[ https://issues.apache.org/jira/browse/JAMES-3645?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Benoit Tellier closed JAMES-3645. --------------------------------- Fix Version/s: 3.7.0 Resolution: Fixed https://github.com/apache/james-project/pull/632 fixed this. > RemoteDelivery sslEnable parameter have no effect > ------------------------------------------------- > > Key: JAMES-3645 > URL: https://issues.apache.org/jira/browse/JAMES-3645 > Project: James Server > Issue Type: Improvement > Reporter: Benoit Tellier > Priority: Major > Fix For: 3.7.0 > > Time Spent: 1h 10m > Remaining Estimate: 0h > > h3. Description > As an administrator I wish to secure my outgoing emails using SSL (SMTPS on > port 465), and default to SMTP on port 25 (where STARTTLS can be used > opportunistically). > This need is a recurring one for Gitter users (often asked, known for years > to be buggy). > h3. Setting up test James servers > I did write a simple docker-compose.yml file to experiment this: > {code:java} > version: '3' > services: > james1: > image: apache/james:memory-latest > container_name: james1 > hostname: james1 > volumes: > - $PWD/keystore:/root/conf/keystore > james2: > image: apache/james:memory-latest > container_name: james2 > hostname: james2 > volumes: > - $PWD/keystore:/root/conf/keystore > {code} > I do embed two RcptHooks to diagnose where remoteDelivery connects on james2: > {code:java} > package org.apache.james; > import org.apache.james.core.MailAddress; > import org.apache.james.core.MaybeSender; > import org.apache.james.protocols.smtp.SMTPSession; > import org.apache.james.protocols.smtp.hook.HookResult; > import org.apache.james.protocols.smtp.hook.RcptHook; > public class SoutRcptHook implements RcptHook { > @Override > public HookResult doRcpt(SMTPSession session, MaybeSender sender, > MailAddress rcpt) { > System.out.println(" <---> SSL activated: " + > sender.asPrettyString() + " sends a message securely to " + rcpt.asString()); > return HookResult.DECLINED; > } > {code} > And > {code:java} > package org.apache.james; > import org.apache.james.core.MailAddress; > import org.apache.james.core.MaybeSender; > import org.apache.james.protocols.smtp.SMTPSession; > import org.apache.james.protocols.smtp.hook.HookResult; > import org.apache.james.protocols.smtp.hook.RcptHook; > public class NoSSLRcptHook implements RcptHook { > @Override > public HookResult doRcpt(SMTPSession session, MaybeSender sender, > MailAddress rcpt) { > System.out.println(" <---> NO SSL: " + sender.asPrettyString() + " > sends a message securely to " + rcpt.asString()); > return HookResult.DECLINED; > } > } > {code} > Which then ellows configuring the SMTP server: > {code:java} > <smtpservers> > <smtpserver enabled="true"> > <jmxName>smtpserver-global</jmxName> > <bind>0.0.0.0:25</bind> > <tls socketTLS="false" startTLS="true"> > <keystore>file://conf/keystore</keystore> > <secret>james72laBalle</secret> > > <provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider> > <algorithm>SunX509</algorithm> > </tls> > <smtpGreeting>Apache JAMES awesome SMTP Server</smtpGreeting> > <handlerchain> > <handler > class="org.apache.james.smtpserver.CoreCmdHandlerLoader"/> > <handler class="org.apache.james.NoSSLRcptHook"/> > </handlerchain> > </smtpserver> > <smtpserver enabled="true"> > <jmxName>smtpserver-TLS</jmxName> > <bind>0.0.0.0:465</bind> > <tls socketTLS="true" startTLS="false"> > <keystore>file://conf/keystore</keystore> > <secret>james72laBalle</secret> > > <provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider> > <algorithm>SunX509</algorithm> > </tls> > <smtpGreeting>Apache JAMES awesome SMTP Server</smtpGreeting> > <handlerchain> > <handler > class="org.apache.james.smtpserver.CoreCmdHandlerLoader"/> > <handler class="org.apache.james.SoutRcptHook"/> > </handlerchain> > </smtpserver> > </smtpservers> > {code} > We then can review logs to know which port was eventually used to receive > emails (smtp logs also tells us if STARTTLS is used). > I expect `sslEnable` parameter to govern this opportunistic SSL connection. > Thus RemoteDelivery configuration looks like this: > {code:java} > <processor state="relay" enableJmx="true"> > <mailet match="All" class="RemoteDelivery"> > <outgoingQueue>outgoing</outgoingQueue> > <bounceProcessor>bounces</bounceProcessor> > <debug>true</debug> > <mail.smtp.ssl.trust>*</mail.smtp.ssl.trust> > <sslEnable>true</sslEnable> > <startTLS>true</startTLS> > </mailet> > </processor> > {code} > We then can create some test data and send a mail from james1 to james2: > {code:java} > docker-compose up -d > docker exec james1 james-cli adddomain james1 > docker exec james2 james-cli adddomain james2 > docker exec james1 james-cli adduser bob@james1 123456 > docker exec james2 james-cli adduser bob@james2 123456 > docker inspect james1 > telnet [james1] 25 > auth login > Ym9iQGphbWVzMQ== > MTIzNDU2 > ehlo james1 > mail from: <bob@james1> > rcpt to: <bob@james2> > data > Subject: rueooerwbwerb > veriobwerobwerbr > rwebeberber > . > {code} > Will generate james1 to remote-deliver a mail to james2, and we can in the > process diagnose the remote delivery behaviour between the two. > h3. Actual behaviour > james1 attepts an SSL connection on port 25: > {code:java} > james1 | 06:56:43.405 [DEBUG] o.a.j.t.m.r.d.MailDelivrer - Could not > connect to SMTP host: 172.30.0.2, port: 25 > james1 | javax.net.ssl.SSLException: Unsupported or unrecognized SSL > message > james1 | at > java.base/sun.security.ssl.SSLSocketInputRecord.handleUnknownRecord(SSLSocketInputRecord.java:451) > james1 | at > java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:175) > james1 | at > java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:110) > james1 | at > java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1418) > james1 | at > java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1324) > james1 | at > java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440) > james1 | at > java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411) > james1 | at > com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:626) > james1 | at > com.sun.mail.util.SocketFetcher.createSocket(SocketFetcher.java:400) > james1 | at > com.sun.mail.util.SocketFetcher.getSocket(SocketFetcher.java:238) > james1 | at > com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:2175) > james1 | at > com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:740) > {code} > And james2 do not recognizes the commands: > {code:java} > james2 | 06:56:43.410 [DEBUG] o.a.j.p.a.h.CommandDispatcher - > org.apache.james.protocols.api.handler.CommandDispatcher received: > ZVVF�������E�F�8T�E'F��LO��#��� > james2 | 06:56:43.411 [DEBUG] o.a.j.p.a.h.CommandDispatcher - Lookup > command handler for command: ZVVF�������E�F�8T�E'F��LO��#��� > james2 | 06:56:43.437 [DEBUG] o.a.j.p.a.h.CommandHandlerResultLogger - > org.apache.james.protocols.smtp.core.UnknownCmdHandler: [500 5.5.1 Command > ZVVF�������E�F�8T�E'F��LO��#��� unrecognized.] > james2 | 06:56:43.441 [DEBUG] o.a.j.p.a.h.CommandDispatcher - > org.apache.james.protocols.api.handler.CommandDispatcher received: > �5��98�#�'<�%�)G@� �/��32�� > james2 | 06:56:43.442 [DEBUG] o.a.j.p.a.h.CommandDispatcher - Lookup > command handler for command: �5��98�#�'<�%�)G@� �/��32�� > james2 | 06:56:43.442 [DEBUG] o.a.j.p.a.h.CommandHandlerResultLogger - > org.apache.james.protocols.smtp.core.UnknownCmdHandler: [500 5.5.1 Command > �5��98�#�'<�%�)G@� �/��32�� unrecognized.] > james2 | 06:56:43.443 [DEBUG] o.a.j.p.a.h.CommandDispatcher - > org.apache.james.protocols.api.handler.CommandDispatcher received: ,* > james2 | 06:56:43.443 [DEBUG] o.a.j.p.a.h.CommandDispatcher - Lookup > command handler for command: ,* > {code} > h3. Expected behaviour > We expect the mail to be sent over SSL. > We expect that if the target host do not support SSL on port 465 that we > fallback to SMTP on port 25, and use STARTTLS. > h3. Interesting notice > * MXHostAddressIterator is adding the protocol (smtp VS smtps) and the port > (25 VS 465). While setting these values according to SMTPS & 465 SSL is > correctly performed. > The management of the fallback behavior however requires a fallback host > address to be generated (SMTP + 25 after the SMTPS one), and also requires > handling down the line in MailDelivrerToHost (use of two sessions, one for > SMTP, one for SMTPS). > * The use of self signed certificates for the distant server when using > remoteDelivery : > {code:java} > <jvmFlag>-Djavax.net.ssl.trustStore=/root/conf/keystore</jvmFlag> > {code} > * Fallback can be tested by disactivating the SSL SMTP port: > {code:java} > <smtpservers> > <smtpserver enabled="true"> > <jmxName>smtpserver-global</jmxName> > <bind>0.0.0.0:25</bind> > <tls socketTLS="false" startTLS="true"> > <keystore>file://conf/keystore</keystore> > <secret>james72laBalle</secret> > > <provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider> > <algorithm>SunX509</algorithm> > </tls> > <smtpGreeting>Apache JAMES awesome SMTP Server</smtpGreeting> > <handlerchain> > <handler > class="org.apache.james.smtpserver.fastfail.ValidRcptHandler"/> > <handler > class="org.apache.james.smtpserver.CoreCmdHandlerLoader"/> > <handler class="org.apache.james.NoSSLRcptHook"/> > </handlerchain> > </smtpserver> > <smtpserver enabled="false"> > <jmxName>smtpserver-TLS</jmxName> > <bind>0.0.0.0:465</bind> > <tls socketTLS="true" startTLS="false"> > <keystore>file://conf/keystore</keystore> > <secret>james72laBalle</secret> > > <provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider> > <algorithm>SunX509</algorithm> > </tls> > <smtpGreeting>Apache JAMES awesome SMTP Server</smtpGreeting> > <handlerchain> > <handler > class="org.apache.james.smtpserver.fastfail.ValidRcptHandler"/> > <handler > class="org.apache.james.smtpserver.CoreCmdHandlerLoader"/> > <handler class="org.apache.james.SoutRcptHook"/> > </handlerchain> > </smtpserver> > </smtpservers> > {code} -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org For additional commands, e-mail: server-dev-h...@james.apache.org