[ejabberd] reject s2s from IP addresses?

Jesse Thompson jesse.thompson at doit.wisc.edu
Fri Jan 25 21:44:18 MSK 2008

Badlop wrote:
> 2008/1/24, Peter Saint-Andre <stpeter at stpeter.im>:
>> Is it possible to configure ejabberd 1.1.4 (or forthcoming 2.0.0) so
>> that it will not accept s2s connections from xmpp services where the
>> domain identifier is an IP address (i.e., not a FQDN)?
> As Christophe explained, ejabberd 2.0.0 includes a new feature to
> allow or deny S2S connections based on the domain name:
>
> %%
> %% S2S whitelist or blacklist
> %%
> %% Default s2s policy for undefined hosts.
> %%
> {s2s_default_policy, allow}.
> %%
> %% Allow or deny communication with specific servers.
> %%
> {{s2s_host, "badhost.org"}, deny}.
> {{s2s_host, "spammer.com"}, deny}.
>
> However, this feature doesn't allow defining domain names using
> regexp. So, this isn't possible (off-topic: this expression is not
> valid, but anyway...):
>
> {{s2s_host, "[0-9]+.[0-9]+.[0-9]+.[0-9]+"}, deny}.
>
> Another proposal is to implement a new keyword:
>
> {s2s_default_policy, allow_only_fqdn}.
>
> In your case both proposals are good. The second one seems less
> powerful, but easier to set up.
> Are you interested in any of these?

How about adding a hook to call out to an external script (like the
external authentication feature) for each s2s connection request?  You
could pass it the domain name, IP address, presented certificate, etc.
Then the script can be custom designed to perform the necessary checks
(regexp, blacklists, CRL checks, etc).
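
The domain checks discussed in this thread, written as an added example that is not part of the original post and not ejabberd code. The function names and the idea that a script receives the remote domain identifier as a string are assumptions, since the hook is only a proposal here; the deny entries are the two hosts from the quoted config.

```python
import ipaddress
import re

# Policy data: deny entries taken from the quoted config, default as shown there.
DENY_HOSTS = {"badhost.org", "spammer.com"}
DEFAULT_POLICY = "allow"

# The pattern from the thread, kept as written: unanchored, dots unescaped.
NAIVE_IP_RE = re.compile(r"[0-9]+.[0-9]+.[0-9]+.[0-9]+")

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL_RE = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")


def is_ip_literal(domain):
    """True if the domain identifier is an IPv4 or IPv6 address literal."""
    candidate = domain.strip()
    if candidate.startswith("[") and candidate.endswith("]"):
        candidate = candidate[1:-1]  # IPv6 literals may arrive bracketed
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def is_fqdn(domain):
    """True for a dotted hostname whose last label is not purely numeric."""
    name = domain.strip().rstrip(".").lower()
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2:
        return False
    if not all(LABEL_RE.fullmatch(label) for label in labels):
        return False
    return not labels[-1].isdigit()


def s2s_decision(domain):
    """Return 'allow' or 'deny' for a remote server's domain identifier."""
    name = domain.strip().rstrip(".").lower()
    if is_ip_literal(name) or not is_fqdn(name):
        return "deny"  # the allow_only_fqdn behaviour proposed in the thread
    if name in DENY_HOSTS:
        return "deny"
    return DEFAULT_POLICY


def naive_regex_denies(domain):
    """What the unanchored regex quoted in the thread would decide."""
    return NAIVE_IP_RE.search(domain) is not None
```

The quoted regex matches the hostname `1a2b3c4.example.org` (each unescaped dot matches any character) and misses a bracketed IPv6 literal, which is why the example parses addresses instead of pattern-matching them.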

