TLS (aka SSL) support in Jsmtpd

TLS/SSL is an encryption mechanism over sockets that uses signed certificates. It allows a client to talk to Jsmtpd over a secured channel. In basic SMTP, mail is delivered in plain text. Jsmtpd supports the STARTTLS command: the session between client and server starts in the clear, then the client asks to switch to the encrypted layer, and the rest of the session takes place over the secured channel.

Note:

Applies to the current development version.

Keystore

Java provides a keystore mechanism to hold your certificates, and Jsmtpd uses it. A keystore is protected by a password. Sun's Java RE includes the keytool program to manage your keystores.

Creating a certificate

cd to jsmtpd/etc

keytool -genkey -alias jsmtpd -keyalg RSA -keystore keystore

This generates a file (the keystore) containing an RSA key pair under the alias jsmtpd. The keytool program asks for:

  • keystore password: choose one
  • distinguished name / common name (CN): set this to the DNS name of your server, for example smtp.jsmtpd.org
  • organisation unit
  • organisation
  • city
  • state
  • country
  • a password for the key (press enter to use the same as the keystore)

Your keystore is now ready. Next, choose between:

  • buying a certificate from a certificate authority (CA) such as Verisign or Thawte
  • creating a self-signed certificate

You can see what is in a keystore with:

keytool -list -keystore keystore -rfc

Self signed Certificate

cd to jsmtpd/etc

keytool -selfcert -keystore keystore -alias jsmtpd -keyalg RSA

When a client connects to a server that uses a self-signed certificate, it will warn that the certificate is not signed by a trusted CA. You can export the server's certificate and install it on the clients:

keytool -export -alias jsmtpd -file jsmtpd-server.cer -keystore keystore

This writes the certificate to jsmtpd-server.cer, which you then import on your clients.

Import a CA signed certificate

pending

Configuration

pending

Restart your jsmtpd daemon.

Multiple Certificates

You can repeat the steps in "Creating a certificate" and "Self signed Certificate" to use multiple certificates.

Configuring clients

  • Outlook

Tools > Accounts. On your mail account, go to Advanced and, under SMTP, tick "This server requires a secure connection (SSL)".

  • Evolution
  • Thunderbird

Configure Jsmtpd

Locate the smtpExtension element in etc/jsmtpd-plugin-config.xml and add something like:

    <smtpExtension name="tls" class="org.jsmtpd.plugins.smtpExtension.TLSSwitcher">
        <propertyset name="KeystoreName" value="keystore"/>
        <propertyset name="KeystorePassword" value="demodemo"/>
    </smtpExtension>

The property KeystoreName tells the plugin which keystore to use (it must be on the classpath; etc/ is a good place). KeystorePassword is your keystore password.
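Once the plugin is configured and the daemon restarted, you can check from a client machine that Jsmtpd advertises STARTTLS and presents the certificate you exported with keytool. The script below is an added example, not part of Jsmtpd; it assumes the exported jsmtpd-server.cer is in the current directory, that the CN matches the host name you connect to, and that the server listens on port 25.

```python
import smtplib
import ssl


def starttls_advertised(ehlo_reply: bytes) -> bool:
    """True if the multi-line 250 reply to EHLO lists the STARTTLS extension.
    The first line is the server's greeting; each following line names one extension."""
    for line in ehlo_reply.splitlines()[1:]:
        tokens = line.strip().upper().split()
        if tokens and tokens[0] == b"STARTTLS":
            return True
    return False


def cert_to_cadata(raw: bytes):
    """Return the exported certificate in the form load_verify_locations(cadata=...) expects.
    keytool -export writes binary DER unless -rfc is given: PEM must be passed as str, DER as bytes."""
    if raw.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return raw.decode("ascii")
    return raw


def make_context(cafile: str) -> ssl.SSLContext:
    """Trust only the certificate exported from the Jsmtpd keystore (no system CAs),
    verify the host name against its CN/SAN and refuse anything older than TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # check_hostname=True, CERT_REQUIRED by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with open(cafile, "rb") as f:
        ctx.load_verify_locations(cadata=cert_to_cadata(f.read()))
    return ctx


def check_starttls(host: str, port: int = 25, cafile: str = "jsmtpd-server.cer") -> dict:
    """Connect in the clear, require STARTTLS in the EHLO reply, upgrade the session,
    and return the peer certificate that was accepted under the pinned trust store."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        code, reply = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO failed: {code} {reply!r}")
        if not starttls_advertised(reply):
            raise RuntimeError("server does not advertise STARTTLS; check the smtpExtension entry")
        smtp.starttls(context=make_context(cafile))  # fails if the cert or host name does not match
        return smtp.sock.getpeercert()


if __name__ == "__main__":
    import sys
    # Host name is an assumption; pass your server's CN as the first argument.
    cert = check_starttls(sys.argv[1] if len(sys.argv) > 1 else "smtp.jsmtpd.org")
    print("STARTTLS OK, certificate subject:", cert.get("subject"))
```

If the handshake fails with a certificate verify error, the exported file does not match the key under the jsmtpd alias or the CN does not match the host name you connected to.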