XMPP Service Operators - 2021-04-04

  1. thndrbvr

    ยป <rob> Keep your data in sight Unless you live in the US I would argue. Or any other anti-privacy country.

  2. moparisthebest

    thndrbvr: in the US specifically you should keep your data under your control: https://en.wikipedia.org/wiki/Third-party_doctrine

  3. thndrbvr

    TFC's server is in Iceland.

  4. moparisthebest

    Where the NSA and friends can hack it legally :)

  5. thndrbvr

    But, it is outside their jurisdiction so they can't demand Iceland to hand over anything. Besides, it's got pre-boot encryption and only one SSH key is allowed in. I've got the passphrase memorized. They'd have to scan my mind.

  6. thndrbvr

    https://restoreprivacy.com/5-eyes-9-eyes-14-eyes/ | https://flokinet.is/about.php

  7. moparisthebest

    they are legally allowed to hack it though, where as if you are a US citizen and host your own stuff at your own house, they 1) aren't allowed to hack it 2) aren't allowed any access at all without a warrant served to you

  8. thndrbvr

    Legally is the key word there. Lol. They can still easily raid, confiscate, and put you in jail. Especially if you're not an affulent white person.

  9. moparisthebest

    not without a warrant

  10. xorman

    pre-boot encryption means that if it's powered off you're screwed?

  11. thndrbvr

    No matter where data is located or being transferred, the US gov't & contractors will be sniffing all the info they can by all means necessary. I also don't think it's too hard to obtain a warrant depending on who you know and how many times an agent says "kiddie pr0n!!!!!!1111111111" or "t3rr0r1zmmmmm!!!!!" or even these days "conspiary" >__>;

  12. xorman

    would you need a trip to iceland to power it back on?

  13. thndrbvr

    I think it's a Ubuntu server running in a VM on a Ubuntu server. Lol. I'm not sure.

  14. thndrbvr

    Nah, Flokinet handles everything for me. They've been great with everything these last several months. Quick and knowledgable.

  15. moparisthebest

    meh that's fine, warrants are covered by due process and such, what isn't fine is 3rd party doctrine / warrantless searches when your data is at a 3rd party

  16. thndrbvr

    Does that protect people and non-profit orgs?

  17. xorman

    a VM, so they could easily target the hypervisor and that pre-boot encryption is worthless

  18. thndrbvr

    Also, with all the anti free speech and attempts at outlawing encryption all together or requiring backdoors. I'm not really sure I feel comfortable living in the US or Canada.

  19. xorman

    due process is still a thing

  20. thndrbvr

    xorman: I'm not sure exactly how it works. It might not be a VM. Might just be standard LUKS.

  21. xorman

    what does it protect you from?

  22. thndrbvr


  23. xorman

    a sudden raid? where you quickly unplug the box

  24. moparisthebest

    US still has the absolute best free speech protections of any country

  25. moparisthebest

    I guess if you need the best protection against a raid it probably involves keeping it near you and under some thermite

  26. thndrbvr

    It sounds like there are some Nordic countries that are a bit freer and also less anti-piracy.

  27. moparisthebest

    my threat model hasn't reached level thermite as of yet

  28. xorman

    thermite in the worst country beats 3rd party hosting in the best country

  29. rob

    I'd just have another key pair for stuff with a huge passphrase, if I actually had anything to hide

  30. rob

    Regular encrypted emails

  31. thndrbvr

    I suppose the worst case is that I just have a backup of the site, software, and usernames and make everyone reset their passwords and their chat histories and maybe images/other files would be gone. I'm using Wasabi for FunkWhale & PeerTube uploads which is in the US anyway but my server has a llimited amount of storage space and my personal ISP rather sucks and has a cap even if they didn't suck.

  32. thndrbvr

    Like, if suddenly the server disappeared for whatever reason.

  33. menel

    This "you are not allowed to snoop on your own people" is easy to solve.... (there was a lot in the newspapers after Snowden) USA works with other countries... and USA snoops on Canadians, and UK's services snoop on USA citizens. And then the data is shared fairly. And if by mistake a citizen of the USA is involved... well... can happen.

  34. thndrbvr

    Yeah, the 14 eyes countries as I linked earlier. Asia has their own similar thing.

  35. adam carter

    hiya.. im adam.. just figuring out this whole environment.. I mean.. I thought I knew a lot . but shit I think I just know enough to be a dangerous amateur

  36. thndrbvr

    Welcome & good luck. Lol

  37. rob


  38. tom

    https://xmpp.org/extensions/attic/xep-0205-0.3.html SHOULD NOT specify limiting the XML stanza size. Since people have started doing that I've had lots of federation issues. # grep "stanza is too big" /var/log/prosody/prosody.log | wc -l 260 Just in the last 24 hours I've had 260 federation drop outs due to this recommendation.

  39. moparisthebest

    tom, you mean https://xmpp.org/extensions/xep-0205.html#rec-stanzasize ? and things absolutely should do that

  40. tom

    Yes, it's dropping the s2s connection out

  41. moparisthebest

    would you prefer your entire server crash or

  42. tom


  43. tom

    I would prefer the server proccess the request

  44. tom

    Instead of dropping out

  45. moparisthebest

    you should set the same defaults ejabberd uses in your prosody

  46. moparisthebest

    in fact, the entire network should

  47. tom

    What is that?

  48. tom

    Whatever it is, it's WAAAY too small

  49. moparisthebest


  50. moparisthebest

    262144 for c2s, twice that for s2s

  51. menel

    but your inband stickers!

  52. tom

    creep.im conversations.im xabber.org onionmessenger.com yourdata.forsale trashserver.net dismail.de jabber.uk 404.city a3.pm kitty.social Please increase your max stanza size

  53. menel

    (Movim i think?

  54. moparisthebest

    please do not, please instead everyone using prosody decrease your max stanza size

  55. tom


  56. tom

    moparisthebest: I'm not sending out malicious stanzas and it's causing service disruption

  57. tom

    The point of this is to prevent service disruptions is it not?

  58. tom


  59. moparisthebest

    yes, and you'll need to do this to prevent service disruptions, trust me

  60. tom

    It's failing at that job and doing the opposite, degrading service. So please increase your stanza sizes

  61. tom

    Dont be a troll

  62. moparisthebest

    I'm just trying to help

  63. tom

    Your not helping

  64. tom

    Your accusing me of trying to ddos people

  65. tom


  66. moparisthebest

    no, I'm trying to prevent people from ddos'ing you

  67. menel

    ejabberd has 265kb and prodody has 10MB.. one too small and one too big IMHO

  68. tom

    Well i'm not having ddos problems moparisthebest so stop

  69. moparisthebest

    how sure are you about that

  70. tom


  71. moparisthebest


  72. menel

    tom: moparisthebest cannot simply change the network. And doesn't want to... this is not a decision you can just make now... except of course for your own server that you reduce it to 254kb

  73. tom

    Firstly, I'm not having dos issues

  74. tom

    And secondly, if I do that legitimate stanzas would be dropped

  75. menel

    well, then everything is fine

  76. tom

    And I'd start contributing to the federation problems

  77. tom

    254kb is too small

  78. thndrbvr

    That does sound small. That sounds like it's from the days of dial-up. Lol

  79. thndrbvr goes back into his cave.

  80. menel

    hm.. 512kb sound ok for me.. should be enough for stickers... soo. what are people sending that this error occurs?

  81. menel

    the user avatar?

  82. menel

    and ejabberd has 512 for s2s... so maybe I will set it to this.. not that encounter that error...

  83. tom

    menel: I'd argue 10MB

  84. tom

    512 still seems way too small

  85. tom

    This isn't something you want to set conservatively

  86. tom

    ยป <menel> the user avatar? Probably. You also have to keep in mind XMPP has pubsub now too, and is being used for blogging

  87. tom

    Realtime news alerts

  88. tom

    Weather reports

  89. tom

    Key exhcange

  90. thndrbvr

    And the filesizes of everything are getting bigger and bigger. Resolution for screens and cameras higher. RAM on lay person's PCs more than adequate. More stuff supporting markdown of some sort.

  91. tom

    Nevertheless the defaults shouldn't assume the server is your grandpa's Pentium2 33MHz

  92. thndrbvr

    Just saw this in my logs and thought it was interesting. "Apr 04 05:25:39 thefreaks.club named[1311]: client @0x7ff5dc000cd0 (peacecorps.gov): query (cache) 'peacecorps.gov/ANY/IN' denied" Anyone else have the peacecorps trying to access their site? Lol..

  93. tom

    What is peacecorps thndrbvr?

  94. thndrbvr

    Something with the US military. They generally go to other countries and do "good" things for the communities there. That's about all I know.

  95. tom

    Any idea what that has to do with your server?

  96. thndrbvr

    Nothing which is why it's strange that would appear in my logs.

  97. thndrbvr

    I was looking through trying to figure out why nginx is giving me grief. " nginx: [emerg] "server" directive is not allowed here in xmpp.S.conf line 1. Just got new certs from LE and updated all the confs. They were good before..

  98. thndrbvr

    Was missing an http { before that. Dunno where it went but okay! Lol

  99. Licaon_Kter

    tom: > I'd argue 10MB > 512 still seems way too small What can you put in a stanza right now to fill 10Mb exactly?

  100. ernst.on.tour

    A video ?

  101. Licaon_Kter

    ernst.on.tour: in the actual stanza...no http used, no jingle p2p?....which client can do that (except gajim xml console lol)?

  102. menel

    But this issue is indeed interesting.. Maybe the xsf could publish a recommendation for better interop

  103. ernst.on.tour

    Licaon_Kter: C in newest version ? Somebody tried to send video and http_upload_max_file_size was 20MB, but was limited by stanza_size 10MB

  104. Licaon_Kter

    ernst.on.tour: which xep tells you how encode a file and send it in a stanza?

  105. Licaon_Kter

    http_upload does not care about stanza

  106. Licaon_Kter

    http_upload does not care about stanza sizes

  107. menel

    ernst.on.tour: are you talking prosody and didn't change http_max_content_size (default 10m). Thats the only 10m limit for http upload with the number 10 I know of

  108. ernst.on.tour

    I will have a look, but need some time, got worst access via ssh to server. But got following line in debug-log > Somebody tried to send video and http_max_file_size was 20MB, but was limited by stanza_size 10MB

  109. menel

    But even if your partner does not have http_upload and not SOCKS5 Bytestreams. (proxy65) the inband(XEP-0047: In-Band Bytestreams) would split the file to smaller pieces to fit in the stanza.. So I suppose the debut lognis just about wording/naming thst we don't understand. And not a issue with the stanza size

  110. menel

    (And everyone *should* use http upload or SOCS5) thst has nothing to do with the stanza size anyways

  111. ernst.on.tour

    Maybe... Just give me 20min to get well working internet

  112. menel

    Yes :-) and then install a mosh client if you use mobile ;-)

  113. ernst.on.tour

    Got following debug-line > Apr 01 04:15:09 domain.tld:http_upload warn http_upload_file_size_limit exceeds HTTP parser limit on body size, capping file size to 10485760 B > Apr 01 16:02:51 domain.tld:http_upload debug File too large (15673208 > 10485760)

  114. menel

    Is is prodoy with the module: https://modules.prosody.im/mod_http_upload.html ?

  115. menel

    If yes your config *must* contain a line to set http_max_content_size = the same size then http_upload_file_size_limit. But read what's in the link about not setting it to big. ( is saves the whole file in ram )

  116. moparisthebest

    If you need to do more than 10mb http upload with current release of prosody you basically need to use mod_http_upload_external ernst.on.tour

  117. menel

    If its annother issue maybe it should be discussed in the room of the server you are using

  118. ernst.on.tour

    I should have a look about http_upload_external But as I understand, Conversations will prepare a p2p-Session to up/download the file if it hits max_file_size_limit

  119. moparisthebest

    Yes, which doesn't work for multi client but otherwise is fine

  120. menel

    But please install proxy65 for that.. Its better then inband

  121. ernst.on.tour

    Okay, you mean in muc it isn't going that way ?

  122. ernst.on.tour

    Will also have a look about proxy65

  123. menel

    ernst.on.tour: yes muc only works with http

  124. menel

    But I'd you have some free ram you can easily increase the http limit to 20m if you want and try it.. The prosody devs just dont want to be blamed if you have issues then. I used successfully 50mb without problems with that method. Before switching to the external variant just for fun

  125. ernst.on.tour

    menel, moparisthebest: Okay, just enable proxy65 to fullfit p2p proxy65 just do XEP-0065, for XEP-0047 I should use mod_tcpproxy ? There is only an old version and I hope this will be include in prosody_0.11.7 Now I will have to wait for response from video-sharer ....

  126. menel

    No, nothing for xep-0047.

  127. ernst.on.tour

    menel: mosh is read to be fine, but need an old version for my Android4, Termux didn't support less then Android5 and JuiceSSH isn't found on F-Droid, but will have a look about it.

  128. menel

    And if you have proxy65 most Clients will never use xep-0047 anyways

  129. ernst.on.tour

    OKay, then there should be no need for 0047

  130. menel


  131. menel

    0047 is a client thing and every server "supports" it (I think)

  132. ernst.on.tour

    There was/is a mod_tcpproxy for prosody 0.7, but doesn't see it for 0.11.7

  133. menel

    Just forget that

  134. x187x

    Hey. Anyone have a link to what's the most ideal privacy+security jabber server setup?

  135. Licaon_Kter

    x187x: prosody or ejabberd?

  136. Licaon_Kter

    Define "threat model" first :)

  137. menel

    Enable anonymous open registration and log nothing ๐Ÿ˜ƒ ( please don't )

  138. moparisthebest

    Host it yourself in your closet is my advice :)

  139. x187x

    Hopeing there is a some good resources so I can't fuck it up ;) . any help would be appreciated. I'm looking for only open source projects we can trust

  140. moparisthebest

    x187x: if your use case is family/friends I'd highly recommend Snikket

  141. rob

    +1 there

  142. menel

    Maybe the confusion was because you said "most privacy" did you mean good and reasonable privacy and security?

  143. x187x

    > x187x: prosody or ejabberd? > Define "threat model" first :) Anti-government ! Libertarians Paradise sever

  144. menel

    A "normal" setup would be enough then maybe.. Or do you think the government will come after you?

  145. x187x

    > Maybe the confusion was because you said "most privacy" did you mean good and reasonable privacy and security? Im uber paranoid. I'm not sure what the current benchmark is for a top tier encryptes xmpp server setup. I been working on a signal messenger fork based off usernames which I will be publishing open source once the time comes. But seems like the interoperability of xmpp servers will be a must have for a "secure" devics toolkit . I'm using grapheme right now

  146. moparisthebest

    x187x: host your own Snikket on a server in your house with an encrypted disk

  147. x187x

    I appreciate your guys replys. I was considering prosody and ejabberd . of course i need to run omemo encryption as standard .

  148. x187x

    > x187x: host your own Snikket on a server in your house with an encrypted disk I'll look into snikket thank you. I was thinking run a ejabber on raspberry pies

  149. menel

    Truth is. Current server are most secure if you host yourself.. (Because metadata) And ejabberd and prosody are both very well tested and secure.

  150. menel

    But if you say privacy must br infinite you need p2p clients. https://github.com/maqp/tfc

  151. x187x

    Yeah I must host myself. And want to have it at scale so I can onboard my friends easy.

  152. x187x

    > But if you say privacy must br infinite you need p2p clients. https://github.com/maqp/tfc First time I heard of this one. thank you kindly for sharing !!

  153. menel

    And I say thanks moparisthebest for sharing it first. Was an interesting read :-) whole now scale.. ๐Ÿ˜€ ( not that I hope to be ever unlucky enough to need such a thing )

  154. moparisthebest

    x187x: you honestly can't go wrong with prosody or ejabberd, both run fine on an RPI, Snikket too which is just a well packaged prosody configured for friends and family

  155. x187x

    I appreciate you guys. Thank you so much for your help. I send my love and respect

  156. Licaon_Kter

    x187x: > I appreciate your guys replys. I was considering prosody and ejabberd . of course i need to run omemo encryption as standard . OMEMO is a client feature, you can't force it :))

  157. xorman

    but it does require server support (PEP)

  158. Licaon_Kter

    xorman: right, useless if your clients chose otherwise

  159. x187x

    Yes. Both valid points

  160. x187x

    Omemo (exp-0384)

  161. Licaon_Kter

    x187x: > I been working on a signal messenger fork based off usernames which I will be publishing open source once the time comes. Was it hard to host Signal?

  162. Licaon_Kter

    x187x: > I been working on a signal messenger fork based off usernames which I will be publishing open source once the time comes. Was it hard to host the Signal Server?

  163. x187x

    > x187x: > Was it hard to host the Signal Server? My friend who is more skilled then me set it up so I can't speak on his behalf. But We got the original messaging server setup pretty fast working with usernames . still need to setup the attachment server to allow sending of pictures/videos etc but shouldn't be too hard. We are working on cutting out all the sms/gsm integration And creating a more liteweight client . we are calling it the global privacy network. Will release it open source once its working properly. Hopefully no more then 1-2months

  164. moparisthebest

    x187x: is there any advantage at all vs just using XMPP?