Re: James 2.3 - TLS Connection Problem/Questions
Not exactly related but I had a similar issue with tomcat/keytool where I was calling gnu keytool and not java keytool. I'd check the output of 'which keytool' to know that you are calling the right binary.

On Oct 17, 2013 10:32 AM, Jan Drake jan.s.dr...@gmail.com wrote:

Alrighty, then. Apache james V2.3 tls support is apparently not compatible with microsoft exchange handling of tls connection management since james v2.3 doesn't support starttls.

Next, I went for trying apache james 3 beta 4 and... Voila! It supports starttls so I get a connection.

...only to find that I get an exception and find that james 3 beta 4 isn't rfc compliant, per: https://issues.apache.org/jira/browse/JAMES-1422

...now, that was... July of 2012... https://issues.apache.org/jira/browse/JAMES-1422

Although it was referenced, I can't seem to find a beta 5 and the issue above is still unresolved. I am now trying to find the snapshot for this fix that apparently went into trunk at some point.

Am I the only person trying to use apache james with tls and exchange?

Thanks for all the help and support.

Jan

-
To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org
For additional commands, e-mail: server-user-h...@james.apache.org
Re: James 2.3 - TLS Connection Problem/Questions
Thanks. Good thing to check. I used the full path to the java directory where keytool was installed: /usr/java/jdk1.7.0_40/jre/bin/keytool

Jan

On 10/17/13 10:47 AM, Adam Crinklaw acrink...@gmail.com wrote:

Not exactly related but I had a similar issue with tomcat/keytool where I was calling gnu keytool and not java keytool. I'd check the output of 'which keytool' to know that you are calling the right binary.
Re: James 2.3 - TLS Connection Problem/Questions
Look at my last post for a link to beta 5 dl...
Re: James 2.3 - TLS Connection Problem/Questions
Thanks, Robert. Not enough sleep. :)

Jan

On 10/17/13 11:20 AM, Robert Munn robert.d.m...@gmail.com wrote:

Look at my last post for a link to beta 5 dl...
RE: James 2.3 - TLS Connection Problem/Questions
Hi Jan,

I would check to make sure the unlimited strength policy files are installed. Link to Java 7 policy files below:

http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

Kind regards,
Johnny Minty

Sent from my Windows Phone

From: Jan Drake mailto:jan.s.dr...@gmail.com
Sent: 16/10/2013 6:05 p.m.
To: James Users List mailto:server-user@james.apache.org
Subject: Re: James 2.3 - TLS Connection Problem/Questions

Yeh, I get Connected(0003) -- then no response from server, nothing in log files until I close the connection. Pulling my hair out here... I never get the 250 message from the mail server. The logs don't give any indication of issues until the client cuts the connection, then it fails mid handshake.

After a lot of reading it seems like it might be a failure to select a cipher in the handshake but... Not sure.

Any and all help is greatly appreciated. Rapidly approaching a deadline.

Jan

P.S. It is a self-signed certificate -- I assume the details on the cert aren't really relevant or checked.

On 10/15/13 7:30 PM, Robert Munn robert.d.m...@gmail.com wrote:

I am using starttls in James, here is my command:

openssl s_client -connect localhost:25 -state -starttls smtp

This works for me to connect with starttls=true specified in James 3.04.

Robert

On Tue, Oct 15, 2013 at 6:29 PM, Jan Drake jan.s.dr...@gmail.com wrote:

Thanks, Robert. I did use the keytool as documented here in creating your own certificate keystore: http://james.apache.org/server/3/config-ssl-tls.html -- which I realize is for version 3 presume it holds to 2.3

keytool -genkey -alias james -keyalg RSA -keystore your_keystore_filename

...and I remember entering the passwords and entered them in the config.xml file for ssl configuration. I got this wrong initially and james wouldn't even start up. It starts up with no problem and indicates ssl is configured on the proper port.

I'm wondering if this is a tls version thing. When I connected originally I tried

openssl s_client -connect ip:port -state

Here's the results of openssl connection attempt:

[root@ip-10-167-12-205 SAR-INF]# openssl s_client -connect localhost:25 -state -tls1
CONNECTED(0003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL3 alert read:fatal:internal error
SSL_connect:failed in SSLv3 read server hello A
140461473093448:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1197:SSL alert number 80
140461473093448:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:594:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher:
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1381886891
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
[root@ip-10-167-12-205 SAR-INF]#

Without TLS1 I get:

[root@ip-10-167-12-205 SAR-INF]# openssl s_client -connect localhost:25 -state
CONNECTED(0003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL3 alert read:fatal:internal error
SSL_connect:error in SSLv2/v3 read server hello A
139934735300424:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:674:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 112 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Any help would be greatly appreciated... On a crunch here.

Jan

On 10/15/13 6:15 PM, Robert Munn robert.d.m...@gmail.com wrote:

This is a guess but I bet the private key is not in the keystore. Did you generate the cert request using keytool? If not, you will need to generate pfx file with the public and private key in it, then transform the pfx file into the keystore format, specifying that keystore as the store for James. That should do it.

Here is a discussion on Stack Overflow about the transform process.

http://stackoverflow.com/questions/4217107/how-to-convert-pfx-file-to-keystore-with-private-key

On Tue, Oct 15, 2013 at 4:06 PM, Jan Drake jan.s.dr...@gmail.com wrote:

Not sure if I should expect to get posts that I send to this list returned to me by the list? It seems to filter them out so I can't be sure they made the list.

Anyway, original message below, with some additional information from the smtpserver log:

5/10/13 21:55:04 INFO smtpserver: Connection from ip-10-144-83-143.ec2.internal
Re: James 2.3 - TLS Connection Problem/Questions
Thanks for this. No dice. -showcerts doesn't display any certs associated with the connection. How very odd...

Jan

On 10/15/13 11:09 PM, Johnny Minty joh...@minty.net.nz wrote:

Hi Jan,

I would check to make sure the unlimited strength policy files are installed. Link to Java 7 policy files below:

http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

Kind regards,
Johnny Minty

Sent from my Windows Phone
Re: James 2.3 - TLS Connection Problem/Questions
Hmm. You alluded to the keytool command in the install docs holding for James v 2.3, which I take it is what you are running. Maybe the server doesn't like the wildcard cert. If this is a self-signed cert, try generating a new one for just the domain you need for the mail server and see if the server likes that.

As an alternative, I would suggest upgrading to James Server 3 beta 5:

https://repository.apache.org/content/repositories/snapshots/org/apache/james/james-server-app/3.0.0-beta5-SNAPSHOT/james-server-app-3.0.0-beta5-20131015.104349-220-app.zip

Make sure to install the unlimited JCE per Johnny's link and the JAXB 2.1 jar per the install instructions on the James web site. I am running beta 5 now and to my view it is much improved over beta 4.

Robert

On Wed, Oct 16, 2013 at 8:38 AM, Jan Drake jan.s.dr...@gmail.com wrote:

Thanks for this. No dice. -showcerts doesn't display any certs associated with the connection. How very odd...

Jan
Re: James 2.3 - TLS Connection Problem/Questions
Thanks, Robert. I'm a bit leery about stability of V3 yet and haven't done any testing to see if my custom mailets will operate the same way they do in V2.3 -- any insight there would be helpful.

I will take your advice and regenerate the certificates. I'm currently testing with a self-signed certificate. I'm not aware of what validation checking may be done on the values I provided when generating the certificate -- wondering if there's something there it might not like. I thought with a self-signed there was very little actual validation happening (certainly no upstream certificate validation but maybe there is something else).

Appreciate your help and everyone else who is offering suggestions.

Jan

On 10/16/13 9:44 AM, Robert Munn robert.d.m...@gmail.com wrote:

Hmm. You alluded to the keytool command in the install docs holding for James v 2.3, which I take it is what you are running. Maybe the server doesn't like the wildcard cert. If this is a self-signed cert, try generating a new one for just the domain you need for the mail server and see if the server likes that.

As an alternative, I would suggest upgrading to James Server 3 beta 5:

https://repository.apache.org/content/repositories/snapshots/org/apache/james/james-server-app/3.0.0-beta5-SNAPSHOT/james-server-app-3.0.0-beta5-20131015.104349-220-app.zip

Make sure to install the unlimited JCE per Johnny's link and the JAXB 2.1 jar per the install instructions on the James web site. I am running beta 5 now and to my view it is much improved over beta 4.

Robert
Re: James 2.3 - TLS Connection Problem/Questions
Well, one problem down, one to go? TLS Connectivity now checks out at the openssl and nmap levels. I even get:

No client certificate CA names sent
---
SSL handshake has read 1666 bytes and written 278 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher: DHE-RSA-AES256-SHA
Session-ID: 525F1A02D89EB34BC3AC815A21677F7EB41C16132E1515FFA02C8E2997E0BA81
Session-ID-ctx:
Master-Key: F520C4BC8AF662AB996444D90A16058C3A8D3DA9F0DB6BF4F1F5D490D333D69C60D93ED63DAD61B140BE1ED90AE1F68E
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1381964290
Timeout : 7200 (sec)
Verify return code: 18 (self signed certificate)
---
220 ip-10-167-12-205 SMTP Server (JAMES SMTP Server 2.3.2) ready Wed, 16 Oct 2013 22:58:10 + (UTC)
EHLO ehlo test.me

...but then it just hangs... No response. Anybody seen this?

Jan

On 10/16/13 9:55 AM, Jan Drake jan.s.dr...@gmail.com wrote:

Thanks, Robert. I'm a bit leery about stability of V3 yet and haven't done any testing to see if my custom mailets will operate the same way they do in V2.3 -- any insight there would be helpful.

I will take your advice and regenerate the certificates. I'm currently testing with a self-signed certificate. I'm not aware of what validation checking may be done on the values I provided when generating the certificate -- wondering if there's something there it might not like. I thought with a self-signed there was very little actual validation happening (certainly no upstream certificate validation but maybe there is something else).

Appreciate your help and everyone else who is offering suggestions.

Jan
Re: James 2.3 - TLS Connection Problem/Questions
Curiouser and curiouser... Openssl connection testing works and I can ehlo and send email to the server using that. Exchange server connects to james and then hangs no matter what I do. Anybody ever gotten an exchange 2010 server to communicate via tls and basic auth with james 2.3? Jan On 10/16/13 9:44 AM, Robert Munn robert.d.m...@gmail.com wrote: Hmm. You alluded to the keytool command in the install docs holding for James v 2.3, which I take it is what you are running. Maybe the server doesn't like the wildcard cert. If this is a self-signed cert, try generating a new one for just the domain you need for the mail server and see if the server likes that. As an alternative, I would suggest upgrading to James Server 3 beta 5: https://repository.apache.org/content/repositories/snapshots/org/apache/ja mes/james-server-app/3.0.0-beta5-SNAPSHOT/james-server-app-3.0.0-beta5-201 31015.104349-220-app.zip Make sure to install the unlimited JCE per Johnny's link and the JAXB 2.1 jar per the install instructions on the James web site. I am running beta 5 now and to my view it is much improved over beta 4. Robert On Wed, Oct 16, 2013 at 8:38 AM, Jan Drake jan.s.dr...@gmail.com wrote: Thanks for this. No dice. -showcerts doesn't display any certs associated with the connection. How very odd... Jan On 10/15/13 11:09 PM, Johnny Minty joh...@minty.net.nz wrote: Hi Jan, I would check to make sure the unlimited strength policy files are installed. Link to Java 7 policy files below: http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-43 2 124.html Kind regards, Johnny Minty Sent from my Windows Phone From: Jan Drakemailto:jan.s.dr...@gmail.com Sent: ?16/?10/?2013 6:05 p.m. To: James Users Listmailto:server-user@james.apache.org Subject: Re: James 2.3 - TLS Connection Problem/Questions Yeh, I get Connected(0003) -- then no response from server, nothing in log files until I close the connection. Pulling my hair out here... 
I never get the 250 message from the mail server. The logs don't give any indication of issues until the client cuts the connection, then it fails mid handshake. After a lot of reading it seems like it might be a failure to select a cipher in the handshake but... Not sure. Any and all help is greatly appreciated. Rapidly approaching a deadline. Jan P.S. It is a self-signed certificate -- I assume the details on the cert aren't really relevant or checked. On 10/15/13 7:30 PM, Robert Munn robert.d.m...@gmail.com wrote: I am using starttls in James, here is my command: openssl s_client -connect localhost:25 -state -starttls smtp This works for me to connect with starttls=true specified in James 3.04. Robert On Tue, Oct 15, 2013 at 6:29 PM, Jan Drake jan.s.dr...@gmail.com wrote: Thanks, Robert. I did use the keytool as documented here in creating your own certificate keystore: http://james.apache.org/server/3/config-ssl-tls.html -- which I realize is for version 3 presume it holds to 2.3 keytool -genkey -alias james -keyalg RSA -keystore your_keystore_filename ...and I remember entering the passwords and entered them in the config.xml file for ssl configuration. I got this wrong initially and james wouldn't even start up. It starts up with no problem and indicates ssl is configured on the proper port. I'm wondering if this is a tls version thing. 
When I connected originally I tried

openssl s_client -connect ip:port -state

Here's the results of openssl connection attempt:

[root@ip-10-167-12-205 SAR-INF]# openssl s_client -connect localhost:25 -state -tls1
CONNECTED(0003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL3 alert read:fatal:internal error
SSL_connect:failed in SSLv3 read server hello A
140461473093448:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1197:SSL alert number 80
140461473093448:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:594:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher:
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1381886891
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
[root@ip-10-167-12-205 SAR-INF]#

Without TLS1 I get:

[root@ip-10-167-12-205 SAR-INF]# openssl s_client -connect localhost:25 -state
CONNECTED(0003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write
Re: James 2.3 - TLS Connection Problem/Questions
Okay... I think I may have found it and, if I'm right, it isn't pretty.

With UseTLS enabled on an smtpserver in james 2.3 it looks like the following is true:

- it doesn't advertise starttls and expects TLS to have been initiated as part of the initial connection to, say, port 465
- it doesn't respond to -starttls smtp via openssl which seems to confirm this

Which seems to leave me with the option of using another smtp server to interact with an exchange server that sends tls, or to somehow determine if james 2.3 can use mutually authenticated tls (via certificate) which means I need to get the owner of the exchange server to install my certificate on their box(es). That seems insane...

Thoughts?

Jan

P.S. Alternatively, we have a problem that is completely orthogonal to my view of the issues. :)

On 10/16/13 7:53 PM, Jan Drake jan.s.dr...@gmail.com wrote:

Curiouser and curiouser...

Openssl connection testing works and I can ehlo and send email to the server using that.

Exchange server connects to james and then hangs no matter what I do.

Anybody ever gotten an exchange 2010 server to communicate via tls and basic auth with james 2.3?

Jan

On 10/16/13 9:44 AM, Robert Munn robert.d.m...@gmail.com wrote:

Hmm. You alluded to the keytool command in the install docs holding for James v 2.3, which I take it is what you are running. Maybe the server doesn't like the wildcard cert. If this is a self-signed cert, try generating a new one for just the domain you need for the mail server and see if the server likes that.

As an alternative, I would suggest upgrading to James Server 3 beta 5:

https://repository.apache.org/content/repositories/snapshots/org/apache/james/james-server-app/3.0.0-beta5-SNAPSHOT/james-server-app-3.0.0-beta5-20131015.104349-220-app.zip

Make sure to install the unlimited JCE per Johnny's link and the JAXB 2.1 jar per the install instructions on the James web site. I am running beta 5 now and to my view it is much improved over beta 4.
Robert

On Wed, Oct 16, 2013 at 8:38 AM, Jan Drake jan.s.dr...@gmail.com wrote:

Thanks for this. No dice. -showcerts doesn't display any certs associated with the connection. How very odd...

Jan

On 10/15/13 11:09 PM, Johnny Minty joh...@minty.net.nz wrote:

Hi Jan,

I would check to make sure the unlimited strength policy files are installed. Link to Java 7 policy files below:

http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html

Kind regards,
Johnny Minty

Sent from my Windows Phone

From: Jan Drake mailto:jan.s.dr...@gmail.com
Sent: 16/10/2013 6:05 p.m.
To: James Users List mailto:server-user@james.apache.org
Subject: Re: James 2.3 - TLS Connection Problem/Questions

Yeh, I get Connected(0003) -- then no response from server, nothing in log files until I close the connection. Pulling my hair out here...

I never get the 250 message from the mail server. The logs don't give any indication of issues until the client cuts the connection, then it fails mid handshake.

After a lot of reading it seems like it might be a failure to select a cipher in the handshake but... Not sure.

Any and all help is greatly appreciated. Rapidly approaching a deadline.

Jan

P.S. It is a self-signed certificate -- I assume the details on the cert aren't really relevant or checked.

On 10/15/13 7:30 PM, Robert Munn robert.d.m...@gmail.com wrote:

I am using starttls in James, here is my command:

openssl s_client -connect localhost:25 -state -starttls smtp

This works for me to connect with starttls=true specified in James 3.04.

Robert

On Tue, Oct 15, 2013 at 6:29 PM, Jan Drake jan.s.dr...@gmail.com wrote:

Thanks, Robert.
I did use the keytool as documented here in creating your own certificate keystore:

http://james.apache.org/server/3/config-ssl-tls.html

-- which I realize is for version 3 presume it holds to 2.3

keytool -genkey -alias james -keyalg RSA -keystore your_keystore_filename

...and I remember entering the passwords and entered them in the config.xml file for ssl configuration. I got this wrong initially and james wouldn't even start up. It starts up with no problem and indicates ssl is configured on the proper port.

I'm wondering if this is a tls version thing.

When I connected originally I tried

openssl s_client -connect ip:port -state

Here's the results of openssl connection attempt:

[root@ip-10-167-12-205 SAR-INF]# openssl s_client -connect localhost:25 -state -tls1
CONNECTED(0003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL3 alert read:fatal:internal error
SSL_connect:failed in SSLv3 read server hello A
140461473093448:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1197:SSL alert number 80
140461473093448:error:1409E0E5:SSL
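Added example, not part of the original thread or of James: a small Python probe for the behaviour described in the message above (a listener that never advertises STARTTLS and expects TLS from the first byte), which also decodes the 7-byte alert reported in the openssl output. The function names, `probe.example` and the sample record (including its version bytes) are constructed for illustration.

```python
import socket

# TLS record content types (first byte of every TLS record).
TLS_ALERT, TLS_HANDSHAKE = 0x15, 0x16
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}


def parse_tls_alert(record: bytes):
    """Decode one unencrypted TLS alert record: 5-byte header + 2-byte body."""
    if len(record) < 7 or record[0] != TLS_ALERT:
        return None
    if int.from_bytes(record[3:5], "big") != 2:
        return None  # not a plain 2-byte alert body
    level, code = record[5], record[6]
    return ALERT_LEVELS.get(level, "unknown"), ALERT_NAMES.get(code, "other"), code


def advertises_starttls(ehlo_reply: bytes) -> bool:
    """True if a 250 EHLO reply lists the STARTTLS extension keyword."""
    for line in ehlo_reply.split(b"\r\n"):
        if line[:3] == b"250" and line[4:].strip().upper() == b"STARTTLS":
            return True
    return False


def classify(first_bytes: bytes, ehlo_reply: bytes = b"") -> str:
    """Name the TLS mode implied by what the server sent to a plaintext client."""
    if not first_bytes:
        # No 220 banner: the listener may be waiting for a ClientHello.
        return "no banner (implicit TLS?)"
    if first_bytes[0] in (TLS_ALERT, TLS_HANDSHAKE):
        return "tls record"
    if first_bytes.startswith(b"220"):
        if advertises_starttls(ehlo_reply):
            return "plaintext with STARTTLS"
        return "plaintext, no STARTTLS"
    return "unknown"


def read_reply(sock: socket.socket) -> bytes:
    """Read one SMTP reply; its last line has no '-' after the 3-digit code."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            return buf
        buf += chunk
        lines = buf.split(b"\r\n")
        if buf.endswith(b"\r\n") and lines[-2][3:4] != b"-":
            return buf


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect as a plaintext SMTP client and classify the listener."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            banner = read_reply(sock)
        except socket.timeout:
            return classify(b"")  # server stayed silent, as in the hang above
        if not banner.startswith(b"220"):
            return classify(banner)
        sock.sendall(b"EHLO probe.example\r\n")
        try:
            return classify(banner, read_reply(sock))
        except socket.timeout:
            return classify(banner)


# Constructed sample: a 7-byte record consistent with "read 7 bytes" / "alert number 80".
SAMPLE_ALERT = bytes.fromhex("15030100020250")
```

Run `probe("localhost", 25)` against your own server: a "no banner" result means a STARTTLS-only sender will wait for a 220 greeting that never comes.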
Re: James 2.3 - TLS Connection Problem/Questions
This is a guess but I bet the private key is not in the keystore. Did you generate the cert request using keytool? If not, you will need to generate pfx file with the public and private key in it, then transform the pfx file into the keystore format, specifying that keystore as the store for James. That should do it.

Here is a discussion on Stack Overflow about the transform process.

http://stackoverflow.com/questions/4217107/how-to-convert-pfx-file-to-keystore-with-private-key

On Tue, Oct 15, 2013 at 4:06 PM, Jan Drake jan.s.dr...@gmail.com wrote:

Not sure if I should expect to get posts that I send to this list returned to me by the list? It seems to filter them out so I can't be sure they made the list.

Anyway, original message below, with some additional information from the smtpserver log:

5/10/13 21:55:04 INFO smtpserver: Connection from ip-10-144-83-143.ec2.internal (10.144.83.143)
15/10/13 22:05:04 ERROR smtpserver: Socket to ip-10-144-83-143.ec2.internal (10.144.83.143) timeout.
java.net.SocketTimeoutException: Read timed out
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.read(SocketInputStream.java:152)
at java.net.SocketInputStream.read(SocketInputStream.java:122)
at sun.security.ssl.InputRecord.readFully(InputRecord.java:442)
at sun.security.ssl.InputRecord.read(InputRecord.java:480)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:882)
at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
at java.io.BufferedInputStream.read(BufferedInputStream.java:254)
at org.apache.james.util.CRLFTerminatedReader.read(CRLFTerminatedReader.java:153)
at org.apache.james.util.CRLFTerminatedReader.readLine(CRLFTerminatedReader.java:113)
at org.apache.james.smtpserver.SMTPHandler.readCommandLine(SMTPHandler.java:751)
at org.apache.james.smtpserver.SMTPHandler.handleConnection(SMTPHandler.java:372)
at org.apache.james.util.connection.ServerConnection$ClientConnectionRunner.run(ServerConnection.java:432)
at org.apache.excalibur.thread.impl.ExecutableRunnable.execute(ExecutableRunnable.java:55)
at org.apache.excalibur.thread.impl.WorkerThread.run(WorkerThread.java:116)

Additionally... the exchange server attempting to connect is showing no errors in the protocol log just continuous attempts to connect.

Any thoughts?
Jan

-- Forwarded message --
From: Jan Drake jan.s.dr...@gmail.com
Date: Tue, Oct 15, 2013 at 8:17 AM
Subject: James 2.3 - TLS Connection Problem/Questions
To: James Users List server-user@james.apache.org

After following the instructions I could find on generating a key and configuring TLS/SSL for SMTP in James 2.3, I encountered no configuration errors in logs; however, every time I try to connect to the port securely the connection hangs and, eventually, the server log shows an error and claims connection termination from the client.

I'm wondering if I've missed something. Firewalls are totally open... the connection establishes but hangs.

And, the other question I have is... given a CSR for a cert for a domain, in this case wildcard, what's the best type of cert to request for use with James 2.3?

Apache2
Apache+OpenSSL
Apache+ApacheSSL
... or?

Thanks,

Jan
Re: James 2.3 - TLS Connection Problem/Questions
I am using starttls in James, here is my command:

openssl s_client -connect localhost:25 -state -starttls smtp

This works for me to connect with starttls=true specified in James 3.04.

Robert

On Tue, Oct 15, 2013 at 6:29 PM, Jan Drake jan.s.dr...@gmail.com wrote:

Thanks, Robert.

I did use the keytool as documented here in creating your own certificate keystore:

http://james.apache.org/server/3/config-ssl-tls.html

-- which I realize is for version 3 presume it holds to 2.3

keytool -genkey -alias james -keyalg RSA -keystore your_keystore_filename

...and I remember entering the passwords and entered them in the config.xml file for ssl configuration. I got this wrong initially and james wouldn't even start up. It starts up with no problem and indicates ssl is configured on the proper port.

I'm wondering if this is a tls version thing.

When I connected originally I tried

openssl s_client -connect ip:port -state

Here's the results of openssl connection attempt:

[root@ip-10-167-12-205 SAR-INF]# openssl s_client -connect localhost:25 -state -tls1
CONNECTED(0003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL3 alert read:fatal:internal error
SSL_connect:failed in SSLv3 read server hello A
140461473093448:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1197:SSL alert number 80
140461473093448:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:594:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher:
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1381886891
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
[root@ip-10-167-12-205 SAR-INF]#

Without TLS1 I get:

[root@ip-10-167-12-205 SAR-INF]# openssl s_client -connect localhost:25 -state
CONNECTED(0003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL3 alert read:fatal:internal error
SSL_connect:error in SSLv2/v3 read server hello A
139934735300424:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:674:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 112 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Any help would be greatly appreciated... On a crunch here.

Jan

On 10/15/13 6:15 PM, Robert Munn robert.d.m...@gmail.com wrote:

This is a guess but I bet the private key is not in the keystore. Did you generate the cert request using keytool? If not, you will need to generate pfx file with the public and private key in it, then transform the pfx file into the keystore format, specifying that keystore as the store for James. That should do it.

Here is a discussion on Stack Overflow about the transform process.

http://stackoverflow.com/questions/4217107/how-to-convert-pfx-file-to-keystore-with-private-key

On Tue, Oct 15, 2013 at 4:06 PM, Jan Drake jan.s.dr...@gmail.com wrote:

Not sure if I should expect to get posts that I send to this list returned to me by the list? It seems to filter them out so I can't be sure they made the list.

Anyway, original message below, with some additional information from the smtpserver log:

5/10/13 21:55:04 INFO smtpserver: Connection from ip-10-144-83-143.ec2.internal (10.144.83.143)
15/10/13 22:05:04 ERROR smtpserver: Socket to ip-10-144-83-143.ec2.internal (10.144.83.143) timeout.
java.net.SocketTimeoutException: Read timed out
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.read(SocketInputStream.java:152)
at java.net.SocketInputStream.read(SocketInputStream.java:122)
at sun.security.ssl.InputRecord.readFully(InputRecord.java:442)
at sun.security.ssl.InputRecord.read(InputRecord.java:480)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:927)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:882)
at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
at java.io.BufferedInputStream.read(BufferedInputStream.java:254)
at org.apache.james.util.CRLFTerminatedReader.read(CRLFTerminatedReader.java:153)
at org.apache.james.util.CRLFTerminatedReader.readLine(CRLFTerminatedReader.java:113)
Re: James 2.3 - TLS Connection Problem/Questions
Yeh, I get Connected(0003) -- then no response from server, nothing in log files until I close the connection. Pulling my hair out here...

I never get the 250 message from the mail server. The logs don't give any indication of issues until the client cuts the connection, then it fails mid handshake.

After a lot of reading it seems like it might be a failure to select a cipher in the handshake but... Not sure.

Any and all help is greatly appreciated. Rapidly approaching a deadline.

Jan

P.S. It is a self-signed certificate -- I assume the details on the cert aren't really relevant or checked.

On 10/15/13 7:30 PM, Robert Munn robert.d.m...@gmail.com wrote:

I am using starttls in James, here is my command:

openssl s_client -connect localhost:25 -state -starttls smtp

This works for me to connect with starttls=true specified in James 3.04.

Robert

On Tue, Oct 15, 2013 at 6:29 PM, Jan Drake jan.s.dr...@gmail.com wrote:

Thanks, Robert.

I did use the keytool as documented here in creating your own certificate keystore:

http://james.apache.org/server/3/config-ssl-tls.html

-- which I realize is for version 3 presume it holds to 2.3

keytool -genkey -alias james -keyalg RSA -keystore your_keystore_filename

...and I remember entering the passwords and entered them in the config.xml file for ssl configuration. I got this wrong initially and james wouldn't even start up. It starts up with no problem and indicates ssl is configured on the proper port.

I'm wondering if this is a tls version thing.
When I connected originally I tried

openssl s_client -connect ip:port -state

Here's the results of openssl connection attempt:

[root@ip-10-167-12-205 SAR-INF]# openssl s_client -connect localhost:25 -state -tls1
CONNECTED(0003)
SSL_connect:before/connect initialization
SSL_connect:SSLv3 write client hello A
SSL3 alert read:fatal:internal error
SSL_connect:failed in SSLv3 read server hello A
140461473093448:error:14094438:SSL routines:SSL3_READ_BYTES:tlsv1 alert internal error:s3_pkt.c:1197:SSL alert number 80
140461473093448:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:594:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher:
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1381886891
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
[root@ip-10-167-12-205 SAR-INF]#

Without TLS1 I get:

[root@ip-10-167-12-205 SAR-INF]# openssl s_client -connect localhost:25 -state
CONNECTED(0003)
SSL_connect:before/connect initialization
SSL_connect:SSLv2/v3 write client hello A
SSL3 alert read:fatal:internal error
SSL_connect:error in SSLv2/v3 read server hello A
139934735300424:error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error:s23_clnt.c:674:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 112 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---

Any help would be greatly appreciated... On a crunch here.

Jan

On 10/15/13 6:15 PM, Robert Munn robert.d.m...@gmail.com wrote:

This is a guess but I bet the private key is not in the keystore. Did you generate the cert request using keytool?
If not, you will need to generate pfx file with the public and private key in it, then transform the pfx file into the keystore format, specifying that keystore as the store for James. That should do it.

Here is a discussion on Stack Overflow about the transform process.

http://stackoverflow.com/questions/4217107/how-to-convert-pfx-file-to-keystore-with-private-key

On Tue, Oct 15, 2013 at 4:06 PM, Jan Drake jan.s.dr...@gmail.com wrote:

Not sure if I should expect to get posts that I send to this list returned to me by the list? It seems to filter them out so I can't be sure they made the list.

Anyway, original message below, with some additional information from the smtpserver log:

5/10/13 21:55:04 INFO smtpserver: Connection from ip-10-144-83-143.ec2.internal (10.144.83.143)
15/10/13 22:05:04 ERROR smtpserver: Socket to ip-10-144-83-143.ec2.internal (10.144.83.143) timeout.

java.net.SocketTimeoutException: Read timed out
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.read(SocketInputStream.java:152)
at java.net.SocketInputStream.read(SocketInputStream.java:122)
at sun.security.ssl.InputRecord.readFully(InputRecord.java:442)
at