XMPP Service Operators - 2021-03-26

  1. mjk

    csh: https://www.ted.com/talks/james_veitch_this_is_what_happens_when_you_reply_to_spam_email Maybe you weren't friendly enough?

  2. moparisthebest

    don't respond ever

  3. raghavgururajan

    How's jabber.network different from xmpp.net?

  4. menel

    raghavgururajan: the one checks the server xeps the other messures tsl.

  5. menel

    tls

  6. raghavgururajan

    menel: Ah thanks!

  7. tom

    hey btw

  8. tom

    you can also test the server's tls with testssl.sh

  9. tom

    it supports the xmpp STARTTLS variant

  10. jonas’

    yes, but you need a very recent version for s2s tests

  11. tom

    the XMPP observatory seems to have severe threading limitations

  12. jonas’

    the xmpp observatory runs on a very old stack which nobody knows how to maintain anymore

  13. tom

    oh

  14. jonas’

    I do have a rewrite (incidentally based on testssl.sh) in the pipeline :)

  15. tom

    oh neat, thanks jonas’!

  16. tom

    jonas’: what is the old stack?

  17. jonas’

    it is actually mostly done, only needs the DNSSEC and DANE stuff sorted out.

  18. jonas’

    tom, a fork of a subset of prosody’s XMPP stack with some strange patches, surrounded by more bits of lua and php

  19. tom

    jonas’: I would like to follow your work on the rewrite

  20. jonas’

    tom, you’re welcome to: https://github.com/horazont/testxmpp

  21. tom

    thanks

  22. ernst.on.tour

    Whats about: ``` echo | openssl s_client -starttls xmpp -servername domain.tls -connect domain.tld:5222 2>/dev/null | openssl x509 -noout -subject -dates -checkend $(($days*24*60*60)) && echo lives more than $days || echo need new cert ```

  23. tom

    » 2>/dev/null discards stderr, » openssl x509 -noout -subject -dates -checkend $(($days*24*60*60)) && echo lives more than $days || echo need new cert downloads the certificate, checks it's experation date and checks it's it's close to expiring

  24. tom

    » openssl s_client -starttls xmpp -servername domain.tls -connect domain.tld:5222 connects and setups up TLS over the STARTTLS method

  25. ernst.on.tour

    I test my cert with above code, it's a oneliner in crontab

  26. tom

    I just use dyhdrated.sh and a slightly modified quark

  27. tom

    quark can be found on suckless.org

  28. tom

    it's a minimal webserver written in less then 1000LOC

  29. tom

    dehydrated is an ACME implementation written in a few hundred lines of bash

  30. ernst.on.tour

    Change "echo need new cert" to "curl ...." to send via mod_post_msg an xmpp-msg to me

  31. tom

    it's very good and keeping the certs fresh, and even more advanced things like stapling, cipher selection, and alternative names

  32. tom

    there's a line in /etc/aliases the redirects root to postmaster@nuegia.net, and cronic, another small shell script ensures cron only fires an email if there's a problem

  33. tom

    it's a very extensible and simple system

  34. tom

    many daemons and users across the system can use it

  35. ernst.on.tour

    I use https://github.com/srvrco/getssl to generate my certs