[
https://issues.apache.org/jira/browse/JAMES-3209?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17132706#comment-17132706
]
Ioan Eugen Stan commented on JAMES-3209:
----------------------------------------
Thanks for the comment [~rouazana]. I checked some time ago on the phone how I
can do that and it did not seem easy. Now I checked again and things look more
promising. I think it should be an easier setup to implement it in Java and
remove Nginx as a dependency (a distributed one).
I found some links after refining my search and it seems (at first glance) we
can read the PEM in pure Java
https://gist.github.com/destan/b708d11bd4f403506d6d5bb5fe6a82c5
There are a few issues to consider when implementing this:
1. How to create a socket with that certificate.
2. How to handle multiple domains on the same port. We could have each domain
handled by another certificate. I don't know how Java does this.
In nginx you define multiple servers, one per domain and they share the port.
Another option for reading the PEM file is with Bouncycastle - it's already a
dependency of James mailets.
https://stackoverflow.com/questions/14919048/bouncy-castle-pemreader-pemparser
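The two points above (reading PEM with the JDK alone, and several domains sharing one port) worked through as an added Java example; this is not code from the issue or from James. What nginx does with one server block per domain, Java does with a key manager that picks the KeyStore alias matching the SNI host name the client sent. It assumes a JDK 11 or later, one directory per domain laid out like LetsEncrypt's fullchain.pem/privkey.pem, and an unencrypted PKCS#8 key.

```java
import java.io.ByteArrayInputStream; import java.net.Socket;
import java.nio.file.*;
import java.security.*;
import java.security.cert.*;
import java.security.cert.Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.*;
import javax.net.ssl.*;
public final class PemSniTls { // assumed helper, not James code: JDK-only PEM loading plus one certificate per SNI host name
    // One key entry per domain (alias = host name): chain from fullchain.pem, unencrypted PKCS#8 key ("BEGIN PRIVATE KEY") from privkey.pem.
    static KeyStore loadDomains(Map<String, Path> dirByDomain, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12"); ks.load(null, null);
        for (Map.Entry<String, Path> e : dirByDomain.entrySet()) {
            Certificate[] chain = CertificateFactory.getInstance("X.509").generateCertificates(new ByteArrayInputStream(
                    Files.readAllBytes(e.getValue().resolve("fullchain.pem")))).toArray(new Certificate[0]); // reads PEM chains directly
            PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(Base64.getMimeDecoder().decode( // PKCS#8 only: PKCS#1 "BEGIN RSA PRIVATE KEY"
                    Files.readString(e.getValue().resolve("privkey.pem")).replaceAll("-----[A-Z ]+-----", ""))); // and encrypted keys need BC
            PrivateKey key = KeyFactory.getInstance(chain[0].getPublicKey().getAlgorithm()).generatePrivate(spec); // RSA or EC, per the leaf
            ks.setKeyEntry(e.getKey().toLowerCase(Locale.ROOT), key, pw, chain);
        }
        return ks;
    }
    /** Answers each handshake with the alias matching the client's SNI host name; absent or unknown SNI gets the default domain. */
    static final class SniKeyManager extends X509ExtendedKeyManager {
        private final X509ExtendedKeyManager d; private final String fallback;
        SniKeyManager(X509ExtendedKeyManager d, String fallback) { this.d = d; this.fallback = fallback.toLowerCase(Locale.ROOT); }
        private String byServerName(String kt, SSLSession s) {
            String[] a = d.getServerAliases(kt, null); // only aliases whose key has the type (RSA, EC, ...) this cipher suite needs
            List<String> ofType = a == null ? List.of() : Arrays.asList(a);
            if (s instanceof ExtendedSSLSession)
                for (SNIServerName n : ((ExtendedSSLSession) s).getRequestedServerNames())
                    if (n instanceof SNIHostName && ofType.contains(((SNIHostName) n).getAsciiName().toLowerCase(Locale.ROOT)))
                        return ((SNIHostName) n).getAsciiName().toLowerCase(Locale.ROOT);
            return ofType.contains(fallback) ? fallback : null; // null tells the JDK to try the next key type
        }
        @Override public String chooseEngineServerAlias(String kt, Principal[] is, SSLEngine e) { return byServerName(kt, e.getHandshakeSession()); }
        @Override public String chooseServerAlias(String kt, Principal[] is, Socket s) { return byServerName(kt, ((SSLSocket) s).getHandshakeSession()); }
        @Override public String chooseClientAlias(String[] kt, Principal[] is, Socket s) { return d.chooseClientAlias(kt, is, s); }
        @Override public String[] getClientAliases(String kt, Principal[] is) { return d.getClientAliases(kt, is); }
        @Override public String[] getServerAliases(String kt, Principal[] is) { return d.getServerAliases(kt, is); }
        @Override public X509Certificate[] getCertificateChain(String a) { return d.getCertificateChain(a); }
        @Override public PrivateKey getPrivateKey(String a) { return d.getPrivateKey(a); }
    }
    static SSLContext contextFor(KeyStore ks, char[] pw, String defaultDomain) throws Exception { // one context for the shared port
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); kmf.init(ks, pw);
        SSLContext ctx = SSLContext.getInstance("TLS"); // enable only TLSv1.2/1.3 on the SSLServerSocket or SSLEngine created from it
        ctx.init(new KeyManager[]{new SniKeyManager((X509ExtendedKeyManager) kmf.getKeyManagers()[0], defaultDomain)}, null, null);
        return ctx;
    }
}
```

The SSLServerSocket (or Netty's SSLEngine) comes from `contextFor(...)`; the key manager sees the requested host name through the handshake session while the JDK asks it for an alias, which is why SNI selection lives there and not on the socket.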
> Auth Module to make James usable with Nginx mail proxy for TLS termination
> ---------------------------------------------------------------------------
>
> Key: JAMES-3209
> URL: https://issues.apache.org/jira/browse/JAMES-3209
> Project: James Server
> Issue Type: New Feature
> Reporter: Ioan Eugen Stan
> Priority: Major
>
> Apache James needs to be deployed with TLS encryption to ensure security of
> emails during transport.
> We could use Nginx as a mail proxy and use it for TLS termination.
> However we need to implement an HTTP auth service for that to work.
> This issue should cover work on making Nginx a valid mail proxy in front of
> Apache James.
> References:
> https://docs.nginx.com/nginx/admin-guide/mail-proxy/mail-proxy/
> https://nginx.org/en/docs/mail/ngx_mail_auth_http_module.html#protocol
> == Context
> Unfortunately, Java has only the keystore for managing TLS certificates. This
> makes deploying TLS certificates hard for Apache James since the internet
> does not use the keystore format.
> We could use Nginx as a mail proxy. Nginx supports the certificate format
> that all other tools use. (add format here - PKCS #XXX ). People know how to
> set up Nginx with LetsEncrypt and benefit from free TLS certificates with
> automatic renewal.
> However we need an integration piece: the nginx auth service. It's an HTTP
> service that works only with headers. It should be simple to write and
> integrate.