Posted to server-user@james.apache.org by Jerry Malcolm <te...@malcolms.com> on 2019/11/06 05:03:26 UTC

Re: port 25 & 587 & 465 and keystore password.

Just a quick, but huge "Thank You" to Mark for this information. I 
copied and customized your statements below for my domain, and SSL 
worked the first time after reboot.  Another checkmark on my list of 
todo items....

Jerry

On 10/28/2019 10:06 AM, Mark Gordon wrote:
> What I found was that the type of store was causing my problem.  I noticed
> that using the bouncy castle provider was causing the problem.
> The store I had created worked fine on 3.3.  When I added the bouncy castle
> jars to 3.3 (to get DKIM going) I started getting the same "incorrect
> password" error.
>
> The examples I found for converting a LETSENCRYPT ssl cert into a java
> keystore said to change the keystore to the non-proprietary type pkcs12.  I
> found that the keystores that worked were of the JKS which seems to be the
> default type.  If you list out a keystore of this type it will recommend
> you convert it to pkcs12.... but then you have the "incorrect password"
> error.
>
> After creating the cert with certbot (this creates letsencrypt
> certificates) then you run these two commands:
>
> This got me past the incorrect password problem.
>
> I don't feel qualified to add to the wiki as I don't know why the other
> style does not work with bouncy castle.  This was just brute force trial
> and error.
>
> # Note: -CAfile is only consulted together with -chain; to embed the
> # intermediate in the bundle use -certfile fullchain.pem instead.
> openssl pkcs12 -export \
>           -in /etc/letsencrypt/live/mail1.example.com/cert.pem \
>           -inkey /etc/letsencrypt/live/mail1.example.com/privkey.pem \
>           -out /tmp/mail1.example.com.p12 \
>           -name james \
>           -CAfile /etc/letsencrypt/live/mail1.example.com/fullchain.pem \
>           -caname "Let's Encrypt Authority X3" \
>           -password pass:changeit
>
> # THE IMPORTANT LINE is "-deststoretype jks" (a trailing comment after
> # the backslash would break the continuation, so it is noted here instead).
> /home/orderpt/software/jdk1.8.0_231/bin/keytool -importkeystore \
>          -deststorepass changeit \
>          -destkeypass changeit \
>          -deststoretype jks \
>          -srckeystore /tmp/mail1.example.com.p12 \
>          -srcstoretype PKCS12 \
>          -srcstorepass changeit \
>          -destkeystore /home/orderpt/software/james-server-app-3.4.0/var/mail1.example.com.keystore \
>          -alias james
>
> -Mark
>
>
> On Mon, Oct 28, 2019 at 4:21 AM Tellier Benoit <bt...@apache.org> wrote:
>
>> Hello Mark,
>>
>> Did http://james.apache.org/server/config-ssl-tls.html answer your
>> concerns?
>>
>> Please contribute to [1] if you think you can enhance it!
>>
>> [1] https://github.com/apache/james-project/blob/master/src/site/xdoc/server/config-ssl-tls.xml
>>
>> Regards,
>>
>> Benoit
>>
>> On 28/10/2019 00:41, Mark Gordon wrote:
>>> Hey James thanks for the info on the multiple SMTP servers.
>>>
>>> I got past the ssl cert problem.  It had to do with the type of
>>> keystore.  I will send you the scripts I used.  I am using letsencrypt
>>> ssl certs and they seem to be working correctly.
>>>
>>>
>>> On Sat, Oct 26, 2019, 9:46 PM Jerry Malcolm <te...@malcolms.com> wrote:
>>>> Mark,
>>>>
>>>> I hit the same problem you are seeing about a month ago and reported it
>>>> on the forum, but got no response. I was not using SSL on my previous
>>>> version.  I planned to move to SSL as part of my migration.  I just
>>>> figured the problem was due to lack of knowledge on my part and pushed it
>>>> to the back burner.  But since you had something working that no longer
>>>> works, that gives me a different perspective on the problem.  I'll
>>>> probably start digging into the problem sometime this week.  If anyone
>>>> else already understands this problem, you won't hurt my feelings if you
>>>> find the problem and report a fix before I have a chance to begin
>>>> debugging it. :-)
>>>>
>>>> As far as ports go, you can have as many imap and smtp servers defined
>>>> as you want.  You can have an smtp server with no SSL running on 25 and
>>>> completely different smtp server running on 587 with TLS.  For every
>>>> port you want to have an SMTP server, just replicate the <smtpserver>
>>>> block inside <smtpservers> in conf/smtpserver.xml and make the obvious
>>>> modifications to the new block.  Also make sure you have a bind
>>>> statement (<bind>0.0.0.0:465</bind>) in each block, and add the <tls>
>>>> block to the smtpservers that you want to have ssl/tls on.  I've run two
>>>> smtp servers for years, one on port 25 and one on port 2025 that I tell
>>>> my clients to use to get around ISP blockading port 25 to prevent
>>>> spamming.
>>>>
>>>> Jerry
>>>>
>>>> On 10/26/2019 5:17 PM, Mark Gordon wrote:
>>>>> I have spent some time trying to get James 3.4 to work.  I have gotten
>>>>> past a few problems.  The latest is that I am getting a "keystore password
>>>>> incorrect" and if I use the same keystore and config in 3.3 it works
>>>>> fine.
>>>>> Any ideas?
>>>>>
>>>>> For inbound mail, can you only have port 587 open with STARTTLS and
>>>>> not have anything running on port 25?
>>>>>
>>>>> With James can you have port 587 and 465 using ssl/tls and have 25 not?
>>>>> If so how would one do this?
>>>>>
>>>>> Thanks,
>>>>> Mark
>>>>>
>>>>>
>>>>>
>>>> ---------------------------------------------------------------------
>>>> To unsubscribe, e-mail: server-user-unsubscribe@james.apache.org
>>>> For additional commands, e-mail: server-user-help@james.apache.org
>>>>
>>>>
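The two procedures in this thread, Mark's openssl/keytool conversion of a Let's Encrypt certificate into a JKS keystore and Jerry's one-<smtpserver>-block-per-port layout, as an added shell example that is not part of the thread and not James project code. It goes a little beyond the thread: it embeds certbot's chain.pem with -certfile so the intermediate ends up in the bundle, it checks the resulting file's type from its magic bytes (newer JDKs open either format under either type name, so keytool -list is not a reliable check), and it emits an <smtpserver> block in the shape of the James 3.x conf/smtpserver.xml template (the <tls> children are an assumption from that template, not from the thread). The alias "james", the password "changeit", the self-signed demo certificate and all paths are constructed placeholders; openssl and keytool (JDK 8+) are assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: certbot live dir -> PKCS#12 -> JKS, then
# verify the store type before James tries to open it. Alias, password and
# paths are constructed placeholders; openssl and keytool are assumed on PATH.

# Step 1: PKCS#12 bundle from the Let's Encrypt files. -certfile chain.pem
# embeds the intermediate (certbot's chain.pem); -CAfile alone, as used in
# the thread, only takes effect together with -chain.
make_pkcs12() {
    live=$1; out=$2; alias=$3; pass=$4
    set -- -in "$live/cert.pem" -inkey "$live/privkey.pem" \
           -name "$alias" -out "$out" -password "pass:$pass"
    if [ -s "$live/chain.pem" ]; then set -- "$@" -certfile "$live/chain.pem"; fi
    openssl pkcs12 -export "$@"
}

# Step 2: import into a JKS-type store. "-deststoretype JKS" is the line the
# thread singles out: JDK 9+ warns that JKS is proprietary and suggests
# PKCS12, but PKCS12 is the type that failed with "keystore password incorrect".
pkcs12_to_jks() {
    p12=$1; jks=$2; alias=$3; pass=$4
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
        -srcalias "$alias" -destalias "$alias" \
        -destkeystore "$jks" -deststoretype JKS \
        -deststorepass "$pass" -destkeypass "$pass"
}

# Step 3: report the on-disk format from the first bytes. JKS files start with
# the magic 0xFEEDFEED, JCEKS with 0xCECECECE, PKCS#12 is DER (SEQUENCE, 0x30).
keystore_format() {
    magic=$(dd if="$1" bs=1 count=4 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case $magic in
        feedfeed) echo JKS ;;
        cececece) echo JCEKS ;;
        30*)      echo PKCS12 ;;
        *)        echo unknown ;;
    esac
}

# Step 4: one <smtpserver> block per port, as Jerry describes: a <bind> for the
# port and a <tls> block whose flags pick implicit TLS (465: socketTLS) or
# STARTTLS (587: startTLS); port 25 gets both false. Element names inside
# <tls> are assumed from the James 3.x smtpserver.xml template.
smtpserver_block() {
    port=$1; socket_tls=$2; start_tls=$3; keystore=$4; secret=${5:-changeit}
    cat <<EOF
    <smtpserver enabled="true">
        <jmxName>smtpserver-$port</jmxName>
        <bind>0.0.0.0:$port</bind>
        <tls socketTLS="$socket_tls" startTLS="$start_tls">
            <keystore>$keystore</keystore>
            <secret>$secret</secret>
            <provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
            <algorithm>SunX509</algorithm>
        </tls>
    </smtpserver>
EOF
}

# Constructed demo material: a throwaway self-signed cert laid out like a
# certbot live directory (no chain.pem, so nothing extra is embedded).
make_demo_live_dir() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=mail1.example.com" \
        -keyout "$1/privkey.pem" -out "$1/cert.pem" 2>/dev/null
}

# Usage: sh james-keystore.sh /etc/letsencrypt/live/mail1.example.com /path/to/mail1.keystore [alias] [password]
main() {
    live=$1; jks=$2; alias=${3:-james}; pass=${4:-changeit}
    p12=$(mktemp)
    make_pkcs12 "$live" "$p12" "$alias" "$pass"
    pkcs12_to_jks "$p12" "$jks" "$alias" "$pass"
    rm -f "$p12"
    echo "$jks is a $(keystore_format "$jks") store"
    keytool -list -keystore "$jks" -storetype JKS -storepass "$pass"
    smtpserver_block 465 true false "file://$jks" "$pass"
}
if [ $# -ge 2 ]; then main "$@"; fi
```

Run it with the certbot live directory and the destination keystore path; the last line it prints is the port-465 block to paste inside <smtpservers>, and the same function with `587 false true` or `25 false false` gives the STARTTLS and plaintext blocks.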