[ 
https://issues.apache.org/jira/browse/JAMES-3209?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17130704#comment-17130704
 ] 

Raphael Ouazana commented on JAMES-3209:
----------------------------------------

Instead of adding an Nginx proxy to James to handle TLS, why not contribute 
to James so that it handles certificates properly?

I know that James currently uses keystores, and in a pretty bad way, but I 
think this could easily be replaced by nice configuration options that allow 
certificates in the PEM format to be used directly, making it more suitable 
for admins and, for example, for use with Let's Encrypt.

BTW, will Nginx support work with the STARTTLS IMAP operation?

> Auth Module to make James usable with Nginx mail proxy for TLS termination 
> ---------------------------------------------------------------------------
>
>                 Key: JAMES-3209
>                 URL: https://issues.apache.org/jira/browse/JAMES-3209
>             Project: James Server
>          Issue Type: New Feature
>            Reporter: Ioan Eugen Stan
>            Priority: Major
>
> Apache James needs to be deployed with TLS encryption to ensure security of 
> emails during transport. 
> We could use Nginx as a mail proxy and use it for TLS termination. 
> However we need to implement an HTTP auth service for that to work. 
> This issue should cover work on making Nginx a valid mail proxy in front of 
> Apache James.
> References:
> https://docs.nginx.com/nginx/admin-guide/mail-proxy/mail-proxy/ 
> https://nginx.org/en/docs/mail/ngx_mail_auth_http_module.html#protocol
> == Context
> Unfortunately, Java has only the keystore for managing TLS certificates. This 
> makes deploying TLS certificates hard for Apache James since the internet 
> does not use the keystore format. 
> We could use Nginx as a mail proxy. Nginx supports the certificate format 
> that all other tools use. (add format here - PKCS #XXX ). People know how to 
> set up Nginx with LetsEncrypt and benefit from free TLS certificates with 
> automatic renewal. 
> However we need an integration piece: the nginx auth service. It's an http 
> service that works only with headers. It should be simple to write and 
> integrate.
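
An added example, not code from James or from anyone in this thread, of the header-only HTTP auth service that the issue description calls for, following nginx's auth_http protocol. The sample account, the loopback backend ports, the listening port 9000 and the retry limit are assumptions.

```python
import hashlib
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

def pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample account; a real service would query James's user repository.
USERS = {"alice@example.org": (b"sample-salt", pw_hash("correct-horse-battery", b"sample-salt"))}
# Assumed layout: James listens without TLS on loopback only, nginx terminates TLS.
BACKENDS = {"imap": ("127.0.0.1", 143), "pop3": ("127.0.0.1", 110), "smtp": ("127.0.0.1", 25)}
MAX_ATTEMPTS = 3  # assumed policy

def authenticate(headers: dict) -> dict:
    """Turn the Auth-* request headers sent by nginx into the response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    protocol = h.get("auth-protocol", "")
    if h.get("auth-method") != "plain" or protocol not in BACKENDS:
        return {"Auth-Status": "Unsupported authentication method"}
    # Hash even for unknown users so response time does not reveal valid accounts.
    salt, expected = USERS.get(h.get("auth-user", ""), (b"dummy-salt", b""))
    if not hmac.compare_digest(pw_hash(h.get("auth-pass", ""), salt), expected):
        reply = {"Auth-Status": "Invalid login or password"}
        attempt = h.get("auth-login-attempt", "1")
        # Without Auth-Wait nginx closes the connection instead of allowing a retry.
        if attempt.isdigit() and int(attempt) < MAX_ATTEMPTS:
            reply["Auth-Wait"] = "3"
        return reply
    host, port = BACKENDS[protocol]
    # Auth-Server must be an IP address, not a host name.
    return {"Auth-Status": "OK", "Auth-Server": host, "Auth-Port": str(port)}

class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        # nginx expects HTTP 200 either way; the verdict is carried only in headers.
        self.send_response(200)
        for name, value in authenticate(dict(self.headers.items())).items():
            self.send_header(name, value)
        self.end_headers()

if __name__ == "__main__":
    # Loopback only: Auth-Pass arrives in clear text from nginx.
    HTTPServer(("127.0.0.1", 9000), AuthHandler).serve_forever()
```
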


