XMPP Service Operators - 2019-04-06

  1. Douglas Terabyte

    Is it okay to ask unrelated questions in here?

  2. Douglas Terabyte

    Is it okay to ask unrelated tech questions in here?

  3. Douglas Terabyte

    Is it okay to ask unrelated tech questions in here? I'm pulling my hair out over SIP port forwarding.

  4. Licaon_Kter

    Douglas Terabyte: server setup?

  5. tom

    If I'm setting up a Prosody server using a Let's Encrypt certificate, do I need to set prosody to use the normal .crt cert or the fullchain .pem cert?

  6. tom


  7. tom

    When I try to connect to my new prosody server I get an error

  8. tom

    <!-- In Fri 05 Apr 2019 09:24:03 PM PDT --> <?xml version='1.0'?> <stream:stream xmlns:stream='http://etherx.jabber.org/streams' xml:lang='en' from='nuegia.net' id='2620d872-c35b-41c0-9f30-fb78b26b1022' version='1.0' xmlns='jabber:client'> <stream:error> <undefined-condition xmlns='urn:ietf:params:xml:ns:xmpp-streams'/> <text xmlns='urn:ietf:params:xml:ns:xmpp-streams'>No stream features to proceed with</text> </stream:error> </stream:stream>

  9. tom

    any idea what could cause this?

  10. tom


  11. tom


  12. tom

    xmpp# doas -u _prosody /bin/cat /etc/ssl/private/xmpp.nuegia.net.key
    cat: /etc/ssl/private/xmpp.nuegia.net.key: Permission denied
    xmpp# ls -la /etc/ssl/private/xmpp.nuegia.net.key
    -rw-r----- 1 root _prosody 3272 Apr 5 20:47 /etc/ssl/private/xmpp.nuegia.net.key
    xmpp#

  13. tom

    xmpp# doas -u _prosody "/usr/bin/id"
    uid=638(_prosody) gid=638(_prosody) groups=638(_prosody)

  14. tom

    So if both the user and group are _prosody, why wouldn't _prosody be able to read the key?

  15. Licaon_Kter

    tom: can it read the folder?

  16. Licaon_Kter

    *and execute

  17. tom

    it needs to execute the key?

  18. tom

    also, would chmod 0710 /etc/ssl/private be safe?

  19. tom

    *chmod 0701

  20. Licaon_Kter

    tom: folder... it needs to be able to read & execute the folder in order to read the file

  21. Licaon_Kter

    750 folder

  22. Licaon_Kter

    And all the folders in the path...actually...

  23. tom

    well the folder the key is in is owned by root:wheel, so I don't see how the 5 would be necessary

  24. Licaon_Kter

    tom: so _prosody can read the folder. Folders need execute to be able to "enter" them

  25. Licaon_Kter

    *can't read

  26. tom

    the groups over in #openbsd@freenode.net tell me that it's not correct to have a 5

  27. Licaon_Kter

    tom: good luck

  28. tom

    thanks Link Mauve

  29. tom


  30. tom

    scratch that

  31. tom

    Is there any way to have Prosody run as root and then drop privileges?

  32. tom

    so that it can read the private keys on startup?

  33. tom


  34. tom

    if I have SRV records to my domain pointing to xmpp.mydomain.net

  35. tom

    so that I can have my JID and my email be the same thing

  36. tom

    Do I need to have the TLS certificate registered to xmpp.mydomain.net or mydomain.net?

  37. tom

    also, is it required for there to be an alternative name conference.mydomain.net in the TLS cert?

  38. MattJ

    tom: if mydomain.net is the identity you are hosting, that's what you need a certificate for

  39. MattJ

    The network hostname of the machine can be different and doesn't need a certificate, it isn't used within XMPP

  40. MattJ

    And generally, yes, you also need to include any services you host such as MUC domains

  41. madmalkav

    To be honest, I always want to investigate the reason for those services to require their own subdomains, but I always remember when I'm busy with other stuff

  42. tom

    well for email, DNS has the MX record

  43. tom

    I don't think something like an MX record exists for XMPP

  44. MattJ

    It does

  45. MattJ

    It's called an SRV record

  46. MattJ

    But email doesn't do TLS very well

  47. MattJ

    DNS is not secure, so using the hostname you discover in the MX record to verify the certificate is insecure

  48. tom

    when I try to contact a friend on 404.city I get an error: error while sending test ( Messages from strangers are rejected )

  49. tom

    he says he never turned 'messages from strangers' off and doesn't know how to fix that

  50. tom

    does anyone here have any idea how to fix that?

  51. tom

    or what the problem could be?

  52. Douglas Terabyte

    Yeah, I could totally use help with that.

  53. Douglas Terabyte

    I checked my settings and nothing seems to be out of place to cause this.

  54. Douglas Terabyte

    Also Hi Tom

  55. MattJ

    Maybe contact your server admin

  56. muppeth

    tom: afaik it's a server-wide setting on 404. Your friend has to add you to his buddies first

  57. muppeth

    Or you need to send subscription request to him

  58. muppeth

    It's a very extreme (imo) way to prevent spam but at the same time makes usage annoying for normal users

  59. tom

    oh my, if that's so I might have accidentally ignored someone

  60. tom

    I got a subscribe request one day, and I usually don't accept those unless I chat first

  61. tom

    but the other person never responded to anything I'd say, so eventually I denied the request

  62. Licaon_Kter

    tom: subs req and the server side req about strangers are not related

  63. tom

    does 404.city really get so much xmpp spam to warrant that?

  64. Licaon_Kter

    tom: its admin complains a lot so I guess s/he got fed up

  65. tom

    strange, I didn't even think XMPP spam was really a thing.

  66. tom

    anyways, Maybe I can ask 404's admin to whitelist my server

  67. Licaon_Kter

    tom: it's either spimpocalypse or never saw one

  68. tom

    I see

  69. tom

    damn spimps

  70. madmalkav

    Going to set up a personal xmpp instance soon. Info about SRV records on DNS says the target must be an A record. Do you know if this includes ANAME records or not?

  71. Jonny

    why not point the SRV directly to the A record behind the ANAME record?

  72. Jonny

    I have set up an A record for xmpp.rimkus.it

  73. Jonny

    and SRV record in rimkus.it pointing to it

  74. tom

    madmalkav, not exactly true. my SRV records point to xmpp.mydomain.net, and xmpp.mydomain.net is an A record

  75. tom

    and the rest of the domains, pubsub, upload, conference, etc are CNAMEs to xmpp.mydomain.com

  76. tom

    then for TLS certs you can add alternative names as long as they resolve

  77. tom

    Whenever I try to use http upload on my new server in an external muc, I get an error

  78. tom

    Can not request upload slot

  79. tom

    Access denied by service policy

  80. tom

    however http upload seems to work fine for 1 on 1 private chats

  81. tom

    any idea what could cause this? I'm not seeing any warnings in prosody.err