James 1.2.1 - Using TLS

This document explains how to enable JAMES 1.2.1 to use Transport Layer Security (TLS) (ie SSL).

Obtain JSSE

Obtain JSSE source from java.sun.com. Follow their installation directions. We assume that you install JSSE as a standard extension, with a static provider definition. (See notes with JSSE distribution)

Note that the US export restrictions still apply to JSSE (at version 1.0.2), so while both the international and domestic versions offer the same level of crypto, the international version does not take alternative providers.

Enable TLS

Using JAMES with TLS. You need to do three things over and above the normal operation of James:

  • In Avalon.conf.xml, uncomment the TLS listener defintion.
  • In JAMES.conf.xml, uncomment the <useTLS>TRUE</useTLS> element for the service you want to use TLS. It is currently available for remote manager and POP3. (If using POP3 over TLS, it is probably best to change port to 995, which is the IANA designated POP3S port).
  • Ensure that avalonTestKeys is in the conf directory. You may need to manually extract this from the Avalon.jar (with: jar xvf Avalon.jar conf/avalonTestKeys). Note that this is a self-signed certificate for test purposes only. You can specify a different server certificate in the Avalon.conf.xml file.

Start James

Verify TLS-enabled JAMES

(Positive Test) Use an SSL client to open a socket to the appropriate port. I used openssl from www.openssl.org to test this. E.g. openssl s_client -connect localhost:4555. You should see the normal remote manager or POP3 server greeting and have normal operation.
- If, using openssl s_client, you get a connection refused/ error no 111, just try again. This probably means you got to the port before it was ready.

(Negative Test) telnet to port 4555 (ie without SSL). This should hang the telnet client. It should also lock port 4555 until the connection times out, I think.