james分布式版本部署二

一些配置

OpenSearch

OpenSearch 要确保把SSL访问关闭，且安全认证取消，不然James是无法访问的。

docker

如果通过命令 docker exec -it opensearch bash 进入到 OpenSearch 客户端，运行命令

#进入到 OpenSearch 客户端
docker exec -it opensearch bash
vi /config/opensearch.yml
#修改配置信息如下：
network.host: 0.0.0.0
#放开，去掉注释，注意格式，空格
discovery.type: single-node
#新增
plugins.security.disabled: true
plugins.security.ssl.http.enabled: false

退出容器

使用 exit 或 Ctrl + D 退出并停止容器。
使用 Ctrl + P + Q 退出但不停止容器。
使用 docker ps 检查容器状态

重启容器

1	docker restart opensearch

手动

手动安装的OpenSearch无需配置，在前面安装的时候已经配置好了

DNS 配置

添加以下配置可以成功发送Gmail邮箱，否则会被Gmail退信

添加或更新 SPF 记录：在你的域的 DNS 管理界面中，添加或更新 SPF 记录（即添加TXT解析）
以包含发件 IP 地址 x.x.x.x。以下是一个示例 SPF 记录：
添加TXT解析，名称为@ 值为：v=spf1 a mx ip4:x.x.x.x -all
添加TXT解析，名称为mail 值为：v=spf1 a mx ip4:x.x.x.x -all
添加A解析，名称为mail 值为：服务器ip
v=spf1 表示这是一个 SPF 记录。
ip4:x.x.x.x 允许 x.x.x.x 代表域名.后缀发送邮件。
-all 表示仅允许明确列出的 IP 地址发送邮件，其他 IP 地址将被拒绝。

验证 SPF 记录是否生效：等待 DNS 记录生效（通常几分钟到 48 小时），在服务器中输入命令

dig +short TXT 域名.后缀
#示例
root@mail-test:/data/james/james382/conf# dig +short TXT 域名.后缀
"pf1 a mx ip4:x.x.x.x  -all"
root@mail-test:/data/james/james382/conf#

配置 DMARC

添加 DMARC 记录到 DNS：在你的 DNS 中添加 DMARC TXT 记录
名称：_dmarc
值例如：

1	v=DMARC1; p=quarantine; rua=mailto:postmaster@域名.后缀; pct=100; adkim=s; aspf=s

p=reject 表示未通过 SPF/DKIM 的邮件将被拒收。
rua=mailto:dmarc-reports@域名.后缀表示将 DMARC 报告发送到指定邮箱

验证 DMARC 是否生效

mxtoolbox

输入域名（域名.后缀），点击MX Lookup验证

nginx配置文件参考

root@mail:/# nginx -v
nginx version: nginx/1.18.0 (Ubuntu)
root@mail:/# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
root@mail:/#

这个是配置文件路径： /etc/nginx/nginx.conf 下面是配置

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;

        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}


#mail {
#       # See sample authentication script at:
#       # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# 
#       # auth_http localhost/auth.php;
#       # pop3_capabilities "TOP" "USER";
#       # imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
#       server {
#               listen     localhost:110;
#               protocol   pop3;
#               proxy      on;
#       }
# 
#       server {
#               listen     localhost:143;
#               protocol   imap;
#               proxy      on;
#       }
#}

查看后发现不对，切换路径

cd /etc/nginx/sites-available
root@mail:/etc/nginx/sites-available# ls
default
root@mail:/etc/nginx/sites-available# cat default

输出如下

# 全局 HTTPS 重定向配置
server {
    listen 80;
    server_name 域名.ai www.域名.ai www.域名.com backend.域名.com 域名.com 域名.ai www.域名.ai teman.域名.ai;
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# 配置官网静态文件服务
server {
    listen 443 ssl;
    server_name temail.ai www.域名.ai;
    ssl_certificate /etc/letsencrypt/live/temail.ai/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/temail.ai/privkey.pem; # managed by Certbot

    root /data/apps/website;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }


}

# 配置邮箱客户端前端服务
server {
    listen 443 ssl;
    server_name www.域名.com 域名.com;

    ssl_certificate     /etc/letsencrypt/live/mail.域名.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mail.域名.com/privkey.pem;

    root /data/apps/webmail/dist;
    index index.html;

    # 自定义错误页面配置
    error_page 404 /index.html;

    location / {
        try_files $uri $uri/ =404;
    }
    # 处理自定义 404 页面
    location = /404.html {
        root /data/apps/webmail;
        internal;
    }
}

# 配置邮箱后台服务
server {
    listen 443 ssl;
    server_name teman.域名.ai;

    ssl_certificate     /etc/letsencrypt/live/teman.域名.ai/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/teman.域名.ai/privkey.pem;

    root /data/apps/webadmin/dist;
    index index.html;

    # 自定义错误页面配置
    error_page 404 /index.html;

    location / {
        try_files $uri $uri/ =404;
    }
    # 处理自定义 404 页面
    location = /404.html {
        root /data/apps/webadmin;
        internal;
    }
}

# 配置邮箱客户端后端服务
server {
    listen 443 ssl;
    server_name backend.域名.com;
    client_max_body_size 30M;

    ssl_certificate     /etc/letsencrypt/live/mail.域名.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mail.域名.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:6001;  # 转发到本地监听的服务
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

测试服配置示例，共启用了
home.kretest.com
www.kretest.com
backend.kretest.com
kretest.com
teman.kretest.com
mail.kretest.com
这些域名，可以先提前解析好，后面生成证书的时候需要用到

# 全局 HTTPS 重定向配置
server {
    listen 80;
    server_name home.kretest.com www.kretest.com  backend.kretest.com kretest.com   teman.kretest.com;
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# 配置官网静态文件服务
server {
    listen 443 ssl;
    server_name home.kretest.com;
    ssl_certificate /etc/letsencrypt/live/mail.kretest.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mail.kretest.com/privkey.pem; # managed by Certbot

    root /data/apps/website;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }


}

# 配置邮箱客户端前端服务
server {
    listen 443 ssl;
    server_name www.kretest.com kretest.com;

    ssl_certificate     /etc/letsencrypt/live/mail.kretest.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mail.kretest.com/privkey.pem;

    root /data/apps/webmail/dist;
    index index.html;

    # 自定义错误页面配置
    error_page 404 /index.html;

    location / {
        try_files $uri $uri/ =404;
    }
    # 处理自定义 404 页面
    location = /404.html {
        root /data/apps/webmail;
        internal;
    }
}

# 配置邮箱后台服务
server {
    listen 443 ssl;
    server_name teman.kretest.com;

    ssl_certificate     /etc/letsencrypt/live/mail.kretest.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mail.kretest.com/privkey.pem;

    root /data/apps/webadmin/dist;
    index index.html;

    # 自定义错误页面配置
    error_page 404 /index.html;

    location / {
        try_files $uri $uri/ =404;
    }
    # 处理自定义 404 页面
    location = /404.html {
        root /data/apps/webadmin;
        internal;
    }
}

# 配置邮箱客户端后端服务
server {
    listen 443 ssl;
    server_name backend.kretest.com;
    client_max_body_size 30M;

    ssl_certificate     /etc/letsencrypt/live/mail.kretest.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mail.kretest.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:6001;  # 转发到本地监听的服务
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

修改后重启nginx

1	sudo systemctl restart nginx

安装 James

James 下载地址：https://dlcdn.apache.org/james/server/3.8.2/james-server-distributed-guice.zip

如果链接无法访问，可能是官方更新了版本，浏览器访问 https://dlcdn.apache.org/james/server/ 查看版本

1	wget https://dlcdn.apache.org/james/server/3.8.2/james-server-distributed-guice.zip

我之前下载james的安装包丢在home/james下面

mv james-server-distributed-guice.zip /data/james/
unzip james-server-distributed-guice.zip
root@mail-test:/data/james# ls
james-server-distributed-app  james-server-distributed-guice.zip
root@mail-test:/data/james# rm -rf james-server-distributed-guice.zip 
root@mail-test:/data/james# ls
james-server-distributed-app
root@mail-test:/data/james# mv james-server-distributed-app james382
root@mail-test:/data/james# ls
james382
root@mail-test:/data/james#

配置 james

ssl证书方式（推荐）

证书安装

1 2	sudo apt update sudo apt install certbot python3-certbot-nginx

在申请证书前，请确保要申请的域名（例如 example.com 或 www.example.com ）已经解析到服务器的 IP 地址，否则验证会失败

1	sudo certbot --nginx -d xx.com -d mail.xx.com -d www.xx.com

有几个域名就-d几次,根据上面nginx配置的域名示例

1	sudo certbot --nginx -d home.kretest.com -d www.kretest.com -d backend.kretest.com -d kretest.com -d mail.xx.com -d teman.kretest.com

可能报错一：

这里执行报nginx相关的错误，启动nginx报错，80端口被占用

root@mail-test:/etc/letsencrypt# sudo lsof -i :80
COMMAND      PID     USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
google_gu 548101     root    3u  IPv4 2625353      0t0  TCP mail-test.us-west1-b.c.atouch-live-20240921.internal:54170->metadata.google.internal:http (ESTABLISHED)
google_os 553385     root    3u  IPv4 2630491      0t0  TCP mail-test.us-west1-b.c.atouch-live-20240921.internal:48900->metadata.google.internal:http (ESTABLISHED)
apache2   597884     root    4u  IPv6 2813783      0t0  TCP *:http (LISTEN)
apache2   597886 www-data    4u  IPv6 2813783      0t0  TCP *:http (LISTEN)
apache2   597887 www-data    4u  IPv6 2813783      0t0  TCP *:http (LISTEN)

google_gu 和 google_os：
这些进程是 Google Cloud 的元数据服务客户端，用于与 Google Cloud 的元数据服务器 (metadata.google.internal) 通信。
它们使用的是出站连接（从你的服务器到 Google 的元数据服务器），而不是监听 80 端口。因此，它们不会影响 Nginx 启动。
可以忽略这些进程。
apache2：
apache2 是 Apache HTTP 服务器，它正在监听 80 端口（TCP *:http 表示监听所有 IPv4 和 IPv6 地址的 80 端口）。
这是导致 Nginx 无法启动的原因，因为 Apache 已经占用了 80 端口。

sudo systemctl stop apache2          # 停止 Apache
sudo systemctl disable apache2       # 禁用 Apache，防止它开机自启
sudo systemctl start nginx
systemctl status nginx                 # 查看nginx启动状态

如果nginx已经启动成功，但是生成证书操作还报红色错误说nginx配置不对，则打开nginx配置文件，把所有关于ssl和443的配置注释掉再来执行生成证书操作。

可能报错二：

root@mail-test:/data/runTime/james/james382# sudo certbot --nginx -d home.kretest.com -d www.kretest.com -d backend.kretest.com -d kretest.com -d mail.kretest.com -d teman.kretest.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running nginx -c /etc/nginx/nginx.conf -t.

nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/home.kretest.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/home.kretest.com/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

The nginx plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running nginx -c /etc/nginx/nginx.conf -t.\n\nnginx: [emerg] cannot load certificate "/etc/letsencrypt/live/home.kretest.com/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(\'/etc/letsencrypt/live/home.kretest.com/fullchain.pem\',\'r\') error:2006D080:BIO routines:BIO_new_file:no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed\n')

这是因为之前nginx中配置了证书，但是现在找不到证书,这里先一撸到底，全删掉，等下又设置回来

# 全局 HTTPS 重定向配置
server {
    listen 80;
    server_name home.kretest.com www.kretest.com  backend.kretest.com kretest.com   teman.kretest.com;
    location /.well-known/acme-challenge/ {
        root /var/www/html;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

执行如下

root@mail-test:/etc/nginx/sites-available# sudo certbot --nginx -d home.kretest.com -d www.kretest.com -d backend.kretest.com -d kretest.com -d mail.kretest.com -d teman.kretest.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): xxx@gmail.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf. You must agree in
order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: a

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: n
Obtaining a new certificate
Performing the following challenges:

可能出现的问题，创建命令里面有多个域名，但是最终只生成出来了1个证书，这是因为申请的是一个多域名证书（SAN证书），即在一个证书中包含了多个域名的信息

Certbot 已生成 Let’s Encrypt 证书，路径如下：
• 公钥证书：/etc/letsencrypt/live/域名/fullchain.pem
• 私钥：/etc/letsencrypt/live/域名/privkey.pem

确保 James 用户对这些文件有读取权限

root@mail-test:/etc/nginx/sites-available# cd /etc/letsencrypt/live/mail.kretest.com
root@mail-test:/etc/letsencrypt/live/mail.kretest.com# ls
README  cert.pem  chain.pem  fullchain.pem  privkey.pem
root@mail-test:/etc/letsencrypt/live/mail.kretest.com# ll
total 12
drwxr-xr-x 2 root root 4096 Feb 13 08:34 ./
drwx------ 3 root root 4096 Feb 13 08:33 ../
-rw-r--r-- 1 root root  692 Feb 13 08:33 README
lrwxrwxrwx 1 root root   40 Feb 13 08:34 cert.pem -> ../../archive/mail.kretest.com/cert2.pem
lrwxrwxrwx 1 root root   41 Feb 13 08:34 chain.pem -> ../../archive/mail.kretest.com/chain2.pem
lrwxrwxrwx 1 root root   45 Feb 13 08:34 fullchain.pem -> ../../archive/mail.kretest.com/fullchain2.pem
lrwxrwxrwx 1 root root   43 Feb 13 08:34 privkey.pem -> ../../archive/mail.kretest.com/privkey2.pem
root@mail-test:/etc/letsencrypt/live/mail.kretest.com# cd ../../archive/mail.kretest.com/
root@mail-test:/etc/letsencrypt/archive/mail.kretest.com# ls
cert1.pem  cert2.pem  chain1.pem  chain2.pem  fullchain1.pem  fullchain2.pem  privkey1.pem  privkey2.pem
root@mail-test:/etc/letsencrypt/archive/mail.kretest.com# ll
total 40
drwxr-xr-x 2 root root 4096 Feb 13 08:34 ./
drwx------ 3 root root 4096 Feb 13 08:33 ../
-rw-r--r-- 1 root root 1773 Feb 13 08:33 cert1.pem
-rw-r--r-- 1 root root 1895 Feb 13 08:34 cert2.pem
-rw-r--r-- 1 root root 1801 Feb 13 08:33 chain1.pem
-rw-r--r-- 1 root root 1801 Feb 13 08:34 chain2.pem
-rw-r--r-- 1 root root 3574 Feb 13 08:33 fullchain1.pem
-rw-r----- 1 root root 3696 Feb 13 08:34 fullchain2.pem
-rw------- 1 root root 1704 Feb 13 08:33 privkey1.pem
-rw-r----- 1 root root 1704 Feb 13 08:34 privkey2.pem
root@mail-test:/etc/letsencrypt/archive/mail.kretest.com# sudo chmod 640 privkey2.pem 
root@mail-test:/etc/letsencrypt/archive/mail.kretest.com# sudo chmod 640 fullchain2.pem

sudo chmod 640 /etc/letsencrypt/live/域名/privkey.pem
sudo chmod 640 /etc/letsencrypt/live/域名/fullchain.pem

#检测组名是否存在
getent group james
#如果组名不存在则创建
sudo groupadd james

sudo chown root:james /etc/letsencrypt/live/域名/privkey.pem
sudo chown root:james /etc/letsencrypt/live/域名/fullchain.pem

在james项目的根目录新建文件夹encrypt，把生成的证书移动进来

mkdir encrypt
#mv /etc/letsencrypt/live/域名.com/privkey.pem /data/james/james382/encrypt/
#mv /etc/letsencrypt/live/域名.com/fullchain.pem /data/james/james382/encrypt/
chmod 777 encrypt

#注意要看看，/etc/letsencrypt/live/域名.com/下的证书是不是真的文件，如是一个相对路径的软连接，删除或者复制都无效了。那么则需要进入真实路径去复制或者移动

#cp -L /etc/letsencrypt/live/kretest.com/privkey.pem /data/james/james382/encrypt/
#cp -L /etc/letsencrypt/live/kretest.com/fullchain.pem /data/james/james382/encrypt/

cp 证书真实绝对路径  /data/james/james382/encrypt/
chmod 777 privkey.pem
chmod 777 fullchain.pem

示例

root@mail-test:/data/runTime/james/james382# cp /etc/letsencrypt/archive/mail.kretest.com/privkey2.pem /data/runTime/james/james382/encrypt/privkey.pem
root@mail-test:/data/runTime/james/james382# cp /etc/letsencrypt/archive/mail.kretest.com/fullchain2.pem /data/runTime/james/james382/encrypt/fullchain.pem
root@mail-test:/data/runTime/james/james382# cd encrypt/
root@mail-test:/data/runTime/james/james382/encrypt# ls
fullchain.pem  privkey.pem
root@mail-test:/data/runTime/james/james382/encrypt# chmod 777 privkey.pem
root@mail-test:/data/runTime/james/james382/encrypt# chmod 777 fullchain.pem

修改 James 配置

James默认配置文件在系统文件位于 ./conf 文件夹下

blob.properties

主要需要调整 ObjectStorage on S3 模块，将之前搭建好的 S3 服务器配置信息填上去

bjectstorage.s3.endPoint=https://xx-xx.s3.amazonaws.com/mail/ # S3 的读取器地址，换成自己的IP和端口
objectstorage.s3.bucketName=xx-xx（这个可能需要新增）
objectstorage.s3.region=us-east-1
objectstorage.s3.accessKeyId=accessKey1 # S3 的accessKey（创建的时候有指定）
objectstorage.s3.secretKey=secretKey1 # S3 的secretKey（创建的时候有指定）

修改后的blob.properties文件参考

# ============================================= BlobStore Implementation ==================================
# Read https://james.apache.org/server/config-blobstore.html for further details

# Choose your BlobStore implementation
# Mandatory, allowed values are: cassandra, s3
# *WARNING*: JAMES-3591 Cassandra is not made to store large binary content, its use will be suboptimal compared to
# alternatives (namely S3 compatible BlobStores backed by for instance S3, MinIO or Ozone)
implementation=s3

# ========================================= Deduplication ========================================
# If you choose to enable deduplication, the mails with the same content will be stored only once.
# Warning: Once this feature is enabled, there is no turning back as turning it off will lead to the deletion of all
# the mails sharing the same content once one is deleted.
# Mandatory, Allowed values are: true, false
deduplication.enable=false

# deduplication.family needs to be incremented every time the deduplication.generation.duration is changed
# Positive integer, defaults to 1
# deduplication.gc.generation.family=1

# Duration of generation.
# Deduplication only takes place within a singe generation.
# Only items two generation old can be garbage collected. (This prevent concurrent insertions issues and
# accounts for a clock skew).
# deduplication.family needs to be incremented everytime this parameter is changed.
# Duration. Default unit: days. Defaults to 30 days.
# deduplication.gc.generation.duration=30days

# ========================================= Encryption ========================================
# If you choose to enable encryption, the blob content will be encrypted before storing them in the BlobStore.
# Warning: Once this feature is enabled, there is no turning back as turning it off will lead to all content being
# encrypted. This comes at a performance impact but presents you from leaking data if, for instance the third party
# offering you a S3 service is compromised.
# Optional, Allowed values are: true, false, defaults to false
encryption.aes.enable=false

# Mandatory (if AES encryption is enabled) salt and password. Salt needs to be an hexadecimal encoded string
#encryption.aes.password=xxx
#encryption.aes.salt=73616c7479
# Optional, defaults to PBKDF2WithHmacSHA512
#encryption.aes.private.key.algorithm=PBKDF2WithHmacSHA512

# ========================================= Cassandra BlobStore Cache ======================================
# A cassandra cache can be enabled to reduce latency when reading small blobs frequently
# A dedicated keyspace with a replication factor of one is then used
# Cache eviction policy is TTL based
# Only blobs below a given threshold will be stored.
# To be noted that blobs are stored within a single Cassandra row, hence a low threshold should be used.

# Enable the cache? Optional and default to false. Must be a boolean.
cache.enable=false

# Cache eviction policy is TTL based. Optional and defaults to 7 days. Must be a duration.
# Valid units: ms, sec, min, hour, day, week, month, year
# cache.cassandra.ttl=7days

# Timeout after which this cache should be bypassed. Optional and defaults to 100ms. Can not exceed 1 hour.
# Must be a duration Valid units: ms, sec, min, hour, day, week, month, year
# cache.cassandra.timeout=100ms

# Maximum size of stored objects expressed in bytes. Must be strictly positive. Defaults to 8192.
# Units: bytes, Kib, MiB, GiB, TiB
# cache.sizeThresholdInBytes=8 KiB

# ============================================== ObjectStorage ============================================

# ========================================= ObjectStorage Buckets ==========================================
# bucket names prefix
# Optional, default no prefix
# objectstorage.bucketPrefix=prod-

# Default bucket name
# Optional, default is bucketPrefix + `default`
# objectstorage.namespace=james

# ========================================= ObjectStorage on S3 =============================================
# Mandatory if you choose s3 storage service, S3 authentication endpoint
#objectstorage.s3.endPoint=http://xx.xx.0.6:8000/

objectstorage.s3.endPoint=https://xxx-mail.s3.amazonaws.com/mail/
# AWS S3 åå¨æ¡¶åç§°
objectstorage.s3.bucketName=xxx-mail
# Mandatory if you choose s3 storage service, S3 region
#objectstorage.s3.region=eu-west-1
objectstorage.s3.region=us-east-1

# Mandatory if you choose aws-s3 storage service, access key id configured in S3
objectstorage.s3.accessKeyId=xxx

# Mandatory if you choose s3 storage service, secret key configured in S3
objectstorage.s3.secretKey=xx/xxx

# Optional if you choose s3 storage service: The trust store file, secret, and algorithm to use
# when connecting to the storage service. If not specified falls back to Java defaults.
#objectstorage.s3.truststore.path=
#objectstorage.s3.truststore.type=JKS
#objectstorage.s3.truststore.secret=
#objectstorage.s3.truststore.algorithm=SunX509


# optional: Object read in memory will be rejected if they exceed the size limit exposed here. Size, exemple `100M`.
# Supported units: K, M, G, defaults to B if no unit is specified. If unspecified, big object won't be prevented
# from being loaded in memory. This settings complements protocol limits.
# objectstorage.s3.in.read.limit=50M

# ============================================ Blobs Exporting ==============================================
# Read https://james.apache.org/server/config-blob-export.html for further details

# Choosing blob exporting mechanism, allowed mechanism are: localFile, linshare
# LinShare is a file sharing service, will be explained in the below section
# Optional, default is localFile
blob.export.implementation=localFile

# ======================================= Local File Blobs Exporting ========================================
# Optional, directory to store exported blob, directory path follows James file system format
# default is file://var/blobExporting
blob.export.localFile.directory=file://var/blobExporting

# ======================================= LinShare File Blobs Exporting ========================================
# LinShare is a sharing service where you can use james, connects to an existing LinShare server and shares files to
# other mail addresses as long as those addresses available in LinShare. For example you can deploy James and LinShare
# sharing the same LDAP repository
# Mandatory if you choose LinShare, url to connect to LinShare service
# blob.export.linshare.url=http://linshare:8080

# ======================================= LinShare Configuration BasicAuthentication ===================================
# Authentication is mandatory if you choose LinShare, TechnicalAccount is need to connect to LinShare specific service.
# For Example: It will be formalized to 'Authorization: Basic {Credential of UUID/password}'

# blob.export.linshare.technical.account.uuid=Technical_Account_UUID
# blob.export.linshare.technical.account.password=password

cassandra.properties

这里用的是容器里的环境，先获取cassandra的ip，如果是手动安装的直接输入对应的ip和端口

root@mail-test:/data/james/james382/conf# docker ps
CONTAINER ID   IMAGE                                COMMAND                  CREATED          STATUS          PORTS                                                                                                                                                 NAMES
13447441cafe   apache/tika                          "/bin/sh -c 'exec ja…"   41 minutes ago   Up 41 minutes   0.0.0.0:9998->9998/tcp, :::9998->9998/tcp                                                                                                             tika
ec1302b389dd   zenko/cloudserver:8.2.6              "/usr/src/app/docker…"   42 minutes ago   Up 42 minutes   8000/tcp                                                                                                                                              s3
c25c0f731ca5   rabbitmq:3.9.18-management           "docker-entrypoint.s…"   43 minutes ago   Up 43 minutes   4369/tcp, 5671/tcp, 0.0.0.0:5672->5672/tcp, :::5672->5672/tcp, 15671/tcp, 15691-15692/tcp, 25672/tcp, 0.0.0.0:15672->15672/tcp, :::15672->15672/tcp   rabbitmq
d4fcf76d86f9   opensearchproject/opensearch:2.1.0   "./opensearch-docker…"   2 hours ago      Up 2 hours      9300/tcp, 9600/tcp, 0.0.0.0:9200->9200/tcp, :::9200->9200/tcp, 9650/tcp                                                                               opensearch
7efb7cd0942e   cassandra:3.11.10                    "docker-entrypoint.s…"   2 hours ago      Up 2 hours      7000-7001/tcp, 7199/tcp, 9160/tcp, 0.0.0.0:9042->9042/tcp, :::9042->9042/tcp                                                                          cassandra
root@mail-test:/data/james/james382/conf#

root@mail-test:/data/james/james382/conf# docker ps -q | xargs -n 1 docker inspect --format '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}} {{.Name}}' | sed 's/ \// /'
172.17.0.2 tika
172.18.0.5 s3
172.18.0.4 rabbitmq
172.18.0.3 opensearch
172.18.0.2 cassandra

1
2
3

cassandra.nodes=cassandra # cassandra 的服务器地址信息，如172.19.0.2:9042
#集群的话用逗号隔开，例如 x.x.x.6:9042,x.x.x.7:9042,x.x.x.8:9042
#cassandra.replication.factor=1这个数字等于机器数量，假设上面的集群3台机器，这里就写3

imapserver.xml

主要调整SSL信息，注意会有2处配置

<tls socketTLS="false" startTLS="true">
            <!-- To create a new keystore execute:
              keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
             -->
            <!--<keystore>file://conf/keystore</keystore>
            <keystoreType>PKCS12</keystoreType>
            <secret>123456</secret>
            <provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>-->

            <!-- Alternatively TLS keys can be supplied via PEM files -->
             <privateKey>file://encrypt/privkey.pem</privateKey>
             <certificates>file://encrypt/fullchain.pem</certificates>
            <!-- An optional secret might be specified for the private key -->
            <!-- <secret>james72laBalle</secret> -->
        </tls>
        
 <imapserver enabled="true">
        <jmxName>imapserver-ssl</jmxName>
        <bind>0.0.0.0:993</bind>
        <connectionBacklog>200</connectionBacklog>
        <tls socketTLS="true" startTLS="false">
            <!-- To create a new keystore execute:
              keytool -genkey -alias james -keyalg RSA -storetype PKCS12 -keystore /path/to/james/conf/keystore
             -->
            <!--<keystore>file://conf/keystore</keystore>
            <keystoreType>PKCS12</keystoreType>
            <secret>123456</secret>
            <provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>-->

            <!-- Alternatively TLS keys can be supplied via PEM files -->
            <privateKey>file://encrypt/privkey.pem</privateKey>
            <certificates>file://encrypt/fullchain.pem</certificates>
            <!-- An optional secret might be specified for the private key -->
            <!-- <secret>james72laBalle</secret> -->
        </tls>
        <connectionLimit>0</connectionLimit>
        <connectionLimitPerIP>0</connectionLimitPerIP>
        <idleTimeInterval>120</idleTimeInterval>
        <idleTimeIntervalUnit>SECONDS</idleTimeIntervalUnit>
        <enableIdle>true</enableIdle>
        <auth>
            <plainAuthEnabled>true</plainAuthEnabled>
        </auth>
    </imapserver>
</imapservers>

opensearch.properties

1 2	opensearch.masterHost=opensearch # opensearch的服务器连接IP和端口 opensearch.port=9200

pop3server.xml

主要调整SSL信息

<pop3servers>
    <pop3server enabled="false">
        <jmxName>pop3server</jmxName>
        <bind>0.0.0.0:110</bind>
        <connectionBacklog>200</connectionBacklog>
        <tls socketTLS="false" startTLS="false">
            <privateKey>file://encrypt/privkey.pem</privateKey>
            <certificates>file://encrypt/fullchain.pem</certificates>
        </tls>
        <connectiontimeout>1200</connectiontimeout>
        <connectionLimit>0</connectionLimit>
        <connectionLimitPerIP>0</connectionLimitPerIP>
        <handlerchain>
            <handler class="org.apache.james.pop3server.core.CoreCmdHandlerLoader"/>
        </handlerchain>
    </pop3server>
</pop3servers>

rabbitmq.properties

1 2	uri=amqp://rabbitmq:5672 # rabbitmq的服务器连接IP和端口 management.uri=http://rabbitmq:15672 # rabbitmq的服务器连接IP和端口

smtpserver.xml

主要调整SSL秘钥信息，注意会有3处配置，记得把mail.域名.xx解析到服务器，注意格式

<connectionBacklog>200</connectionBacklog>
        <tls socketTLS="false" startTLS="true">
            <privateKey>file://encrypt/privkey.pem</privateKey>
            <certificates>file://encrypt/fullchain.pem</certificates>
        </tls>
        <helo>
            <autodetect>false</autodetect>
            <autodetectIP>false</autodetectIP>
            <defaultFQDN>mail.域名.xx</defaultFQDN>
        </helo>
        <connectiontimeout>360</connectiontimeout>

tika.properties

1	tika.host=tika # tika的服务器连接IP和端口

webadmin.properties

修改IP和端口

  port=8000
  #这里写0000就可以
  host=0.0.0.0
  #在文件最下面追加
  # 启用功能模块
mailbox.enabled=true
message.enabled=true

# 启用扩展路由（包括邮件操作 API）
extensions.routes=org.apache.james.webadmin.routes.MailboxesRoutes,org.apache.james.webadmin.routes.MessagesRoutes

jmap.properties

# Configuration file for JMAP
# Read https://james.apache.org/server/config-jmap.html for further details

enabled=true
jmap.port=3000

# tls.keystoreURL=file://conf/keystore
# tls.secret=123456

# Alternatively TLS keys can be supplied via PEM files
tls.privateKey=file://encrypt/privkey.pem
tls.certificates=file://encrypt/fullchain.pem
# An optional secret might be specified for the private key
# tls.secret=james72laBalle

#
# If you wish to use OAuth authentication, you should provide a valid JWT public key.
# The following entry specify the link to the URL of the public key file,
# which should be a PEM format file.
#
# jwt.publickeypem.url=file://conf/jwt_publickey

# Should simple Email/query be resolved against a Cassandra projection, or should we resolve them against OpenSearch?
# This enables a higher resilience, but the projection needs to be correctly populated. False by default.
# view.email.query.enabled=true

# If you want to specify authentication strategies for Jmap draft version
# For custom Authentication Strategy not inside package "org.apache.james.jmap.http", you have to specify its FQDN
# authentication.strategy.draft=AccessTokenAuthenticationStrategy,JWTAuthenticationStrategy,QueryParameterAccessTokenAuthenticationStrategy

# If you want to specify authentication strategies for Jmap rfc-8621 version
# For custom Authentication Strategy not inside package "org.apache.james.jmap.http", you have to specify its FQDN
# authentication.strategy.rfc8621=JWTAuthenticationStrategy,BasicAuthenticationStrategy

# Prevent server side request forgery by preventing calls to the private network ranges. Defaults to true, can be disabled for testing.
# webpush.prevent.server.side.request.forgery=false

启动脚本

james项目根目录新建bin目录，james-server.sh文件，代码如下

注意：
1.JAMES_HOME最后面不要带斜杠
2.提前创建好logs文件夹

#!/bin/bash

# 配置路径
JAMES_HOME="/data/runTime/james/james382"
JAMES_CMD="java -Xms4g -Xmx8g -XX:MetaspaceSize=256m -XX:MaxMetaspaceSize=512m \
-XX:+UseG1GC -XX:InitiatingHeapOccupancyPercent=40 -XX:+ParallelRefProcEnabled \
-XX:+UseStringDeduplication -Dworking.directory=. -Dlogback.configurationFile=conf/logback.xml \
-Djdk.tls.ephemeralDHKeySize=2048 -jar james-server-distributed-app.jar"
JAMES_LOG="$JAMES_HOME/logs/james.log"
PID_FILE="$JAMES_HOME/james.pid"

# 检查 PID 文件是否存在且有效
is_running() {
    if [ -f "$PID_FILE" ]; then
        PID=$(cat "$PID_FILE")
        if kill -0 "$PID" 2>/dev/null; then
            return 0  # 服务正在运行
        else
            rm -f "$PID_FILE"  # 清理无效的 PID 文件
        fi
    fi
    return 1  # 服务未运行
}

# 启动服务
start() {
    if is_running; then
        echo "James is already running with PID $(cat "$PID_FILE")."
        exit 1
    fi

    echo "Starting James..."
    cd "$JAMES_HOME" || exit 1
    # 使用 setsid 启动服务并重定向日志
    setsid $JAMES_CMD >> "$JAMES_LOG" 2>&1 &
    echo $! > "$PID_FILE"
    sleep 20

    if is_running; then
        echo "James started successfully with PID $(cat "$PID_FILE")."
    else
        echo "Failed to start James. Check logs for details: $JAMES_LOG"
        exit 1
    fi
}

# 停止服务
stop() {
    if ! is_running; then
        echo "James is not running."
        exit 1
    fi

    echo "Stopping James..."
    kill "$(cat "$PID_FILE")"
    sleep 3

    if ! is_running; then
        echo "James stopped successfully."
        rm -f "$PID_FILE"
    else
        echo "Failed to stop James."
        exit 1
    fi
}

# 重启服务
restart() {
    stop
    sleep 2
    start
}

# 检查服务状态
status() {
    if is_running; then
        echo "James is running with PID $(cat "$PID_FILE")."
    else
        echo "James is not running."
    fi
}

# 清理旧日志
cleanup_logs() {
    echo "Cleaning up old logs..."
    find "$JAMES_HOME/logs" -type f -name "*.log" -mtime +7 -exec rm -f {} \;
    echo "Log cleanup completed."
}

# 主逻辑
case "$1" in
    start) start ;;
    stop) stop ;;
    restart) restart ;;
    status) status ;;
    cleanup-logs) cleanup_logs ;;
    *)
        echo "Usage: $0 {start|stop|restart|status|cleanup-logs}"
        exit 1
        ;;
esac

为脚本添加执行权限

1	sudo chmod +x bin/james-server.sh

启动James 服务

1	./bin/james-server.sh start

或者重启James 服务

1	./bin/james-server.sh restart

如果启动报错，查看一下证书

root@mail-test:/data/james/james382# cd encrypt/
root@mail-test:/data/james/james382/encrypt# ll
total 8
drwxrwxrwx 2 root root 4096 Feb 11 03:15 ./
drwxr-xr-x 7 root root 4096 Feb 11 02:46 ../
lrwxrwxrwx 1 root root   45 Feb 11 03:15 fullchain.pem -> ../../archive/kretest.com-0001/fullchain1.pem
lrwxrwxrwx 1 root root   43 Feb 11 03:15 privkey.pem -> ../../archive/kretest.com-0001/privkey1.pem
root@mail-test:/data/james/james382/encrypt#

可以发现encrypt文件下的证书文件有问题，并不是真的存在，而是类似于一个软连接，且连接地址并不存在，倒回查看证书生成操作

手动启动

根目录执行

1	./bin/james-server.sh start

开机启动

james开机启动可能会有问题，导致服务不停重启

可以考虑上面的手动启动

检查 james 是否已设置为开机自启

1	sudo systemctl is-enabled james

1	sudo nano /etc/systemd/system/james.service

添加内容

1
2
3
4
[Service]
# 请确认系统中有该用户，或修改为合适的用户
# Type=simple
# User=james

[Unit]
Description=Apache James Mail Server
After=network.target
Requires=network.target

[Service]
Type=forking
User=root
Group=root
WorkingDirectory=/data/runTime/james/james382

# 使用脚本的参数启动服务
ExecStart=/bin/bash /data/runTime/james/james382/bin/james.sh start
ExecStop=/bin/bash /data/runTime/james/james382/bin/james.sh stop
ExecReload=/bin/bash /data/runTime/james/james382/bin/james.sh restart

PIDFile=/data/runTime/james/james382/james.pid

Restart=on-failure
RestartSec=5
StartLimitIntervalSec=300
StartLimitBurst=5

[Install]
WantedBy=multi-user.target

重载 systemd 配置

1	sudo systemctl daemon-reload

开机启动并启动服务

1 2	sudo systemctl enable james sudo systemctl start james

关闭开机启动

1	sudo systemctl disable james

检查 james 是否已设置为开机自启

1	sudo systemctl is-enabled james

检查服务状态

1	sudo systemctl status james

如果启动失败，则查看日志

1	sudo journalctl -u james.service --since "2 hours ago" --no-pager

配置自动续期

Let’s Encrypt 证书默认有效期为 90 天，Certbot 会自动续期。为了确保 James 使用的证书始终是最新的，需要在续期后重新加载 James

自动续期状态检测

1	sudo certbot renew --dry-run

root@mail-test:/# sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/kretest.com-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 65, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 465, in __init__
    self._check_symlinks()
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 522, in _check_symlinks
    raise errors.CertStorageError(
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/kretest.com-0001/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/kretest.com-0001.conf is broken. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/kretest.com-0002.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for kretest.com
http-01 challenge for www.kretest.com
Waiting for verification...
Cleaning up challenges
Dry run: skipping deploy hook command: /etc/letsencrypt/renewal-hooks/deploy/restart-james.sh

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/kretest.com-0002/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/kretest.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 65, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 465, in __init__
    self._check_symlinks()
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 522, in _check_symlinks
    raise errors.CertStorageError(
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/kretest.com/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/kretest.com.conf is broken. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/kretest.com-0002/fullchain.pem (success)

Additionally, the following renewal configurations were invalid: 
  /etc/letsencrypt/renewal/kretest.com-0001.conf (parsefail)
  /etc/letsencrypt/renewal/kretest.com.conf (parsefail)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0 renew failure(s), 2 parse failure(s)

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
root@mail-test:/#

从输出日志中可以看出，Certbot 在尝试续期时遇到了两个问题：

/etc/letsencrypt/renewal/kretest.com-0001.conf 和 /etc/letsencrypt/renewal/kretest.com.conf 配置文件损坏：
错误信息表明，Certbot 期望 /etc/letsencrypt/live/kretest.com-0001/cert.pem 和 /etc/letsencrypt/live/kretest.com/cert.pem 是符号链接（symlink），但实际不是。
这可能是由于手动修改了证书文件或符号链接被意外删除。
kretest.com-0002 证书续期成功：
该证书的续期测试成功，说明 Certbot 的配置和运行环境没有问题

删除损坏的配置文件

如果不需要这些证书，可以直接删除损坏的配置文件

1 2	rm /etc/letsencrypt/renewal/kretest.com-0001.conf rm /etc/letsencrypt/renewal/kretest.com.conf

重新获取证书（如果需要）

如果证书已损坏且无法修复，可以删除旧证书并重新获取

1 2	sudo certbot delete --cert-name kretest.com-0001 sudo certbot delete --cert-name kretest.com

再次执行

root@mail-test:/# sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/kretest.com-0002.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for kretest.com
http-01 challenge for www.kretest.com
Waiting for verification...
Cleaning up challenges
Dry run: skipping deploy hook command: /etc/letsencrypt/renewal-hooks/deploy/restart-james.sh

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/kretest.com-0002/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/kretest.com-0002/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@mail-test:/#

强制续期

1	sudo certbot renew --force-renewal

续期钩子重启james

自动续期后重启 James 编辑 Certbot 的续期钩子脚本

1	sudo nano /etc/letsencrypt/renewal-hooks/deploy/restart-james.sh

如果不存在这个脚本，则新建1个，restart-james.sh完整代码如下

#!/bin/bash

# 定义源和目标路径
TARGET_DIR="/data/runTime/james/james382/encrypt/"
CERT_DIR="/etc/letsencrypt/live/mail.xx.com/"

# 定义文件名
FILES=("fullchain.pem" "privkey.pem")

# 遍历文件列表并复制
for FILE in "${FILES[@]}"; do
    # 如果目标文件已存在，先删除旧文件（可选）
    if [ -f "${TARGET_DIR}${FILE}" ]; then
        rm -f "${TARGET_DIR}${FILE}"
    fi

    # 复制新文件
    cp -f "${CERT_DIR}${FILE}" "${TARGET_DIR}${FILE}"

    # 设置文件权限
    chmod 600 "${TARGET_DIR}${FILE}"
done

# 重启 James 服务
systemctl restart james

echo "SSL 文件已更新并重启 James 服务"

为脚本添加执行权限

1	sudo chmod +x /etc/letsencrypt/renewal-hooks/deploy/restart-james.sh

密钥库方式（弃用）

生成密钥库

1	keytool -genkey -alias james -keyalg RSA -keystore conf/keystore

这里为了方便测试密码设置的是 q12345678

root@mail-test:/data/james/james382# keytool -genkey -alias james -keyalg RSA -keystore conf/keystore
Enter keystore password:  
Re-enter new password: 
What is your first and last name?
  [Unknown]:  xen
What is the name of your organizational unit?
  [Unknown]:  xen
What is the name of your organization?
  [Unknown]:  xen
What is the name of your City or Locality?
  [Unknown]:  xen
What is the name of your State or Province?
  [Unknown]:  xen
What is the two-letter country code for this unit?
  [Unknown]:  xen
Is CN=xen, OU=xen, O=xen, L=xen, ST=xen, C=xen correct?
  [no]:  yes

root@mail-test:/data/james/james382#

修改配置

James默认配置文件在系统文件位于 ./conf 文件夹下

blob.properties

主要需要调整 ObjectStorage on S3 模块，将之前搭建好的 S3 服务器配置信息填上去

bjectstorage.s3.endPoint=https://xx-xx.s3.amazonaws.com/mail/ # S3 的读取器地址，换成自己的IP和端口
objectstorage.s3.bucketName=xx-xx
objectstorage.s3.region=us-east-1
objectstorage.s3.accessKeyId=accessKey1 # S3 的accessKey（创建的时候有指定）
objectstorage.s3.secretKey=secretKey1 # S3 的secretKey（创建的时候有指定）

修改后的blob.properties文件参考

# ============================================= BlobStore Implementation ==================================
# Read https://james.apache.org/server/config-blobstore.html for further details

# Choose your BlobStore implementation
# Mandatory, allowed values are: cassandra, s3
# *WARNING*: JAMES-3591 Cassandra is not made to store large binary content, its use will be suboptimal compared to
# alternatives (namely S3 compatible BlobStores backed by for instance S3, MinIO or Ozone)
implementation=s3

# ========================================= Deduplication ========================================
# If you choose to enable deduplication, the mails with the same content will be stored only once.
# Warning: Once this feature is enabled, there is no turning back as turning it off will lead to the deletion of all
# the mails sharing the same content once one is deleted.
# Mandatory, Allowed values are: true, false
deduplication.enable=false

# deduplication.family needs to be incremented every time the deduplication.generation.duration is changed
# Positive integer, defaults to 1
# deduplication.gc.generation.family=1

# Duration of generation.
# Deduplication only takes place within a singe generation.
# Only items two generation old can be garbage collected. (This prevent concurrent insertions issues and
# accounts for a clock skew).
# deduplication.family needs to be incremented everytime this parameter is changed.
# Duration. Default unit: days. Defaults to 30 days.
# deduplication.gc.generation.duration=30days

# ========================================= Encryption ========================================
# If you choose to enable encryption, the blob content will be encrypted before storing them in the BlobStore.
# Warning: Once this feature is enabled, there is no turning back as turning it off will lead to all content being
# encrypted. This comes at a performance impact but presents you from leaking data if, for instance the third party
# offering you a S3 service is compromised.
# Optional, Allowed values are: true, false, defaults to false
encryption.aes.enable=false

# Mandatory (if AES encryption is enabled) salt and password. Salt needs to be an hexadecimal encoded string
#encryption.aes.password=xxx
#encryption.aes.salt=73616c7479
# Optional, defaults to PBKDF2WithHmacSHA512
#encryption.aes.private.key.algorithm=PBKDF2WithHmacSHA512

# ========================================= Cassandra BlobStore Cache ======================================
# A cassandra cache can be enabled to reduce latency when reading small blobs frequently
# A dedicated keyspace with a replication factor of one is then used
# Cache eviction policy is TTL based
# Only blobs below a given threshold will be stored.
# To be noted that blobs are stored within a single Cassandra row, hence a low threshold should be used.

# Enable the cache? Optional and default to false. Must be a boolean.
cache.enable=false

# Cache eviction policy is TTL based. Optional and defaults to 7 days. Must be a duration.
# Valid units: ms, sec, min, hour, day, week, month, year
# cache.cassandra.ttl=7days

# Timeout after which this cache should be bypassed. Optional and defaults to 100ms. Can not exceed 1 hour.
# Must be a duration Valid units: ms, sec, min, hour, day, week, month, year
# cache.cassandra.timeout=100ms

# Maximum size of stored objects expressed in bytes. Must be strictly positive. Defaults to 8192.
# Units: bytes, Kib, MiB, GiB, TiB
# cache.sizeThresholdInBytes=8 KiB

# ============================================== ObjectStorage ============================================

# ========================================= ObjectStorage Buckets ==========================================
# bucket names prefix
# Optional, default no prefix
# objectstorage.bucketPrefix=prod-

# Default bucket name
# Optional, default is bucketPrefix + `default`
# objectstorage.namespace=james

# ========================================= ObjectStorage on S3 =============================================
# Mandatory if you choose s3 storage service, S3 authentication endpoint
#objectstorage.s3.endPoint=http://xx.xx.0.6:8000/

objectstorage.s3.endPoint=https://xxx-mail.s3.amazonaws.com/mail/
# AWS S3 åå¨æ¡¶åç§°
objectstorage.s3.bucketName=xxx-mail
# Mandatory if you choose s3 storage service, S3 region
#objectstorage.s3.region=eu-west-1
objectstorage.s3.region=us-east-1

# Mandatory if you choose aws-s3 storage service, access key id configured in S3
objectstorage.s3.accessKeyId=xxx

# Mandatory if you choose s3 storage service, secret key configured in S3
objectstorage.s3.secretKey=xx/xxx

# Optional if you choose s3 storage service: The trust store file, secret, and algorithm to use
# when connecting to the storage service. If not specified falls back to Java defaults.
#objectstorage.s3.truststore.path=
#objectstorage.s3.truststore.type=JKS
#objectstorage.s3.truststore.secret=
#objectstorage.s3.truststore.algorithm=SunX509


# optional: Object read in memory will be rejected if they exceed the size limit exposed here. Size, exemple `100M`.
# Supported units: K, M, G, defaults to B if no unit is specified. If unspecified, big object won't be prevented
# from being loaded in memory. This settings complements protocol limits.
# objectstorage.s3.in.read.limit=50M

# ============================================ Blobs Exporting ==============================================
# Read https://james.apache.org/server/config-blob-export.html for further details

# Choosing blob exporting mechanism, allowed mechanism are: localFile, linshare
# LinShare is a file sharing service, will be explained in the below section
# Optional, default is localFile
blob.export.implementation=localFile

# ======================================= Local File Blobs Exporting ========================================
# Optional, directory to store exported blob, directory path follows James file system format
# default is file://var/blobExporting
blob.export.localFile.directory=file://var/blobExporting

# ======================================= LinShare File Blobs Exporting ========================================
# LinShare is a sharing service where you can use james, connects to an existing LinShare server and shares files to
# other mail addresses as long as those addresses available in LinShare. For example you can deploy James and LinShare
# sharing the same LDAP repository
# Mandatory if you choose LinShare, url to connect to LinShare service
# blob.export.linshare.url=http://linshare:8080

# ======================================= LinShare Configuration BasicAuthentication ===================================
# Authentication is mandatory if you choose LinShare, TechnicalAccount is need to connect to LinShare specific service.
# For Example: It will be formalized to 'Authorization: Basic {Credential of UUID/password}'

# blob.export.linshare.technical.account.uuid=Technical_Account_UUID
# blob.export.linshare.technical.account.password=password

cassandra.properties

如果用的是Docker容器里的环境，先获取cassandra的ip，否则直接写对应的环境ip

root@mail-test:/data/james/james382/conf# docker ps
CONTAINER ID   IMAGE                                COMMAND                  CREATED          STATUS          PORTS                                                                                                                                                 NAMES
13447441cafe   apache/tika                          "/bin/sh -c 'exec ja…"   41 minutes ago   Up 41 minutes   0.0.0.0:9998->9998/tcp, :::9998->9998/tcp                                                                                                             tika
ec1302b389dd   zenko/cloudserver:8.2.6              "/usr/src/app/docker…"   42 minutes ago   Up 42 minutes   8000/tcp                                                                                                                                              s3
c25c0f731ca5   rabbitmq:3.9.18-management           "docker-entrypoint.s…"   43 minutes ago   Up 43 minutes   4369/tcp, 5671/tcp, 0.0.0.0:5672->5672/tcp, :::5672->5672/tcp, 15671/tcp, 15691-15692/tcp, 25672/tcp, 0.0.0.0:15672->15672/tcp, :::15672->15672/tcp   rabbitmq
d4fcf76d86f9   opensearchproject/opensearch:2.1.0   "./opensearch-docker…"   2 hours ago      Up 2 hours      9300/tcp, 9600/tcp, 0.0.0.0:9200->9200/tcp, :::9200->9200/tcp, 9650/tcp                                                                               opensearch
7efb7cd0942e   cassandra:3.11.10                    "docker-entrypoint.s…"   2 hours ago      Up 2 hours      7000-7001/tcp, 7199/tcp, 9160/tcp, 0.0.0.0:9042->9042/tcp, :::9042->9042/tcp                                                                          cassandra
root@mail-test:/data/james/james382/conf#

root@mail-test:/data/james/james382/conf# docker ps -q | xargs -n 1 docker inspect --format '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}} {{.Name}}' | sed 's/ \// /'
172.17.0.2 tika
172.18.0.5 s3
172.18.0.4 rabbitmq
172.18.0.3 opensearch
172.18.0.2 cassandra

1
2
3

cassandra.nodes=cassandra # cassandra 的服务器地址信息，如172.19.0.2:9042
#集群的话用逗号隔开，例如 x.x.x.6:9042,x.x.x.7:9042,x.x.x.8:9042
#cassandra.replication.factor=1这个数字等于机器数量，假设上面的集群3台机器，这里就写3

imapserver.xml

主要调整SSL秘钥信息，注意会有2处配置（秘钥信息请看步骤3）

<keystore>file://conf/keystore</keystore>
<keystoreType>PKCS12</keystoreType>
#改这个密码
<secret>james72laBalle</secret>

opensearch.properties

1 2	opensearch.masterHost=opensearch # opensearch的服务器连接IP和端口 opensearch.port=9200

pop3server.xml

主要调整SSL秘钥信息（秘钥信息请看步骤3）

<keystore>file://conf/keystore</keystore>
<keystoreType>PKCS12</keystoreType>
#改这个密码
<secret>james72laBalle</secret>

rabbitmq.properties

1 2	uri=amqp://rabbitmq:5672 # rabbitmq的服务器连接IP和端口 management.uri=http://rabbitmq:15672 # rabbitmq的服务器连接IP和端口

smtpserver.xml

主要调整SSL秘钥信息，注意会有多处配置（秘钥信息请看步骤3）

1
2
3

<keystore>file://conf/keystore</keystore>
<keystoreType>PKCS12</keystoreType>
<secret>james72laBalle</secret>

tika.properties

1	tika.host=tika # tika的服务器连接IP和端口

webadmin.properties

修改IP和端口

  port=8000
  #这里写0000就可以
  host=0.0.0.0
  #在文件最下面追加
  # 启用功能模块
mailbox.enabled=true
message.enabled=true

# 启用扩展路由（包括邮件操作 API）
extensions.routes=org.apache.james.webadmin.routes.MailboxesRoutes,org.apache.james.webadmin.routes.MessagesRoutes

jmap.properties

tls.keystoreURL=file://conf/keystore （秘钥信息请看步骤3）
#改这个密码
tls.secret=james72laBalle
#加上这个
jmap.port=3000

启动 James

进入到 James 项目根目录执行命令

1	java -Dworking.directory=. -Dlogback.configurationFile=conf/logback.xml -Djdk.tls.ephemeralDHKeySize=2048 -jar james-server-distributed-app.jar &

配置 DKIM

生成 DKIM 密钥对：在 James 服务器上生成一个 DKIM 密钥对

在James的根目录执行

1 2	openssl genrsa -out private.key 2048 openssl rsa -in private.key -pubout -out public.key

配置 James 使用 DKIM 签名

将生成的 private.key 和 public.key 移动到conf目录中

配置 conf/dkim.properties 没有就创建

vim conf/dkim.properties
dkim.domain=域名.后缀
dkim.selector=default
dkim.privateKeyPath=./conf/private.key

添加 DKIM 公钥到 DNS

将 public.key 的内容添加到域名的 DNS TXT 记录中。
TXT 记录的名称为：default._domainkey
TXT 记录的值：
v=DKIM1; k=rsa; p=

值示例:
v=DKIM1; k=rsa; p=公钥的内容

验证 DKIM 是否生效：使用 DKIM 验证工具（如 DKIM Core）测试 DNS 配置是否正确

1	dig default._domainkey.域名.后缀 TXT

修改/data/runTime/james/james382/conf目录下的配置文件mailetcontainer.xml

在配置文件中找到
在它下面新增这一段，私钥左对齐， d=kretest.com这里需要更改为实际域名

 <mailet match="All" class="org.apache.james.jdkim.mailets.DKIMSign">
                <signatureTemplate>v=1; s=default; d=kretest.com; h=from : to : subject : date : message-id; a=rsa-sha256; bh=; b=;</signatureTemplate>
                <privateKey>
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA04P/Qkn33jmKI19rp8cs9XLNKEUvFNl5YCJdMg1TtBFvN98q
mWcxvkbanlxLSIrdO4hJpmMP8E171/aO/ZfWGrVExbmC/Y8fFi29kmBPvyTcgPmD
ryAQvlC4eRldOGaUNYQmUIql/zFNzC35nESAgaTeNCP68qlHwtXj0nonmPooWZOl
A5L+y5+dq6WNi43QXnA4DMqPQ+nMwBYpXjcgTePb10sJqtC1K6R7iEy6Prjbg9jk
Llh/YQti81hCV5/ZTtFtqVb2AheQmHbj2hgMHc2dJIGjFfRJOvVulMI8twxpBcwf
ZymDwC3KLfcNYP630ddH6EQvtJT29sJfpGJME05epH5Z4pIAUeBVvQ+AO7MAn7Ji
H5fuXBsgxrZ7rFjrjNBUgCjHwoOjVk06FcRj9YAL1a78a4cR6UzuzDfhw+Of0/+a
Di2jHoHwfOoJIasYRIgzb+J2bnnQxQxaKbFqQgMCgYEAuqn9tNcwEmCXBUEhBgnW
+FGUnSSHlXsYhqv7kRcRTo5nGV6di6eNXKGzE85aZ/uIKCsC6WES/oRtk2nvArAr
IfdLXrVXIf8h1R9DAfMPdu2i3ReQuDtc3QjMEgKpLIwwuq/YW1KyrZhkyQhdvBdv
pmGdL97zIekNpvOSKIJba38CgYBTcpjDRkMN6SV8u0HKuuxoC6ZaXPFsByGopd6+
9tidpe/j+ovYj8Pb4rKCERnq+flFwnk36U1VAY+cATKxnvX/SxE/MYR25tgfJl9L
xs01O7hXc/tTvbTo0LqG6xs01CsWknoE/RNPWb+TKg05nKAW7eekWpCZiDFx2qKH
93Mx7QKBgQDb6yo7Y7EqhF88ht7NSFLF0QVSaQFhzQYhShQv0soZj//2n1FIVFKn
l1u3kAd3UUwYc93zoWKrRIAzmVrQ/QYPGo3N9mADUBLjX84eQsywVjRhvuiCNRex
nq2fbAR8ef49TIos3PJN8EJO6Q+uCeN5sEaFC5XJqL0W1IFIts/ojQ==
-----END RSA PRIVATE KEY-----
</privateKey>
</mailet>

完整配置参考

<?xml version="1.0"?>

<!--
  Licensed to the Apache Software Foundation (ASF) under one
  or more contributor license agreements.  See the NOTICE file
  distributed with this work for additional information
  regarding copyright ownership.  The ASF licenses this file
  to you under the Apache License, Version 2.0 (the
  "License"); you may not use this file except in compliance
  with the License.  You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing,
  software distributed under the License is distributed on an
  "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  KIND, either express or implied.  See the License for the
  specific language governing permissions and limitations
  under the License.
 -->

<!-- Read https://james.apache.org/server/config-mailetcontainer.html for further details -->

<mailetcontainer enableJmx="true">

    <context>
        <!-- When the domain part of the postmaster mailAddress is missing, the default domain is appended.
        You can configure it to (for example) <postmaster>postmaster@myDomain.com</postmaster> -->
        <postmaster>postmaster</postmaster>
    </context>

    <spooler>
        <threads>20</threads>
        <errorRepository>cassandra://var/mail/error/</errorRepository>
    </spooler>

    <processors>
        <processor state="root" enableJmx="true">
            <mailet match="All" class="PostmasterAlias"/>
            <mailet match="RelayLimit=30" class="Null"/>
            <mailet match="All" class="ToProcessor">
                <processor>transport</processor>
            </mailet>
        </processor>

        <processor state="error" enableJmx="true">
            <mailet match="All" class="MetricsMailet">
                <metricName>mailetContainerErrors</metricName>
            </mailet>
            <mailet match="All" class="Bounce">
                <onMailetException>ignore</onMailetException>
            </mailet>
            <mailet match="All" class="ToRepository">
                <repositoryPath>cassandra://var/mail/error/</repositoryPath>
                <onMailetException>propagate</onMailetException>
            </mailet>
        </processor>

        <processor state="transport" enableJmx="true">

                <!--
            <mailet match="All" class="org.apache.james.jdkim.mailets.DKIMSign">
                <signatureTemplate>v=1; s=default; d=touchsmail.com; h=from:to:received:received; a=rsa-sha256; bh=; b=;</signatureTemplate>
                <privateKeyFilepath>file://dkim/dkim_private.key</privateKeyFilepath>
                <forceCRLF>false</forceCRLF>
                <debug>true</debug>
                </mailet>-->

            <mailet match="All" class="org.apache.james.jdkim.mailets.DKIMSign">
                <signatureTemplate>v=1; s=default; d=xxx.com; h=from : to : subject : date : message-id; a=rsa-sha256; bh=; b=;</signatureTemplate>
                <privateKey>
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEA5C+HETgshKcHrSuuodJYph+3j4eHkrcvALTKsnGqDPrR4V0C
RsofqHlgO4JyDuZLKcwVj6J7R34b0L2se8+CIkakpllFXkZ7FfAw/71yCzJJ5KhL
EoZIwE5G+ay8R3On7TDjIDeMRKTtxkYEa/2MlOyG5T4x6cW82mT1oYWz7WMBOOeT
TRTa/e0KNkvLzuGpLSETyOn0qKXmVe0JyTtCqQx9fgToIIUbCNXCTmei3U3eEajj
Xa1KhmyeKSL+L0M6Gdj5B267NGTXVQlLTBwOLFduGpkNJIKeQk7EOo7FvKYVFct/
UZd90ygTSTQ0GR4QUP1Wup2ESXSvYBie0idkJGiLrtEWpWsFbiyH+CbajMypaGSq
5U0OmtFbbDZ++8T724/mvDThTwbhVIaw+d9NZr60Yg6B91rPaUoCpxAsXK8WkrZo
UEmL/mS6M2jrLOX7tiYJdwKBgQCvhnSJNWngeg9VjIRWEc80kiNsbqOnHpbePgvj
Qw1h0LkCAffQ9uq2U13IUMZYOdpgvgykLVeCAzrQAzjvS/GyuurFXRZ2EhXphVvk
j/q4/y0ZkNO3veYB+lICwJtXfwlqzKgIcKX2j7c7RcEUxFoKInR9A+YsLX8DDEel
KHKmGQKBgQCD+7xpDVpR6N082QPl7A4IEh2S9bRz1b135ipbi4Oks8Xgu+JxWMq0
J7uAAA258xD2T5REfW4fKuIXzSNBo2ovEHcpqSt6jGvc5rCBYPV6Q3CDmRMu8pSV
agtW9gaNnxJUo3BYc55L+sPNjDZsmZSe+TekJZ9tCgGBcosZM+PMwQ==
-----END RSA PRIVATE KEY-----
</privateKey>
</mailet>

            <matcher name="relay-allowed" match="org.apache.james.mailetcontainer.impl.matchers.Or">
                <matcher match="SMTPAuthSuccessful"/>
                <matcher match="SMTPIsAuthNetwork"/>
                <matcher match="SentByMailet"/>
                <matcher match="org.apache.james.jmap.mailet.SentByJmap"/>
            </matcher>

            <mailet match="All" class="RemoveMimeHeader">
                <name>bcc</name>
                <onMailetException>ignore</onMailetException>
            </mailet>
            <mailet match="All" class="RecipientRewriteTable">
                <errorProcessor>rrt-error</errorProcessor>
            </mailet>
            <mailet match="RecipientIsLocal" class="ToProcessor">
                <processor>local-delivery</processor>
            </mailet>
            <mailet match="HostIsLocal" class="ToProcessor">
                <processor>local-address-error</processor>
                <notice>550 - Requested action not taken: no such user here</notice>
            </mailet>
            <mailet match="relay-allowed" class="ToProcessor">
                <processor>relay</processor>
            </mailet>
            <mailet match="All" class="ToProcessor">
                <processor>relay-denied</processor>
            </mailet>
        </processor>

        <processor state="local-delivery" enableJmx="true">
            <mailet match="All" class="VacationMailet">
                <onMailetException>ignore</onMailetException>
            </mailet>
            <mailet match="All" class="Sieve">
                <onMailetException>ignore</onMailetException>
            </mailet>
            <mailet match="All" class="AddDeliveredToHeader"/>
            <mailet match="All" class="org.apache.james.jmap.mailet.filter.JMAPFiltering">
                <onMailetException>ignore</onMailetException>
            </mailet>
            <mailet match="All" class="LocalDelivery"/>
        </processor>

        <processor state="relay" enableJmx="true">
            <mailet match="All" class="RemoteDelivery">
                <outgoingQueue>outgoing</outgoingQueue>
                <delayTime>5000, 100000, 500000</delayTime>
                <maxRetries>3</maxRetries>
                <maxDnsProblemRetries>0</maxDnsProblemRetries>
                <deliveryThreads>10</deliveryThreads>
                <sendpartial>true</sendpartial>
                <bounceProcessor>bounces</bounceProcessor>
            </mailet>
        </processor>

        <processor state="local-address-error" enableJmx="true">
            <mailet match="All" class="MetricsMailet">
                <metricName>mailetContainerLocalAddressError</metricName>
            </mailet>
            <mailet match="All" class="Bounce">
                <attachment>none</attachment>
            </mailet>
            <mailet match="All" class="ToRepository">
                <repositoryPath>cassandra://var/mail/address-error/</repositoryPath>
            </mailet>
        </processor>

        <processor state="relay-denied" enableJmx="true">
            <mailet match="All" class="MetricsMailet">
                <metricName>mailetContainerRelayDenied</metricName>
            </mailet>
            <mailet match="All" class="Bounce">
                <attachment>none</attachment>
            </mailet>
            <mailet match="All" class="ToRepository">
                <repositoryPath>cassandra://var/mail/relay-denied/</repositoryPath>
                <notice>Warning: You are sending an e-mail to a remote server. You must be authenticated to perform such an operation</notice>
            </mailet>
        </processor>

        <processor state="bounces" enableJmx="true">
            <mailet match="All" class="MetricsMailet">
                <metricName>bounces</metricName>
            </mailet>
            <mailet match="All" class="DSNBounce">
                <passThrough>false</passThrough>
            </mailet>
        </processor>

        <processor state="rrt-error" enableJmx="false">
            <mailet match="All" class="ToRepository">
                <repositoryPath>cassandra://var/mail/rrt-error/</repositoryPath>
                <passThrough>true</passThrough>
            </mailet>
            <mailet match="IsSenderInRRTLoop" class="Null"/>
            <mailet match="All" class="Bounce"/>
        </processor>

    </processors>

</mailetcontainer>

修改后重启james

1 2	./bin/james-server.sh stop ./bin/james-server.sh start

安装 James 客户端

James 客户端需要 James 源代码中自己编译打包后运行，步骤如下

源码包

下载

1	wget https://dlcdn.apache.org/james/server/3.8.2/james-project-3.8.2-source-release.zip

解压并进入目录

root@mail-test:/data/james# unzip james-project-3.8.2-source-release.zip
root@mail-test:/data/james# mv james-project-3.8.2 james-project
root@mail-test:/data/james# ls
james-project  james-project-3.8.2-source-release.zip  james382
root@mail-test:/data/james# cd james-project/server/apps/webadmin-cli
root@mail-test:/data/james/james-project/server/apps/webadmin-cli#

打包编译

1	mvn clean package -Dmaven.test.skip=true

进入客户端目录

root@mail-test:/data/james/james-project# cd server/apps/webadmin-cli/
root@mail-test:/data/james/james-project/server/apps/webadmin-cli# ls
README.md  james-cli  pom.xml  src  target
root@mail-test:/data/james/james-project/server/apps/webadmin-cli#

添加域

1	./james-cli --url http://127.0.0.1:9999 domain create <domainToBeCreated>

执行之前先确认james服务正在运行，我执行报错了，且确认james服务正在运行中，报错信息如下

root@mail-test:/data/james/james-project/server/apps/webadmin-cli# ./james-cli --url http://127.0.0.1:9999 domain create kretest.com
SLF4J: No SLF4J providers were found.
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See https://www.slf4j.org/codes.html#noProviders for further details.
feign.RetryableException: Unexpected end of file from server executing PUT http://127.0.0.1:9999/domains/kretest.com
        at feign.FeignException.errorExecuting(FeignException.java:268)
        at feign.SynchronousMethodHandler.executeAndDecode(SynchronousMethodHandler.java:131)
        at feign.SynchronousMethodHandler.invoke(SynchronousMethodHandler.java:91)
        at feign.ReflectiveFeign$FeignInvocationHandler.invoke(ReflectiveFeign.java:100)
        at com.sun.proxy.$Proxy9.createADomain(Unknown Source)
        at org.apache.james.webadmin.httpclient.DomainClient.createADomain(DomainClient.java:43)
        at org.apache.james.cli.domain.DomainCreateCommand.call(DomainCreateCommand.java:41)
        at org.apache.james.cli.domain.DomainCreateCommand.call(DomainCreateCommand.java:28)
        at picocli.CommandLine.executeUserObject(CommandLine.java:1953)
        at picocli.CommandLine.access$1300(CommandLine.java:145)
        at picocli.CommandLine$RunLast.executeUserObjectOfLastSubcommandWithSameParent(CommandLine.java:2358)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2352)
        at picocli.CommandLine$RunLast.handle(CommandLine.java:2314)
        at picocli.CommandLine$AbstractParseResultHandler.execute(CommandLine.java:2179)
        at picocli.CommandLine$RunLast.execute(CommandLine.java:2316)
        at picocli.CommandLine.execute(CommandLine.java:2078)
        at org.apache.james.cli.WebAdminCli.execute(WebAdminCli.java:79)
        at org.apache.james.cli.WebAdminCli.main(WebAdminCli.java:67)
Caused by: java.net.SocketException: Unexpected end of file from server
        at java.base/sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:917)
        at java.base/sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:724)
        at java.base/sun.net.www.http.HttpClient.parseHTTPHeader(HttpClient.java:914)
        at java.base/sun.net.www.http.HttpClient.parseHTTP(HttpClient.java:724)
        at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1652)
        at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1557)
        at java.base/java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:527)
        at feign.Client$Default.convertResponse(Client.java:110)
        at feign.Client$Default.execute(Client.java:106)
        at feign.SynchronousMethodHandler.executeAndDecode(SynchronousMethodHandler.java:121)
        ... 16 more

查看之前配置的webadmin.properties文件，发现我配置的端口是8000，修改后执行如下

root@mail-test:/data/james/james-project/server/apps/webadmin-cli# ./james-cli --url http://127.0.0.1:8000 domain create kretest.com
SLF4J: No SLF4J providers were found.
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See https://www.slf4j.org/codes.html#noProviders for further details.
root@mail-test:/data/james/james-project/server/apps/webadmin-cli#

查看域列表

1	./james-cli --url http://127.0.0.1:8000 domain list

root@mail-test:/data/james/james-project/server/apps/webadmin-cli# ./james-cli --url http://127.0.0.1:8000 domain list
SLF4J: No SLF4J providers were found.
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See https://www.slf4j.org/codes.html#noProviders for further details.
kretest.com
localhost
root@mail-test:/data/james/james-project/server/apps/webadmin-cli#

添加用户

1	./james-cli --url http://127.0.0.1:9999 user create <username> --password

示例

root@mail-test:/data/james/james-project/server/apps/webadmin-cli# ./james-cli --url http://127.0.0.1:8000 user create x@xx.com --password
Enter value for --password (Password): 
SLF4J: No SLF4J providers were found.
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See https://www.slf4j.org/codes.html#noProviders for further details.
The user was created successfully

查看用户列表

1	./james-cli --url http://127.0.0.1:8000 user list

测试James

这里用的thunderbird客户端

thunderbird

打开客户端输入昵称

输入上面创建的邮箱账号

输入邮箱密码

登陆测试

第一次发送邮件测试报错，报错信息为证书不匹配之类的错误，后面又发送了几次，除开第一次，其他的都成功了

如果收件箱没看到邮箱，可以看一下垃圾箱

测试完发件功能，测试收件，发现收不到邮件

防火墙需要打开以下端口

25,110,143,465,587,993,995

opensearch查看邮件

curl -X POST "http://mail.xx.ai:9200/mailbox_v1/_search" -H "Content-Type: application/json" -d '{"aggregations":{"unique_message_count":{"cardinality":{"field":"mimeMessageID"}}},"collapse":{"field":"mimeMessageID"},"from":0,"query":{"bool":{"minimum_should_match":"1","should":[{"term":{"from.address.raw":{"value":"test007@xx.ai"}}},{"term":{"to.address.raw":{"value":"test007@xx.ai"}}},{"term":{"cc.address.raw":{"value":"test007@xx.ai"}}},{"term":{"bcc.address.raw":{"value":"test007@xx.ai"}}},{"nested":{"path":"headers","query":{"bool":{"must":[{"term":{"headers.name":{"value":"delivered-to"}}},{"term":{"headers.value":{"value":"test007@xx.ai"}}}]}}}}]}},"size":5,"sort":[{"date":{"order":"desc"}}]}'

james分布式版本部署二

一些配置

OpenSearch

docker

手动

DNS 配置

配置 DMARC

nginx配置文件参考

安装 James

配置 james

ssl证书方式（推荐）

证书安装

修改 James 配置

blob.properties

cassandra.properties

imapserver.xml

opensearch.properties

pop3server.xml

rabbitmq.properties

smtpserver.xml

tika.properties

webadmin.properties

jmap.properties

启动脚本

为脚本添加执行权限

启动James 服务

或者重启James 服务

如果启动报错，查看一下证书

手动启动

开机启动

配置自动续期

自动续期状态检测

强制续期

续期钩子重启james

为脚本添加执行权限

密钥库方式（弃用）

生成密钥库

修改配置

blob.properties

cassandra.properties

imapserver.xml

opensearch.properties

pop3server.xml

rabbitmq.properties

smtpserver.xml

tika.properties

webadmin.properties

jmap.properties

启动 James

配置 DKIM

安装 James 客户端

下载

解压并进入目录

打包编译

进入客户端目录

添加域

查看域列表

添加用户

查看用户列表

更多指令

测试James

opensearch查看邮件