Thanks a lot Matt, I'll try to make a PEM from Let's Encrypt and use it.

Sat, 1 Feb 2025, 06:46 cryptearth <cryptea...@cryptearth.de.invalid>:

> "It doesn't work" is not a helpful error description - in fact: it is
> none at all.
> If you try to start james with regular PEM files but have messed up
> something you will get a stack trace telling you what went wrong.
> Converting a PEM certificate chain with a private key into a Java
> keystore is not required anymore (although I still have a little helper
> doing exactly that).
>
> Anyway - here's how I've set it up:
>
> - placing the certificate chain in <james>/conf/chain.crt
> Important: chain.crt has to contain your certificate and the
> intermediate certificate in that order and should not contain the root
> certificate.
> - placing the private key in <james>/conf/private.key
> Important: make sure it has access set to 0600 (so read/write only to
> the user, none to group or others); you CAN also secure it by a
> passphrase - but my personal point: as you have to provide it along in
> the config it's the same as hanging a key right next to a locked door -
> why even bother to lock the door in the first place?
>
> Add to the server xml files (example for smtp/25):
>
> <smtpservers>
>     <smtpserver enabled="true">
>         <jmxName>smtpserver-global</jmxName>
>         <bind>0.0.0.0:25</bind>
>         <connectionBacklog>200</connectionBacklog>
>         <tls socketTLS="false" startTLS="true">
>             <privateKey>file://conf/private.key</privateKey>
>             <certificates>file://conf/chain.crt</certificates>
>             <!-- An optional secret might be specified for the private key -->
>             <!-- <secret>james72laBalle</secret> -->
>         </tls>
>         <!-- ... rest of the file -->
>
> Same for every other TLS block.
>
> Afterwards start James with your start script - it should come up without
> issues. For the SMTP server you can use services such as
> https://www.checktls.com/TestReceiver (can also check DANE and MTA-STS
> and produces a very detailed log; my personal favorite)
> or
> https://ssl-tools.net/mailservers (can have some issues sometimes, but
> also has good result presentation).
>
> If you have your inbound SMTP set up correctly, copy the config to IMAP
> (and maybe POP if you use that) and make sure the ports are correct.
> You should also set startTLS on outgoing connections in
> mailetcontainer.xml, section RemoteDelivery:
>
>         <processor state="relay" enableJmx="true">
>             <mailet match="All" class="RemoteDelivery">
>                 <outgoingQueue>outgoing</outgoingQueue>
>                 <startTLS>true</startTLS>
>
> Note: proper spelling is important - it has to be written as "startTLS",
> otherwise you will get an error on startup.
> You can test that as well with the above sites, or just send an email
> to your Gmail account and look into the raw mail - it should say
> something like this:
>
> Received by: mx.google.mx via ESMTPS for <recpt> (TLS=<some tls cipher>)
>
> If you get any error, please send the full log so we can see what failed
> and direct you towards the right file to fix.
>
> You may also be able to automate it with certbot by just symlinking to the
> files used by Apache - but if so you have to run James as root.
>
> Hope this helps.
>
>
> Matt
>
>
> On 31.01.25 at 20:13, Ilya Terskov wrote:
> > Hi there guys once more :)
> > I hear that James can use common ACME/Let's Encrypt PKCS keys instead of
> > Java JKS, I even see this in the readme files, but I tried to make it
> > work and never got it working... But converting from PKCS to JKS and
> > using those keys works. Can you tell me how you do it?
> >
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org
> For additional commands, e-mail: server-user-h...@james.apache.org
>
>

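The three things Matt's setup depends on (chain.crt holding the leaf first and the intermediate after it with no root, private.key being mode 0600, and the key actually belonging to the leaf) can all be checked before James is started, so a misconfiguration surfaces as one readable message instead of a stack trace. The Go program below is an added example written for this page; it is not code from the thread or from the Apache James project. It assumes the key is an unencrypted PKCS#8 "PRIVATE KEY" block, which is what certbot's privkey.pem is (a passphrase-protected key is rejected on purpose, in line with Matt's "key next to the locked door" point), and it needs Go 1.20 or later for errors.Join. The program name chaincheck, the conf/ default paths, and everything BuildTestPKI produces (Test Root, Test Intermediate, mail.example.org and their keys) are constructed sample data for exercising the checks offline, not Let's Encrypt material.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// CheckTLSFiles validates the layout the post asks for: chain.crt holds the leaf, then the
// intermediate(s), no self-signed root; private.key is mode 0600 and is the leaf's unencrypted PKCS#8 key.
func CheckTLSFiles(chainPEM, keyPEM []byte, keyMode os.FileMode) error {
	var chain []*x509.Certificate
	for blk, rest := pem.Decode(chainPEM); blk != nil; blk, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(blk.Bytes)
		if err != nil {
			return fmt.Errorf("chain.crt block %d: %w", len(chain), err)
		}
		chain = append(chain, c)
	}
	if len(chain) < 2 {
		return fmt.Errorf("chain.crt needs the leaf and at least one intermediate, got %d cert(s)", len(chain))
	}
	for i := 0; i+1 < len(chain); i++ {
		if err := chain[i].CheckSignatureFrom(chain[i+1]); err != nil {
			return fmt.Errorf("chain.crt: cert %d (%s) is not signed by cert %d (%s): %w",
				i, chain[i].Subject.CommonName, i+1, chain[i+1].Subject.CommonName, err)
		}
	}
	if last := chain[len(chain)-1]; last.Issuer.String() == last.Subject.String() {
		return fmt.Errorf("chain.crt: last cert (%s) is self-signed, drop the root", last.Subject.CommonName)
	}
	if keyMode.Perm() != 0o600 {
		return fmt.Errorf("private.key is mode %04o, expected 0600", keyMode.Perm())
	}
	blk, _ := pem.Decode(keyPEM)
	if blk == nil || blk.Type != "PRIVATE KEY" {
		return errors.New("private.key: expected one unencrypted PKCS#8 PRIVATE KEY block")
	}
	priv, err := x509.ParsePKCS8PrivateKey(blk.Bytes)
	if err != nil {
		return fmt.Errorf("private.key: %w", err)
	}
	pub, _ := chain[0].PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if signer, ok := priv.(crypto.Signer); !ok || pub == nil || !pub.Equal(signer.Public()) {
		return fmt.Errorf("private.key does not belong to the leaf (%s)", chain[0].Subject.CommonName)
	}
	return nil
}

// BuildTestPKI makes a throwaway root -> intermediate -> leaf PKI (constructed data, not Let's Encrypt material).
func BuildTestPKI() (rootPEM, interPEM, leafPEM, keyPEM []byte) {
	newKey := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	tmpl := func(cn string, serial int64, ca bool) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true, IsCA: ca}
	}
	sign := func(t, parent *x509.Certificate, pub any, signer crypto.Signer) []byte {
		der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
		if err != nil {
			panic(err) // unreachable for the constructed templates above
		}
		return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	}
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	root, inter := tmpl("Test Root", 1, true), tmpl("Test Intermediate", 2, true)
	rootPEM = sign(root, root, &rootKey.PublicKey, rootKey)
	interPEM = sign(inter, root, &interKey.PublicKey, rootKey)
	leafPEM = sign(tmpl("mail.example.org", 3, false), inter, &leafKey.PublicKey, interKey)
	der, _ := x509.MarshalPKCS8PrivateKey(leafKey)
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})
	return
}

func main() { // usage: chaincheck [chain.crt private.key]; defaults to the conf/ paths from the post
	chainPath, keyPath := "conf/chain.crt", "conf/private.key"
	if len(os.Args) == 3 {
		chainPath, keyPath = os.Args[1], os.Args[2]
	}
	chainPEM, err := os.ReadFile(chainPath)
	keyPEM, err2 := os.ReadFile(keyPath)
	st, err3 := os.Stat(keyPath)
	if err = errors.Join(err, err2, err3); err == nil { // errors.Join needs Go 1.20+
		err = CheckTLSFiles(chainPEM, keyPEM, st.Mode())
	}
	if err != nil {
		fmt.Println("FAIL:", err)
		os.Exit(1)
	}
	fmt.Println("OK: chain.crt order and private.key are consistent")
}
```

Run it from the James directory as `go run chaincheck.go conf/chain.crt conf/private.key` (or with no arguments for those defaults) before starting the server. The ordering check is deliberately stricter than "does the chain verify": a bundle with the intermediate first, or with the root appended (certbot's fullchain.pem does not include the root, but hand-assembled bundles often do), verifies fine in many tools yet fails here, because that is what the post says James expects. BuildTestPKI exists only so the checks can be exercised without real certificates; the tool never writes anything. This is a local consistency check, not a substitute for the external tests Matt lists, which verify what the server actually presents on the wire.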