Hello,

I have tried to write a short howto on configuring James with SSL/TLS.

Hope it will help you.

Emmanuel


Abstract:
---------

How to configure James to accept secure connections using SSL/TLS. This
document describes the steps to get a running instance of James with an SMTP
handler and a POP handler that both offer SSL/TLS, next to the plain-text
handlers.


Issues:
-------

There are 2 issues, a major and a minor.

Major issue: almost all SMTP servers in the world use a plain-text session on
port 25 to exchange mail between them. This means you must have 2 SMTP
handlers in James. The first one uses a plain-text session on port 25. The
second one uses an SSL/TLS session on port 465. If you don't set up the first,
nobody can send you mail.

Note that the port 465 handler below wraps the whole connection in TLS through
the ssl socket factory ("SSL on connect"); it does not offer STARTTLS. Mail
clients must therefore be configured for SSL/TLS on connect on port 465, and
clients that authenticate on port 25 send their password in clear text, so
point them at port 465 for sending.

Minor issue: some mail clients cannot use SSL/TLS to receive mail. If that is
the case, set up 2 POP handlers (same as for SMTP).


Note:
-----

If you don't know which port to use, have a look at the file /etc/services. It
lists the standard port assignments (e.g. 25 for smtp, 465 for smtps, 110 for
pop3, 995 for pop3s).


Configuring the SMTP handler:
-----------------------------

Step 1: configure james/SAR-INF/config.xml like this (I have removed all the
comments for clarity). I enable auth and verify in order to prevent an open
relay (correct me if I'm wrong).
  
  <smtpserver enabled="true">
      <port>25</port>
      <handler>
         <helloName autodetect="true">myMailServer</helloName>
         <connectiontimeout>360000</connectiontimeout>
         <authRequired>true</authRequired>
         <verifyIdentity>true</verifyIdentity>
         <maxmessagesize>0</maxmessagesize>
      </handler>
   </smtpserver>
   
   <smtpserver-tls enabled="true">
      <port>465</port>
      <useTLS>true</useTLS>
      <handler>
         <helloName autodetect="true">myMailServer</helloName>
         <connectiontimeout>360000</connectiontimeout>
         <authRequired>true</authRequired>
         <verifyIdentity>true</verifyIdentity>
         <maxmessagesize>0</maxmessagesize>
      </handler>
   </smtpserver-tls>
   
   .....
   
   <!-- Enable the ssl factory and specify where the java keystore is located
        (here james/SAR-INF/conf -> james/SAR-INF/conf/keystore). The keystore
        password is stored in clear text below, so make config.xml readable
        only by the user James runs as. -->
   <sockets>
      <server-sockets>
         <factory name="plain" 
class="org.apache.avalon.cornerstone.blocks.sockets.DefaultServerSocketFactory"/>
         <factory name="ssl" 
class="org.apache.avalon.cornerstone.blocks.sockets.TLSServerSocketFactory">
            <keystore>
               <file>conf/keystore</file>
               <password>keystore</password>
               <type>JKS</type>
               <protocol>TLS</protocol>
               <algorithm>SunX509</algorithm>
               <authenticate-client>false</authenticate-client>
            </keystore>
         </factory>
      </server-sockets>
      <client-sockets>
         <factory name="plain" 
class="org.apache.avalon.cornerstone.blocks.sockets.DefaultSocketFactory"/>
      </client-sockets>
   </sockets>
   

Step 2: in the file james/SAR-INF/assembly.xml, duplicate the block whose name
is "smtpserver". In the duplicated block, change "smtpserver" to
"smtpserver-tls". The block name must match the element name of the second
handler in config.xml.

Step 3: create the keystore in james/SAR-INF/conf

In a shell, type the following (-genkey creates the key pair and a self-signed
certificate in one go, so -selfcert is not needed; the key alias defaults to
"mykey" and the certificate expires after the 365 days given by -validity):

---<<type start>>---
: keytool -genkey -validity 365 -keypass keystore -keystore ./keystore
Enter keystore password:  keystore
What is your first and last name?
  [Unknown]:
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]:
What is the name of your City or Locality?
  [Unknown]:
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
  [no]:  yes
---<<type end>>---

Type the correct values for your certificate ;-) The answer to "first and last
name" becomes the certificate CN: use the host name your clients connect to
(e.g. mail.example.com), otherwise mail clients will warn that the certificate
name does not match the server.

Note: use the same password (here keystore) everywhere: for -keypass, at the
keystore password prompt and in the <password> element of config.xml. Pick a
real password on a production server, not "keystore".


Configuring the POP handler:
-----------------------------

It's the same story as for SMTP. Just decide if you want only an SSL/TLS
connection or a PLAIN + SSL/TLS connection, then duplicate the POP block in
config.xml and assembly.xml in the same way, with <useTLS>true</useTLS> and
the standard port for POP3 over SSL (995).
 
 
Testing:
--------

Start James. If all is correct, it should start without any error message;
check the James log to confirm that both the plain and the tls handlers are
listening.

To test the SSL/TLS feature, start openssl in a shell and type:

---<<type start>>---
: openssl
OpenSSL> s_client -connect localhost:465

//openssl prints the certificate chain and the handshake details, then you
//should see James' "220 ..." greeting. With the self-signed certificate from
//step 3, expect "Verify return code: 18 (self signed certificate)"; that is
//normal, it just means clients must be told to trust this certificate.
//Type EHLO localhost and check that AUTH is offered, then QUIT.

---<<type end>>---
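The same check done programmatically, as an added example that is not part of the original howto and not James code: it drives the SMTP dialogue itself, so the result is the 220 greeting and the EHLO extensions (in particular whether AUTH is offered) rather than a wall of openssl output, and the same probe_smtp() can be run over a plain socket to compare the port 25 handler. Host names, ports, the CA file path and the fake server's replies are assumptions or constructed for the offline run.

```python
"""Probe the James SMTP listeners the way 'openssl s_client' does, but drive
the SMTP dialogue too, so you see the 220 greeting and whether AUTH is
advertised. Added example for this howto, not code from James or its author.
Host names, ports, the CA file path and the fake server's replies are
assumptions / constructed, not captured from a real James instance.
"""
import socket
import ssl
import threading


class SmtpError(Exception):
    """Raised when the server does not speak SMTP as expected."""


def _read_reply(rfile):
    """Read one SMTP reply, joining a multi-line reply ('250-...' lines
    followed by a final '250 ...' line). Returns (code, [text lines])."""
    lines = []
    while True:
        raw = rfile.readline()
        if not raw:
            raise SmtpError("connection closed by server")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise SmtpError("malformed reply: %r" % line)
        lines.append(line[4:])
        if len(line) == 3 or line[3] == " ":
            return int(line[:3]), lines


def probe_smtp(sock, helo_name="probe.example.test"):
    """Talk SMTP over an already connected socket (plain for port 25, or
    TLS-wrapped for the 465 handler). Returns the greeting, the EHLO
    extensions and whether AUTH is offered; raises SmtpError on problems."""
    rfile = sock.makefile("rb")
    try:
        code, lines = _read_reply(rfile)
        if code != 220:
            raise SmtpError("expected a 220 greeting, got %d" % code)
        banner = lines[0]
        sock.sendall(("EHLO %s\r\n" % helo_name).encode("ascii"))
        code, lines = _read_reply(rfile)
        if code != 250:
            raise SmtpError("EHLO rejected with %d" % code)
        # First EHLO line is the server's own greeting; the rest are keywords.
        extensions = {l.split()[0].upper(): l for l in lines[1:] if l.strip()}
        sock.sendall(b"QUIT\r\n")
        try:
            _read_reply(rfile)
        except SmtpError:
            pass  # some servers just drop the connection after QUIT
    finally:
        rfile.close()
    return {"banner": banner, "extensions": extensions,
            "auth_advertised": "AUTH" in extensions}


def connect_smtps(host, port=465, cafile=None, timeout=10):
    """Implicit TLS on connect, which is what the useTLS handler does on
    port 465 (no STARTTLS). cafile is the PEM export of the James certificate;
    without it a self-signed certificate fails verification, exactly as it
    would in a mail client that has not been told to trust it."""
    ctx = ssl.create_default_context(cafile=cafile)
    raw = socket.create_connection((host, port), timeout=timeout)
    with ctx.wrap_socket(raw, server_hostname=host) as tls:
        result = probe_smtp(tls)
        result["tls_version"] = tls.version()
        subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
        result["peer_cn"] = subject.get("commonName")
    return result


def run_against_fake(replies):
    """Offline check of probe_smtp: an in-process fake server sends the
    constructed (banner, ehlo_reply, quit_reply) bytes over a socketpair.
    Use connect_smtps() against the real James for the live test."""
    banner, ehlo_reply, quit_reply = replies
    client, server = socket.socketpair()

    def serve():
        rfile = server.makefile("rb")
        server.sendall(banner)
        for reply in (ehlo_reply, quit_reply):
            if not rfile.readline():  # client gave up (e.g. bad banner)
                break
            server.sendall(reply)
        rfile.close()
        server.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    try:
        return probe_smtp(client)
    finally:
        client.close()
        t.join(5)


# Constructed replies resembling a server with SMTP AUTH enabled (assumed
# wording, not a capture from James).
JAMES_LIKE = (
    b"220 myMailServer SMTP Server ready\r\n",
    b"250-myMailServer Hello probe.example.test\r\n"
    b"250-AUTH LOGIN PLAIN\r\n"
    b"250 8BITMIME\r\n",
    b"221 myMailServer Service closing transmission channel\r\n",
)

if __name__ == "__main__":
    print(run_against_fake(JAMES_LIKE))
    # Live check (assumed host and CA file):
    # print(connect_smtps("localhost", 465, cafile="james.pem"))
```

For the live check, export the certificate from the keystore created in step 3 with `keytool -export -alias mykey -rfc -keystore keystore -file james.pem` (assumed file name) and pass it as cafile; leaving cafile unset reproduces the "self signed certificate" failure a mail client would report. Running probe_smtp() over a plain socket.create_connection() to port 25 shows the same dialogue on the plain handler, where any AUTH would travel in clear text.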

That's all.