Reading mail with Mule POP3S transport from server with self-signed certificate

Mule ESB makes it very easy to process incoming e-mail messages using the POP3 protocol. Here is a simple example that will check for new e-mail messages every 10 seconds and print some basic header information together with the body.

However, since POP3 is a clear-text protocol, you should always make sure to secure it using Transport Layer Security (TLS). Fortunately, in Mule ESB it is equally easy to use TLS-secured POP3 (also known as POP3S). The flow below does the same as the previous one, but now the communication is secured.

However, if your POP3 server does not have a certificate signed by a well-known root Certificate Authority (CA) that is trusted by the default keystore shipped with your Java JDK, you will get the following error message:

ERROR 2015-02-14 23:23:59,232 [main] org.mule.module.launcher.DefaultArchiveDeployer:
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ Failed to deploy artifact 'pop3example', see below +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
org.mule.module.launcher.DeploymentStartException: SunCertPathBuilderException: unable to find valid certification path to requested target
....

Why is that? Since the certificate that your POP3 server uses, or its issuer, is not trusted by the default trust store, Mule (or rather the Java runtime) cannot validate the certificate, which means that it cannot set up a reliably secure connection. It could be that somebody is targeting you for a man-in-the-middle attack.

So what can we do about this? Either you can switch to a certificate from a well-known root Certificate Authority, or you will need to tell Mule that your certificate is trusted. Let's take a closer look at the latter option.

First you will need to get the certificate that your POP3 server is using. Using OpenSSL the command below will help you do this.

openssl s_client -showcerts -connect pop3.myserver.com:995 </dev/null 2>/dev/null | openssl x509 -outform PEM > mycertfile.pem

Most Linux-based systems either have openssl preinstalled or have packages that you can install. If you are running Windows you can find openssl binaries here.

Unfortunately, Java does not understand the PEM file format, so you will have to import the certificate into a Java keystore file. This is done using the keytool that comes with the JDK. Remember the password you set for this new keystore.

keytool -import -alias mypop3server -file mycertfile.pem -keystore mytruststore.keystore
Enter keystore password:
Re-enter new password:

Place the keystore file (mytruststore.keystore) into your Mule project under the src/main/resources folder, then tell the POP3S connector to use this new keystore instead of the default one (use the storePassword you provided in the step above).

Done! Now the flow should work again.
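
The fetch-and-import steps above trust whatever certificate the server presents at the moment you run openssl, so a man-in-the-middle at that moment would end up in your trust store. As an added example (not part of the original post), the script below runs the same fetch and import but refuses to import unless the certificate's SHA-256 fingerprint matches one you obtained out-of-band, for example by reading it on the mail server itself. The function names and the expected-fingerprint argument are assumptions; host, alias and keystore names follow the page.

```shell
#!/bin/sh
# Added example: pin the POP3S certificate before importing it with keytool.
# Usage: ./pin-import.sh pop3.myserver.com <expected-sha256-fp> mypop3server mytruststore.keystore
# The script name and the expected fingerprint argument are assumptions.

# Normalise a fingerprint: drop any "label=" prefix, colons, spaces; upper-case hex.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# SHA-256 fingerprint of a PEM certificate file (empty string if unparsable).
pem_fingerprint() {
    normalize_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null)"
}

# Save the first certificate the server presents (its own leaf) as PEM.
fetch_cert() (   # args: host port outfile
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
)

# Succeeds only if the file parses as a certificate AND matches the pin.
# An empty or unparsable file never matches, even against an empty pin.
cert_matches_pin() (   # args: pemfile expected_fp
    [ -s "$1" ] || exit 1
    fp=$(pem_fingerprint "$1")
    [ -n "$fp" ] && [ "$fp" = "$(normalize_fp "$2")" ]
)

pin_and_import() (   # args: host expected_fp alias keystore
    pem=$(mktemp) || exit 1
    trap 'rm -f "$pem"' EXIT
    fetch_cert "$1" 995 "$pem" || { echo "could not fetch certificate" >&2; exit 1; }
    if cert_matches_pin "$pem" "$2"; then
        # -noprompt skips the "Trust this certificate?" question because the
        # pin check above already answered it; keytool still asks for the password.
        keytool -importcert -noprompt -alias "$3" -file "$pem" -keystore "$4"
    else
        echo "fingerprint mismatch (got $(pem_fingerprint "$pem")), not importing" >&2
        exit 1
    fi
)

# Only act when called with all four arguments.
if [ "$#" -eq 4 ]; then pin_and_import "$@"; fi
```

On the mail server, `openssl x509 -in <server certificate file> -noout -fingerprint -sha256` prints the value to pass as the expected fingerprint.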