Email Server SSL Connection Problem

[pablocaamano]

Hi Everybody,

I hope everyone is fine!

I am just trying to make ESJ work with Exchage 10 using SSL.

I followed Deploying an E-Mail System in Secured Mode Procedure of eSerice Deployment guide but it still not working.

I really hope anybody could help me with that.

Here is the configurarion of ESJ:

[pop-client]
address=genesys@_domain
allow-bad-msg-size=FALSE
connect-timeout=00:05:00
cycle-time=00:00:30
delete-bad-formatted-msg=FALSE
delete-big-msg=FALSE
enable-big-msg-stripping=TRUE
enable-client=TRUE
enable-debug=FALSE
endpoint=default
leave-msg-on-server=true
mailbox=genesys
maximum-msg-number=500
maximum-msg-size=5
password=_the_password
pop-connection-security=ssl-tls
port=993
protocol-timeout=00:05:00
server=_the_server
type=IMAP

As Doccumentation suggested I have also include -Djavax.net.ssl.trustStore parameter in JavaEmailServerDriver.ini file.

The .truststore file was generated by client, he also generate a .cer file.
If I try to connect using Thunderbird everything is ok (I know thunderbird use the .cer file instead of .truststore, but al least I could say connectivity is OK)

Here is the emailserver error log:
17:46:04.109 Std 20015 [MsgIn-1] <pop-client> JavaMail Exception.
javax.mail.MessagingException: Unable to establish handshake using SSL - server may be expecting plain text connection;
  nested exception is:
javax.net.ssl.SSLException: Unable to establish handshake using SSL - server may be expecting plain text connection
at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:695)
at javax.mail.Service.connect(Service.java:381)
at com.genesyslab.icc.emailserver.MailDeliveryAgentImpl.openConnection(MailDeliveryAgentImpl.java:260)
at com.genesyslab.icc.emailserver.InboundMessagingClient$SessionRunLoop.retrieveMessages(InboundMessagingClient.java:1121)
at com.genesyslab.icc.emailserver.InboundMessagingClient$SessionRunLoop.run(InboundMessagingClient.java:993)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at com.genesyslab.util.concurrent16.NamedThreadFactory$1.run(NamedThreadFactory.java:55)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLException: Unable to establish handshake using SSL - server may be expecting plain text connection
at com.sun.mail.util.SocketFetcher.getSocket(SocketFetcher.java:245)
at com.sun.mail.iap.Protocol.<init>(Protocol.java:116)
at com.sun.mail.imap.protocol.IMAPProtocol.<init>(IMAPProtocol.java:121)
at com.sun.mail.imap.IMAPStore.newIMAPProtocol(IMAPStore.java:710)
at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:659)
... 8 more

17:46:04.109 Dbg 23005 [MsgIn-1] <pop-client> Inbound messaging client finished.

Any idea?
Is any way I could verify .truststore file?

Thanks and regards.

[cavagnaro]

Import via the import tool ESJ has on it

[Kubig]

You can check it via standard keytool utility which is provided by Java in general - on internet you can find many step-by-step description how to do it. In other hand, you can enable debugging on IMAP/POP3 protocol level to be able to track the communication between exchange server and ESJ as the client. from the posted log it seems that the used certs not matching or something like that.

[pablocaamano]

Hi kubig,

As far as I could check using keytool, the .truststore I generated (based on .cer) is ok.

Here are the keytool print:
Tipo de almacÚn de claves: JKS
Proveedor de almacÚn de claves: SUN

Su almacÚn de claves contiene entrada 1

exchub01.bancocomercial.com.uy, 01/12/2015, trustedCertEntry,
Huella digital de certificado (MD5): 9D:AF:2F:74:1F:46:57:F4:00:44:2D:E3:1F:16:D
5:F3

(Sorry it is in spanish).

In the JavaEmailServerDriver.ini, the -Djavax.net.ssl.trustStore have to point to .truststore, the path have to include .truststore (file extension)?

I have no idea what else I could check...

[pablocaamano]

[quote author=cavagnaro link=topic=9238.msg41597#msg41597 date=1448918490]
Import via the import tool ESJ has on it
[/quote]

Hi Cavagnaro,
Where can I find import ESJ tool? I searched in installation directory and further inside and I did not find it.
Thanks.

[cavagnaro]

It is the tool you mentioned. Read the documentation and it describes how to do the import.
Or search about java and certificates

[pablocaamano]

As far as I know, ESJ does not have keytool on it. Keytool is a JAVA tool, it does not came with ESJ distribution. Am I correct?

As I mentioned before I have used keytool to import the certificate, I used the keytool from a JAVA distribution that I have installed on my server...

[cavagnaro]

You are right, just checked my ESJ new folders.

Please check my oneNote "notes" about this
[url=http://www.filedropper.com/casodesslenimap4pop3paraemailocualquieraqueusejava]http://www.filedropper.com/casodesslenimap4pop3paraemailocualquieraqueusejava[/url]

[pablocaamano]

Thanks very much Cavagnaro!!

With the .java you shared and the procedure, I was able to add the certificate to my keystore! Definitely I was making some mistake with keytool...
Now it is working okay.
Just for the record, I chose to add the generated truststore to java home directory.

Thanks again!!

Regards,
Pablo.

[rifai]

Dear Pablo,

I am facing the same problem in ESJ dat the server requires plain text connection.  Can you share the steps or procedures which you had done in your ESJ configuration.  Please share that .java too as well

[Kubig]

You can try the Java parameters:

-Dmail.imap.auth.plain.disable

Check the java doc for these parameters.

[cavagnaro]

My procure is there, shared, ready to be downloaded... Can't you read a post above? Arrgggggg how I hate lazy people like this

[rifai]

Yes, I did and I am unable to download the file which u have shared provided the link.  Can you let me know where should i configure or add this

-Dmail.imap.auth.plain.disable

[pablocaamano]

Hi rifai,

Please follow instructions shared by cavagnaro, there you will find everything you need to achieve the connection implementing SSL.
I follow this instructions and Deploying an E-Mail System in Secured Mode Procedure of eService Deployment guide.

If you have any question please post it here.

[Kubig]

Little bit more effort please. Because of the value is Java based, it is necessary to configure it on init level - so, it means on init file level (on Windows platform) or sh file level (on linux platform). It is described in any documentation and of course, it is standard Java-based, nothing special about Genesys itself.