Hey Ilya,
the startTLS block in mailetcontainer is for outbound mail only and has
to be written exactly as that. There's no such block as socketTLS for
outbound mail, as outbound always relies on opportunistic TLS - aka
STARTTLS on the target server. It's called opportunistic because the
fallback is to just not encrypt the connection but go plain - which is
ok for server-to-server delivery, as one only transmits the mail but no
user credentials.
As for why the inbound doesn't work:
First: you have to at least select EITHER socketTLS or startTLS.
Selecting none results in no TLS at all. Selecting both - I haven't tested
it, but it likely results in a failure at startup. It also depends on what you
enable for which port:
TCP/25 - incoming SMTP - it can only have either startTLS or none
TCP/465 - secure submission - it's supposed to have socketTLS only
TCP/587 - submission - can have either none or startTLS, but not socketTLS
The same goes for IMAP and POP:
TCP/143 - regular IMAP port - either none or startTLS
TCP/993 - IMAPS - socketTLS
TCP/110 - regular POP3 - either none or startTLS
TCP/995 - POP3S - socketTLS
Although POP isn't used much anymore.
So, from your reply:
<tls socketTLS="false" startTLS="false">
doesn't do anything and I wouldn't use it at all - not even for the
incoming SMTP on port 25 - as there are some servers out there refusing
a plain connection.
<tls socketTLS="true" startTLS="false">
looks better but can only be used for the secured ports 465, 993 and 995.
Are you using plain PEM files? The log seems to suggest you just copied a
JKS - as my startup log does not show this line.
The certificate file should start with -----BEGIN CERTIFICATE----- while
the (unencrypted) key file should start with -----BEGIN RSA PRIVATE KEY-----
Matt
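Matt's port-to-mode rules above, turned into a small check over a James server XML file. This is an added example, not part of the thread or of James itself; the sample config is constructed and the verdict strings are my own.

```python
import xml.etree.ElementTree as ET

# Allowed TLS modes per well-known port, as laid out in the thread:
# the plain ports take startTLS (or nothing), the "s" ports take socketTLS.
PORT_RULES = {
    25: {"startTLS"}, 587: {"startTLS"}, 143: {"startTLS"}, 110: {"startTLS"},
    465: {"socketTLS"}, 993: {"socketTLS"}, 995: {"socketTLS"},
}

def tls_mode(tls_el):
    """Collapse the socketTLS/startTLS attribute pair into one mode name."""
    socket = tls_el is not None and tls_el.get("socketTLS", "false").lower() == "true"
    start = tls_el is not None and tls_el.get("startTLS", "false").lower() == "true"
    if socket and start:
        return "both"
    return "socketTLS" if socket else "startTLS" if start else "none"

def check_servers(xml_text, server_tag):
    """Return {port: verdict} for every <server_tag> element in a James server XML."""
    findings = {}
    for srv in ET.fromstring(xml_text).iter(server_tag):
        port = int(srv.findtext("bind", "0.0.0.0:0").rsplit(":", 1)[-1])
        mode = tls_mode(srv.find("tls"))
        if mode == "both":
            findings[port] = "socketTLS and startTLS both set; pick exactly one"
        elif mode == "none":
            findings[port] = "no TLS at all; some peers will refuse a plain connection"
        elif mode not in PORT_RULES.get(port, {mode}):   # unknown ports pass
            findings[port] = f"{mode} is not valid on port {port}"
        else:
            findings[port] = "ok"
    return findings

# Constructed sample (not a real smtpserver.xml): 25 with no TLS at all,
# 465 configured correctly, 587 wrongly using socketTLS.
SAMPLE = """<smtpservers>
  <smtpserver enabled="true"><bind>0.0.0.0:25</bind>
    <tls socketTLS="false" startTLS="false"/></smtpserver>
  <smtpserver enabled="true"><bind>0.0.0.0:465</bind>
    <tls socketTLS="true" startTLS="false"/></smtpserver>
  <smtpserver enabled="true"><bind>0.0.0.0:587</bind>
    <tls socketTLS="true" startTLS="false"/></smtpserver>
</smtpservers>"""

if __name__ == "__main__":
    for port, verdict in sorted(check_servers(SAMPLE, "smtpserver").items()):
        print(f"port {port}: {verdict}")
```

The same function works for imapserver.xml and pop3server.xml by passing "imapserver" or "pop3server" as the tag.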
On 02.02.25 at 19:29, Benoit TELLIER wrote:
Hi Ilya
smtpserver.xml only defines certificates for incoming connections.
This can be checked via openssl s_client -connect yourdomain.com:465
For outgoing traffic one needs to set up a compliant remote delivery.
Cf.
https://james.staged.apache.org/james-project/3.9.0/servers/distributed/configure/mailets.html#_remotedelivery
--
Best regards,
Benoit TELLIER
General manager of Linagora VIETNAM.
Product owner for Team-Mail product.
Chairman of the Apache James project.
Mail: btell...@linagora.com
Tel: (0033) 6 77 26 04 58 (WhatsApp, Signal)
On Feb 1, 2025 4:05 PM, Ilya Terskov <prosgar...@gmail.com> wrote:
I changed the certificates to
<tls socketTLS="true" startTLS="false">
  <privateKey>file://conf/hranitel-ist.ru-key.pem</privateKey>
  <certificates>file://conf/hranitel-ist.ru-chain.pem</certificates>
</tls>
but still the same :c
Sat, 1 Feb 2025 at 16:17, Ilya Terskov <prosgar...@gmail.com>:
Hi there! Matt, can you help me?
I configured it like you said:
<tls socketTLS="false" startTLS="false">
  <privateKey>file://../cert/hranitel-ist.ru-key.pem</privateKey>
  <certificates>file://../cert/hranitel-ist.ru-crt.pem</certificates>
</tls>
for SMTP and IMAP; the server starts without errors:
15:58:35.219 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - IMAP Service bound to: 0.0.0.0:143
15:58:35.223 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - IMAP Service is running on: KSUSHA-ILYUSHA
15:58:35.223 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - IMAP Service handler hello name is: KSUSHA-ILYUSHA
15:58:35.224 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - IMAP Service handler connection timeout is: 300
15:58:35.225 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - IMAP Service connection backlog is: 200
15:58:35.226 [INFO ] o.a.j.p.l.SslConfig - TLS enabled with auth NONE using truststore null
15:58:35.234 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - IMAP Service bound to: 0.0.0.0:993
15:58:35.235 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - IMAP Service is running on: KSUSHA-ILYUSHA
15:58:35.235 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - IMAP Service handler hello name is: KSUSHA-ILYUSHA
15:58:35.236 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - IMAP Service handler connection timeout is: 300
15:58:35.238 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - IMAP Service connection backlog is: 200
15:58:35.241 [INFO ] o.a.j.p.l.SslConfig - SSL enabled with keystore(JKS) at null, certificates file://../cert/hranitel-ist.ru-crt.pem
15:58:35.524 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - Init IMAP Service done
15:58:35.617 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - Init IMAP Service done
15:58:35.623 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - LMTP Service disabled by configuration
15:58:35.627 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - POP3 Service disabled by configuration
15:58:35.634 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service bound to: 0.0.0.0:25
15:58:35.634 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service is running on: KSUSHA-ILYUSHA
15:58:35.635 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service handler hello name is: KSUSHA-ILYUSHA
15:58:35.635 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service handler connection timeout is: 360
15:58:35.637 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service connection backlog is: 200
15:58:35.640 [INFO ] o.a.j.s.n.SMTPServer - No maximum message size is enforced for this server.
15:58:35.642 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service bound to: 0.0.0.0:465
15:58:35.643 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service is running on: KSUSHA-ILYUSHA
15:58:35.643 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service handler hello name is: KSUSHA-ILYUSHA
15:58:35.644 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service handler connection timeout is: 360
15:58:35.648 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service connection backlog is: 200
15:58:35.649 [INFO ] o.a.j.p.l.SslConfig - SSL enabled with keystore(JKS) at null, certificates file://../cert/hranitel-ist.ru-crt.pem
15:58:35.650 [INFO ] o.a.j.s.n.SMTPServer - No maximum message size is enforced for this server.
15:58:35.651 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service bound to: 0.0.0.0:587
15:58:35.652 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service is running on: KSUSHA-ILYUSHA
15:58:35.656 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service handler hello name is: KSUSHA-ILYUSHA
15:58:35.660 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service handler connection timeout is: 360
15:58:35.660 [INFO ] o.a.j.p.l.n.AbstractConfigurableAsyncServer - SMTP Service connection backlog is: 200
15:58:35.661 [INFO ] o.a.j.p.l.SslConfig - TLS enabled with auth NONE using truststore null
but I can't log in to mail via any client.
Sat, 1 Feb 2025 at 10:15, Ilya Terskov <prosgar...@gmail.com>:
Thanks a lot Matt, I'll try to make a PEM from Let's Encrypt and use it.
Sat, 1 Feb 2025, 06:46 cryptearth <cryptea...@cryptearth.de.invalid>:
"It doesn't work" is not a helpful error description - in fact, it is
none at all.
If you try to start james with regular PEM files but have messed up
something, you will get a stack trace telling you what went wrong.
Converting a PEM certificate chain with a private key into a Java
keystore is not required anymore (although I still have a little helper
doing exactly that).
Anyway - here's how I've set it up:
- placing the certificate chain in <james>/conf/chain.crt
Important: chain.crt has to contain your certificate and the
intermediate certificate, in that order, and should not contain the root
certificate.
- placing the private key in <james>/conf/private.key
Important: make sure it has access set to 0600 (so read/write only for
the user, none for group or others); you CAN also secure it with a
passphrase - but my personal point: as you have to provide it along in
the config, it's the same as hanging a key right next to a locked door -
why even bother to lock the door in the first place?
Add to the server xml files (example for smtp/25):
<smtpservers>
  <smtpserver enabled="true">
    <jmxName>smtpserver-global</jmxName>
    <bind>0.0.0.0:25</bind>
    <connectionBacklog>200</connectionBacklog>
    <tls socketTLS="false" startTLS="true">
      <privateKey>file://conf/private.key</privateKey>
      <certificates>file://conf/chain.crt</certificates>
      <!-- An optional secret might be specified for the private key -->
      <!-- <secret>james72laBalle</secret> -->
    </tls>
    <!-- ... rest of the file -->
  </smtpserver>
</smtpservers>
Same for every other TLS block.
Afterwards start james with your start script - it should come up without
issues. For the SMTP server you can use services such as
checktls.com/TestReceiver - it can also check DANE and MTA-STS
and produces a very detailed log; my personal favorite
or
ssl-tools.net/mailservers - it can have some issues sometimes, but
also has good result presentation.
If you got your inbound SMTP correctly set up, copy the config to IMAP
(and maybe POP if you use that) and make sure the ports are correct.
You should also set starttls on outgoing connections in
mailetcontainer.xml, section RemoteDelivery:
<processor state="relay" enableJmx="true">
  <mailet match="All" class="RemoteDelivery">
    <outgoingQueue>outgoing</outgoingQueue>
    <startTLS>true</startTLS>
    <!-- ... remaining RemoteDelivery parameters -->
  </mailet>
</processor>
Note: proper spelling is important - it has to be written as "startTLS"
- otherwise you will get an error on startup.
And you can test that as well with the above sites, or just send an email
to your gmail account and look into the raw mail - it should say
something like this:
Received by: mx.google.mx via ESMTPS for <recpt> (TLS=<some tls cipher>)
If you get any error, please get the full log so we can see what failed
and direct you towards the right file to fix.
You may also automate it with certbot by just sym-linking to the
files used by apache - but if so you have to run james as root.
Hope this helps.
Matt
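A sanity check for the two files a <tls> block points at, covering the rules from Matt's message above (leaf then intermediate, no root; key readable only by its owner; a passphrase means <secret> is needed) and his later suspicion that a JKS was copied in place of a PEM. This is an added example, not code from the thread or from James; the sample PEM bodies and the JKS magic-byte sample are constructed, and the JKS magic 0xFEEDFEED is the standard Java keystore header.

```python
import re
import stat

JKS_MAGIC = b"\xfe\xed\xfe\xed"  # first four bytes of a Java keystore file
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

def inspect_pem(data):
    """Describe what a file handed to <certificates> or <privateKey> really holds."""
    if data.startswith(JKS_MAGIC):
        return {"kind": "jks"}
    labels = [m.group(1).decode() for m in PEM_BLOCK.finditer(data)]
    if not labels:
        return {"kind": "unknown"}
    if labels[0].endswith("PRIVATE KEY"):
        # "ENCRYPTED PRIVATE KEY" (PKCS#8) or a Proc-Type header (PKCS#1) means a passphrase
        enc = labels[0].startswith("ENCRYPTED") or b"Proc-Type: 4,ENCRYPTED" in data
        return {"kind": "key", "label": labels[0], "encrypted": enc}
    return {"kind": "certificates", "count": labels.count("CERTIFICATE")}

def key_mode_ok(mode):
    """Matt's 0600 rule: no group or other permission bits on the key file."""
    return stat.S_IMODE(mode) & 0o077 == 0

def audit(cert_data, key_data, key_mode):
    """Return a list of findings; an empty list means the pair looks as the thread expects."""
    findings = []
    cert = inspect_pem(cert_data)
    if cert["kind"] != "certificates":
        findings.append(f"certificates file is {cert['kind']}, not PEM certificates")
    elif cert["count"] != 2:
        findings.append(f"chain holds {cert['count']} certificate(s); expected 2 (leaf, intermediate, no root)")
    key = inspect_pem(key_data)
    if key["kind"] != "key":
        findings.append(f"privateKey file is {key['kind']}, not a PEM key")
    elif key["encrypted"]:
        findings.append("key is passphrase-protected; <secret> must be set in the <tls> block")
    if not key_mode_ok(key_mode):
        findings.append("key file is readable by group/others; chmod 0600")
    return findings

# Constructed samples: not real certificates or keys, just the PEM framing.
SAMPLE_CHAIN = (b"-----BEGIN CERTIFICATE-----\nLEAFPLACEHOLDER\n-----END CERTIFICATE-----\n"
                b"-----BEGIN CERTIFICATE-----\nINTERMEDIATEPLACEHOLDER\n-----END CERTIFICATE-----\n")
SAMPLE_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nKEYPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_JKS = JKS_MAGIC + b"\x00\x00\x00\x02"  # keystore magic plus version 2

if __name__ == "__main__":
    print(audit(SAMPLE_CHAIN, SAMPLE_KEY, 0o100600))   # []
    print(audit(SAMPLE_JKS, SAMPLE_KEY, 0o100644))     # JKS and permission findings
```

On a real installation read the two files with open(path, "rb") and pass os.stat(key_path).st_mode as key_mode.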
On 31.01.25 at 20:13, Ilya Terskov wrote:
Hi there guys once more :)
I hear that james can use common acme/lets encrypt pkcs keys instead of
java jks, I even see this in readme files, but I try to make it work and never
get it working... But converting from pkcs to jks, these keys work. Can you
tell me how you do it?
---------------------------------------------------------------------
To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org
For additional commands, e-mail: server-user-h...@james.apache.org