Hello Otto, hello all,

On 28/08/2021 04:37, Otto, Karsten Andreas wrote:
> On 27.08.21 16:42, Raphaël Ouazana-Sustowski wrote:
>> I'm in favor of getting rid of keystore in favor of PEM format (or at
>> least allowing both).
>>
> If at all possible please allow both; in our setup we use the same
> keystore for multiple service endpoints in addition to the mail server.
> It would be inconvenient to require different formats in this case.

I agree, let's avoid alienating users, even more so when renewal/format changes could be non-trivial (at least to me...).

>
> Also let me point out that we use PKCS#12 keystores (.p12), which is the
> preferred format for newer Java releases. Maybe setting the James
> default for .p12 instead of .jks would be a step in the right direction?

I do agree with this, even more so as changing the keystore algorithm is trivial.
I fully agree with making the keystore type configurable. Supporting PKCS12 is definitely a quick and easy win!

This could look something like this:

    <tls socketTLS="false" startTLS="false">
      <keystore>file://conf/keystore</keystore>
      <keystoreType>PKCS12</keystoreType>
      <secret>yoursecret</secret>
      <provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
      <algorithm>SunX509</algorithm>
    </tls>

Then the self-signed keystore generation becomes:

    $ keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore keystore

I did open https://issues.apache.org/jira/projects/JAMES/issues/JAMES-3638?filter=allissues as well as https://github.com/apache/james-project/pull/625.

To be fair, I see this as a first step; I would like having an alternative without keystore.

Regards,

Benoit

>
> Cheers, Karsten
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
> For additional commands, e-mail: server-dev-h...@james.apache.org
>
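
A pre-deployment check for the configuration proposed in the message above, as an added example that is not part of the original e-mail or of the James code base: it reads `<keystoreType>` from a `<tls>` block and compares it with the container format identified from the leading bytes of the key file. The function names, the constructed sample headers and the fallback to JKS when the element is absent are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

JKS_MAGIC = bytes.fromhex("feedfeed")    # header of a Sun JKS store
JCEKS_MAGIC = bytes.fromhex("cececece")  # header of a Sun JCEKS store

def detect_format(data: bytes) -> str:
    """Identify the container format from the first bytes of a key file."""
    if data[:4] == JKS_MAGIC:
        return "JKS"
    if data[:4] == JCEKS_MAGIC:
        return "JCEKS"
    if data.lstrip()[:10] == b"-----BEGIN":
        return "PEM"
    # A PKCS#12 PFX is an ASN.1 SEQUENCE whose first element is INTEGER 3.
    if len(data) > 2 and data[0] == 0x30:
        first = data[1]
        # Short or indefinite length: one byte; long form: 1 + n bytes.
        skip = 2 if first <= 0x80 else 2 + (first & 0x7F)
        if data[skip:skip + 3] == b"\x02\x01\x03":
            return "PKCS12"
    return "UNKNOWN"

def declared_type(tls_xml: str, default: str = "JKS") -> str:
    """Read <keystoreType>; the JKS fallback is an assumption of this example."""
    node = ET.fromstring(tls_xml).find("keystoreType")
    if node is None or not (node.text or "").strip():
        return default
    return node.text.strip().upper()

def check(tls_xml: str, data: bytes):
    """Return (matches, declared, detected) for one config and one key file."""
    declared, found = declared_type(tls_xml), detect_format(data)
    return declared == found, declared, found

# The <tls> block from the message, and a variant without <keystoreType>.
TLS_PKCS12 = """<tls socketTLS="false" startTLS="false">
  <keystore>file://conf/keystore</keystore>
  <keystoreType>PKCS12</keystoreType>
  <secret>yoursecret</secret>
</tls>"""
TLS_LEGACY = TLS_PKCS12.replace("<keystoreType>PKCS12</keystoreType>", "")

# Constructed file headers (not real keystores): first bytes only.
SAMPLE_JKS = bytes.fromhex("feedfeed0000000200000000")
SAMPLE_P12 = bytes.fromhex("308209a90201033082096f")
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB...\n"

if __name__ == "__main__":
    for name, xml, blob in [("p12/p12", TLS_PKCS12, SAMPLE_P12),
                            ("p12/jks", TLS_PKCS12, SAMPLE_JKS),
                            ("legacy/jks", TLS_LEGACY, SAMPLE_JKS)]:
        print(name, check(xml, blob))
```

The leading bytes identify only the container format; they say nothing about whether the password, alias or certificate chain inside is usable.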