<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' ''>
<html xmlns='' xml:lang='en' lang='en'>
<title>Verifying a Public XMPP Service</title>
<!--#include virtual="/includes/head.txt" -->
<h2>Verifying a Public XMPP Service</h2>
<p>When someone <a href='register.shtml'>registers</a> an XMPP service with us, here is how we verify the registration...</p>
<p>Ensure that the request is approved by one of the official representatives for the <em>root</em> domain by forwarding the message sent on the <a href=''> list</a> to (1) the email address(es) listed in the whois record for the root domain and (2) the hostmaster/postmaster/webmaster email addresses for the root domain. (By "root domain" we mean the lowest-level domain that can be looked up in whois -- e.g., if the XMPP service is running at then we contact the owners and admins for</p>
<p>Typically the message we send includes a unique identifier for tracking purposes and says something like this:</p>
<blockquote><p>"Please affirm that you approve of the following request to add the service to the list at ..."</p></blockquote>
<p>Check for appropriate DNS SRV records using the dig command, such as:</p>
<blockquote><p>dig +short -t SRV</p>
<p>dig +short -t SRV</p></blockquote>
<p>Verify that there is indeed an XMPP service running at the domain for server-to-server and client-to-server communications using telnet to the ports discovered via SRV lookups, such as:</p>
<blockquote><p>telnet 5222</p>
<p>telnet 5269</p></blockquote>
<p>We also probe the legacy SSL-only port 5223, because we check that in the next step:</p>
<blockquote><p>telnet 5223</p></blockquote>
<p>Validate the certificate against the root cert of the security provider to make sure that secure connections can be established without errors. We do this by checking port 5223 using the OpenSSL s_client feature, such as:</p>
<blockquote><p>openssl s_client -connect -CAfile startcom.crt</p></blockquote>
<p>This check also helps to ensure backward-compatibility with clients that cannot yet support STARTTLS.</p>
<p>Visit the website of the service to make sure that it is accurate, provides contact information, etc.</p>
<p>Communicate with the service administrator via XMPP.</p>
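<p>The DNS, port and certificate checks above can be scripted as follows. This is an added example, not the registry's own tooling; it assumes the standard XMPP SRV names (_xmpp-client._tcp and _xmpp-server._tcp), a netcat that supports -z in place of the manual telnet probe, and that the legacy SSL listener is on the service domain itself. The function names and example.org are hypothetical.</p>

```shell
#!/bin/sh
# Added example, not the registry's own tooling. example.org is a placeholder.

# Reads `dig +short -t SRV` output ("priority weight port target.") on stdin and
# prints "host port" lines, lowest priority first, then highest weight.
# DNS answers are untrusted input: malformed lines, out-of-range ports, odd
# characters in the target, and the "." target (service not offered) are dropped.
srv_targets() {
    awk 'NF == 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ &&
         $3 + 0 >= 1 && $3 + 0 <= 65535 &&
         $4 != "." && $4 ~ /^[A-Za-z0-9._-]+$/ {
             sub(/\.$/, "", $4); print $1, $2, $4, $3 }' |
        sort -k1,1n -k2,2nr | awk '{ print $3, $4 }'
}

# Usage: verify_service example.org startcom.crt
verify_service() {
    domain=$1; cafile=$2; rc=0
    for svc in _xmpp-client _xmpp-server; do
        targets=$(dig +short -t SRV "$svc._tcp.$domain" | srv_targets)
        if [ -z "$targets" ]; then
            echo "FAIL no usable SRV record for $svc._tcp.$domain"; rc=1; continue
        fi
        while read -r host port; do
            # nc -z stands in for the manual telnet probe (assumes a netcat with -z).
            if nc -z -w 5 "$host" "$port" </dev/null; then
                echo "ok   $host:$port reachable"
            else
                echo "FAIL $host:$port unreachable"; rc=1
            fi
        done <<EOF
$targets
EOF
    done
    # Assumption: the legacy SSL listener is on the service domain itself.
    # s_client carries on after a failed verification unless told otherwise, so
    # request a hard failure and also check the reported verify code.
    if openssl s_client -connect "$domain:5223" -CAfile "$cafile" \
            -verify_hostname "$domain" -verify_return_error </dev/null 2>&1 |
            grep -q 'Verify return code: 0 (ok)'; then
        echo "ok   certificate on $domain:5223 chains to $cafile"
    else
        echo "FAIL certificate on $domain:5223 did not verify"; rc=1
    fi
    return $rc
}
```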
<!--#include virtual="/includes/foot.txt" -->