Hello, Emmanuel!

I tried to configure James as you described in your last post, but I had the same problem as before.
I tried both (jdk141) and (jdk131 with jsse) with the same unsuccessful result.


When I'm connecting to port 465 via openssl, I receive the following response:

CONNECTED(00000006)
---
Certificate chain
0 s:/C=MD/ST=Moldova/L=Chisinau/O=Compudava/OU=Coolmail/CN=Navitaniuk Denis
i:/C=MD/ST=Moldova/L=Chisinau/O=Compudava/OU=Coolmail/CN=Navitaniuk Denis
---
Server certificate
subject=/C=MD/ST=Moldova/L=Chisinau/O=Compudava/OU=Coolmail/CN=Navitaniuk Denis
issuer=/C=MD/ST=Moldova/L=Chisinau/O=Compudava/OU=Coolmail/CN=Navitaniuk Denis
---
No client certificate CA names sent
---
SSL handshake has read 1263 bytes and written 332 bytes
---
New, TLSv1/SSLv3, Cipher is EDH-DSS-DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : EDH-DSS-DES-CBC3-SHA
Session-ID: 3EDC49E122C2E7CB75D755AE5510538E4E2C2C26D6A4565337DEF4F32F8B32DE
Session-ID-ctx:
Master-Key: 66DB86793C11164B614A4B20D21DFE3DC306FA168708C9FD87336C923D12BD694947EEBD6EF9D056C74DE60D739DD112
Key-Arg : None
Krb5 Principal: None
Start Time: 1054624225
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
220 zanta SMTP Server (JAMES SMTP Server 2.1.3) ready Tue, 3 Jun 2003 10:10:25 +0300 (EEST)


That response was generated for my last certificate, made under jdk131_08.

Outlook responded that a timeout had occurred.

In the logs I saw:
03/06/03 09:35:13 DEBUG smtpserver-tls: Calling start()
03/06/03 09:35:13 DEBUG smtpserver-tls: Exception handling socket to 192.168.12.227 (192.168.12.227) : Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.d(DashoA6275)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
at java.io.BufferedInputStream.read1(BufferedInputStream.java:220)
at java.io.BufferedInputStream.read(BufferedInputStream.java:277)
at sun.nio.cs.StreamDecoder$CharsetSD.readBytes(StreamDecoder.java:406)
at sun.nio.cs.StreamDecoder$CharsetSD.implRead(StreamDecoder.java:446)
at sun.nio.cs.StreamDecoder.read(StreamDecoder.java:180)
at java.io.InputStreamReader.read(InputStreamReader.java:167)
at java.io.BufferedReader.fill(BufferedReader.java:136)
at java.io.BufferedReader.readLine(BufferedReader.java:299)
at java.io.BufferedReader.readLine(BufferedReader.java:362)
at org.apache.james.smtpserver.SMTPHandler.readCommandLine(SMTPHandler.java:527)
at org.apache.james.smtpserver.SMTPHandler.handleConnection(SMTPHandler.java:381)
at org.apache.james.util.connection.ServerConnection$ClientConnectionRunner.run(ServerConnection.java:462)
at org.apache.avalon.excalibur.thread.impl.ExecutableRunnable.execute(ExecutableRunnable.java:47)
at org.apache.avalon.excalibur.thread.impl.WorkerThread.run(WorkerThread.java:80)
Caused by: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
at sun.nio.cs.StreamEncoder$CharsetSE.writeBytes(StreamEncoder.java:334)
at sun.nio.cs.StreamEncoder$CharsetSE.implFlushBuffer(StreamEncoder.java:402)
at sun.nio.cs.StreamEncoder$CharsetSE.implFlush(StreamEncoder.java:406)
at sun.nio.cs.StreamEncoder.flush(StreamEncoder.java:150)
at java.io.OutputStreamWriter.flush(OutputStreamWriter.java:213)
at java.io.BufferedWriter.flush(BufferedWriter.java:230)
at java.io.PrintWriter.flush(PrintWriter.java:120)
at org.apache.james.smtpserver.SMTPHandler.writeLoggedFlushedResponse(SMTPHandler.java:505)
at org.apache.james.smtpserver.SMTPHandler.handleConnection(SMTPHandler.java:378)
... 3 more
Caused by: java.io.EOFException: SSL peer shut down incorrectly
at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
... 16 more



Any ideas?


Could you please send me the code for your proxy? Maybe it will help somehow...

Thanks in advance.
Denis.


Emmanuel Gilmont wrote:
Hello,

I have tried to write a short howto on configuring James with SSL/TLS.

Hope it will help you.

Emmanuel


------------------------------------------------------------------------


Abstract:
---------

How to configure James to enable a secure connection using SSL/TLS. This document describes the steps to have a running instance of James with an SMTP and a POP handler, each with the SSL/TLS feature.


Issues:
-------

There are 2 issues, a major and a minor.

Major issue: almost all SMTP servers around the world use a plain-text session on port 25 to exchange mail between them. This implies you must have 2 SMTP handlers on James. The first one will use a plain-text session on port 25. The second one will use an SSL/TLS session on port 465. If you don't set up the first, nobody can send you mail.

Minor issue: some mail clients cannot use the SSL/TLS feature to receive mail. If that happens, you should set up 2 POP handlers (same as for SMTP).


Note:
-----

If you don't know which port to use, have a look in the file /etc/services. It defines all standard ports.


Configuring the SMTP handler:
-----------------------------

Step 1: configure james/SAR-INF/config.xml like this (I removed all comments to be clear). I enable auth and verify in order to prevent any open relay (correct me if I'm wrong).
<smtpserver enabled="true">
<port>25</port>
<handler>
<helloName autodetect="true">myMailServer</helloName>
<connectiontimeout>360000</connectiontimeout>
<authRequired>true</authRequired>
<verifyIdentity>true</verifyIdentity>
<maxmessagesize>0</maxmessagesize>
</handler>
</smtpserver>
<smtpserver-tls enabled="true">
<port>465</port>
<useTLS>true</useTLS>
<handler>
<helloName autodetect="true">myMailServer</helloName>
<connectiontimeout>360000</connectiontimeout>
<authRequired>true</authRequired>
<verifyIdentity>true</verifyIdentity>
<maxmessagesize>0</maxmessagesize>
</handler>
</smtpserver-tls>
.....
<!-- Enable the ssl factory and specify where the java keystore is located
     ( here in james/SAR-INF/conf -> james/SAR-INF/conf/keystore ) -->
<sockets>
<server-sockets>
<factory name="plain" class="org.apache.avalon.cornerstone.blocks.sockets.DefaultServerSocketFactory"/>
<factory name="ssl" class="org.apache.avalon.cornerstone.blocks.sockets.TLSServerSocketFactory">
<keystore>
<file>conf/keystore</file>
<password>keystore</password>
<type>JKS</type>
<protocol>TLS</protocol>
<algorithm>SunX509</algorithm>
<authenticate-client>false</authenticate-client>
</keystore>
</factory>
</server-sockets>
<client-sockets>
<factory name="plain" class="org.apache.avalon.cornerstone.blocks.sockets.DefaultSocketFactory"/>
</client-sockets>
</sockets>


Step 2: in the file james/SAR-INF/assembly.xml, duplicate the block named "smtpserver". In the duplicated block, replace "smtpserver" with "smtpserver-tls".
This reflects the second handler in the file config.xml.


Step 3: create the keystore in james/SAR-INF/conf

In a shell, type the following:

---<<type start>>---
: keytool -selfcert -genkey -validity 365 -keypass keystore -keystore ./keystore
Enter keystore password:  keystore
What is your first and last name?
  [Unknown]:
What is the name of your organizational unit?
  [Unknown]:
What is the name of your organization?
  [Unknown]:
What is the name of your City or Locality?
  [Unknown]:
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:
Is CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
  [no]:  yes
---<<type end>>---

Type the correct values for your certificate ;-)

Note: use same password (here keystore) everywhere!


Configuring the POP handler:
----------------------------

It's the same story as for SMTP. Just decide if you want only an SSL/TLS or
a PLAIN + SSL/TLS connection.


Testing:
--------


Start James. If all is correct, it should start without any error message.

To test the SSL/TLS feature, start openssl in a shell and type:

---<<type start>>---
: openssl
OpenSSL> s_client -connect localhost:465

//and ssl will print a lot of information...

---<<type end>>---






That's all.



------------------------------------------------------------------------


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]


--
----------------------------------------------------------------------
Denis Navitaniuk.
Java Developer, Compudava SRL
str. Columna 131, Chisinau, MD-2012, Moldova
Tel: +373 227309 Fax: +373 2228843
Email: [EMAIL PROTECTED]
icq#: 108266260

The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Any opinions expressed are mine and do not necessarily represent the opinions of the Company. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. Emails are susceptible to interference. The sender accepts no responsibility for information, errors or omissions in this email, or for its use or misuse, or for any act committed or omitted in connection with this communication. If in doubt, please verify the authenticity of the contents with the sender.
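As an added example (not code from this thread, from James, or from either author), the script below reads an `openssl s_client` transcript like the one pasted at the top of the message and flags what a reviewer would check after the howto's testing step: whether the SMTP 220 banner arrived (i.e. the handshake completed, which is exactly what distinguishes the openssl run from the Outlook timeout), the verify return code, a self-signed subject/issuer pair, the server key size, and the negotiated cipher and protocol. The sample transcript is constructed from the output above, and the weak-cipher, legacy-protocol and key-size thresholds are an assumption (a modern baseline, not something the thread states).

```python
import re

# Constructed sample in the shape of the s_client transcript quoted above
# (certificate blob and session keys omitted).
SAMPLE = """subject=/C=MD/ST=Moldova/L=Chisinau/O=Compudava/OU=Coolmail/CN=Navitaniuk Denis
issuer=/C=MD/ST=Moldova/L=Chisinau/O=Compudava/OU=Coolmail/CN=Navitaniuk Denis
Server public key is 1024 bit
Protocol : TLSv1
Cipher : EDH-DSS-DES-CBC3-SHA
Verify return code: 18 (self signed certificate)
220 zanta SMTP Server (JAMES SMTP Server 2.1.3) ready
"""
# Thresholds are an assumption (a modern baseline), not something the thread states.
WEAK_CIPHER_MARKERS = ("DES", "RC4", "NULL", "EXP", "MD5")
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
MIN_KEY_BITS = 2048
FIELD_PATTERNS = {  # leading \s* tolerates the indentation real s_client output has
    "subject": r"^\s*subject=(.+)$", "issuer": r"^\s*issuer=(.+)$",
    "protocol": r"^\s*Protocol\s*:\s*(\S+)", "cipher": r"^\s*Cipher\s*:\s*(\S+)",
    "key_bits": r"^\s*Server public key is (\d+) bit",
    "verify_code": r"^\s*Verify return code:\s*(\d+)", "banner": r"^(220 .*)$",
}

def parse_s_client(text):
    """Extract the fields worth reviewing from an `openssl s_client` transcript."""
    fields = {}
    for name, pat in FIELD_PATTERNS.items():
        m = re.search(pat, text, re.M)
        if m:
            fields[name] = m.group(1).strip()
    for name in ("key_bits", "verify_code"):
        if name in fields:
            fields[name] = int(fields[name])
    return fields

def assess(fields):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if "banner" not in fields:  # openssl never reached the SMTP greeting
        findings.append("no SMTP banner: handshake did not complete")
    if fields.get("verify_code", 1) != 0:
        findings.append("certificate not verified (code %s)" % fields.get("verify_code"))
    if fields.get("subject") and fields["subject"] == fields.get("issuer"):
        findings.append("self-signed certificate: mail clients will warn or refuse")
    if fields.get("key_bits", 0) < MIN_KEY_BITS:
        findings.append("server key is only %d bits" % fields.get("key_bits", 0))
    if any(mk in fields.get("cipher", "") for mk in WEAK_CIPHER_MARKERS):
        findings.append("weak cipher negotiated: " + fields["cipher"])
    if fields.get("protocol") in LEGACY_PROTOCOLS:
        findings.append("legacy protocol negotiated: " + fields["protocol"])
    return findings
```

Run against the sample it reports five findings and no missing banner, which matches the thread: the server side handshakes fine with openssl, so the Outlook failure is on the client's side of the handshake rather than in James's TLS configuration.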




