"It doesn't work" is not a helpful error description - in fact: it is
none at all.
If you try to start James with regular PEM files but have messed up
something, you will get a stack trace telling you what went wrong.
Converting a PEM certificate chain with a private key into a java
keystore is not required anymore (although I still have a little helper
doing exactly that).
Anyway - here's how I've set it up:
- placing the certificate chain in <james>/conf/chain.crt
Important: chain.crt has to contain your certificate and the
intermediate certificate in that order and should not contain the root
certificate.
- placing the private key in <james>/conf/private.key
Important: make sure it has access set to 0600 (so read/write only to
the user, none to group or others); you CAN also secure it by a
passphrase - but my personal point: as you have to provide it along in
the config it's the same as hanging a key right next to a locked door -
why even bother to lock the door in the first place?
Add to the server xml files (example for smtp/25):
<smtpservers>
    <smtpserver enabled="true">
        <jmxName>smtpserver-global</jmxName>
        <bind>0.0.0.0:25</bind>
        <connectionBacklog>200</connectionBacklog>
        <tls socketTLS="false" startTLS="true">
            <privateKey>file://conf/private.key</privateKey>
            <certificates>file://conf/chain.crt</certificates>
            <!-- An optional secret might be specified for the private key -->
            <!-- <secret>james72laBalle</secret> -->
        </tls>
        <!-- ... rest of the file -->
Same for every other TLS block.
Afterwards start James by your start script - it should come up without
issues. For the smtp server you can use services such as:
- https://www.checktls.com/TestReceiver - can also check DANE and MTA-STS
and produce a very detailed log, my personal favorite
or
- https://ssl-tools.net/mailservers - can have some issues sometimes - but
also has good result presentation
If you got your inbound smtp correctly set up - copy the config to imap
(and maybe pop if you use that) and make sure the ports are correct.
You should also set starttls on outgoing connections in the
mailetcontainer.xml, section RemoteDelivery:
<processor state="relay" enableJmx="true">
    <mailet match="All" class="RemoteDelivery">
        <outgoingQueue>outgoing</outgoingQueue>
        <startTLS>true</startTLS>
Note: proper spelling is important - it has to be written as "startTLS"
- otherwise you will get an error on startup
And you can test that as well with the above sites or just send an email
to your gmail account and look into the raw mail - it should say
something like this:
Received by: mx.google.mx via ESMTPS for <recpt> (TLS=<some tls cipher>)
If you get any error please get the full log so we can get what failed
and direct you towards the right file to fix.
You may also automate it with certbot by just sym-linking to the
files used by apache - but if so you have to run James as root.
Hope this helps.
Matt
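Added example, not from Matt's mail or from the James project: a stdlib-only Python checker for the layout described above (conf/chain.crt with leaf + intermediate, conf/private.key at 0600, no passphrase) plus a STARTTLS probe for the running server. The function names and the "two certificate blocks" heuristic are my own assumptions; the paths come from the mail.

```python
import os
import re
import smtplib
import ssl
import stat

# Hypothetical helper (not part of Apache James): sanity-check the PEM layout
# from the mail above before starting James, instead of reading a stack trace.
CERT_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----")


def check_james_tls(conf_dir):
    """Return a list of findings for <james>/conf; an empty list means it looks sane."""
    findings = []
    key_path = os.path.join(conf_dir, "private.key")
    chain_path = os.path.join(conf_dir, "chain.crt")

    # 1. private.key must be 0600: no group/other permission bits at all.
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    if mode & 0o077:
        findings.append(f"private.key mode is {oct(mode)}, expected 0600")

    # 2. A passphrase-protected key (PKCS#8 "ENCRYPTED PRIVATE KEY" or the
    #    legacy "Proc-Type: 4,ENCRYPTED" header) forces <secret> into the config.
    with open(key_path) as f:
        key_pem = f.read()
    encrypted = "ENCRYPTED" in key_pem
    if encrypted:
        findings.append("private.key is passphrase-protected; <secret> would be needed")

    # 3. chain.crt should hold leaf + intermediate (2 blocks) and not the root.
    with open(chain_path) as f:
        n_certs = len(CERT_BLOCK.findall(f.read()))
    if n_certs < 2:
        findings.append(f"chain.crt has {n_certs} certificate(s); leaf + intermediate expected")

    # 4. Let OpenSSL load the pair: catches malformed PEM and a key/cert mismatch.
    #    Skipped for encrypted keys so OpenSSL never prompts for a passphrase.
    if not encrypted:
        try:
            ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(chain_path, key_path)
        except ssl.SSLError as e:
            findings.append(f"chain/key could not be loaded together: {e}")
    return findings


def smtp_starttls_cipher(host, port=25):
    """Probe a running James: EHLO, require STARTTLS, return the negotiated cipher."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo()
        if not s.has_extn("starttls"):
            raise RuntimeError("server does not advertise STARTTLS")
        s.starttls(context=ssl.create_default_context())  # also validates the chain
        return s.sock.cipher()  # (name, protocol, bits), as in the Received: header
```

Run `check_james_tls("/path/to/james/conf")` before the start script; `smtp_starttls_cipher("mail.example.invalid")` needs the server up and reachable.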
On 31.01.25 at 20:13, Ilya Terskov wrote:
Hi there guys once more :)
I hear that James can use common ACME/Let's Encrypt PKCS keys instead of
Java JKS; I even see this in the readme files, but I try to make it and never get it
working... But after converting from PKCS to JKS, these keys work. Can you tell
me how you are doing it?
---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org
For additional commands, e-mail: server-user-h...@james.apache.org