Re: looking for a complete TLS reference configuration

Mon, 13 Jun 2011 11:09:35 -0700 

Thank you, Norman

That worked for me as well.
I will do some more comparing between this and what I was trying to hopefully resolve where the problem was -- right now I'm thinking I was either launching from the wrong directory ("james/bin" rather than "james") or perhaps there was something wrong with my keystore file (mine was signed by a CA). I should be able to confirm which within the next day or two.
Now I can get back to Eric to see what works for running SMTP on both 25 and 465. 

-Dwayne

On 6/9/2011 02:34 PM, Norman Maurer wrote:

Sorry Dwayne for been so late.

This works for me...

# keytool -genkey -alias james -keyalg RSA -keystore
/path/to/james/conf/keystore
... (use the same password as in smtpserver.xml)

smtpserver.xml:


<!--
   Licensed to the Apache Software Foundation (ASF) under one
   or more contributor license agreements.  See the NOTICE file
   distributed with this work for additional information
   regarding copyright ownership.  The ASF licenses this file
   to you under the Apache License, Version 2.0 (the
   "License"); you may not use this file except in compliance
   with the License.  You may obtain a copy of the License at

     http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing,
   software distributed under the License is distributed on an
   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
   KIND, either express or implied.  See the License for the
   specific language governing permissions and limitations
   under the License.
  -->

<!-- See http://james.apache.org/server/3/config.html for usage -->

<smtpserver enabled="true">
   <bind>0.0.0.0:465</bind>
   <connectionBacklog>200</connectionBacklog>
   <tls socketTLS="true" startTLS="false">
         <keystore>file://conf/keystore</keystore>
         <secret>password</secret>
         <provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
   </tls>
   <connectiontimeout>360</connectiontimeout>
   <connectionLimit>  0</connectionLimit>
   <connectionLimitPerIP>  0</connectionLimitPerIP>
   <authorizedAddresses>127.0.0.0/8</authorizedAddresses>
   <authRequired>true</authRequired>
   <verifyIdentity>true</verifyIdentity>
   <maxmessagesize>0</maxmessagesize>
   <addressBracketsEnforcement>true</addressBracketsEnforcement>
   <handlerchain enableJmx="true">
     <handler class="org.apache.james.smtpserver.fastfail.ValidRcptHandler"/>
     <handler class="org.apache.james.smtpserver.CoreCmdHandlerLoader"/>
   </handlerchain>
</smtpserver>


norman-maurers-macbook-pro:~ norman$ /usr/bin/openssl s_client -quiet
-connect localhost:465
depth=0 /C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown
verify return:1
220 192.168.0.208 SMTP Server (JAMES SMTP Server) ready Thu, 9 Jun
2011 20:31:07 +0200 (CEST)


The tests were made after I just untarred the release..

Hope it helps,
Norman

2011/6/6 Dwayne Nelson<[email protected]>:

Great, thanks!  I will look out for it.  Please also let me know which build
it corresponds to -- the main page suggests 3.0-M3 has released but
currently still provides the link for M2 only.

-Dwayne

On 6/4/2011 10:57 AM, Norman Maurer wrote:

Imn currently on-the-road butI will try to provide you one later today.

Bye
Norman

Am Samstag, 4. Juni 2011 schrieb Dwayne Nelson<[email protected]>:

Does anyone have a working sample configuration for TLS (complete with a
sample keystore and corresponding smtpserver.xml) that they wouldn't mind
sharing?

I am not able to tell what is not working with mine -- I only know that
james will shut down after a few seconds and it never answers on part 465.
  I feel like it would be a lot easier to customize the configuration if I
was able to successfully launch using a reference TLS configuration.

-Dwane

On 06/03/2011 07:15 AM, Dwayne Nelson wrote:

So I tried TLS on 465 using the existing smtpserver.xml file by added the
TLS block and had a similar result (James exits without warning or error).
  In this case the only changes I made to the default configuration were the
following:

(1) Added james.keystore to james/conf and

(2) Added the TLS block to smtpserver.xml

(3) Commented out the setting for authorizedAddresses

full config file below:

<smtpserver enabled="true">
<bind>0.0.0.0:465</bind>
<connectionBacklog>200</connectionBacklog>
<tls socketTLS="true" startTLS="false">
<keystore>file://conf/james.keystore</keystore>
<secret>password</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
</tls>
<connectiontimeout>360</connectiontimeout>
<connectionLimit>    0</connectionLimit>
<connectionLimitPerIP>    0</connectionLimitPerIP>

<!--
<authorizedAddresses>127.0.0.0/8</authorizedAddresses>
-->

<authRequired>true</authRequired>
<verifyIdentity>true</verifyIdentity>
<maxmessagesize>0</maxmessagesize>
<addressBracketsEnforcement>true</addressBracketsEnforcement>
<handlerchain enableJmx="true">
<handler class="org.apache.james.smtpserver.fastfail.ValidRcptHandler"/>
<handler class="org.apache.james.smtpserver.CoreCmdHandlerLoader"/>
</handlerchain>
</smtpserver>

If this configuration is working for others, there might be something
wrong with my keystore file.  But if that was the case, I would hope to see
some sort of error message.

-Dwayne

On 05/27/2011 05:36 AM, Eric Charles wrote:

Hi,

The multiport is for now a hack with the spring definitions.
Before this, may I ask you if you succeed to make it work with a single
encrypted port. The procedure on [1] should work (no need for
sunjce_provider.jar).

If single port works, we can review the multiport (there may be changes
in spring since last time we tried it).

Tks,
Eric

[1]
http://people.apache.org/~eric/james/20110517/site/config-ssl-tls.html

On 26/05/2011 22:26, Dwayne Nelson wrote:

I did try using a later snapshot and the behavior was the same. When I
changed the debugging level, I did not notice any errors associated with
the new smtpserver-ssl section. Instead, I noted exception thrown
relating to jackrabbit. Is there a how-to/quick-start guide covering
multi-port (25/465) smtp servers?

  From a new installation, here are the steps that I am taking:

(1) copy sunjce_provider.jar to james/lib (if it isn't already there)

I've also had to do a chmod a-x james/bin/wrapper-linux-x86-32 to
prevent an error (I'm running on Natty 64-bit)

(2) modify james/conf/context/james-server-context.xml to add a section
for smtpserver-ssl (right after the section for smtpserver). Here is the
full text of what I add:

<!--
SMTP Server SSL
-->
<bean id="smtpserver-ssl"
class="org.apache.james.smtpserver.netty.SMTPServer">
<property name="protocolHandlerChain"
ref="smtpProtocolHandlerChain-ssl"/>
</bean>
<bean id="smtpProtocolHandlerChain-ssl"

class="org.apache.james.container.spring.bean.postprocessor.ProtocolHandlerChainPostProcessor">

<property name="coreHandlersPackage"
value="org.apache.james.smtpserver.CoreCmdHandlerLoader"/>
<property name="beanName" value="smtpserver-ssl"/>
</bean>

(3) add smtpserver-ssl.xml to james/conf (with appropriate password and
configured for socketTLS) -- there is already a file for port 25. Here
are the contents of my new file:

<smtpserver enabled="true">
<bind>0.0.0.0:465</bind>
<connectionBacklog>200</connectionBacklog>
<tls socketTLS="true" startTLS="false">
<keystore>file://conf/james.keystore></keystore>
<secret>thisisnotreallymysecretpassword</secret>
<provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
</tls>
<jmxName>smtpserver-ssl</jmxName>
<handler>
<helloName autodetect="false">localhost.tld</helloName>
<connectiontimeout>360</connectiontimeout>
<connectionLimit>    0</connectionLimit>
<connectionLimitPerIP>    0</connectionLimitPerIP>
<authRequired>true</authRequired>
<maxmessagesize>0</maxmessagesize>
<addressBracketsEnforcement>true</addressBracketsEnforcement>
<handlerchain>
<handler class="org.apache.james.smtpserver.fastfail.ValidRcptHandler" />
<handler class="org.apache.james.smtpserver.CoreCmdHandlerLoader" />
</handlerchain>
</handler>
</smtpserver>

(4) add james.keystore to james/conf

I'm pretty sure that's all I'm doing. Have I omitted something obvious?

-Dwayne

On 5/25/2011 10:40 AM, Eric Charles wrote:

Hi,

Sorry, seems like your last mail was unanswered.

Let us know the results, but latest snapshot should not change the
behavior on that level. You should see some exceptions in
james-server.log (you can change the debugging level if needed in
log4j.properties)

Tks,
- Eric

On 25/05/2011 16:11, Dwayne Nelson wrote:

I will try a newer snapshot today and see if that solves the problem.

On 5/23/2011 07:13 PM, Dwayne Nelson wrote:

Right - it doesn't exist. I was following the link from this page:

http://people.apache.org/~eric/james/20110517/site/config.html

But yes, your link [1] gets me the file I was looking for.

In reading it over again closely, I noted that I need to make a change
to conf/context/james-server-context.xml as well. I added the block
specified in the sample file and restarted, but James does not
initialize and quietly exits ... here is the only new message that
appears in the james-server.log file:

INFO 22:53:08,519 |
org.apache.james.container.spring.context.JamesServerApplicationContext
|
Refreshing

org.apache.james.container.spring.context.JamesServerApplicationContext@36baa466:

startup date [Mon May 23 22:53:08 UTC 2011]; root of context hierarchy

Where should I be looking for any thrown exceptions?

-Dwayne

On 05/23/2011 06:17 AM, Eric Charles wrote:

Hi,

The link you gave does not exist.
Are you talking about [1] ?

If this is the case, don't forget to update the spring configuration
file as written in [1]

If you want to be sure your smtpserver-ssl.xml is really processed,
simply put a bad tag inside and you should see an exception on
startup :)

Tks,

Eric

[1]

https://svn.apache.org/repos/asf/james/server/trunk/container-spring/src/main/config/examples/smtpserver-ssl.xml



On 22/05/2011 22:10, Dwayne Nelson wrote:

I can't find any linked examples for SMTP on port 465 and I am not
sure
if James is even looking at my new configuration file
(smtpserver-ssl.xml) -- no reference to port 465 appears in my
server logs.

This is where I looked for example information:


https://svn.apache.org/repos/asf/james/server/tags/james-server-3.0-M3/container-spring/src/main/config/examples/smtpserver.xml




-Dwayne

On 05/17/2011 07:57 AM, Eric Charles wrote:

Hi Daniel,

You can read a snapshot of the server website on [1] that is in-line
with the upcoming beta release.

The quick start has been updated to reflect current code.
For SSL [2] and Antispam [3], this is still draft (go to the linked
examples to have some ideas :)

Tks,
- Eric

[1] http://people.apache.org/~eric/james/20110517/site/index.html
[2]
http://people.apache.org/~eric/james/20110517/site/config-ssl-tls.html

[3]
http://people.apache.org/~eric/james/20110517/site/config-antispam.html



On 17/05/2011 05:27, Daniel Tan wrote:

Hi eric,

where will the links be updated for ssl and spam?

regards,
daniel

On 11-May-2011, at 10:54 PM, Eric Charles wrote:


Hi,

See also http://james.apache.org/server/3/quick-start.html.
You must edit database.properties and change the values
according to
your database (+ place the mysql jdbc driver in conf/lib folder).

For SSL and spam, the documentation will be available online begin
next week (we are in the process of releasing a new 3.0-M3
milestone).

Tks,

- Eric


On 11/05/2011 16:39, Daniel Tan wrote:

hi,

i am trying my hand in implementing james with ssl/spam/mysql.

at this link http://wiki.apache.org/james/V3ConfigTutorial, i
have
followed the instructions but when i telnet to localhost 4555, i
tried to adduser test test, the logs throws connection refused.

** END NESTED EXCEPTION **



Last packet sent to the server was 1 ms ago.)
at

org.apache.commons.dbcp.BasicDataSource.createPoolableConnectionFactory(BasicDataSource.java:1549)



at

org.apache.commons.dbcp.BasicDataSource.createDataSource(BasicDataSource.java:1388)



at

org.apache.commons.dbcp.BasicDataSource.getConnection(BasicDataSource.java:1044)



at

org.apache.openjpa.lib.jdbc.DelegatingDataSource.getConnection(DelegatingDataSource.java:137)



at

org.apache.openjpa.lib.jdbc.DecoratingDataSource.getConnection(DecoratingDataSource.java:112)



at

org.apache.openjpa.jdbc.schema.DataSourceFactory.installDBDictionary(DataSourceFactory.java:239)



... 60 more
Caused by: com.mysql.jdbc.CommunicationsException: Communications
link failure due to underlying exception:

** BEGIN NESTED EXCEPTION **

java.net.SocketException
MESSAGE: java.net.ConnectException: Connection refused

STACKTRACE:

java.net.SocketException: java.net.ConnectException: Connection
refused
at

com.mysql.jdbc.StandardSocketFactory.connect(StandardSocketFactory.java:156)



at com.mysql.jdbc.MysqlIO.<init>(MysqlIO.java:284)
at com.mysql.jdbc.Connection.createNewIO(Connection.java:2569)
at com.mysql.jdbc.Connection.<init>(Connection.java:1485)
at

com.mysql.jdbc.NonRegisteringDriver.connect(NonRegisteringDriver.java:266)



at

org.apache.commons.dbcp.DriverConnectionFactory.createConnection(DriverConnectionFactory.java:38)



at

org.apache.commons.dbcp.PoolableConnectionFactory.makeObject(PoolableConnectionFactory.java:582)



at

org.apache.commons.dbcp.BasicDataSource.validateConnectionFactory(BasicDataSource.java:1556)



at

org.apache.commons.dbcp.BasicDataSource.createPoolableConnectionFactory(BasicDataSource.java:1545)



at

org.apache.commons.dbcp.BasicDataSource.createDataSource(BasicDataSource.java:1388)



at

org.apache.commons.dbcp.BasicDataSource.getConnection(BasicDataSource.java:1044)



at

org.apache.openjpa.lib.jdbc.DelegatingDataSource.getConnection(DelegatingDataSource.java:137)



at

org.apache.openjpa.lib.jdbc.DecoratingDataSource.getConnection(DecoratingDataSource.java:112)



at

org.apache.openjpa.jdbc.schema.DataSourceFactory.installDBDictionary(DataSourceFactory.java:239)



at

org.apache.openjpa.jdbc.conf.JDBCConfigurationImpl.getConnectionFactory(JDBCConfigurationImpl.java:728)



at

org.apache.openjpa.jdbc.conf.JDBCConfigurationImpl.getDataSource(JDBCConfigurationImpl.java:867)



at

org.apache.openjpa.jdbc.kernel.JDBCStoreManager.getDataSource(JDBCStoreManager.java:176)



at

org.apache.openjpa.jdbc.kernel.JDBCStoreManager.setContext(JDBCStoreManager.java:159)



at

org.apache.openjpa.jdbc.kernel.JDBCStoreManager.setContext(JDBCStoreManager.java:145)



at

org.apache.openjpa.kernel.DelegatingStoreManager.setContext(DelegatingStoreManager.java:79)



at
org.apache.openjpa.kernel.BrokerImpl.initialize(BrokerImpl.java:360)


at
org.apache.openjpa.kernel.BrokerImpl.initialize(BrokerImpl.java:315)


at

org.apache.openjpa.kernel.AbstractBrokerFactory.initializeBroker(AbstractBrokerFactory.java:231)



at

org.apache.openjpa.kernel.AbstractBrokerFactory.newBroker(AbstractBrokerFactory.java:215)



at

org.apache.openjpa.kernel.DelegatingBrokerFactory.newBroker(DelegatingBrokerFactory.java:156)



at

org.apache.openjpa.persistence.EntityManagerFactoryImpl.createEntityManager(EntityManagerFactoryImpl.java:227)



at

org.apache.openjpa.persistence.EntityManagerFactoryImpl.createEntityManager(EntityManagerFactoryImpl.java:154)



at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at

sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)



at

sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)



at java.lang.reflect.Method.invoke(Method.java:597)
at

org.springframework.orm.jpa.AbstractEntityManagerFactoryBean.invokeProxyMethod(AbstractE






for ssl, found this link http://wiki.apache.org/james/UsingSSL
but
it is outdated and only for v2. trying to find a guide for v3.

for spam, found this link but very outdated.

http://www.google.com.sg/url?sa=t&source=web&cd=5&ved=0CDMQFjAE&url=http%3A%2F%2Fwww.sans.org%2Freading_room%2Fwhitepapers%2Femail%2Fimplementing-spam-filtering-gateway-apache-james_1358&rct=j&q=implement%20apache%20james%20spam&ei=bp_KTd7eHY7JrQeN3JzpDw&usg=AFQjCNH0rWTaVXZw5mXRdLlDqxewWkdArA&sig2=kMd7nb4ABMqfcZiZ8NrfRg&cad=rja



---------------------------------------------------------------------


To unsubscribe, e-mail: [email protected]
For additional commands, e-mail:
[email protected]




---------------------------------------------------------------------


To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]





---------------------------------------------------------------------

To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]




---------------------------------------------------------------------

To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]



-----------------------------------------------------

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]



---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]



---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]




---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to