James Email Server 3 with Let's Encrypt


#1

Hello. I have an issue with James email server 3. I want to make it work over TLS, and for this it needs a certificate; the official documentation says that the user must provide a keystore with a signed certificate in JKS format. I have a Let's Encrypt certificate generated with certbot for my site. I tried to convert it into the needed format and did so, and I can even connect to the James SMTP port over TLS. But when I connect to the James secured SMTP port I see the certificate and other information, and I have doubts about the line which says “Verify return code: 21 (unable to verify the first certificate)”. And when I send an email to, for example, gmail.com, it says that the message isn't encrypted. So what can I do in this situation?


#2

I believe by default, if you’re using OpenSSL’s s_client to connect, it needs you to specify the default certificate bundle to use for verification. You can read a bit about that at https://www.pistolfly.com/weblog/en/2015/01/testing-ssl-certificate-with-openssl.html

For the Google badge, it’s a little different. You don’t need a certificate on your side. You do need to configure your mail system to connect to Google’s using TLS. For that, you will need to check the documentation on your mail system and figure out how to enable that.

Edit: Assuming I found the right documentation, if you look at the RemoteDelivery section at https://james.apache.org/server/dev-provided-mailets.html you need to potentially set startTLS and sslEnable to true.


#3

hi @motoko

I am going to disagree on one point. You should not provide an Intermediate Cert in my opinion.

The server should do this. If you are testing with an intermediate cert you are making an assumption that clients outside your network will have this.

I do agree that you need to provide a root CA bundle so the chain of trust can be built.

Andrei


#4

I think the certificate bundle @motoko is referring to is a root certificate store. We saw at least on Windows that you might need to tell openssl which root CAs to trust because it may not have an OS-provided trusted root certificate store available.


#5

Sorry for being unclear. I did mean a root certificate bundle. Testing using the Let’s Encrypt provided roots and intermediate directly won’t pick up some common misconfiguration issues.

Most Linux systems will have a root certificate bundle. OS X has one located at /etc/ssl/cert.pem for newer versions (the paths in the linked article are for older OS X versions). Windows doesn’t have one, but you also have to install OpenSSL tools manually there anyway.

If you’re not sure what to use, or want to make sure you’re using something up-to-date, the developers of the cURL library and tool have a file that mirrors the root certificates included in Firefox at https://curl.haxx.se/docs/caextract.html. Just download the latest cacert.pem and use that for the CAfile when verifying.


#6

hi @motoko and @schoen

Thanks for clarifying :smiley:

Andrei


#7

Thanks for your reply. But I have already enabled the sslEnable option. And second, the email sending flow is: UI -> JavaApp -> JamesMailServer -> Gmail. I need to send the message to JamesMailServer over SSL, and it must send the email to Google over SSL. So I need a certificate provided by JamesMailServer to connect to it over SSL.


#8

No, you do not.

If you are using SMTP over SSL, Google will provide the certificate for you.

You will need to make sure that James Email Server can use these certificates.

You can OPTIONALLY submit a client certificate as a secondary method of authentication, but this is not a requirement from Google; it's an option.

https://support.google.com/a/answer/2520500?hl=en

https://support.google.com/a/answer/176600?hl=en

Andrei


#9

@ahaw021 is right: in TLS the certificate is (usually!) provided by the server, not the client. Thus when you connect to Gmail (delivering e-mail from your site to Gmail), Gmail provides the certificate. When Gmail connects to you (delivering e-mail from Gmail to your site), you provide the certificate.

In order to have secure e-mail in both directions, two different certificates will be used. :slight_smile:

Although TLS does also support the concept of client certificates, they are very rarely used and almost never for public Internet services like e-mail. As an additional complexity, most mail software has historically not even verified the certificates on the STARTTLS command because the old standard defining it said that certificates should not be verified in this context. This is changing, but I think rather slowly.


#10

Thanks for the answer. If I want to send email to my own mail server, it must provide a certificate to me. How do I integrate a Let's Encrypt certificate with James email server, which needs JKS certificate keystores?


#11

You can use the java keytool command and the openssl tool to import the certificate components into a java keystore (jks) file. Because keytool can’t import private keys directly, you’ll need to first create a PKCS #12 file from the pem files created by certbot or the tool you are using. The command will look similar to the following:

openssl pkcs12 -export -out keystore.p12 -inkey privkey.pem -in cert.pem -certfile chain.pem

Remember the password you used at the prompt; it will be needed for the second step. For illustration purposes I used the password “1234”, and you'll see that in the next command.

You can then take the “keystore.p12” file and convert it into a java keystore file with a command like the following:

keytool -importkeystore -deststorepass changeme -destkeypass changeme -destkeystore keystore.jks -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass 1234

Obviously you will want to use different passwords in the second command.

In the documentation, it looks like you can specify a store type. It’s worth trying to set a type of “PKCS12” instead of “JKS” and just use the file made with the first command. If that works, you can avoid the second step completely.
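As an added example (not code from this thread, from certbot or from the Apache James project), the following POSIX shell script ties together the two points made in this thread: the verification point from #2/#5 (an `openssl` client needs a trusted root bundle via `-CAfile`, and the server must send the intermediate, or the chain cannot be built) and the two-step conversion from #11 (`openssl pkcs12 -export`, then `keytool -importkeystore`). It builds a throwaway root → intermediate → leaf chain with `openssl` so that it runs offline, checks the chain with and without the root bundle and the intermediate, then packages the key and chain into a PKCS #12 file and, only if `keytool` is installed, converts it to JKS. The "Example Root" / "Example Intermediate" names, mail.example.test, the file names and the passwords 1234 and changeme are all constructed for the example.

```shell
#!/bin/sh
# Added example; not code from the thread or from the Apache James project.
# Everything is constructed: a throwaway root CA, an intermediate and a leaf
# certificate standing in for certbot's privkey.pem / cert.pem / chain.pem, plus the
# passwords 1234 and changeme copied from the post above.
set -eu

WORK="$(mktemp -d)"

# Root -> intermediate -> leaf, the same shape as a Let's Encrypt chain: the root is
# expected to live in the client's trust bundle, the intermediate must be sent by the
# server, and certbot's chain.pem is exactly that intermediate.
build_chain() {
  cd "$WORK"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'subjectAltName=DNS:mail.example.test\n' > leaf.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root" \
    -keyout root.key -out root.csr 2>/dev/null
  openssl x509 -req -in root.csr -signkey root.key -set_serial 1 -days 1 \
    -extfile ca.ext -out root.pem 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
    -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -set_serial 2 -days 1 \
    -extfile ca.ext -out chain.pem 2>/dev/null        # plays the role of certbot's chain.pem
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
    -keyout privkey.pem -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA chain.pem -CAkey inter.key -set_serial 3 -days 1 \
    -extfile leaf.ext -out cert.pem 2>/dev/null       # plays the role of certbot's cert.pem
}

# The same path-building check s_client performs: a trusted root bundle (-CAfile)
# and the intermediate offered by the server are both needed. Drop either one and
# the chain cannot be completed, which is the situation behind a verify error.
verify_status() {   # usage: verify_status <root-bundle> [intermediate]
  cd "$WORK"
  if [ $# -ge 2 ]; then
    openssl verify -CAfile "$1" -untrusted "$2" cert.pem >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$1" cert.pem >/dev/null 2>&1 && echo ok || echo fail
  fi
}

# No root bundle at all (a bare openssl on a platform without a system bundle):
# fails even though the intermediate is present.
verify_without_roots() {
  cd "$WORK"
  openssl verify -no-CAfile -no-CApath -untrusted chain.pem cert.pem >/dev/null 2>&1 && echo ok || echo fail
}

# Post #11, step 1: private key + leaf + intermediate into one PKCS #12 file.
make_p12() {
  cd "$WORK"
  openssl pkcs12 -export -out keystore.p12 -inkey privkey.pem -in cert.pem \
    -certfile chain.pem -name james -passout pass:1234
}

# Number of certificates inside the PKCS #12 file; leaf + intermediate gives 2.
p12_cert_count() {
  cd "$WORK"
  openssl pkcs12 -in keystore.p12 -passin pass:1234 -nokeys -nodes 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Post #11, step 2, run only when a JDK is present. Since Java 9 keytool defaults
# to PKCS12, so -deststoretype JKS is needed to really get a JKS file.
make_jks() {
  cd "$WORK"
  command -v keytool >/dev/null 2>&1 || { echo "skipped (no keytool)"; return 0; }
  keytool -importkeystore -noprompt -deststoretype JKS \
    -deststorepass changeme -destkeypass changeme -destkeystore keystore.jks \
    -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass 1234 >/dev/null 2>&1
  keytool -list -keystore keystore.jks -storepass changeme 2>/dev/null | grep -q PrivateKeyEntry && echo ok
}

build_chain
make_p12
JKS_RESULT="$(make_jks || echo "keytool failed")"

echo "leaf only, trusted root given:       $(verify_status root.pem)"
echo "leaf + intermediate, trusted root:   $(verify_status root.pem chain.pem)"
echo "leaf + intermediate, no root bundle: $(verify_without_roots)"
echo "certificates in keystore.p12:        $(p12_cert_count)"
echo "JKS conversion:                      $JKS_RESULT"
```

The first verification line is the one to watch when debugging a mail server: it fails because only the leaf was presented, which is what happens when the keystore holds cert.pem but not chain.pem. Bundling chain.pem into the PKCS #12 file with `-certfile`, as the post's first command does, is what lets James send the intermediate to connecting clients; the trusted root itself never goes into the keystore, it is found in the client's bundle.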


#12

Thanks, I will try to do this.

