[ejabberd] Seeking information for building a modular ansible role

Holger Weiß holger at zedat.fu-berlin.de
Wed May 15 14:56:48 MSK 2019


* Hartmut Goebel <h.goebel at crazy-compilers.com> [2019-05-15 13:31]:
> This would enable more people to run a xmpp server on their own.

Recent ejabberd releases should already make that quite easy, though :-)

> 1) What are the features required to run a state-of-the-art XMPP server?
> (E.g. Is file upload, pubsub, proxy65, muc, or bosh required,
> recommended or optional?)

Currently I would recommend all of those you mentioned (pubsub can be
PEP-only if you don't support 'social' clients such as Movim; proxy65
only to support traditional clients; BOSH only to support web clients
such as Converse.js that don't do XEP-0198 over WebSocket).

You could use https://compliance.conversations.im/add/ to check your
configurations.

> 2a) Regarding hostnames: Are different hostnames required for upload,
> proxy, pubsub (as [1] sec. 3.3 shows), or can this be the same hostname
> as the "base" XMPP server ("my-club.org")?

It can't be the same hostname, but DNS records aren't strictly required
for services that are only offered to local users (as ejabberd doesn't
perform DNS lookups for local services).

> 2b) If any, which of these hostnames are to be read or typed in be user
> and which can be just meaningless (ajkdfha.my-club.org)

Usually, nothing but "my-club.org" should be exposed to the user.  Plus
possibly the MUC domain if users explicitly join (public) rooms by their
room address (as opposed to creating private group chats and inviting
others).

> 3a) Regarding TLS certificates: I assume the TLS certificates need to
> cover all the hostnames 8as in question 2). Is this correct?

They should, though the answer is the same as for question 2: Hostnames
for services that are only offered to local users don't *need* to be
added to certificates (but omitting them can yield warnings in log
files).

> 3b) Let's assume I have a SRV record for "my-club.org" pointing to "...
> some.server.net". Does the certificate need to include "my-club.org" or
> "some.server.net" or both?

Only "my-club.org" (except that some obscure clients, such as some Apple
Messages versions, incorrectly check against "some.server.net").

> 4) Which are the modules to be activated for a state-of-the-art XMPP server?

See the current default configuration:

https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example

> 5) If you have a basic XMPP server, what has to be changed/added in
> configuration options to activate for each of  muc, in-band
> registration, registration via web, file upload, pubsub, proxy65, muc,
> bosh, etc. I need this information to allow enabling or disable features
> as described at the top of this posting.

Except for web/in-band registration, the features you mentioned are all
enabled in the default configuration.  You will want to make sure not to
offer open registration without at least requiring CAPTCHAs by default.

https://compliance.conversations.im/add/ will give hints regarding how
to add missing features.

> 6a) Regarding DNS: Which SRV records are required to be set up? I
> assume  {_xmpp,_xmpps}.{_client,_server}.my-club.org.

_xmpp-{client,server}._tcp are required if the A record of "my-club.org"
doesn't point to the XMPP server and/or if you'd like to use non-default
ports.  _xmpps-{client,server}._tcp are optional but kinda recommended.

> 6b) Are there any SRV records required for other hostnames (according to
> in question 2)? Of course A/AAAA/CNAME records need to be defined for
> all of theses hostnames.

No (assuming you're not also offering STUN, TURN, and/or SIP services).

> https://www.kuketz-blog.de/ejabberd-installation-und-betrieb-eines-xmpp-servers/

I would recommend against the strict TLS settings suggested in that
article, by the way.

Holger


More information about the ejabberd mailing list