Hi,
I'm currently using a similar config and it is working (james 3.0b4).
In my keystore is the full trust path including the CA
(CA->Intermediate->Host in my case).
I'm using portecle for editing the keystore, it's more convenient.

The private key of the certificate can be secured by a password, too.
Maybe this is not the case in your config. You should try to set the
password for the private key in the keystore either to the <secret> value or
to an empty password. I'm currently not sure what is used by james.

I tried to run the imapserver both with starttls AND ssl at the same
time, but this seems to be impossible. If you want to use both of them,
you may try to put another imapserver-tag in the xml.
The config you posted in your message uses port 993 for starttls which
may introduce problems. You should use port 143 with starttls and 993
for ssl.

Another interesting option is
<plainAuthDisallowed>true</plainAuthDisallowed>
which in fact disables login without TLS in the IMAP server. But you
should test whether it works.

I hope this helps.

Kind regards,
 Jan-Philipp Hülshoff

      <imapservers>
        <imapserver enabled="true">
           <jmxName>imapserver</jmxName>
           <bind>0.0.0.0:143</bind>
           <connectionBacklog>200</connectionBacklog>
           <!-- Set to true to use TLS for the Socket.
                To use this you need to copy sunjce_provider.jar to the
                /path/james/lib directory.
           -->
           <tls socketTLS="false" startTLS="true">
             <!-- To create a new keystore execute:
                  keytool -genkey -alias james -keyalg RSA -keystore /path/to/james/conf/keystore
             -->
             <keystore>file://conf/bklosr.jks</keystore>
             <secret>7737</secret>
             <provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
           </tls>
           <!-- COMPRESS extension -->
           <compress>true</compress>
           <!-- Require TLS for Auth -->
           <plainAuthDisallowed>true</plainAuthDisallowed>
           <handler>
               <helloName autodetect="true">some.domain</helloName>
               <connectionLimit>100</connectionLimit>
               <connectionLimitPerIP>10</connectionLimitPerIP>
           </handler>
        </imapserver>
      </imapservers>

On 29.07.2013 21:37, invisiblewave wrote:
> Been trying to secure my server for some time now, without success.  If
> someone could point me to the next step I'd be grateful.  I've tried two
> ways, following the instructions on the project website, with a local
> keystore and with a keystore using imported certificates from a provider, I
> get the same result using either keystore.  I'm testing using the IMAP
> server.  If I use true for both socketTLS and startTLS, the imap server
> doesn't start.  Using certificates from startSSL, I've imported the CA, the
> class 1 intermediate, and the certificate I created with the keytool csr. 
> Whatever I do seems to make no difference to the result!  The server is
> listening, but the secure bit doesn't work!  I'm running on Ubuntu 12.10.
> 
> My imap configuration is as follows:
>          <bind>0.0.0.0:993</bind>
>          <connectionBacklog>200</connectionBacklog>
>          <tls socketTLS="false" startTLS="true">
>            <keystore>file://conf/.keystore</keystore>
>            <secret>envelope</secret>
>            <provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
>          </tls>
> 
> And using the openssl client, I get the following response:
> openssl s_client  -connect  mail.mymailserver.com:993 -starttls imap 
> CONNECTED(00000003)
> 140127271982752:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3
> alert handshake failure:s23_clnt.c:724:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 302 bytes and written 251 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> 
> --
> View this message in context: 
> http://james.10919.n7.nabble.com/STARTTLS-configuration-question-tp50107.html
> Sent from the James - Users mailing list archive at Nabble.com.
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
> 

-- 
Jan-Philipp Huelshoff
Im Lichtenfelde 2
33100 Paderborn
Tel.: 0151/15928518, 05251/7091197
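A check I would add here, as an example that is not part of the thread and not James's own code: it uses only Python 3's standard imaplib and ssl, encodes the port advice above (STARTTLS on 143, implicit TLS on 993, never both on one listener) and probes whether plainAuthDisallowed really blocks login before TLS. It assumes that a server refusing plain authentication advertises LOGINDISABLED in clear and withdraws it after the upgrade (RFC 2595 behaviour); host names are placeholders.

```python
"""Check a James IMAP listener's TLS setup: config sanity plus a live probe."""
import imaplib
import ssl

# Port conventions from the thread: 143 = cleartext upgraded via STARTTLS,
# 993 = implicit TLS from the first byte.
STARTTLS_PORT, IMPLICIT_TLS_PORT = 143, 993

def check_listener(bind, socket_tls, start_tls):
    """Return warnings for one <imapserver>, given its <bind> and <tls> flags."""
    port = int(bind.rsplit(":", 1)[1])
    warnings = []
    if socket_tls and start_tls:
        warnings.append("socketTLS and startTLS on one listener: use two <imapserver> entries")
    if start_tls and port == IMPLICIT_TLS_PORT:
        warnings.append("startTLS on 993: clients expect implicit TLS here, move STARTTLS to 143")
    if socket_tls and port == STARTTLS_PORT:
        warnings.append("socketTLS on 143: clients expect cleartext+STARTTLS here, use 993")
    return warnings

def assess_starttls(caps_plain, caps_tls):
    """Judge a STARTTLS listener from the capabilities seen before and after
    the upgrade. Assumption: a server enforcing plainAuthDisallowed advertises
    LOGINDISABLED in clear (RFC 2595) and drops it once the session is encrypted."""
    plain = {c.upper() for c in caps_plain}
    tls = {c.upper() for c in caps_tls}
    return {
        "starttls_offered": "STARTTLS" in plain,
        "plain_login_blocked": "LOGINDISABLED" in plain,
        "login_allowed_after_tls": "LOGINDISABLED" not in tls,
    }

def probe_starttls(host, port=STARTTLS_PORT, cafile=None):
    """Connect in clear, upgrade with STARTTLS (certificate verified against
    cafile or the system trust store) and assess both capability sets."""
    ctx = ssl.create_default_context(cafile=cafile)
    with imaplib.IMAP4(host, port) as imap:
        caps_plain = imap.capabilities      # parsed from the greeting / CAPABILITY
        imap.starttls(ctx)                  # imaplib re-reads CAPABILITY afterwards
        return assess_starttls(caps_plain, imap.capabilities)

def probe_implicit_tls(host, port=IMPLICIT_TLS_PORT, cafile=None):
    """Implicit TLS: the handshake precedes the IMAP greeting, so a listener
    configured for startTLS on this port fails at this point."""
    ctx = ssl.create_default_context(cafile=cafile)
    with imaplib.IMAP4_SSL(host, port, ssl_context=ctx) as imap:
        return sorted(imap.capabilities)
```

Run `probe_starttls("mail.example.invalid")` against the 143 listener and `probe_implicit_tls` against 993; a hostname mismatch or an untrusted chain raises ssl.SSLCertVerificationError, which is the point of verifying instead of using openssl's default unverified client.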
