XMPP Service Operators - 2020-01-11


  1. 404.city

    yes

  2. 404.city

    tom I'll try to write you tomorrow

  3. tom

    That was weird, I somehow added a muc as a contact

  4. tom

    Why is xmpp.org's xmpp server on a nonstandard port 2605:da00:5222:5269::3:1:9269

  5. tom

    ?

  6. tom

    $ host -t srv _xmpp-server._tcp.xmpp.org
    _xmpp-server._tcp.xmpp.org has SRV record 1 1 9269 xmpp.xmpp.org.

  7. tom

    It's strange

  8. tom

    It's a good thing I didn't deploy egress filtering yet

  9. stpeter

    tom: I can't recall. When we deployed it originally, it might have been running on a machine that was already using the standard port. We change probably change it to the standard port now.

  10. stpeter

    s/change/can/

  11. Frinkel

    Curious, what's the issue with using a nonstandard port as long as the appropriate SRV records exist?

  12. stpeter

    I suspect that tom wanted to set up a firewall rule that allowed only well-defined ports.

  13. tom

    I saw a weird connection I didn't recognize in netstat

  14. tom

    I didn't recognize it because the port number was nonstandard

  15. tom

    I was originally going to set up egress filtering, where the xmpp daemon user could only make external requests on certain ports, namely xmpp-server

  16. tom

    Now I'm not so sure that's a good idea if people are running their s2s connections on nonstandard ports often

  17. tom

    Do I need to set up a STUN server if I want Jingle to work reliably? Is that not covered by the SOCKS proxy XEP-0065?

  18. rom1dep

    > Now I'm not so sure that's a good idea if people are running their s2s connections on nonstandard ports often

    You can often see non-standard s2s ports for direct TLS, for instance

  19. tom

    Ah

  20. tom

    So I should let prosody open whatever port it wants to external hosts

  21. tom

    As long as it's TCP

  22. Ge0rG

    Also don't forget UDP for DNS lookups

  23. tom

    That shouldn't be coming from the xmpp daemon

  24. Ge0rG

    I'm not so sure about that

  25. Martin

    I would also guess it uses the local dns.

  26. Martin

    Why should they nih a dns resolver?

  27. MattJ

    Martin: because the system resolver often doesn't support async or SRV

  28. MattJ

    If you run a resolver on 127.0.0.1, fine

  29. MattJ

    If not, UDP out is required

  30. Martin

    I have unbound listening on 127.0.0.1 and that's the only dns referred in resolv.conf. So prosody should be happy. :)

  31. MattJ

    Yep

  32. Ge0rG

    Martin: but don't dare stop it for some minutes

  33. Martin

    Why should I?

  34. Ge0rG

    Martin: because you do a package update?

  35. Martin

    That will stop it for minutes?

  36. Ge0rG

    maybe long enough for prosody to freak out about the DNS server being gone

  37. Martin

    I will see :)