Thanks a lot Matt, I'll try to make a PEM from Let's Encrypt and use it.

Sat, 1 Feb 2025, 06:46 cryptearth <cryptea...@cryptearth.de.invalid>:
> "It doesn't work" is not a helpful error description - in fact, it is none at all.
> If you try to start James with regular PEM files but have messed up something you will get a stack trace telling you what went wrong.
> Converting a PEM certificate chain with a private key into a Java keystore is not required anymore (although I still have a little helper doing exactly that).
>
> Anyway - here's how I've set it up:
>
> - placing the certificate chain in <james>/conf/chain.crt
>   Important: chain.crt has to contain your certificate and the intermediate certificate in that order and should not contain the root certificate.
> - placing the private key in <james>/conf/private.key
>   Important: make sure it has access set to 0600 (so read/write only to the user, none to group or others); you CAN also secure it by a passphrase - but my personal point: as you have to provide it along in the config it's the same as hanging a key right next to a locked door - why even bother to lock the door in the first place?
>
> Add to the server xml files (example for smtp/25):
>
> <smtpservers>
>   <smtpserver enabled="true">
>     <jmxName>smtpserver-global</jmxName>
>     <bind>0.0.0.0:25</bind>
>     <connectionBacklog>200</connectionBacklog>
>     <tls socketTLS="false" startTLS="true">
>       <privateKey>file://conf/private.key</privateKey>
>       <certificates>file://conf/chain.crt</certificates>
>       <!-- An optional secret might be specified for the private key -->
>       <!-- <secret>james72laBalle</secret> -->
>     </tls>
>     // ... rest of the file
>
> Same for every other TLS block.
>
> Afterwards start James by your start script - it should come up without issues.
> For the SMTP server you can use services such as
> https://www.checktls.com/TestReceiver - can also check DANE and MTA-STS and produce a very detailed log, my personal favorite
> or
> https://ssl-tools.net/mailservers - can have some issues sometimes - but also has good result presentation
>
> If you got your inbound SMTP correctly set up - copy the config to IMAP (and maybe POP if you use that) and make sure the ports are correct.
> You should also set starttls on outgoing connections in the mailetcontainer.xml, section RemoteDelivery:
>
> <processor state="relay" enableJmx="true">
>   <mailet match="All" class="RemoteDelivery">
>     <outgoingQueue>outgoing</outgoingQueue>
>     <startTLS>true</startTLS>
>
> Note: proper spelling is important - it has to be written as "startTLS" - otherwise you will get an error on startup.
> And you can test that as well with the above sites or just send an email to your Gmail account and look into the raw mail - it should say something like this:
>
> Received by: mx.google.mx via ESMTPS for <recpt> (TLS=<some tls cipher>)
>
> If you get any error please get the full log so we can see what failed and direct you towards the right file to fix.
>
> You may also automate it with certbot by just sym-linking to the files used by Apache - but if so you have to run James as root.
>
> Hope this helps.
>
> Matt
>
> On 31.01.25 at 20:13 Ilya Terskov wrote:
> > Hi there guys once more :)
> > I hear that James can use common ACME/Let's Encrypt PKCS keys instead of Java JKS, I even see this in readme files, but I tried to make it work and never got it to... But converting from PKCS to JKS works, and those keys work. Can you tell me how you are doing it?
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: server-user-unsubscr...@james.apache.org
> For additional commands, e-mail: server-user-h...@james.apache.org
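The layout Matt describes (chain.crt = your certificate followed by the intermediate, no root; private.key at mode 0600) is easy to get subtly wrong, and James only reports it as a stack trace at startup. The script below is an added example, not from the thread or from the James project: a POSIX shell checker that confirms the certificates in a chain file are in leaf-then-issuer order, that the last one is not self-signed (i.e. the root was left out), and that the key file is mode 0600. For an offline run it also builds a throwaway demo chain with openssl; the names Demo Root CA, Demo Intermediate CA and mail.example.test are made up for that purpose. It assumes openssl, awk and stat are installed and does not touch James itself.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread or of Apache James):
# sanity-check a PEM chain file and a private key laid out for James.

# cert_names FILE: print "<subject>|<issuer>" for one PEM certificate.
cert_names() {
  s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  printf '%s|%s\n' "$s" "$i"
}

# check_chain FILE: return 0 only if FILE holds at least two certificates,
# each one issued by the certificate that follows it, and the last one is
# NOT self-signed (a self-signed last cert means the root was included).
# This is an order check by name matching, not a signature verification.
check_chain() {
  chain=$1
  work=$(mktemp -d)
  # Split the bundle into one file per certificate, keeping file order.
  awk -v dir="$work" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/%03d.pem", dir, n) }
    n > 0 { print > f }
    /-----END CERTIFICATE-----/ { close(f) }' "$chain"
  count=$(ls "$work" | wc -l | tr -d ' ')
  rc=0
  if [ "$count" -lt 2 ]; then
    echo "chain: expected leaf + intermediate, found $count cert(s)"; rc=1
  fi
  prev_issuer= ; last_subj= ; last_iss=
  for f in "$work"/*.pem; do
    [ -f "$f" ] || continue
    names=$(cert_names "$f")
    subj=${names%|*}
    iss=${names#*|}
    if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
      echo "chain: order error, expected '$prev_issuer' next, got '$subj'"; rc=1
    fi
    prev_issuer=$iss
    last_subj=$subj; last_iss=$iss
  done
  if [ "$count" -ge 1 ] && [ "$last_subj" = "$last_iss" ]; then
    echo "chain: last cert '$last_subj' is self-signed; drop the root"; rc=1
  fi
  rm -rf "$work"
  return $rc
}

# check_key FILE: return 0 only if FILE is mode 0600 (GNU stat, BSD fallback).
check_key() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  if [ "$mode" != "600" ]; then
    echo "key: mode is $mode, expected 600 (run: chmod 600 $1)"; return 1
  fi
}

# make_demo_chain DIR: constructed test data (made-up names), written to DIR:
#   chain.crt             leaf + intermediate        (correct)
#   chain-with-root.crt   leaf + intermediate + root (root must not be there)
#   chain-wrong-order.crt intermediate + leaf        (wrong order)
#   private.key           the leaf key, chmod 600
make_demo_chain() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.crt" \
    -subj "/CN=Demo Root CA" -days 2 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$d/int.key" -out "$d/int.csr" \
    -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -out "$d/int.crt" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout "$d/private.key" -out "$d/leaf.csr" \
    -subj "/CN=mail.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -set_serial 3 -days 2 -out "$d/leaf.crt" >/dev/null 2>&1
  cat "$d/leaf.crt" "$d/int.crt" > "$d/chain.crt"
  cat "$d/leaf.crt" "$d/int.crt" "$d/root.crt" > "$d/chain-with-root.crt"
  cat "$d/int.crt" "$d/leaf.crt" > "$d/chain-wrong-order.crt"
  chmod 600 "$d/private.key"
}

# Demo run against the constructed files.
demo=$(mktemp -d)
make_demo_chain "$demo"
check_chain "$demo/chain.crt" && echo "chain.crt: OK"
check_chain "$demo/chain-with-root.crt" || echo "chain-with-root.crt: rejected, as expected"
check_key "$demo/private.key" && echo "private.key: OK"
rm -rf "$demo"
```

Against a real install, source the script and run `check_chain <james>/conf/chain.crt && check_key <james>/conf/private.key` before starting James. The order check compares printed subject and issuer names, so it catches a reversed bundle or an appended root but does not verify signatures; `openssl verify -untrusted <intermediate> <leaf>` does that part.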