XMPP Service Operators - 2021-04-04


  1. thndrbvr

    » <rob> Keep your data in sight
    Unless you live in the US I would argue. Or any other anti-privacy country.

  2. moparisthebest

    thndrbvr: in the US specifically you should keep your data under your control: https://en.wikipedia.org/wiki/Third-party_doctrine

  3. thndrbvr

    TFC's server is in Iceland.

  4. moparisthebest

    Where the NSA and friends can hack it legally :)

  5. thndrbvr

    But, it is outside their jurisdiction so they can't demand Iceland to hand over anything. Besides, it's got pre-boot encryption and only one SSH key is allowed in. I've got the passphrase memorized. They'd have to scan my mind.

  6. thndrbvr

    https://restoreprivacy.com/5-eyes-9-eyes-14-eyes/ | https://flokinet.is/about.php

  7. moparisthebest

    they are legally allowed to hack it though, whereas if you are a US citizen and host your own stuff at your own house, they 1) aren't allowed to hack it 2) aren't allowed any access at all without a warrant served to you

  8. thndrbvr

    Legally is the key word there. Lol. They can still easily raid, confiscate, and put you in jail. Especially if you're not an affluent white person.

  9. moparisthebest

    not without a warrant

  10. xorman

    pre-boot encryption means that if it's powered off you're screwed?

  11. thndrbvr

    No matter where data is located or being transferred, the US gov't & contractors will be sniffing all the info they can by all means necessary. I also don't think it's too hard to obtain a warrant depending on who you know and how many times an agent says "kiddie pr0n!!!!!!1111111111" or "t3rr0r1zmmmmm!!!!!" or even these days "conspiracy" >__>;

  12. xorman

    would you need a trip to iceland to power it back on?

  13. thndrbvr

    I think it's a Ubuntu server running in a VM on a Ubuntu server. Lol. I'm not sure.

  14. thndrbvr

    Nah, Flokinet handles everything for me. They've been great with everything these last several months. Quick and knowledgeable.

  15. moparisthebest

    meh that's fine, warrants are covered by due process and such, what isn't fine is 3rd party doctrine / warrantless searches when your data is at a 3rd party

  16. thndrbvr

    Does that protect people and non-profit orgs?

  17. xorman

    a VM, so they could easily target the hypervisor and that pre-boot encryption is worthless

  18. thndrbvr

    Also, with all the anti-free-speech moves and attempts at outlawing encryption altogether or requiring backdoors, I'm not really sure I feel comfortable living in the US or Canada.

  19. xorman

    due process is still a thing

  20. thndrbvr

    xorman: I'm not sure exactly how it works. It might not be a VM. Might just be standard LUKS.

  21. xorman

    what does it protect you from?

  22. thndrbvr

    Hm?

  23. xorman

    a sudden raid? where you quickly unplug the box

  24. moparisthebest

    US still has the absolute best free speech protections of any country

  25. moparisthebest

    I guess if you need the best protection against a raid it probably involves keeping it near you and under some thermite

  26. thndrbvr

    It sounds like there are some Nordic countries that are a bit freer and also less anti-piracy.

  27. moparisthebest

    my threat model hasn't reached level thermite as of yet

  28. xorman

    thermite in the worst country beats 3rd party hosting in the best country

  29. rob

    I'd just have another key pair for stuff with a huge passphrase, if I actually had anything to hide

  30. rob

    Regular encrypted emails

  31. thndrbvr

    I suppose the worst case is that I just have a backup of the site, software, and usernames and make everyone reset their passwords, and their chat histories and maybe images/other files would be gone. I'm using Wasabi for FunkWhale & PeerTube uploads, which is in the US anyway, but my server has a limited amount of storage space and my personal ISP rather sucks and has a cap even if they didn't suck.

  32. thndrbvr

    Like, if suddenly the server disappeared for whatever reason.

  33. menel

    This "you are not allowed to snoop on your own people" is easy to solve.... (there was a lot in the newspapers after Snowden) USA works with other countries... and USA snoops on Canadians, and UK's services snoop on USA citizens. And then the data is shared fairly. And if by mistake a citizen of the USA is involved... well... can happen.

  34. thndrbvr

    Yeah, the 14 eyes countries as I linked earlier. Asia has their own similar thing.

  35. adam carter

    hiya.. I'm adam.. just figuring out this whole environment.. I mean.. I thought I knew a lot. but shit I think I just know enough to be a dangerous amateur

  36. thndrbvr

    Welcome & good luck. Lol

  37. rob

    Welcome

  38. tom

    https://xmpp.org/extensions/attic/xep-0205-0.3.html SHOULD NOT specify limiting the XML stanza size. Since people have started doing that I've had lots of federation issues.
    # grep "stanza is too big" /var/log/prosody/prosody.log | wc -l
    260
    Just in the last 24 hours I've had 260 federation drop outs due to this recommendation.

  39. moparisthebest

    tom, you mean https://xmpp.org/extensions/xep-0205.html#rec-stanzasize ? and things absolutely should do that

  40. tom

    Yes, it's dropping the s2s connection out

  41. moparisthebest

    would you prefer your entire server crash or

  42. tom

    https://0x0.st/-cKv.txt

  43. tom

    I would prefer the server process the request

  44. tom

    Instead of dropping out

  45. moparisthebest

    you should set the same defaults ejabberd uses in your prosody

  46. moparisthebest

    in fact, the entire network should

  47. tom

    What is that?

  48. tom

    Whatever it is, it's WAAAY too small

  49. moparisthebest

    https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example#L32

  50. moparisthebest

    262144 for c2s, twice that for s2s

  51. menel

    but your inband stickers!

  52. tom

    creep.im conversations.im xabber.org onionmessenger.com yourdata.forsale trashserver.net dismail.de jabber.uk 404.city a3.pm kitty.social Please increase your max stanza size

  53. menel

    (Movim i think?

  54. moparisthebest

    please do not, please instead everyone using prosody decrease your max stanza size

  55. tom

    honeypot.im

  56. tom

    moparisthebest: I'm not sending out malicious stanzas and it's causing service disruption

  57. tom

    The point of this is to prevent service disruptions is it not?

  58. tom

    Well

  59. moparisthebest

    yes, and you'll need to do this to prevent service disruptions, trust me

  60. tom

    It's failing at that job and doing the opposite, degrading service. So please increase your stanza sizes

  61. tom

    Don't be a troll

  62. moparisthebest

    I'm just trying to help

  63. tom

    You're not helping

  64. tom

    You're accusing me of trying to ddos people

  65. tom

    *dos

  66. moparisthebest

    no, I'm trying to prevent people from ddos'ing you

  67. menel

    ejabberd has 265kb and prosody has 10MB.. one too small and one too big IMHO

  68. tom

    Well I'm not having ddos problems moparisthebest so stop

  69. moparisthebest

    how sure are you about that

  70. tom

    100%

  71. moparisthebest

    hehe

  72. menel

    tom: moparisthebest cannot simply change the network. And doesn't want to... this is not a decision you can just make now... except of course for your own server that you reduce it to 254kb

  73. tom

    Firstly, I'm not having dos issues

  74. tom

    And secondly, if I do that legitimate stanzas would be dropped

  75. menel

    well, then everything is fine

  76. tom

    And I'd start contributing to the federation problems

  77. tom

    254kb is too small

  78. thndrbvr

    That does sound small. That sounds like it's from the days of dial-up. Lol

  79. thndrbvr goes back into his cave.

  80. menel

    hm.. 512kb sound ok for me.. should be enough for stickers... soo. what are people sending that this error occurs?

  81. menel

    the user avatar?

  82. menel

    and ejabberd has 512 for s2s... so maybe I will set it to this.. not that encounter that error...

  83. tom

    menel: I'd argue 10MB

  84. tom

    512 still seems way too small

  85. tom

    This isn't something you want to set conservatively

  86. tom

    » <menel> the user avatar?
    Probably. You also have to keep in mind XMPP has pubsub now too, and is being used for blogging

  87. tom

    Realtime news alerts

  88. tom

    Weather reports

  89. tom

    Key exchange

  90. thndrbvr

    And the filesizes of everything are getting bigger and bigger. Resolution for screens and cameras higher. RAM on lay person's PCs more than adequate. More stuff supporting markdown of some sort.

  91. tom

    Nevertheless the defaults shouldn't assume the server is your grandpa's Pentium2 33MHz

  92. thndrbvr

    Just saw this in my logs and thought it was interesting. "Apr 04 05:25:39 thefreaks.club named[1311]: client @0x7ff5dc000cd0 89.40.70.51#50225 (peacecorps.gov): query (cache) 'peacecorps.gov/ANY/IN' denied" Anyone else have the peacecorps trying to access their site? Lol..

  93. tom

    What is peacecorps thndrbvr?

  94. thndrbvr

    Something with the US military. They generally go to other countries and do "good" things for the communities there. That's about all I know.

  95. tom

    Any idea what that has to do with your server?

  96. thndrbvr

    Nothing which is why it's strange that would appear in my logs.

  97. thndrbvr

    I was looking through trying to figure out why nginx is giving me grief. "nginx: [emerg] "server" directive is not allowed here in xmpp.S.conf line 1". Just got new certs from LE and updated all the confs. They were good before..

  98. thndrbvr

    Was missing an http { before that. Dunno where it went but okay! Lol

  99. Licaon_Kter

    tom:
    > I'd argue 10MB
    > 512 still seems way too small
    What can you put in a stanza right now to fill 10Mb exactly?

  100. ernst.on.tour

    A video ?

  101. Licaon_Kter

    ernst.on.tour: in the actual stanza...no http used, no jingle p2p?....which client can do that (except gajim xml console lol)?

  102. menel

    But this issue is indeed interesting.. Maybe the xsf could publish a recommendation for better interop

  103. ernst.on.tour

    Licaon_Kter: C in newest version ? Somebody tried to send video and http_upload_max_file_size was 20MB, but was limited by stanza_size 10MB

  104. Licaon_Kter

    ernst.on.tour: which xep tells you how to encode a file and send it in a stanza?

  105. Licaon_Kter

    http_upload does not care about stanza

  106. Licaon_Kter

    http_upload does not care about stanza sizes

  107. menel

    ernst.on.tour: are you talking prosody and didn't change http_max_content_size (default 10m)? That's the only 10m limit for http upload with the number 10 I know of

  108. ernst.on.tour

    I will have a look, but need some time, got worse access via ssh to the server. But got the following line in the debug log:
    > Somebody tried to send video and http_max_file_size was 20MB, but was limited by stanza_size 10MB

  109. menel

    But even if your partner does not have http_upload and not SOCKS5 Bytestreams (proxy65), the inband (XEP-0047: In-Band Bytestreams) would split the file into smaller pieces to fit in the stanza.. So I suppose the debug log is just about wording/naming that we don't understand. And not an issue with the stanza size

  110. menel

    (And everyone *should* use http upload or SOCKS5) that has nothing to do with the stanza size anyways

  111. ernst.on.tour

    Maybe... Just give me 20min to get well working internet

  112. menel

    Yes :-) and then install a mosh client if you use mobile ;-)

  113. ernst.on.tour

    Got the following debug lines:
    > Apr 01 04:15:09 domain.tld:http_upload warn http_upload_file_size_limit exceeds HTTP parser limit on body size, capping file size to 10485760 B
    > Apr 01 16:02:51 domain.tld:http_upload debug File too large (15673208 > 10485760)

  114. menel

    Is it prosody with the module: https://modules.prosody.im/mod_http_upload.html ?

  115. menel

    If yes, your config *must* contain a line to set http_max_content_size = the same size as http_upload_file_size_limit. But read what's in the link about not setting it too big. (it saves the whole file in RAM)

  116. moparisthebest

    If you need to do more than 10mb http upload with current release of prosody you basically need to use mod_http_upload_external ernst.on.tour

  117. menel

    If it's another issue maybe it should be discussed in the room of the server you are using

  118. ernst.on.tour

    I should have a look at http_upload_external. But as I understand, Conversations will prepare a p2p session to up/download the file if it hits max_file_size_limit

  119. moparisthebest

    Yes, which doesn't work for multi client but otherwise is fine

  120. menel

    But please install proxy65 for that.. It's better than inband

  121. ernst.on.tour

    Okay, you mean in muc it isn't going that way ?

  122. ernst.on.tour

    Will also have a look about proxy65

  123. menel

    ernst.on.tour: yes muc only works with http

  124. menel

    But if you have some free RAM you can easily increase the http limit to 20m if you want and try it.. The prosody devs just don't want to be blamed if you have issues then. I used 50mb successfully without problems with that method, before switching to the external variant just for fun

  125. ernst.on.tour

    menel, moparisthebest: Okay, just enable proxy65 to fulfil p2p. proxy65 just does XEP-0065; for XEP-0047 I should use mod_tcpproxy? There is only an old version and I hope this will be included in prosody_0.11.7. Now I will have to wait for response from the video-sharer ....

  126. menel

    No, nothing for xep-0047.

  127. ernst.on.tour

    menel: mosh is read to be fine, but I need an old version for my Android4, Termux doesn't support less than Android5 and JuiceSSH isn't found on F-Droid, but will have a look at it.

  128. menel

    And if you have proxy65 most Clients will never use xep-0047 anyways

  129. ernst.on.tour

    OKay, then there should be no need for 0047

  130. menel

    Yes

  131. menel

    0047 is a client thing and every server "supports" it (I think)

  132. ernst.on.tour

    There was/is a mod_tcpproxy for prosody 0.7, but I don't see it for 0.11.7

  133. menel

    Just forget that

  134. x187x

    Hey. Anyone have a link to what's the most ideal privacy+security jabber server setup?

  135. Licaon_Kter

    x187x: prosody or ejabberd?

  136. Licaon_Kter

    Define "threat model" first :)

  137. menel

    Enable anonymous open registration and log nothing 😃 ( please don't )

  138. moparisthebest

    Host it yourself in your closet is my advice :)

  139. x187x

    Hoping there are some good resources so I can't fuck it up ;) . Any help would be appreciated. I'm looking for only open source projects we can trust

  140. moparisthebest

    x187x: if your use case is family/friends I'd highly recommend Snikket

  141. rob

    +1 there

  142. menel

    Maybe the confusion was because you said "most privacy" did you mean good and reasonable privacy and security?

  143. x187x

    > x187x: prosody or ejabberd?
    > Define "threat model" first :)
    Anti-government ! Libertarians Paradise server

  144. menel

    A "normal" setup would be enough then maybe.. Or do you think the government will come after you?

  145. x187x

    > Maybe the confusion was because you said "most privacy" did you mean good and reasonable privacy and security?
    I'm uber paranoid. I'm not sure what the current benchmark is for a top tier encrypted xmpp server setup. I've been working on a signal messenger fork based off usernames which I will be publishing open source once the time comes. But seems like the interoperability of xmpp servers will be a must have for a "secure" device toolkit. I'm using grapheme right now

  146. moparisthebest

    x187x: host your own Snikket on a server in your house with an encrypted disk

  147. x187x

    I appreciate your guys' replies. I was considering prosody and ejabberd. Of course I need to run omemo encryption as standard.

  148. x187x

    > x187x: host your own Snikket on a server in your house with an encrypted disk
    I'll look into snikket thank you. I was thinking run an ejabberd on raspberry pies

  149. menel

    Truth is, current servers are most secure if you host yourself.. (Because metadata) And ejabberd and prosody are both very well tested and secure.

  150. menel

    But if you say privacy must be infinite you need p2p clients. https://github.com/maqp/tfc

  151. x187x

    Yeah I must host myself. And want to have it at scale so I can onboard my friends easy.

  152. x187x

    > But if you say privacy must be infinite you need p2p clients. https://github.com/maqp/tfc
    First time I heard of this one. thank you kindly for sharing !!

  153. menel

    And I say thanks moparisthebest for sharing it first. Was an interesting read :-) whole new scale.. 😀 ( not that I hope to be ever unlucky enough to need such a thing )

  154. moparisthebest

    x187x: you honestly can't go wrong with prosody or ejabberd, both run fine on an RPI, Snikket too which is just a well packaged prosody configured for friends and family

  155. x187x

    I appreciate you guys. Thank you so much for your help. I send my love and respect

  156. Licaon_Kter

    x187x:
    > I appreciate your guys' replies. I was considering prosody and ejabberd. Of course I need to run omemo encryption as standard.
    OMEMO is a client feature, you can't force it :))

  157. xorman

    but it does require server support (PEP)

  158. Licaon_Kter

    xorman: right, useless if your clients choose otherwise

  159. x187x

    Yes. Both valid points

  160. x187x

    Omemo (XEP-0384)

  161. Licaon_Kter

    x187x:
    > I've been working on a signal messenger fork based off usernames which I will be publishing open source once the time comes.
    Was it hard to host Signal?

  162. Licaon_Kter

    x187x:
    > I've been working on a signal messenger fork based off usernames which I will be publishing open source once the time comes.
    Was it hard to host the Signal Server?

  163. x187x

    > x187x:
    > Was it hard to host the Signal Server?
    My friend who is more skilled than me set it up so I can't speak on his behalf. But we got the original messaging server setup pretty fast working with usernames. Still need to set up the attachment server to allow sending of pictures/videos etc but shouldn't be too hard. We are working on cutting out all the sms/gsm integration and creating a more lightweight client. We are calling it the global privacy network. Will release it open source once it's working properly. Hopefully no more than 1-2 months

  164. moparisthebest

    x187x: is there any advantage at all vs just using XMPP?