Just a quick, but huge "Thank You" to Mark for this information. I copied and customized your statements below for my domain, and SSL worked the first time after reboot.  Another checkmark on my list of todo items....

Jerry

On 10/28/2019 10:06 AM, Mark Gordon wrote:
What I found was that the type of store was causing my problem.  I noticed
that using the bouncy castle provider was causing the problem.
The store I had created worked fine on 3.3.  When I added the bouncy castle
jars to 3.3 (to get DKIM going) I started getting the same "incorrect
password" error.

The examples I found for converting a LETSENCRYPT ssl cert into a java
keystore said to change the keystore to the non-proprietary type pkcs12.  I
found that the keystores that worked were of the JKS which seems to be the
default type.  If you list out a keystore of this type it will recommend
you convert it to pkcs12.... but then you have the "incorrect password"
error.

After creating the cert with certbot (this creates letsencrypt
certificates) then you run these two commands:

This got me past the incorrect password problem.

I don't feel qualified to add to the wiki as I don't know why the other
style does not work with bouncy castle.  This was just brute force trial
and error.

openssl pkcs12 -export \
          -in /etc/letsencrypt/live/mail1.example.com/cert.pem \
          -inkey /etc/letsencrypt/live/mail1.example.com/privkey.pem \
          -out /tmp/mail1.example.com.p12 \
          -name james \
          -CAfile /etc/letsencrypt/live/mail1.example.com/fullchain.pem \
          -caname "Let's Encrypt Authority X3" \
          -password pass:changeit

---- THIS IS THE IMPORTANT LINE: -deststoretype jks

/home/orderpt/software/jdk1.8.0_231/bin/keytool -importkeystore \
         -deststorepass changeit \
         -destkeypass changeit \
         -deststoretype jks \
         -srckeystore /tmp/mail1.example.com.p12 \
         -srcstoretype PKCS12 \
         -srcstorepass changeit \
         -destkeystore /home/orderpt/software/james-server-app-3.4.0/var/mail1.example.com.keystore \
         -alias james

-Mark
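Added example (not from this thread or the James project): a small POSIX shell check that reports whether a keystore file on disk is actually JKS or PKCS12 before it is handed to James, since the "incorrect password" error above came from a store type mismatch rather than a wrong password. It assumes `od` is available and relies on the JKS magic 0xFEEDFEED and the ASN.1 SEQUENCE tag (0x30) that opens a DER-encoded PKCS#12 file; the expected type is passed in by hand.

```shell
#!/bin/sh
# Report the on-disk format of a Java keystore from its leading bytes.
# JKS files start with the magic 0xFEEDFEED; PKCS#12 files are DER and
# start with an ASN.1 SEQUENCE tag (0x30). Anything else is "unknown".
keystore_type() {
    file="$1"
    [ -r "$file" ] || { echo "unreadable"; return 1; }
    # First four bytes as lowercase hex with no separators, e.g. "feedfeed".
    magic=$(od -An -tx1 -N4 "$file" | tr -d ' \n')
    case "$magic" in
        feedfeed) echo "jks" ;;
        30*)      echo "pkcs12" ;;
        *)        echo "unknown" ;;
    esac
}

# Compare the detected format with the type James is configured to load
# (assumed to be supplied by the caller, e.g. "jks" or "pkcs12").
# Returns 0 on match, 1 if unreadable, 2 on a mismatch.
check_keystore() {
    expected="$1"; file="$2"
    actual=$(keystore_type "$file") || return 1
    if [ "$actual" = "$expected" ]; then
        echo "ok: $file is $actual"
        return 0
    fi
    echo "mismatch: $file is $actual, James expects $expected"
    return 2
}

# Usage: check_keystore jks /path/to/mail1.example.com.keystore
```

A mismatch reported here is the case to fix with `-deststoretype` (or the configured store type) before spending time on passwords.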


On Mon, Oct 28, 2019 at 4:21 AM Tellier Benoit <[email protected]> wrote:

Hello Mark,

Was http://james.apache.org/server/config-ssl-tls.html to answer your
concerns?

Please contribute to [1] if you think you can enhance it!

[1] https://github.com/apache/james-project/blob/master/src/site/xdoc/server/config-ssl-tls.xml

Regards,

Benoit

On 28/10/2019 00:41, Mark Gordon wrote:
Hey James thanks for the info on the multiple SMTP servers.

I got past the ssl cert problem.  It had to do with the type of
keystore.  I will send you the scripts I used.  I am using letsencrypt
ssl certs and they seem to be working correctly.


On Sat, Oct 26, 2019, 9:46 PM Jerry Malcolm <[email protected]>
wrote:
Mark,

I hit the same problem you are seeing about a month ago and reported it
on the forum, but got no response. I was not using SSL on my previous
version.  I planned to move to SSL as part of my migration.  I just
figured the problem was due to lack of knowledge on my part and pushed it
to the back burner.  But since you had something working that no longer
works, that gives me a different perspective on the problem.  I'll
probably start digging into the problem sometime this week.  If anyone
else already understands this problem, you won't hurt my feelings if you
find the problem and report a fix before I have a chance to begin
debugging it. :-)

As far as ports go, you can have as many imap and smtp servers defined
as you want.  You can have an smtp server with no SSL running on 25 and
completely different smtp server running on 587 with TLS.  For every
port you want to have an SMTP server, just replicate the <smtpserver>
block inside <smtpservers> in conf/smtpserver.xml and make the obvious
modifications to the new block.  Also make sure you have a bind
statement (<bind>0.0.0.0:465</bind>) in each block, and add the <tls>
block to the smtpservers that you want to have ssl/tls on.  I've run two
smtp servers for years, one on port 25 and one on port 2025 that I tell
my clients to use to get around isp blockading port 25 to prevent
spamming.
Jerry

On 10/26/2019 5:17 PM, Mark Gordon wrote:
I have spent some time trying to get James 3.4 to work and I have gotten
past a few problems.  The latest is that I am getting a "keystore password
incorrect", and if I use the same keystore and config in 3.3 it works
fine.
Any ideas?

For inbound mail, can you only have port 587 open with START TLS, and
not have anything running on port 25?

With James can you have port 587 and 465 using ssl/tls and have 25 not?
If so, how would one do this?

Thanks,
Mark



---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]



