What I found was that the type of store was causing my problem.  I noticed
that using the bouncy castle provider was causing the problem.
The store I had created worked fine on 3.3.  When I added the bouncy castle
jars to 3.3 (to get DKIM going) I started getting the same "incorrect
password" error.

The examples I found for converting a LETSENCRYPT ssl cert into a java
keystore said to change the keystore to the non-proprietary type pkcs12.  I
found that the keystores that worked were of the JKS which seems to be the
default type.  If you list out a keystore of this type it will recommend
you convert it to pkcs12.... but then you have the "incorrect password"
error.

After creating the cert with certbot (this creates letsencrypt
certificates) then you run these two commands:

This got me past the incorrect password problem.

I don't feel qualified to add to the wiki as I don't know why the other
style does not work with bouncy castle.  This was just brute force trial
and error.

openssl pkcs12 -export \
         -in /etc/letsencrypt/live/mail1.example.com/cert.pem \
         -inkey /etc/letsencrypt/live/mail1.example.com/privkey.pem \
         -out /tmp/mail1.example.com.p12 \
         -name james \
         -CAfile /etc/letsencrypt/live/mail1.example.com/fullchain.pem \
         -caname "Let's Encrypt Authority X3" \
         -password pass:changeit

# ---- THE "-deststoretype jks" LINE BELOW IS THE IMPORTANT LINE
/home/orderpt/software/jdk1.8.0_231/bin/keytool -importkeystore \
        -deststorepass changeit \
        -destkeypass changeit \
        -deststoretype jks \
        -srckeystore /tmp/mail1.example.com.p12 \
        -srcstoretype PKCS12 \
        -srcstorepass changeit \
        -destkeystore /home/orderpt/software/james-server-app-3.4.0/var/mail1.example.com.keystore \
        -alias james

-Mark


On Mon, Oct 28, 2019 at 4:21 AM Tellier Benoit <btell...@apache.org> wrote:

> Hello Mark,
>
> Did http://james.apache.org/server/config-ssl-tls.html answer your
> concerns?
>
> Please contribute to [1] if you think you can enhance it!
>
> [1]
>
> https://github.com/apache/james-project/blob/master/src/site/xdoc/server/config-ssl-tls.xml
>
> Regards,
>
> Benoit
>
> On 28/10/2019 00:41, Mark Gordon wrote:
> > Hey James thanks for the info on the multiple SMTP servers.
> >
> > I got past the ssl cert problem.  It had to do with the type of
> > keystore.  I will send you the scripts I used.  I am using letsencrypt
> > ssl certs and they seem to be working correctly.
> >
> >
> > On Sat, Oct 26, 2019, 9:46 PM Jerry Malcolm <techst...@malcolms.com>
> > wrote:
> >
> >> Mark,
> >>
> >> I hit the same problem you are seeing about a month ago and reported it
> >> on the forum, but got no response. I was not using SSL on my previous
> >> version.  I planned to move to SSL as part of my migration.  I just
> >> figured the problem was due to lack of knowledge on my part and pushed it
> >> to the back burner.  But since you had something working that no longer
> >> works, that gives me a different perspective on the problem.  I'll
> >> probably start digging into the problem sometime this week.  If anyone
> >> else already understands this problem, you won't hurt my feelings if you
> >> find the problem and report a fix before I have a chance to begin
> >> debugging it. :-)
> >>
> >> As far as ports go, you can have as many imap and smtp servers defined
> >> as you want.  You can have an smtp server with no SSL running on 25 and
> >> completely different smtp server running on 587 with TLS.  For every
> >> port you want to have an SMTP server, just replicate the <smtpserver>
> >> block inside <smtpservers> in conf/smtpserver.xml and make the obvious
> >> modifications to the new block.  Also make sure you have a bind
> >> statement (<bind>0.0.0.0:465</bind>) in each block, and add the <tls>
> >> block to the smtpservers that you want to have ssl/tls on.  I've run two
> >> smtp servers for years, one on port 25 and one on port 2025 that I tell
> >> my clients to use to get around isp blockading port 25 to prevent
> >> spamming.
> >>
> >> Jerry
> >>
> >> On 10/26/2019 5:17 PM, Mark Gordon wrote:
> >>> I have spent some time trying to get James 3.4 to work.  I have gotten
> >>> past a few problems.  The latest is that I am getting a "keystore
> >>> password incorrect" and if I use the same keystore and config in 3.3
> >>> it works fine.
> >>> Any ideas?
> >>>
> >>> For inbound mail, can you only have port 587 open with START TLS and
> >>> not have anything running on port 25?
> >>>
> >>> With James can you have port 587 and 465 using ssl/tls and have 25 not?
> >>> If so how would one do this?
> >>>
> >>> Thanks,
> >>> Mark
> >>>
> >>>
> >>>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org
> >> For additional commands, e-mail: server-user-h...@james.apache.org
> >>
> >>
> >

-- 
Mark Gordon <m...@ordertech.com>

OrderTech Corporation | 819 W Fairmont Dr Ste 2 | Tempe, AZ 85282

*o:* (480) 285-1403 <4802851403> | *f:* (480) 464-5824 <4804645824> | *m:*
(602) 549-0488 <6025490488>

www.ordertech.com

LinkedIn <http://www.linkedin.com/company/ordertech-corp> | Twitter
<https://twitter.com/OrderTech> | Facebook
<https://www.facebook.com/OrderTech>
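
Added as a diagnostic aid for the store-type confusion discussed in this thread (not code from the thread, from James, or from the JDK): a Python snippet that tells a JKS file from a PKCS#12 file by its leading bytes and recomputes the JKS integrity digest, which is what the JDK's JKS loader checks when it reports that the keystore was tampered with or the password is incorrect. It assumes the JKS on-disk layout as implemented in the JDK (magic 0xFEEDFEED, version, entry count, then a trailing SHA-1 over the password as UTF-16BE, the fixed string "Mighty Aphrodite" and the file body); build_empty_jks is a constructed sample store used only to exercise the check.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED     # Sun JKS files start with this 4-byte magic
JCEKS_MAGIC = 0xCECECECE   # JCEKS variant, for completeness
# Fixed string the JDK mixes into the JKS integrity digest (assumed from the JDK source).
JKS_SALT = b"Mighty Aphrodite"
DIGEST_LEN = 20            # SHA-1


def jks_digest(password: str, body: bytes) -> bytes:
    """SHA-1 over password (UTF-16BE) + salt + store body, as the JKS format does."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(JKS_SALT)
    h.update(body)
    return h.digest()


def detect_store_type(data: bytes) -> str:
    """Classify a keystore file by its header: JKS, JCEKS, PKCS12 or unknown."""
    if len(data) < 4:
        return "unknown"
    magic = struct.unpack(">I", data[:4])[0]
    if magic == JKS_MAGIC:
        return "JKS"
    if magic == JCEKS_MAGIC:
        return "JCEKS"
    if data[0] == 0x30:  # DER SEQUENCE tag: a PKCS#12 (PFX) file starts this way
        return "PKCS12"
    return "unknown"


def check_jks_password(data: bytes, password: str) -> bool:
    """True only if data is a JKS store whose trailing digest matches password.

    A PKCS#12 file handed to a JKS loader fails here on the magic, which a
    loader may surface as an "incorrect password" style error rather than
    as a wrong-format error.
    """
    if detect_store_type(data) != "JKS" or len(data) < 12 + DIGEST_LEN:
        return False
    body, stored = data[:-DIGEST_LEN], data[-DIGEST_LEN:]
    return hmac.compare_digest(jks_digest(password, body), stored)


def build_empty_jks(password: str) -> bytes:
    """Constructed sample: an empty JKS (magic, version 2, zero entries) plus digest."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + jks_digest(password, body)
```

Run detect_store_type over the bytes of /tmp/mail1.example.com.p12 and of the resulting .keystore to confirm each file really is the type its consumer expects before treating the error as a password problem.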
