Kohei Nozaki's blog 

Configuring James to use SSL


Posted on Saturday Feb 07, 2015 at 12:07AM in Technology


Environment

  • Apache James 3.0.0beta5-SNAPSHOT

  • Oracle JDK8u31

  • CentOS 6.5

Requirement

  • Listening IMAPS at 993

  • Listening SMTPS at 465 (for mail client)

  • Listening SMTP at 25 (for accepting connection from other SMTP server. STARTTLS enabled)

  • Expose these ports with forwarding by iptables

Put Java KeyStore

I put it at $JAMES_HOME/conf/mykeystore.jks. Check this posting for how to create the Java KeyStore.

Configuring IMAPS

  1. Change port number in bind element as follows:

    <bind>0.0.0.0:10993</bind>
  2. Edit tls element as follows:

    <tls socketTLS="true" startTLS="false">
     <keystore>file://conf/mykeystore.jks</keystore>
     <secret>PASSPHRASE</secret>
     <provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
    </tls>

    I guess I don’t have the BouncyCastleProvider class in my classpath, but it works.

Configuring SMTPS

  1. Make a whole copy of smtpserver element in smtpserver.xml.

  2. Change jmxName element of second smtpserver element:

    <jmxName>smtpsserver</jmxName>
  3. Change port number in bind element as well:

    <bind>0.0.0.0:10465</bind>
  4. Edit tls element too:

    <tls socketTLS="true" startTLS="false">
     <keystore>file://conf/mykeystore.jks</keystore>
     <secret>PASSPHRASE</secret>
     <provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
     <algorithm>SunX509</algorithm>
    </tls>
  5. Enabling the following setting is also required for some mail clients such as Apple Mail:

    <authRequired>announce</authRequired>

Configuring SMTP

Edit the tls element inside the first smtpserver element, setting startTLS to true:

<tls socketTLS="false" startTLS="true">
 <keystore>file://conf/mykeystore.jks</keystore>
 <secret>PASSPHRASE</secret>
 <provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
 <algorithm>SunX509</algorithm>
</tls>
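The bind and tls edits above are easy to get wrong: the copied smtpserver keeps its old jmxName, STARTTLS stays off on port 10025, or the placeholder secret is left in. The following Python script is an added example (not part of this post or of James) that reads an imapserver.xml or smtpserver.xml and flags those slips; it assumes the file's root element wraps the individual smtpserver/imapserver elements, each carrying jmxName, bind and tls as shown above, and the sample XML is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Expected (socketTLS, startTLS) per bound port, following the layout above:
# implicit TLS for IMAPS and SMTPS, STARTTLS offered on plain SMTP.
EXPECTED = {10993: ("true", "false"), 10465: ("true", "false"), 10025: ("false", "true")}

def check_servers(xml_text):
    """Return the problems found in a James imapserver/smtpserver XML; [] means OK."""
    problems, seen_jmx = [], set()
    for server in ET.fromstring(xml_text):  # each <smtpserver> / <imapserver> child
        name = server.findtext("jmxName", default="(no jmxName)")
        if name in seen_jmx:  # a copied smtpserver block must get its own jmxName
            problems.append(f"{name}: duplicate jmxName")
        seen_jmx.add(name)
        bind = server.findtext("bind", default="")
        port = int(bind.rsplit(":", 1)[-1]) if ":" in bind else None
        tls = server.find("tls")
        if tls is None:
            problems.append(f"{name}: no <tls> element")
            continue
        mode = (tls.get("socketTLS", "false"), tls.get("startTLS", "false"))
        if mode == ("false", "false"):
            problems.append(f"{name}: port {port} accepts plaintext only")
        elif port in EXPECTED and mode != EXPECTED[port]:
            problems.append(f"{name}: port {port} has socketTLS/startTLS={mode}, "
                            f"expected {EXPECTED[port]}")
        if tls.findtext("secret", default="") in ("", "PASSPHRASE"):
            problems.append(f"{name}: keystore secret is empty or a placeholder")
    return problems

# Constructed sample: the SMTP + SMTPS pair from the post, with three slips:
# STARTTLS never enabled on 10025, jmxName not changed on the copy, and the
# placeholder secret left in place.
SAMPLE = """<smtpservers>
  <smtpserver enabled="true">
    <jmxName>smtpserver</jmxName>
    <bind>0.0.0.0:10025</bind>
    <tls socketTLS="false" startTLS="false"><secret>s3cret</secret></tls>
  </smtpserver>
  <smtpserver enabled="true">
    <jmxName>smtpserver</jmxName>
    <bind>0.0.0.0:10465</bind>
    <tls socketTLS="true" startTLS="false"><secret>PASSPHRASE</secret></tls>
  </smtpserver>
</smtpservers>"""

print(*check_servers(SAMPLE), sep="\n")
```

Run it against the real $JAMES_HOME/conf files by passing their contents to check_servers instead of SAMPLE.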

Delete a Mailet from mailetcontainer.xml

There’s a Mailet which needs to be removed when you use SMTP auth. This solves the problem of getting "Storing mail … in file://var/mail/relay-denied/". So delete the following fragment from $JAMES_HOME/conf/mailetcontainer.xml:

<mailet match="RemoteAddrNotInNetwork=127.0.0.1" class="ToProcessor">
  <processor>relay-denied</processor>
  <notice>550 - Requested action not taken: relaying denied</notice>
</mailet>

In my case, a class named AuthRequiredToRelayRcptHook prevents open relay even without that Mailet.

Configuring iptables

An example follows. Write it to /etc/sysconfig/iptables and issue sudo service iptables restart.

*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp --dport 25 -j DNAT --to-destination :10025
-A PREROUTING -i eth0 -p tcp --dport 465 -j DNAT --to-destination :10465
-A PREROUTING -i eth0 -p tcp --dport 993 -j DNAT --to-destination :10993
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 10025 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 10465 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 10993 -j ACCEPT
COMMIT

Open relay check of SMTP server

Just in case, do it with a testing site like http://www.aupads.org/test-relay.html.



Comments:

Why is it that we need a separate smtp server for SSL connections? Why not just have one that supports it?

Posted by Matthew Delaney on January 20, 2018 at 03:15 AM JST #
