[ejabberd] Dialback settings for ejabberd_s2s_in

Shaun Kruger shaun.kruger at gmail.com
Mon Oct 10 18:33:26 MSD 2011


On Mon, Oct 10, 2011 at 4:06 AM, Badlop <badlop at gmail.com> wrote:
> So, with that option enabled, ejabberd will accept connections also to
> iamafakedns.com ?

That is correct.  Though, in my use case that is only because my proxy
server is now responsible for doing dialback.

>
> Isn't this a better idea?
> {dialback_verify_disable, "gmail.com"}.
> {dialback_verify_disable, "jabber.org"}.
> %% All the other servers require dialback

I can make this change.  I can definitely see how that would allow a
more fine-grained approach to dealing with dialback issues.  The
system I am setting up would still need a method for disabling
dialback for all domains because I don't know which domains will be
sending to me beforehand.

>> I have determined that this patch allows me to communicate between
>> gmail.com and my ejabberd hosted domain through my proxy server
>> without any difficulty.
>
> And have you investigated the potential security problems that it could raise?

I believe the potential security problems are a matter to be dealt
with in my proxy server.  This is only the inbound half of dialback we
are working with so the only part that needs to be authenticated is
the sender.  If I authenticate the sender's dialback key at the proxy
I really don't see other security problems.  I am however open to
suggestion on this.  I have read the RFC and the relevant XEPs and I
have found nothing that indicates there are more security issues to be
concerned with.

>
>> I do hope you will consider this patch for inclusion in ejabberd3 as
>> this change may make XMPP federation easier in some unique use cases.
>
> Including such option without prior review, and a detailed
> documentation to discourage its abuse by administrators, would provoke
> that a lot of troubled administrators would enable the option. That
> would produce many ejabberd servers without dialback defense, and open
> for spam.

Ok then.  Let's call this the opening of the review process.  What
specifically would you like to review?  How do I get involved in
proposing documentation changes that properly warn admins about the
use of this option?

I would very much like to work with others on the ejabberd project as
I see myself using it quite a bit in the future and I would like to
build a relationship where I can suggest things from time to time for
inclusion in the project.

Shaun
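
The receiving-side decision discussed in this message, as an added example that is not part of the thread or of ejabberd's code: it models the XEP-0185 recommended key derivation and the verify step against the claimed domain's authoritative server. `accept_inbound`, `AuthoritativeServer`, the `"*"` wildcard, the secrets, `im.example.net` and the `dns` table are assumptions constructed for illustration.

```python
import hashlib
import hmac

def dialback_key(secret, receiving, originating, stream_id):
    # XEP-0185 recommendation: HMAC-SHA256 keyed with the hex SHA-256 of a local secret.
    k = hashlib.sha256(secret.encode()).hexdigest().encode()
    msg = f"{receiving} {originating} {stream_id}".encode()
    return hmac.new(k, msg, hashlib.sha256).hexdigest()

class AuthoritativeServer:
    """Stand-in for the host that DNS names as authoritative for `domain`."""
    def __init__(self, domain, secret):
        self.domain, self.secret = domain, secret

    def db_verify(self, receiving, stream_id, key):
        expected = dialback_key(self.secret, receiving, self.domain, stream_id)
        return hmac.compare_digest(expected, key)

def accept_inbound(claimed, key, stream_id, receiving, dns, verify_disabled=()):
    """Receiving-side decision for one db:result that claims `claimed`.
    verify_disabled models the per-domain list quoted in the thread; "*" models
    the global switch (hypothetical syntax, used only in this sketch)."""
    if "*" in verify_disabled or claimed in verify_disabled:
        return True                       # sender's claim accepted with no proof
    authoritative = dns.get(claimed)      # constructed table, not a real DNS lookup
    if authoritative is None:
        return False
    return authoritative.db_verify(receiving, stream_id, key)

def demo():
    me, sid = "im.example.net", "D60000229F"          # constructed values
    dns = {"gmail.com": AuthoritativeServer("gmail.com", "constructed-secret")}
    genuine = dialback_key("constructed-secret", me, "gmail.com", sid)
    forged = dialback_key("guessed-secret", me, "gmail.com", sid)
    return {
        "genuine_verified": accept_inbound("gmail.com", genuine, sid, me, dns),
        "forged_verified": accept_inbound("gmail.com", forged, sid, me, dns),
        "forged_exempt": accept_inbound("gmail.com", forged, sid, me, dns, ("gmail.com",)),
        "fake_per_domain": accept_inbound("iamafakedns.com", forged, sid, me, dns, ("gmail.com",)),
        "fake_global": accept_inbound("iamafakedns.com", forged, sid, me, dns, ("*",)),
    }

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {accepted}")
```

An exempted domain is accepted on the sender's word alone, so the exemption only holds up if something in front of the server, such as the proxy described in the message, has already performed the verify step.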

