ejabberd

Marcel Waldvogel edited this page Oct 14, 2018 · 9 revisions

Configuring ejabberd (without authentication)

If you have two machines, this is all done on the XMPP server, obviously.

(Authentication will be completed once Nextcloud is ready, in Adding authentication to Prosody.)

Access to certificate and private key

ejabberd cannot deal with separate private key/certificate files

cd /etc/ejabberd
cat /etc/letsencrypt/live/example.org/{privkey,fullchain}.pem > ejabberd.pem
chown ejabberd:ejabberd ejabberd.pem
chmod 640 ejabberd.pem

To make sure this is also executed on every Let's Encrypt certificate update, service prosody reload in the Let's Encrypt cron job should be replaced by the code above, followed by service ejabberd reload.

:warning: Starting with ejabberd 17.06 (has a security problem, please update to 17.07), ejabberd uses a built-in authentication cache, which is enabled by default, but not (yet) documented in the ejabberd configuration documentation. This cache interferes with multiple valid passwords (app passwords, tokens) and thus needs to be deactivated with auth_use_cache: false.

/etc/ejabberd/ejabberd.yml

If you run a recent ejabberd, replace its configuration file with the following contents. If you run an older version, just apply the diffs below), as e.g. the shaping/access syntax has changed.

###
###               ejabberd configuration file
###
###

### The parameters used in this configuration file are explained in more detail
### in the ejabberd Installation and Operation Guide.
### Please consult the Guide in case of doubts, it is included with
### your copy of ejabberd, and is also available online at
### http://www.process-one.net/en/ejabberd/docs/

### The configuration file is written in YAML.
### Refer to http://en.wikipedia.org/wiki/YAML for the brief description.
### However, ejabberd treats different literals as different types:
###
### - unquoted or single-quoted strings. They are called "atoms".
###   Example: dog, 'Jupiter', '3.14159', YELLOW
###
### - numeric literals. Example: 3, -45.0, .0
###
### - quoted or folded strings.
###   Examples of quoted string: "Lizzard", "orange".
###   Example of folded string:
###   > Art thou not Romeo,
###     and a Montague?

###   =======
###   LOGGING

##
## loglevel: Verbosity of log files generated by ejabberd.
## 0: No ejabberd log at all (not recommended)
## 1: Critical
## 2: Error
## 3: Warning
## 4: Info
## 5: Debug
##
loglevel: 4

##
## rotation: Describe how to rotate logs. Either size and/or date can trigger
## log rotation. Setting count to N keeps N rotated logs. Setting count to 0
## does not disable rotation, it instead rotates the file and keeps no previous
## versions around. Setting size to X rotate log when it reaches X bytes.
## To disable rotation set the size to 0 and the date to ""
## Date syntax is taken from the syntax newsyslog uses in newsyslog.conf.
## Some examples:
##  $D0     rotate every night at midnight
##  $D23    rotate every day at 23:00 hr
##  $W0D23  rotate every week on Sunday at 23:00 hr
##  $W5D16  rotate every week on Friday at 16:00 hr
##  $M1D0   rotate on the first day of every month at midnight
##  $M5D6   rotate on every 5th day of the month at 6:00 hr
##
log_rotate_size: 10485760
log_rotate_date: ""
log_rotate_count: 1

##
## overload protection: If you want to limit the number of messages per second
## allowed from error_logger, which is a good idea if you want to avoid a flood
## of messages when system is overloaded, you can set a limit.
## 100 is ejabberd's default.
log_rate_limit: 100

##
## watchdog_admins: Only useful for developers: if an ejabberd process
## consumes a lot of memory, send live notifications to these XMPP
## accounts.
##
## watchdog_admins:
##   - "bob@example.org"


###   ================
###   SERVED HOSTNAMES

##
## hosts: Domains served by ejabberd.
## You can define one or several, for example:
## hosts:
##   - "example.net"
##   - "example.com"
##   - "example.org"
##
hosts:
  - "example.org"

##
## route_subdomains: Delegate subdomains to other XMPP servers.
## For example, if this ejabberd serves example.org and you want
## to allow communication with an XMPP server called im.example.org.
##
## route_subdomains: s2s

###   ===============
###   LISTENING PORTS

## The HTTP hosts which are allowed to forward packets
## (Forwarding is not disallowed for others, but only for those, the address
## in the `X-Forwarded-For:` header is taken as the real originator for
## access control and logging purposes.)
## Depending on your environment, one of these values will work, none hurts.
trusted_proxies:
  - "127.0.0.1"
  - "::1"
  - "localhost"
  - "::FFFF:127.0.0.1"

##
## listen: The ports ejabberd will listen on, which service each is handled
## by and what options to start it with.
##
listen:
  -
    port: 5222
    inet6: true
    module: ejabberd_c2s
    ##
    ## If TLS is compiled in and you installed a SSL
    ## certificate, specify the full path to the
    ## file and uncomment these lines:
    ##
    ## certfile: "/path/to/ssl.pem"
    ## starttls: true
    ##
    certfile: "/etc/ejabberd/ejabberd.pem"
    #starttls: true
    starttls_required: true
    ## To enforce TLS encryption for client connections,
    ## use this instead of the "starttls" option:
    ##
    ## starttls_required: true
    ##
    ## Custom OpenSSL options
    ##
    protocol_options:
      - "no_sslv3"
    ##   - "no_tlsv1"
    max_stanza_size: 65536
    shaper: c2s_shaper
    access: c2s
  -
    port: 5223
    ip: "::"
    module: ejabberd_c2s
    tls: true
    protocol_options: 'TLSOPTS'
    dhfile: 'DHFILE'
    ciphers: 'CIPHERS'
    ##
    ## To enforce TLS encryption for client connections,
    ## use this instead of the "starttls" option:
    ##
    ## starttls_required: true
    ##
    ## Stream compression
    ##
    ## zlib: true
    ##
    max_stanza_size: 65536
    shaper: c2s_shaper
    access: c2s
  -
    port: 5269
    inet6: true
    module: ejabberd_s2s_in
  ##
  ## ejabberd_service: Interact with external components (transports, ...)
  ##
  ## -
  ##   port: 8888
  ##   module: ejabberd_service
  ##   access: all
  ##   shaper_rule: fast
  ##   ip: "127.0.0.1"
  ##   hosts:
  ##     "icq.example.org":
  ##       password: "secret"
  ##     "sms.example.org":
  ##       password: "secret"

  ##
  ## ejabberd_stun: Handles STUN Binding requests
  ##
  ## -
  ##   port: 3478
  ##   transport: udp
  ##   module: ejabberd_stun

  ##
  ## To handle XML-RPC requests that provide admin credentials:
  ##
  ## -
  ##   port: 4560
  ##   module: ejabberd_xmlrpc
  -
    port: 5280
    inet6: true
    module: ejabberd_http
    ## request_handlers:
    ##   "/pub/archive": mod_http_fileserver
    web_admin: true
    http_poll: true
    http_bind: true
    ## register: true
    captcha: false
  -
    port: 5281
    inet6: true
    tls: true
    module: ejabberd_http
    request_handlers:
      "/websocket": ejabberd_http_ws
    ##  "/pub/archive": mod_http_fileserver
    web_admin: true
    http_bind: true
    ## register: true
    captcha: false

###.  ==================
###'  S2S GLOBAL OPTIONS

##
## s2s_use_starttls: Enable STARTTLS + Dialback for S2S connections.
## Allowed values are: false optional required required_trusted
## You must specify a certificate file.
##
s2s_use_starttls: required

##
## s2s_certfile: Specify a certificate file.
##
s2s_certfile: "/etc/ejabberd/ejabberd.pem"

## Custom OpenSSL options
##
s2s_protocol_options:
  - "no_sslv3"
##   - "no_tlsv1"

##
## domain_certfile: Specify a different certificate for each served hostname.
##
## host_config:
##   "example.org":
##     domain_certfile: "/path/to/example_org.pem"
##   "example.com":
##     domain_certfile: "/path/to/example_com.pem"

##
## S2S whitelist or blacklist
##
## Default s2s policy for undefined hosts.
##
## s2s_access: s2s

##
## Outgoing S2S options
##
## Preferred address families (which to try first) and connect timeout
## in milliseconds.
##
## outgoing_s2s_families:
##   - ipv4
##   - ipv6
## outgoing_s2s_timeout: 10000

###   ==============
###   AUTHENTICATION

##
## auth_method: Method used to authenticate the users.
## The default method is the internal.
## If you want to use a different method,
## comment this line and enable the correct ones.
##
## auth_method: internal

##
## Store the plain passwords or hashed for SCRAM:
## auth_password_format: plain
## auth_password_format: scram
##
## Define the FQDN if ejabberd doesn't detect it:
## fqdn: "server3.example.com"

##
## Authentication using external script
## Make sure the script is executable by ejabberd.
##
## auth_method: external
## extauth_program: "/path/to/authentication/script"
auth_method: external
extauth_program: "/usr/bin/socket localhost 23662"
use_auth_cache: false

##
## Authentication using ODBC
## Remember to setup a database in the next section.
##
## auth_method: odbc

##
## Authentication using PAM
##
## auth_method: pam
## pam_service: "pamservicename"

##
## Authentication using LDAP
##
## auth_method: ldap
##
## List of LDAP servers:
## ldap_servers:
##   - "localhost"
##
## Encryption of connection to LDAP servers:
## ldap_encrypt: none
## ldap_encrypt: tls
##
## Port to connect to on LDAP servers:
## ldap_port: 389
## ldap_port: 636
##
## LDAP manager:
## ldap_rootdn: "dc=example,dc=com"
##
## Password of LDAP manager:
## ldap_password: "******"
##
## Search base of LDAP directory:
## ldap_base: "dc=example,dc=com"
##
## LDAP attribute that holds user ID:
## ldap_uids:
##   - "mail": "%u@mail.example.org"
##
## LDAP filter:
## ldap_filter: "(objectClass=shadowAccount)"

##
## Anonymous login support:
##   auth_method: anonymous
##   anonymous_protocol: sasl_anon | login_anon | both
##   allow_multiple_connections: true | false
##
## host_config:
##   "public.example.org":
##     auth_method: anonymous
##     allow_multiple_connections: false
##     anonymous_protocol: sasl_anon
##
## To use both anonymous and internal authentication:
##
## host_config:
##   "public.example.org":
##     auth_method:
##       - internal
##       - anonymous

###   ==============
###   DATABASE SETUP

## ejabberd by default uses the internal Mnesia database,
## so you do not necessarily need this section.
## This section provides configuration examples in case
## you want to use other database backends.
## Please consult the ejabberd Guide for details on database creation.

##
## MySQL server:
##
## odbc_type: mysql
## odbc_server: "server"
## odbc_database: "database"
## odbc_username: "username"
## odbc_password: "password"
##
## If you want to specify the port:
## odbc_port: 1234

##
## PostgreSQL server:
##
## odbc_type: pgsql
## odbc_server: "server"
## odbc_database: "database"
## odbc_username: "username"
## odbc_password: "password"
##
## If you want to specify the port:
## odbc_port: 1234
##
## If you use PostgreSQL, have a large database, and need a
## faster but inexact replacement for "select count(*) from users"
##
## pgsql_users_number_estimate: true

##
## ODBC compatible or MSSQL server:
##
## odbc_type: odbc
## odbc_server: "DSN=ejabberd;UID=ejabberd;PWD=ejabberd"

##
## Number of connections to open to the database for each virtual host
##
## odbc_pool_size: 10

##
## Interval to make a dummy SQL request to keep the connections to the
## database alive. Specify in seconds: for example 28800 means 8 hours
##
## odbc_keepalive_interval: undefined

###   ===============
###   TRAFFIC SHAPERS

shaper:
  ##
  ## The "normal" shaper limits traffic speed to 1000 B/s
  ##
  normal: 1000

  ##
  ## The "fast" shaper limits traffic speed to 50000 B/s
  ##
  fast: 50000

  ##
  ## The "proxy" shaper limits traffic speed to 1 MB/s
  ##
  proxy: 1000000

##
## This option specifies the maximum number of elements in the queue
## of the FSM. Refer to the documentation for details.
##
max_fsm_queue: 1000

###.   ====================
###'   ACCESS CONTROL LISTS
acl:
  ##
  ## The 'admin' ACL grants administrative privileges to XMPP accounts.
  ## You can put here as many accounts as you want.
  ##
  ## admin:
  ##   user:
  ##     - "aleksey": "localhost"
  ##     - "ermine": "example.org"
  ##
  ## Blocked users
  ##
  ## blocked:
  ##   user:
  ##     - "baduser": "example.org"
  ##     - "test"

  ## Local users: don't modify this.
  ##
  local:
    user_regexp: ""

  ##
  ## More examples of ACLs
  ##
  ## jabberorg:
  ##   server:
  ##     - "jabber.org"
  ## aleksey:
  ##   user:
  ##     - "aleksey": "jabber.ru"
  ## test:
  ##   user_regexp: "^test"
  ##   user_glob: "test*"

  ##
  ## Loopback network
  ##
  loopback:
    ip:
      - "127.0.0.0/8"

  ##
  ## Bad XMPP servers
  ##
  ## bad_servers:
  ##   server:
  ##     - "xmpp.zombie.org"
  ##     - "xmpp.spam.com"

  ## Proxy stuff
  proxy65_access:
    local: allow
    all: deny
  proxy65_shaper:
    admin: none
    proxy_users: proxyrate


##
## Define specific ACLs in a virtual host.
##
## host_config:
##   "localhost":
##     acl:
##       admin:
##         user:
##           - "bob-local": "localhost"

###   ============
###   ACCESS RULES
access:
  ## Maximum number of simultaneous sessions allowed for a single user:
  max_user_sessions:
    all: 10
  ## Maximum number of offline messages that users can have:
  max_user_offline_messages:
    admin: 5000
    all: 100
  ## This rule allows access only for local users:
  local:
    local: allow
  ## Only non-blocked users can use c2s connections:
  c2s:
    blocked: deny
    all: allow
  ## For C2S connections, all users except admins use the "normal" shaper
  c2s_shaper:
    admin: none
    all: normal
  ## All S2S connections use the "fast" shaper
  s2s_shaper:
    all: fast
  ## Only admins can send announcement messages:
  announce:
    admin: allow
  ## Only admins can use the configuration interface:
  configure:
    admin: allow
  ## Admins of this server are also admins of the MUC service:
  muc_admin:
    admin: allow
  ## Only accounts of the local ejabberd server can create rooms:
  muc_create:
    local: allow
  ## All users are allowed to use the MUC service:
  muc:
    all: allow
  ## Only accounts on the local ejabberd server can create Pubsub nodes:
  pubsub_createnode:
    local: allow
  ## In-band registration allows registration of any possible username.
  ## To disable in-band registration, replace 'allow' with 'deny'.
  register:
    all: allow
  ## Only allow to register from localhost
  trusted_network:
    loopback: allow
  ## Do not establish S2S connections with bad servers
  ## s2s:
  ##   bad_servers: deny
  ##   all: allow

## By default the frequency of account registrations from the same IP
## is limited to 1 account every 10 minutes. To disable, specify: infinity
## registration_timeout: 600

##
## Define specific Access Rules in a virtual host.
##
## host_config:
##   "localhost":
##     access:
##       c2s:
##         admin: allow
##         all: deny
##       register:
##         all: deny

###   ================
###   DEFAULT LANGUAGE

##
## language: Default language used for server messages.
##
language: "en"

##
## Set a different default language in a virtual host.
##
## host_config:
##   "localhost":
##     language: "ru"

###   =======
###   CAPTCHA

##
## Full path to a script that generates the image.
##
## captcha_cmd: "/lib/ejabberd/priv/bin/captcha.sh"

##
## Host for the URL and port where ejabberd listens for CAPTCHA requests.
##
## captcha_host: "example.org:5280"

##
## Limit CAPTCHA calls per minute for JID/IP to avoid DoS.
##
## captcha_limit: 5

###   =======
###   MODULES

##
## Modules enabled in all ejabberd virtual hosts.
##
modules:
  mod_adhoc: {}
  ## mod_admin_extra: {}
  mod_announce: # recommends mod_adhoc
    access: announce
  mod_avatar: {}
  mod_blocking: {} # requires mod_privacy
  mod_caps: {}
  mod_carboncopy: {}
  mod_client_state:
    drop_chat_states: true
    queue_presence: false
  mod_configure: {} # requires mod_adhoc
  mod_disco:
    server_info:
    -
      modules: all
      name: "abuse-address"
      urls: ["mailto:abuse@example.org"]
  ## mod_echo: {}
  mod_irc: {}
  mod_http_bind: {}
  ## mod_http_fileserver:
  ##   docroot: "/var/www"
  ##   accesslog: "/var/log/ejabberd/access.log"
  mod_last: {}
  mod_muc:
    ## host: "conference.@HOST@"
    access: muc
    access_create: muc_create
    access_persistent: muc_create
    access_admin: muc_admin
  ## mod_muc_log: {}
  mod_offline:
    access_max_user_messages: max_user_offline_messages
  mod_ping: {}
  ## mod_pres_counter:
  ##   count: 5
  ##   interval: 60
  mod_privacy: {}
  mod_private: {}
  # Allow direct file transfer (obsoleted by HTTP upload, but required by the XMPP Compliance Suite)
  # Needs restart, not just reload when changing ip/port
  mod_proxy65:
    host: "proxy.@HOST@"
    name: "File Transfer Proxy"
    ip: "::"
    port: 7777
    max_connections: 10
    auth_type: plain
    access: local
    shaper: proxy65_shaper
  mod_pubsub:
    access_createnode: pubsub_createnode
    ## reduces resource comsumption, but XEP incompliant
    ignore_pep_from_offline: true
    ## XEP compliant, but increases resource comsumption
    ## ignore_pep_from_offline: false
    last_item_cache: false
    plugins:
      - "flat"
      - "hometree"
      - "pep" # pep requires mod_caps
  mod_register:
    ##
    ## Protect In-Band account registrations with CAPTCHA.
    ##
    ## captcha_protected: true

    ##
    ## Set the minimum informational entropy for passwords.
    ##
    ## password_strength: 32

    ##
    ## After successful registration, the user receives
    ## a message with this subject and body.
    ##
    welcome_message:
      subject: "Welcome!"
      body: |-
        Hi.
        Welcome to this XMPP server.

    ##
    ## When a user registers, send a notification to
    ## these XMPP accounts.
    ##
    ## registration_watchers:
    ##   - "admin1@example.org"

    ##
    ## Only clients in the server machine can register accounts
    ##
    ip_access: trusted_network

    ##
    ## Local c2s or remote s2s users cannot register accounts
    ##
    ## access_from: deny

    access: register
  mod_roster:
    versioning: true
    store_current_id: false
  mod_shared_roster: {}
  mod_stats: {}
  mod_time: {}
  mod_vcard: {}
  mod_version: {}

##
## Enable modules with custom options in a specific virtual host
##
## host_config:
##   "localhost":
##     modules:
##       mod_echo:
##         host: "mirror.localhost"

##
## Enable modules management via ejabberdctl for installation and
## uninstallation of public/private contributed modules
## (enabled by default)
##

allow_contrib_modules: true

### Local Variables:
### mode: yaml
### End:
### vim: set filetype=yaml tabstop=8

Diff

Here is the set of changes I applied to the default configuration file. If you installed the above file, you can ignore this.

--- a/etc/ejabberd/ejabberd.yml	2017-06-21 13:00:59.253476222 +0200
+++ b/etc/ejabberd/ejabberd.yml	2017-06-21 13:43:11.760513901 +0200
@@ -70,7 +70,7 @@
 ## accounts.
 ##
 ## watchdog_admins:
-##   - "bob@example.com"
+##   - "bob@example.org"
 
 
 ###   ================
@@ -85,7 +85,7 @@
 ##   - "example.org"
 ##
 hosts:
-  - "localhost"
+  - "example.org"
 
 ##
 ## route_subdomains: Delegate subdomains to other XMPP servers.
@@ -104,6 +104,7 @@
 listen:
   -
     port: 5222
+    inet6: true
     module: ejabberd_c2s
     ##
     ## If TLS is compiled in and you installed a SSL
@@ -113,6 +114,9 @@
     ## certfile: "/path/to/ssl.pem"
     ## starttls: true
     ##
+    certfile: "/etc/ejabberd/ejabberd.pem"
+    #starttls: true
+    starttls_required: true
     ## To enforce TLS encryption for client connections,
     ## use this instead of the "starttls" option:
     ##
@@ -120,14 +124,15 @@
     ##
     ## Custom OpenSSL options
     ##
-    ## protocol_options:
-    ##   - "no_sslv3"
+    protocol_options:
+      - "no_sslv3"
     ##   - "no_tlsv1"
     max_stanza_size: 65536
     shaper: c2s_shaper
     access: c2s
   -
     port: 5269
+    inet6: true
     module: ejabberd_s2s_in
   ##
   ## ejabberd_service: Interact with external components (transports, ...)
@@ -160,6 +165,7 @@
   ##   module: ejabberd_xmlrpc
   -
     port: 5280
+    inet6: true
     module: ejabberd_http
     ## request_handlers:
     ##   "/pub/archive": mod_http_fileserver
@@ -167,24 +173,39 @@
     http_poll: true
     http_bind: true
     ## register: true
-    captcha: true
+    captcha: false
+  - 
+    port: 5281
+    inet6: true
+    tls: true
+    module: ejabberd_http
+    request_handlers:
+      "/websocket": ejabberd_http_ws
+    ##  "/pub/archive": mod_http_fileserver
+    web_admin: true
+    http_bind: true
+    ## register: true
+    captcha: false
+
+###.  ==================
+###'  S2S GLOBAL OPTIONS
 
 ##
 ## s2s_use_starttls: Enable STARTTLS + Dialback for S2S connections.
 ## Allowed values are: false optional required required_trusted
 ## You must specify a certificate file.
 ##
-## s2s_use_starttls: optional
+s2s_use_starttls: required
 
 ##
 ## s2s_certfile: Specify a certificate file.
 ##
-## s2s_certfile: "/path/to/ssl.pem"
+s2s_certfile: "/etc/ejabberd/ejabberd.pem"
 
 ## Custom OpenSSL options
 ##
-## s2s_protocol_options:
-##   - "no_sslv3"
+s2s_protocol_options:
+  - "no_sslv3"
 ##   - "no_tlsv1"
 
 ##
@@ -223,7 +244,7 @@
 ## If you want to use a different method,
 ## comment this line and enable the correct ones.
 ##
-auth_method: internal
+## auth_method: internal
 
 ##
 ## Store the plain passwords or hashed for SCRAM:
@@ -239,6 +260,9 @@
 ##
 ## auth_method: external
 ## extauth_program: "/path/to/authentication/script"
+auth_method: external
+extauth_program: "/usr/bin/socket localhost 23662"
+use_auth_cache: false
 
 ##
 ## Authentication using ODBC

:warning: Note that in previous versions of this file, store_current_id was set to true. This interferes with shared roster groups. So if you want to have shared roster groups, make sure you have store_current_id: false in your mod_roster config.

Next: Configuring Nextcloud

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.