Hi guys. A lot of thanks to you all. I got it working just fine.

<smtpserver enabled="true">
    <jmxName>smtpserver-global</jmxName>
    <bind>0.0.0.0:25</bind>
    <helloName autodetect="false">hranitel-ist.ru</helloName>
    <connectionBacklog>200</connectionBacklog>
    <tls socketTLS="false" startTLS="true">
        <privateKey>file://../cert/hranitel-ist.ru-key.pem</privateKey>
        <certificates>file://../cert/hranitel-ist.ru-chain.pem</certificates>
    </tls>
    <connectiontimeout>360</connectiontimeout>
    <connectionLimit>0</connectionLimit>
    <connectionLimitPerIP>0</connectionLimitPerIP>
    <auth>
        <announce>never</announce>
        <requireSSL>false</requireSSL>
        <plainAuthEnabled>true</plainAuthEnabled>
    </auth>
    <authorizedAddresses>127.0.0.0/8</authorizedAddresses>
    <verifyIdentity>false</verifyIdentity>
    <maxmessagesize>0</maxmessagesize>
    <addressBracketsEnforcement>true</addressBracketsEnforcement>
    <smtpGreeting>Apache JAMES awesome SMTP Server</smtpGreeting>
    <handlerchain>
        <handler class="org.apache.james.smtpserver.fastfail.ValidRcptHandler"/>
        <handler class="org.apache.james.smtpserver.CoreCmdHandlerLoader"/>
    </handlerchain>
</smtpserver>
I changed <tls socketTLS="false" startTLS="false"> to <tls socketTLS="false" startTLS="true"> and it worked; the tests are going excellently now.

I also want to ask about <requireSSL>false</requireSSL>: should I set it to true for port 25 as well? Is <smtpserver enabled="false"> for port 25 a bad idea?

As you can see, I explicitly set the HELO name with <helloName autodetect="false">hranitel-ist.ru</helloName>. Is that fine? Because without it, it has my PC name, which is not good for me; I think having the domain name in HELO is what it needs to be.

Mon, 3 Feb 2025 at 02:37, cryptearth <cryptea...@cryptearth.de.invalid>:

> Hey Ilya,
>
> the startTLS block in mailetcontainer is for outbound mail only and has
> to be written exactly as that. There's no such block as socketTLS for
> outbound mail as outbound always relies on opportunistic TLS - aka:
> STARTTLS on the target server. It's called opportunistic because the
> fallback is to just not encrypt the connection but go plain - which is
> ok for server-to-server delivery as one only transmits the mail but no
> user credentials.
> As for why the inbound doesn't work:
> First: you have to at least select EITHER socketTLS or startTLS.
> Selecting none results in no TLS at all. Selecting both - I haven't tested
> it but it likely results in a failure at startup. It also depends what you
> enable for what port:
>
> TCP/25 - incoming SMTP - it can only either have startTLS or none
> TCP/465 - secure submission - it's supposed to have socketTLS only
> TCP/587 - submission - can have either none or startTLS but not socketTLS
>
> same goes for IMAP and POP
>
> TCP/143 - regular IMAP port - either none or startTLS
> TCP/993 - IMAPS - socketTLS
>
> TCP/110 - regular POP3 - either none or startTLS
> TCP/995 - POP3S - socketTLS
>
> Although POP isn't used much around anymore.
>
> So, from your reply:
>
> <tls socketTLS="false" startTLS="false">
> Doesn't do anything and I wouldn't use it at all - not even for the
> incoming SMTP on port 25 - as there are some servers out there refusing
> a plain connection.
>
> <tls socketTLS="true" startTLS="false">
> Looks better but can be used for the secured ports 465, 993 and 995.
>
> Are you using plain PEM files? The log seems to suggest you just copied a
> JKS - as my startup log does not show this line.
> The certificate file should start with -----BEGIN CERTIFICATE----- while
> the (unencrypted) key file should start with -----BEGIN RSA PRIVATE KEY-----
>
> Matt
>
>
> On 02.02.25 at 19:29, Benoit TELLIER wrote:
> > Hi Ilya
> >
> > smtpserver.xml only defines certificates for incoming connections.
> >
> > This can be checked via: openssl s_client -connect yourdomain.com:465
> >
> > For outgoing traffic one needs to set up a compliant remote delivery.
> >
> > CF https://james.staged.apache.org/james-project/3.9.0/servers/distributed/configure/mailets.html#_remotedelivery
> >
> > --
> >
> > Best regards,
> >
> > Benoit TELLIER
> >
> > General manager of Linagora VIETNAM.
> > Product owner for Team-Mail product.
> > Chairman of the Apache James project.
> >
> > Mail: btell...@linagora.com
> > Tel: (0033) 6 77 26 04 58 (WhatsApp, Signal)
> >
> >
> > On Feb 1, 2025 4:05 PM, from Ilya Terskov <prosgar...@gmail.com>:
> > I changed the certificates to
> >
> >     <tls socketTLS="true" startTLS="false">
> >         <privateKey>file://conf/hranitel-ist.ru-key.pem</privateKey>
> >         <certificates>file://conf/hranitel-ist.ru-chain.pem</certificates>
> >     </tls>
> >
> > but still the same :c
> >
> > Sat, 1 Feb 2025 at 16:17, Ilya Terskov <prosgar...@gmail.com>:
> >
> >> Hi there! Matt, can you help me?
> >> I configured it like you said:
> >>
> >>     <tls socketTLS="false" startTLS="false">
> >>         <privateKey>file://../cert/hranitel-ist.ru-key.pem</privateKey>
> >>         <certificates>file://../cert/hranitel-ist.ru-crt.pem</certificates>
> >>     </tls>
> >>
> >> for SMTP and IMAP; the server starts without errors:
> >>
> >> 15:58:35.219 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - IMAP Service bound to: 0.0.0.0:143
> >> 15:58:35.223 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - IMAP Service is running on: KSUSHA-ILYUSHA
> >> 15:58:35.223 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - IMAP Service handler hello name is: KSUSHA-ILYUSHA
> >> 15:58:35.224 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - IMAP Service handler connection timeout is: 300
> >> 15:58:35.225 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - IMAP Service connection backlog is: 200
> >> 15:58:35.226 [INFO ] o.a.j.p.l.SslConfig - TLS enabled with auth NONE using truststore null
> >> 15:58:35.234 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - IMAP Service bound to: 0.0.0.0:993
> >> 15:58:35.235 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - IMAP Service is running on: KSUSHA-ILYUSHA
> >> 15:58:35.235 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - IMAP Service handler hello name is: KSUSHA-ILYUSHA
> >> 15:58:35.236 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - IMAP Service handler connection timeout is: 300
> >> 15:58:35.238 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - IMAP Service connection backlog is: 200
> >> 15:58:35.241 [INFO ] o.a.j.p.l.SslConfig - SSL enabled with keystore(JKS) at null, certificates file://../cert/hranitel-ist.ru-crt.pem
> >> 15:58:35.524 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - Init IMAP Service done
> >> 15:58:35.617 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - Init IMAP Service done
> >> 15:58:35.623 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - LMTP Service disabled by configuration
> >> 15:58:35.627 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - POP3 Service disabled by configuration
> >> 15:58:35.634 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service bound to: 0.0.0.0:25
> >> 15:58:35.634 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service is running on: KSUSHA-ILYUSHA
> >> 15:58:35.635 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service handler hello name is: KSUSHA-ILYUSHA
> >> 15:58:35.635 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service handler connection timeout is: 360
> >> 15:58:35.637 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service connection backlog is: 200
> >> 15:58:35.640 [INFO ] o.a.j.s.n.SMTPServer - No maximum message size is enforced for this server.
> >> 15:58:35.642 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service bound to: 0.0.0.0:465
> >> 15:58:35.643 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service is running on: KSUSHA-ILYUSHA
> >> 15:58:35.643 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service handler hello name is: KSUSHA-ILYUSHA
> >> 15:58:35.644 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service handler connection timeout is: 360
> >> 15:58:35.648 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service connection backlog is: 200
> >> 15:58:35.649 [INFO ] o.a.j.p.l.SslConfig - SSL enabled with keystore(JKS) at null, certificates file://../cert/hranitel-ist.ru-crt.pem
> >> 15:58:35.650 [INFO ] o.a.j.s.n.SMTPServer - No maximum message size is enforced for this server.
> >> 15:58:35.651 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service bound to: 0.0.0.0:587
> >> 15:58:35.652 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service is running on: KSUSHA-ILYUSHA
> >> 15:58:35.656 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service handler hello name is: KSUSHA-ILYUSHA
> >> 15:58:35.660 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service handler connection timeout is: 360
> >> 15:58:35.660 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service connection backlog is: 200
> >> 15:58:35.661 [INFO ] o.a.j.p.l.SslConfig - TLS enabled with auth NONE using truststore null
> >>
> >> but I can't log in to mail via any client.
> >>
> >> Sat, 1 Feb 2025 at 10:15, Ilya Terskov <prosgar...@gmail.com>:
> >>
> >>> Thanks a lot Matt, I'll try to make a PEM from Let's Encrypt and use it.
> >>>
> >>> Sat, 1 Feb 2025, 06:46 cryptearth <cryptea...@cryptearth.de.invalid>:
> >>>
> >>>> "It doesn't work" is not a helpful error description - in fact: it is
> >>>> none at all.
> >>>> If you try to start James with regular PEM files but have messed up
> >>>> something you will get a stack trace telling you what went wrong.
> >>>> Converting a PEM certificate chain with a private key into a Java
> >>>> keystore is not required anymore (although I still have a little helper
> >>>> doing exactly that).
> >>>>
> >>>> Anyway - here's how I've set it up:
> >>>>
> >>>> - placing the certificate chain in <james>/conf/chain.crt
> >>>>   Important: chain.crt has to contain your certificate and the
> >>>>   intermediate certificate in that order and should not contain the root
> >>>>   certificate.
> >>>> - placing the private key in <james>/conf/private.key
> >>>>   Important: make sure it has access set to 0600 (so read/write only to
> >>>>   the user, none to group or others); you CAN also secure it by a
> >>>>   passphrase - but my personal point: as you have to provide it along in
> >>>>   the config it's the same as hanging a key right next to a locked door -
> >>>>   why even bother to lock the door in the first place?
> >>>>
> >>>> Add to the server xml files (example for smtp/25):
> >>>>
> >>>> <smtpservers>
> >>>>     <smtpserver enabled="true">
> >>>>         <jmxName>smtpserver-global</jmxName>
> >>>>         <bind>0.0.0.0:25</bind>
> >>>>         <connectionBacklog>200</connectionBacklog>
> >>>>         <tls socketTLS="false" startTLS="true">
> >>>>             <privateKey>file://conf/private.key</privateKey>
> >>>>             <certificates>file://conf/chain.crt</certificates>
> >>>>             <!-- An optional secret might be specified for the private key -->
> >>>>             <!-- <secret>james72laBalle</secret> -->
> >>>>         </tls>
> >>>>         // ... rest of the file
> >>>>
> >>>> Same for every other TLS block.
> >>>>
> >>>> Afterwards start James by your start script - it should come up without
> >>>> issues.
> >>>> For the SMTP server you can use services such as
> >>>> checktls.com/TestReceiver - can also check DANE and MTA-STS
> >>>> and produce a very detailed log, my personal favorite
> >>>> or
> >>>> ssl-tools.net/mailservers - can have some issues sometimes - but
> >>>> also has good result presentation
> >>>>
> >>>> If you got your inbound SMTP correctly set up - copy the config to IMAP
> >>>> (and maybe POP if you use that) and make sure the ports are correct.
> >>>> You should also set startTLS on outgoing connections in the
> >>>> mailetcontainer.xml, section RemoteDelivery:
> >>>>
> >>>> <processor state="relay" enableJmx="true">
> >>>>     <mailet match="All" class="RemoteDelivery">
> >>>>         <outgoingQueue>outgoing</outgoingQueue>
> >>>>         <startTLS>true</startTLS>
> >>>>
> >>>> Note: proper spelling is important - it has to be written as "startTLS"
> >>>> - otherwise you will get an error on startup
> >>>> And you can test that as well with the above sites or just send an email
> >>>> to your Gmail account and look into the raw mail - it should say
> >>>> something like this:
> >>>>
> >>>> Received by: mx.google.mx via ESMTPS for <recpt> (TLS=<some tls cipher>)
> >>>>
> >>>> If you get any error please get the full log so we can get what failed
> >>>> and direct you towards the right file to fix.
> >>>>
> >>>> You may also automate it with certbot by just sym-linking to the
> >>>> files used by Apache - but if so you have to run James as root.
> >>>>
> >>>> Hope this helps.
> >>>>
> >>>>
> >>>> Matt
> >>>>
> >>>>
> >>>> On 31.01.25 at 20:13, Ilya Terskov wrote:
> >>>>> Hi there guys once more :)
> >>>>> I heard that James can use common ACME/Let's Encrypt PKCS keys instead of
> >>>>> Java JKS, I even saw this in the readme files, but I tried to make it and
> >>>>> never got it to work... But converting from PKCS to JKS, those keys work. Can you
> >>>>> tell me how you do it?
> >>>>>
> >>>>
> >>>> ---------------------------------------------------------------------
> >>>> To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org
> >>>> For additional commands, e-mail: server-user-h...@james.apache.org
> >>>>
> >>>>
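Pulling the thread's rules together: a listener on 25/587 (and 143/110) may be plain or startTLS but never socketTLS, a listener on 465/993/995 must be socketTLS, the two flags are never both true, the key and chain must be real PEM (your certificate first, then the intermediate, no root), the key file should be 0600, and user credentials, unlike server-to-server mail, should not travel over a session that can still be plaintext. The linter below is an added example and is not code from the thread or from Apache James: it parses the listener elements of an smtpserver.xml/imapserver.xml body with the standard-library XML parser and reports each violation, then sanity-checks the PEM files and the key-file mode. Assumptions: SAMPLE_XML is constructed for the demo and wraps both files in an artificial <servers> root (James keeps them in separate files); requireSSL=true is read as "AUTH only on a TLS-protected connection", which is how the James configuration template describes it; any <announce> value other than never is treated as "AUTH is offered"; the PEM check only verifies framing (it also accepts EC and PKCS#8 headers, not just the RSA one Matt names), not that James accepts every key type.

```python
"""Lint Apache James listener TLS settings.  Added example, not James code.
Port rules from the thread: 25/587/143/110 -> plain or startTLS (never
socketTLS); 465/993/995 -> socketTLS only; never both at once; and no AUTH
offer on a listener that does not enforce TLS.  SAMPLE_XML and the PEM
strings used in __main__ are constructed for this demo."""
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

STARTTLS_PORTS = {25, 587, 143, 110}   # TLS negotiated inside the protocol
IMPLICIT_TLS_PORTS = {465, 993, 995}   # TLS from the first byte
CERT_BEGIN = "-----BEGIN CERTIFICATE-----"
KEY_BEGIN = re.compile(r"-----BEGIN (?:ENCRYPTED |RSA |EC )?PRIVATE KEY-----")


def _flag(elem, name):
    """Boolean XML attribute such as socketTLS="true" (absent element/attr -> False)."""
    return elem is not None and elem.get(name, "false").strip().lower() == "true"


def lint_listener(srv):
    """Findings for one <smtpserver>/<imapserver>/<pop3server> element."""
    findings = []
    if srv.get("enabled", "true").strip().lower() != "true":
        return findings                        # disabled listener: nothing to check
    port = int(srv.findtext("bind", "0.0.0.0:0").rsplit(":", 1)[-1])
    tag = f"{srv.tag}:{port}"
    tls = srv.find("tls")
    socket_tls, start_tls = _flag(tls, "socketTLS"), _flag(tls, "startTLS")
    if socket_tls and start_tls:
        findings.append(f"{tag}: socketTLS and startTLS both true; choose exactly one")
    if port in IMPLICIT_TLS_PORTS and not socket_tls:
        findings.append(f"{tag}: implicit-TLS port without socketTLS=true")
    if port in STARTTLS_PORTS and socket_tls:
        findings.append(f"{tag}: socketTLS on a STARTTLS port; plaintext-first clients will fail")
    if port in STARTTLS_PORTS and not start_tls:
        findings.append(f"{tag}: no TLS offered at all; enable startTLS")
    # AUTH announced (announce != never) while the connection may still be plaintext
    auth = srv.find("auth")
    if auth is not None and auth.findtext("announce", "never").strip() != "never":
        require_ssl = auth.findtext("requireSSL", "false").strip().lower() == "true"
        if not (socket_tls or require_ssl):
            findings.append(f"{tag}: AUTH announced but requireSSL=false; credentials can go in plaintext")
    return findings


def lint_config(xml_text):
    """Lint every *server element in an smtpserver/imapserver/pop3server XML body."""
    root = ET.fromstring(xml_text)
    return [f for srv in root.iter() if srv.tag.endswith("server") for f in lint_listener(srv)]


def check_pem(cert_text, key_text):
    """Sanity-check <certificates> and <privateKey> contents: PEM, chained, usable."""
    findings = []
    n_certs = cert_text.count(CERT_BEGIN)
    if n_certs == 0:
        findings.append("certificates: no BEGIN CERTIFICATE block; convert JKS/PKCS#12 to PEM")
    elif n_certs == 1:
        findings.append("certificates: single certificate; the chain should also carry the intermediate")
    if not KEY_BEGIN.search(key_text):
        findings.append("privateKey: no PEM private-key header")
    elif "ENCRYPTED" in key_text:   # PKCS#8 'ENCRYPTED PRIVATE KEY' or PKCS#1 'Proc-Type: 4,ENCRYPTED'
        findings.append("privateKey: passphrase-protected; <secret> must be set in the <tls> block")
    return findings


def key_mode_ok(path):
    """True when the key file is accessible by its owner only (0600 or tighter)."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0


def key_mode_ok_for(mode):
    """Create a throwaway file with the given mode and report key_mode_ok() on it."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, mode)
        return key_mode_ok(path)
    finally:
        os.unlink(path)


SAMPLE_XML = """<servers><smtpservers>
  <smtpserver enabled="true"><bind>0.0.0.0:25</bind><tls socketTLS="false" startTLS="true"/>
    <auth><announce>never</announce><requireSSL>false</requireSSL></auth></smtpserver>
  <smtpserver enabled="true"><bind>0.0.0.0:465</bind><tls socketTLS="true" startTLS="false"/>
    <auth><announce>always</announce><requireSSL>false</requireSSL></auth></smtpserver>
  <smtpserver enabled="true"><bind>0.0.0.0:587</bind><tls socketTLS="false" startTLS="false"/>
    <auth><announce>always</announce><requireSSL>false</requireSSL></auth></smtpserver>
</smtpservers><imapservers>
  <imapserver enabled="true"><bind>0.0.0.0:993</bind><tls socketTLS="false" startTLS="true"/></imapserver>
  <imapserver enabled="false"><bind>0.0.0.0:143</bind><tls socketTLS="false" startTLS="false"/></imapserver>
</imapservers></servers>"""

if __name__ == "__main__":
    for finding in lint_config(SAMPLE_XML):
        print("CONFIG:", finding)
    for finding in check_pem("not a PEM file", "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIC...\n"):
        print("FILES: ", finding)
    print("key 0600 ok:", key_mode_ok_for(0o600), "| key 0644 ok:", key_mode_ok_for(0o644))
```

Against a real installation, feed it the files: lint_config(open("conf/smtpserver.xml").read()) and check_pem(open("conf/chain.crt").read(), open("conf/private.key").read()), plus key_mode_ok("conf/private.key"). This only checks what the configuration says; what the listener actually negotiates is still best confirmed end-to-end with the openssl s_client command Benoit gives (adding -starttls smtp for ports 25 and 587, or -starttls imap for 143), or with the external checkers Matt lists.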