[ejabberd] reject s2s from IP addresses?

Peter Saint-Andre stpeter at stpeter.im
Fri Jan 25 21:50:17 MSK 2008


Badlop wrote:
> 2008/1/24, Peter Saint-Andre <stpeter at stpeter.im>:
>> Is it possible to configure ejabberd 1.1.4 (or forthcoming 2.0.0) so
>> that it will not accept s2s connections from xmpp services where the
>> domain identifier is an IP address (i.e., not a FQDN)?
> 
> As Christophe explained, ejabberd 2.0.0 includes a new feature to
> allow or deny S2S connections based on the domain name:
> 
> %%
> %% S2S whitelist or blacklist
> %%
> %% Default s2s policy for undefined hosts.
> %%
> {s2s_default_policy, allow}.
> 
> %%
> %% Allow or deny communication with specific servers.
> %%
> {{s2s_host, "badhost.org"}, deny}.
> {{s2s_host, "spammer.com"}, deny}.
> 
> 
> However, this feature doesn't allow defining domain names using
> regexp. So, this isn't possible (offtopic: this expression is not
> valid, but anyway...):
> {{s2s_host, "[0-9]+.[0-9]+.[0-9]+.[0-9]+"}, deny}.
> 
> Another proposal is to implement a new keyword:
> {s2s_default_policy, allow_only_fqdn}.
> 
> In your case both proposals are good. The second one seems less
> powerful, but easier to set up.
> 
> Are you interested in any of these?

Personally I am interested in allowing only FQDNs. It's not powerful in 
the sense of regexp, but it's powerful in the sense of disallowing some 
potentially bad actors from connecting to my service. :)

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
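
Added example (not part of the original message and not ejabberd code): why the pattern quoted above over-matches when read as a regexp, and what an `allow_only_fqdn` default could check instead. The function names, the handling of short numeric forms such as `127.1`, and the sample domains are assumptions.

```python
import ipaddress
import re

# The pattern quoted in the thread, read as a regular expression: the dots are
# unescaped and nothing anchors it to the whole string.
QUOTED_PATTERN = re.compile(r"[0-9]+.[0-9]+.[0-9]+.[0-9]+")
# Assumed extra rule: treat a final label that is all digits or 0x-hex as
# address-like, because some resolvers read short forms such as "127.1" as
# addresses.
NUMERIC_LABEL = re.compile(r"[0-9]+|0[xX][0-9a-fA-F]*")


def quoted_pattern_matches(domain):
    """How the quoted pattern behaves when searched for in a domain string."""
    return QUOTED_PATTERN.search(domain) is not None


def is_ip_literal(domain):
    """True if an s2s domain identifier is an address rather than a name."""
    host = domain.strip().rstrip(".")
    if host.startswith("[") and host.endswith("]"):  # bracketed IPv6 literal
        host = host[1:-1]
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    return NUMERIC_LABEL.fullmatch(host.rsplit(".", 1)[-1]) is not None


def s2s_decision(domain, host_rules, default_policy):
    """Per-host entries first, then the default policy for undefined hosts."""
    key = domain.strip().lower().rstrip(".")
    if key in host_rules:
        return host_rules[key]
    if default_policy == "allow_only_fqdn":  # keyword proposed in the thread
        return "deny" if is_ip_literal(key) else "allow"
    return default_policy


# Constructed sample: the two deny entries from the quoted config plus
# made-up remote domains (documentation address ranges).
HOST_RULES = {"badhost.org": "deny", "spammer.com": "deny"}
SAMPLE = ["jabber.example.org", "badhost.org", "192.0.2.10",
          "[2001:db8::1]", "127.1", "host1a2b3c4.example.org"]

if __name__ == "__main__":
    for name in SAMPLE:
        print(name, quoted_pattern_matches(name),
              s2s_decision(name, HOST_RULES, "allow_only_fqdn"))
```

The last sample is an ordinary hostname that the quoted pattern would match, while the bracketed IPv6 literal and `127.1` are addresses it would miss.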
