I'm really not sure how many more witty intros I can do on these articles.

I'm setting this up on FreeBSD, so let's install all the relevant packages. Let's install ejabberd:

```
# pkg install ejabberd
The following 14 package(s) will be affected (of 0 checked):
```

We'll want to create some DNS records to tell people where to look for our XMPP service. Let's get those out of the way now so they have time to propagate. I'll be adding these to point to sin.zm.is.

Let's test one of these out:

```
omega# dig srv _xmpp-server._tcp.zm.is +short
```

After issuing certificates with acme.sh and copying them into my FreeBSD jail every day with cron (out of scope of this article), let's update the config with the LDAP definition in /usr/local/etc/ejabberd/ejabberd.yml:

```yaml
host_config:
    ldap_tls_cacertfile: "/etc/ssl/ldapcert.pem"       # replace with your cert path
    ldap_uids:
      - uid                                             # which attribute in LDAP is the username
    ldap_rootdn: "cn=passdn,ou=admin,dc=xf"             # what DN to bind as
    ldap_password: "hunter2"                            # password for said DN
    ldap_base: "ou=users,dc=xf"                         # where to search
    ldap_filter: "(memberOf=cn=xmpp,ou=groups,dc=xf)"   # check group membership (optional)
```

We're going to harden TLS a bit with the following lines in each listen stanza (don't copy this into any configs, see below for the full config):

```yaml
protocol_options:
ciphers: "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384"
```

The protocol options are industry standard, and the cipher selected is either CHACHA20-POLY1305 or AES256-GCM-SHA384, arguably the best options out there.

Now the main /usr/local/etc/ejabberd/ejabberd.yml. You'll want to change all the IP addresses and the admin JID (message me!).

```yaml
# The parameters used in this configuration file are explained at
# The configuration file is written in YAML.
# ******* YAML IS INDENTATION SENSITIVE *******
# ******* MAKE SURE YOU INDENT SECTIONS CORRECTLY *******

ldap_tls_cacertfile: "/etc/ssl/ldapcert.pem"
ldap_filter: "(memberOf=cn=xmpp,ou=groups,dc=xf)"

# If you already have certificates, list them here

# /.well-known/acme-challenge: ejabberd_acme

# Mnesia is limited to 2GB, better to use an SQL backend
# For small servers SQLite is a good fit and is very easy

# Uncomment this when you have SQL configured:
# access_max_user_messages: max_user_offline_messages

# Avoid buggy clients to make their bookmarks public

# Only accept registration requests from the "trusted"
# network (see access_rules section above).
# Think twice before enabling registration from any
# network. See the Jabber SPAM Manifesto for details:

# vim: set filetype=yaml tabstop=8
```

Now, let's open 5222, 5269, 54 in our firewall in order to let it talk out:

```
rdr pass on $ext_if inet proto tcp from ! to $ext_if port $ports_xmpp -> $xmpp
rdr pass on $ext_if inet6 proto tcp from ! to $ext_if_v6 port $ports_xmpp -> $xmpp_v6
rdr pass on $br_if inet proto tcp from $net_v to 10.1.0.4 port $ports_xmpp -> $xmpp
rdr pass on $br_if inet6 proto tcp from $net_v_v6 to fd20:cead:faff::4 port $ports_xmpp -> $xmpp_v6
```

I've also got the bonus (last 2 lines) of being able to reach my XMPP server from within my VPN, since I've got split-horizon DNS:

```
~ » host sin.zm.is
sin.zm.is has IPv6 address fd20:cead:faff::4
```

If you don't have a fancy network setup like mine you can do a simple pass rule:

```
ports_xmpp=""
pass in on $ext_if inet proto tcp from any to any port $ports_xmpp keep state
```

Adding an account is rather simple, and thanks to the SRV records we set up earlier, set-up will be automatic, with no need to put in the custom server we've set up for our domain. I'd recommend using Gajim to connect to it, for its fantastic OMEMO support.
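The cipher string in the listen stanzas above is only as good as what OpenSSL actually selects from it. The following is an added example (my code, not from the post or from ejabberd) that expands an OpenSSL cipher string with Python's `ssl` module and flags any selected suite without an ephemeral key exchange. The TLS 1.2 minimum is my assumption about what the "industry standard" protocol options amount to; the post's own `protocol_options` values are not reproduced here.

```python
import ssl

# Cipher string from the post's listen stanzas.
EJABBERD_CIPHERS = "ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384"


def selected_ciphers(cipher_string):
    """Expand an OpenSSL cipher string into the suite names a server using it
    would offer. OpenSSL always lists its TLS 1.3 suites (TLS_* names) as well,
    because those are configured separately from the TLS 1.2 cipher list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumption: no TLS 1.0/1.1
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def non_forward_secret(cipher_string):
    """Return the selected suites that do NOT give forward secrecy: anything
    that is neither ECDHE-*, DHE-*, nor a TLS 1.3 suite (always ephemeral)."""
    return [
        name
        for name in selected_ciphers(cipher_string)
        if not name.startswith(("ECDHE-", "DHE-", "TLS_"))
    ]


if __name__ == "__main__":
    print("selected by the hardened string:", selected_ciphers(EJABBERD_CIPHERS))
    print("non-forward-secret suites in ALL:", non_forward_secret("ALL"))
```

Run it on the box that will serve XMPP: the result depends on the OpenSSL build, so the list of suites it prints is what clients will really be offered, not what the config string suggests.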
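The reason a client needs no custom server setting is the SRV lookup it does on the domain. As an added illustration (my code, not from the post or from any XMPP client), here is how a client turns the answer of `dig srv _xmpp-server._tcp.zm.is +short` into the order in which servers are tried, following RFC 2782: lowest priority first, weighted random order within a priority. The sample answer is constructed; the second record and its host name are assumptions, not records from the post.

```python
import random
from dataclasses import dataclass

# Constructed sample of `dig ... +short` output for an SRV lookup:
# one "priority weight port target" line per record. The backup
# record is an assumption for illustration only.
SAMPLE_DIG_SHORT = """\
0 5 5269 sin.zm.is.
10 0 5269 backup.zm.is.
"""


@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str


def parse_dig_short(text):
    """Parse `dig +short` SRV output. An empty answer gives an empty list,
    in which case a client falls back to the bare domain on the default port."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # blank or unexpected line
        prio, weight, port, target = parts
        records.append(Srv(int(prio), int(weight), int(port), target.rstrip(".")))
    return records


def order_targets(records, seed=None):
    """Return (host, port) pairs in the order a client should try them:
    ascending priority, and within one priority a random order where each
    record's chance is proportional to its weight (RFC 2782). Weight-0
    records are only picked once no weighted record is left."""
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        while group:
            total = sum(r.weight for r in group)
            if total == 0:
                choice = rng.choice(group)  # all weights 0: uniform choice
            else:
                pick = rng.randint(0, total - 1)
                running = 0
                for r in group:
                    running += r.weight
                    if pick < running:
                        choice = r
                        break
            ordered.append((choice.target, choice.port))
            group.remove(choice)
    return ordered


if __name__ == "__main__":
    for host, port in order_targets(parse_dig_short(SAMPLE_DIG_SHORT)):
        print(f"try {host}:{port}")
```

Because the selection is driven entirely by what DNS returns, an unsigned zone lets whoever can spoof the answer steer clients elsewhere; DNSSEC on the zone, plus a certificate that is valid for the domain (not just the SRV target), is what keeps that step trustworthy.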