Hi Matt, thank you very much for your response.

Attachment: conf_mailetcontainer.xml
Description: XML document

We tried every possible configuration but it is still failing. It seems to be a general bug 
or we are missing a simple detail.

<mailet match="All" class="RemoteDelivery">
    <outgoingQueue>outgoing</outgoingQueue>
    <delayTime>5000, 100000, 500000</delayTime>
    <maxRetries>25</maxRetries>
    <maxDnsProblemRetries>0</maxDnsProblemRetries>
    <deliveryThreads>10</deliveryThreads>
    <sendpartial>true</sendpartial>
    <bounceProcessor>bounces</bounceProcessor>
    <startTLS>true</startTLS>
</mailet>
Regards.






> cryptearth <cryptea...@cryptearth.de> wrote (9 Sep 2020 21:16):
> 
> Hello Mehmet,
> 
> this is an easy topic.
> 
> Why does this happen?
> By RFC an SMTP server has to accept incoming unencrypted connections on 
> TCP/25, as this is the default SMTP port. It depends on the server if and 
> what features to support. Some may be configured to only accept mails from 
> other servers, some may be configured to only accept user connections (which 
> today is done via TCP/465 and TCP/587), but usually pretty much anything the 
> SMTP server is capable of is supported on this default port.
> As e-mail was invented when the internet still was just a research project 
> and not many even had access to it, and standards like TLS were invented 
> decades later, even today's servers which comply with the original SMTP accept 
> unencrypted connections.
> So, why does Google complain that an e-mail was dropped over an unsecured 
> connection?
> Although no user credentials are transmitted when one server drops a mail on 
> another server, the message body itself could contain data one might want to 
> protect against eavesdroppers or modification.
> To ensure that the mail isn't read or modified on the way between the sending 
> server and the receiving one, this connection can be encrypted the same way as 
> a mail client can encrypt its connection to the server: StartTLS.
> James does support enabling outgoing StartTLS via config. The file in 
> question is <james-home>/conf/mailetcontainer.xml which, as indicated by its file 
> extension, is a structured XML file. Within it there's a section starting with
> <processor state="transport">
> Within the transport processor you will find this:
> <mailet match="All" class="RemoteDelivery">
> This section is responsible for what happens when James has figured out a mail has to 
> go outbound to another server. To enable outgoing StartTLS just add this line:
> <startTLS>true</startTLS>
> In my config it looks like this:
> 
> <processor state="transport" enableJmx="true">
> ... some stuff
> <mailet match="All" class="RemoteDelivery">
>           <outgoing>outgoing</outgoing>
>           <startTLS>true</startTLS>
> ... the rest
> 
> This way when James sees the StartTLS extension after EHLO it will use it to 
> establish a secured channel before dropping in the mail. This will get rid of 
> Gmail's complaint that a mail was dropped in via an unsecured connection.
> One note: For whatever reason it is important that the spelling is correct: 
> It HAS TO be lowercase "start" and uppercase "TLS": "startTLS" - any other 
> spelling will just be ignored or may throw an error at start up.
> 
> Does it increase the overall security? Well, the only thing you may protect 
> against is that someone along the wire between your server and the nearest 
> google mail server may read or modify the mail - but as it relies on seeing the 
> starttls after EHLO anyone able to modify the connection can just drop it 
> which will force james to use a regular unencrypted connection. There're some 
> DNS records which could be used to enforce encryption, like DANE and others, 
> but unless you use MTAs which make actual use of them and have domains 
> providing the required records it's still just a possibility - there's no way 
> to enforce encrypted connections yet. TLDR: If you want to secure your mails 
> use something like S/MIME or PGP/GnuPG. StartTLS is just to secure the 
> communication channel itself.
> 
> 
> greetings from Germany,
> 
> Matt
> 
> On 09.09.2020 at 16:35, Mehmet wrote:
>> Hi there, has anyone experienced an unencrypted mail problem? We are sending 
>> to gmail but it says unencrypted. We are using the 3.5 dockerized version. We 
>> tried some config changes but they did not work so far.
>> 
>> Any help / professional support would be appreciated.
>> 
>> Regards.
>> 
>> Mehmet
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org
> For additional commands, e-mail: server-user-h...@james.apache.org
> 
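
An added example, not part of the thread and not code from the James project: a check over mailetcontainer.xml that reports, for each RemoteDelivery mailet, whether the exactly-cased startTLS element is present and set to true, since the reply above says any other spelling is ignored. The sample XML, the "relay" processor and the function name are constructed for illustration; treating only the value "true" as enabled is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one mailet shaped like the config quoted in the thread,
# plus a hypothetical second processor with a mis-cased element.
SAMPLE = """
<mailetcontainer>
  <processors>
    <processor state="transport">
      <mailet match="All" class="RemoteDelivery">
        <outgoingQueue>outgoing</outgoingQueue>
        <startTLS>true</startTLS>
      </mailet>
    </processor>
    <processor state="relay">
      <mailet match="All" class="RemoteDelivery">
        <StartTls>true</StartTls>
      </mailet>
    </processor>
  </processors>
</mailetcontainer>
"""

def audit_remote_delivery(xml_text):
    """Return (processor state, status, detail) for each RemoteDelivery mailet."""
    findings = []
    for proc in ET.fromstring(xml_text).iter("processor"):
        for mailet in proc.iter("mailet"):
            # The class attribute may be short or fully qualified.
            if mailet.get("class", "").split(".")[-1] != "RemoteDelivery":
                continue
            exact = mailet.find("startTLS")  # XML tag names are case-sensitive
            lookalikes = [c.tag for c in mailet
                          if c.tag.lower() == "starttls" and c.tag != "startTLS"]
            value = (exact.text or "").strip() if exact is not None else ""
            if value.lower() == "true":  # assumption: only "true" enables it
                status, detail = "ok", "startTLS=true"
            elif lookalikes:
                status, detail = "miscased", ",".join(lookalikes)
            elif exact is not None:
                status, detail = "disabled", "startTLS=" + value
            else:
                status, detail = "missing", "no startTLS element"
            findings.append((proc.get("state"), status, detail))
    return findings

if __name__ == "__main__":
    for finding in audit_remote_delivery(SAMPLE):
        print(*finding)
```

A status of "ok" only confirms the configuration asks for StartTLS; whether a given delivery was actually encrypted still depends on the receiving server advertising the extension after EHLO.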

