.nopass.key</privateKey>
> <certificates>file://conf/certs.self-signed.csr</certificates>
> </tls>
> {code}
> Tested manually with self signed certificates:
> {code:java}
> # Generating your private key
> openssl genrsa -des3 -out private.key 2048
> # Creating your certificates
> openssl req -new -key private.key -out certs.csr
> # Signing the certificate yourself
> openssl x509 -req -days 365 -in certs.csr -signkey private.key -out certs.self-signed.csr
> # Removing the password from the private key
> # Not necessary if you supply the secret in the configuration
> openssl rsa -in private.key -out private.nopass.key
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)