I changed the certificates to

<tls socketTLS="true" startTLS="false">
  <privateKey>file://conf/hranitel-ist.ru-key.pem</privateKey>
  <certificates>file://conf/hranitel-ist.ru-chain.pem</certificates>
</tls>

but still the same :c

Sat, 1 Feb 2025 at 16:17, Ilya Terskov <prosgar...@gmail.com>:
> Hi there! Matt, can you help me?
> I configured it like you said:
>
> <tls socketTLS="false" startTLS="false">
>   <privateKey>file://../cert/hranitel-ist.ru-key.pem</privateKey>
>   <certificates>file://../cert/hranitel-ist.ru-crt.pem</certificates>
> </tls>
>
> for SMTP and IMAP; the server starts without errors:
>
> 15:58:35.219 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - IMAP Service bound to: 0.0.0.0:143
> 15:58:35.223 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - IMAP Service is running on: KSUSHA-ILYUSHA
> 15:58:35.223 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - IMAP Service handler hello name is: KSUSHA-ILYUSHA
> 15:58:35.224 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - IMAP Service handler connection timeout is: 300
> 15:58:35.225 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - IMAP Service connection backlog is: 200
> 15:58:35.226 [INFO ] o.a.j.p.l.SslConfig - TLS enabled with auth NONE using truststore null
> 15:58:35.234 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - IMAP Service bound to: 0.0.0.0:993
> 15:58:35.235 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - IMAP Service is running on: KSUSHA-ILYUSHA
> 15:58:35.235 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - IMAP Service handler hello name is: KSUSHA-ILYUSHA
> 15:58:35.236 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - IMAP Service handler connection timeout is: 300
> 15:58:35.238 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - IMAP Service connection backlog is: 200
> 15:58:35.241 [INFO ] o.a.j.p.l.SslConfig - SSL enabled with keystore(JKS) at null, certificates file://../cert/hranitel-ist.ru-crt.pem
> 15:58:35.524 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - Init IMAP Service done
> 15:58:35.617 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - Init IMAP Service done
> 15:58:35.623 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - LMTP Service disabled by configuration
> 15:58:35.627 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - POP3 Service disabled by configuration
> 15:58:35.634 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service bound to: 0.0.0.0:25
> 15:58:35.634 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service is running on: KSUSHA-ILYUSHA
> 15:58:35.635 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service handler hello name is: KSUSHA-ILYUSHA
> 15:58:35.635 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service handler connection timeout is: 360
> 15:58:35.637 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service connection backlog is: 200
> 15:58:35.640 [INFO ] o.a.j.s.n.SMTPServer - No maximum message size is enforced for this server.
> 15:58:35.642 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service bound to: 0.0.0.0:465
> 15:58:35.643 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service is running on: KSUSHA-ILYUSHA
> 15:58:35.643 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service handler hello name is: KSUSHA-ILYUSHA
> 15:58:35.644 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service handler connection timeout is: 360
> 15:58:35.648 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service connection backlog is: 200
> 15:58:35.649 [INFO ] o.a.j.p.l.SslConfig - SSL enabled with keystore(JKS) at null, certificates file://../cert/hranitel-ist.ru-crt.pem
> 15:58:35.650 [INFO ] o.a.j.s.n.SMTPServer - No maximum message size is enforced for this server.
> 15:58:35.651 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service bound to: 0.0.0.0:587
> 15:58:35.652 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service is running on: KSUSHA-ILYUSHA
> 15:58:35.656 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service handler hello name is: KSUSHA-ILYUSHA
> 15:58:35.660 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service handler connection timeout is: 360
> 15:58:35.660 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service connection backlog is: 200
> 15:58:35.661 [INFO ] o.a.j.p.l.SslConfig - TLS enabled with auth NONE using truststore null
>
> but I can't log into mail via any client.
>
> Sat, 1 Feb 2025 at 10:15, Ilya Terskov <prosgar...@gmail.com>:
>
>> Thanks a lot Matt, I'll try to make a PEM from Let's Encrypt and use it.
>>
>> Sat, 1 Feb 2025, 06:46 cryptearth <cryptea...@cryptearth.de.invalid>:
>>
>>> "It doesn't work" is not a helpful error description - in fact: it is
>>> none at all.
>>> If you try to start James with regular PEM files but have messed up
>>> something you will get a stack trace telling you what went wrong.
>>> Converting a PEM certificate chain with a private key into a Java
>>> keystore is not required anymore (although I still have a little helper
>>> doing exactly that).
>>>
>>> Anyway - here's how I've set it up:
>>>
>>> - placing the certificate chain in <james>/conf/chain.crt
>>>   Important: chain.crt has to contain your certificate and the
>>>   intermediate certificate in that order and should not contain the root
>>>   certificate.
>>> - placing the private key in <james>/conf/private.key
>>>   Important: make sure it has access set to 0600 (so read/write only to
>>>   the user, none to group or others); you CAN also secure it by a
>>>   passphrase - but my personal point: as you have to provide it along in
>>>   the config it's the same as hanging a key right next to a locked door -
>>>   why even bother to lock the door in the first place?
>>>
>>> Add to the server xml files (example for smtp/25):
>>>
>>> <smtpservers>
>>>   <smtpserver enabled="true">
>>>     <jmxName>smtpserver-global</jmxName>
>>>     <bind>0.0.0.0:25</bind>
>>>     <connectionBacklog>200</connectionBacklog>
>>>     <tls socketTLS="false" startTLS="true">
>>>       <privateKey>file://conf/private.key</privateKey>
>>>       <certificates>file://conf/chain.crt</certificates>
>>>       <!-- An optional secret might be specified for the private key -->
>>>       <!-- <secret>james72laBalle</secret> -->
>>>     </tls>
>>>     // ... rest of the file
>>>
>>> Same for every other TLS block.
>>>
>>> Afterwards start James by your start script - it should come up without
>>> issues.
>>> For the SMTP server you can use services such as
>>> https://www.checktls.com/TestReceiver - can also check DANE and MTA-STS
>>> and produce a very detailed log, my personal favorite
>>> or
>>> https://ssl-tools.net/mailservers - can have some issues sometimes - but
>>> also has good result presentation
>>>
>>> If you got your inbound SMTP correctly set up - copy the config to IMAP
>>> (and maybe POP if you use that) and make sure the ports are correct.
>>> You should also set STARTTLS on outgoing connections in the
>>> mailetcontainer.xml, section RemoteDelivery:
>>>
>>> <processor state="relay" enableJmx="true">
>>>   <mailet match="All" class="RemoteDelivery">
>>>     <outgoingQueue>outgoing</outgoingQueue>
>>>     <startTLS>true</startTLS>
>>>
>>> Note: proper spelling is important - it has to be written as "startTLS"
>>> - otherwise you will get an error on startup.
>>> And you can test that as well with the above sites or just send an email
>>> to your Gmail account and look into the raw mail - it should say
>>> something like this:
>>>
>>> Received by: mx.google.mx via ESMTPS for <recpt> (TLS=<some tls cipher>)
>>>
>>> If you get any error please get the full log so we can see what failed
>>> and direct you towards the right file to fix.
>>>
>>> You may also automate it with certbot by just sym-linking to the
>>> files used by Apache - but if so you have to run James as root.
>>>
>>> Hope this helps.
>>>
>>> Matt
>>>
>>> On 31.01.25 at 20:13, Ilya Terskov wrote:
>>> > Hi there guys once more :)
>>> > I hear that James can use common ACME/Let's Encrypt PKCS keys instead of
>>> > Java JKS, I even saw this in the readme files, but I tried to make it
>>> > work and never got it working... But converting from PKCS to JKS, those
>>> > keys work. Can you tell me how you're doing it?
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org
>>> For additional commands, e-mail: server-user-h...@james.apache.org
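Matt's two "Important" notes on the chain file (leaf first, then the intermediate, root left out) are easy to get wrong and James does not lint them for you. The following check is an added example, not code from this thread or from Apache James: it splits a PEM file, walks just enough of each certificate's DER to read the issuer and subject Names byte-for-byte, and reports a chain that is out of order, has a gap, still carries the root, or contains a key block by mistake. The `fake_cert`/`to_pem` helpers only build constructed fixtures for the demonstration; in practice feed `check_chain` the contents of the real `chain.crt`.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """[(label, der)] for every PEM block in file order; a KEY label here is a paste mistake."""
    return [(m[1], base64.b64decode(re.sub(r"\s", "", m[2]))) for m in PEM_RE.finditer(text)]

def der_tlv(data, pos=0):
    """Decode one DER element at pos -> (tag, content, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                              # long form: low 7 bits = number of length bytes
        length, pos = int.from_bytes(data[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, data[pos:pos + length], pos + length

def issuer_subject(cert_der):
    """Walk tbsCertificate to the raw DER issuer and subject Names (no OID decoding needed)."""
    _, tbs, _ = der_tlv(der_tlv(cert_der)[1])     # Certificate -> tbsCertificate
    tag, _, pos = der_tlv(tbs)                     # [0] EXPLICIT version, or serialNumber for v1
    if tag == 0xA0:
        _, _, pos = der_tlv(tbs, pos)              # serialNumber
    _, _, pos = der_tlv(tbs, pos)                  # signature AlgorithmIdentifier
    _, issuer, pos = der_tlv(tbs, pos)
    _, _, pos = der_tlv(tbs, pos)                  # validity
    return issuer, der_tlv(tbs, pos)[1]

def check_chain(pem_text):
    """Findings for a James <certificates> file; [] means leaf, then intermediate(s), no root."""
    blocks = pem_blocks(pem_text)
    findings = [f"non-certificate block '{l}' in chain file" for l, _ in blocks if l != "CERTIFICATE"]
    certs = [issuer_subject(d) for l, d in blocks if l == "CERTIFICATE"]
    if not certs:
        return findings + ["no CERTIFICATE block found"]
    for i in range(len(certs) - 1):                # issuer of cert i must be the subject of cert i+1
        if certs[i][0] != certs[i + 1][1]:
            findings.append(f"certificate {i} not issued by certificate {i + 1}: wrong order or gap")
    if certs[-1][0] == certs[-1][1]:               # a self-signed last element is the root
        findings.append("last certificate is self-signed: drop the root from the chain")
    return findings

# Constructed fixtures (not real certificates): just enough DER for the walker above to read.
def tlv(tag, body):
    assert len(body) < 0x80, "fixtures only need short-form lengths"
    return bytes([tag, len(body)]) + body

def fake_cert(subject, issuer):
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn))))
    # version, serial, sigAlg (empty placeholder), issuer, validity (empty placeholder), subject
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") + name(issuer) + tlv(0x30, b"") + name(subject)
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))

def to_pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"
```

The comparison is on raw DER Names, which is how most chains match in practice; it does not verify signatures, so a clean result still needs one of the external checkers Matt lists.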