XMPP Service Operators - 2021-10-19


  1. b43

    So I configured STUN/TURN on my server, configured the ports in the router, range too, but can only call out if I'm on my local network. Any ideas?

  2. b43

    Can receive calls from server while off my local network but only from someone on my local network...

  3. rob

    Probably the ports aren't open with your ISP

  4. b43

    Whaaat?

  5. b43

    They do that too???

  6. b43

    Rob. Could you DM me please?

  7. b43

    rob: Could you DM me please?

  8. mjk

    > Whaaat?
    > They do that too???
    Alll the time. For your protection <3

  9. Licaon_Kter

    edhelas: we can talk here since it's ontopic

  10. Licaon_Kter

    Re: movim.eu rejecting my cert that has DST X3 as an expired intermediate

  11. Menel

    Secret test who is using outdated server software 😀

  12. sam

    Licaon_Kter: I haven't been able to communicate with movim.eu at all for a few weeks now.

  13. Sam

    Is anyone running a proxy in front of their XMPP server that handles XMPP up through at least auth (or possibly all the way through resource binding, but whichever)? I'd be curious to see how you have your server configured.

  14. Ge0rG

    I merely run a haproxy for the TCP connections without SRV.

  15. rob

    Same but with traefik

  16. MattJ

    traefik does TCP?

  17. rob

    And UDP

  18. Licaon_Kter

    moparisthebest see Sam ^^^

  19. moparisthebest

    Sam, like https://github.com/moparisthebest/xmpp-proxy ? kinda

  20. Sam

    moparisthebest: yes, but I'm thinking about doing auth at this level too and was wondering if anyone is doing that

  21. jonas’

    what's the use case behind it / the greater picture?

  22. jonas’

    something like dovecot's submissiond?

  23. jonas’

    (though it's unclear to me what that would be in the XMPP context)

  24. moparisthebest

    Sam, which kind of auth, if you mean s2s cert auth, I plan to implement that, if you mean checking client passwords, I do not plan to implement that

  25. moparisthebest

    right now since SASL EXTERNAL etc isn't implemented, anything behind it has to do dialback

  26. Sam

    I don't know submissiond, but yes, this is client auth. I have an existing DB of usernames and passwords and I'd like this to handle XMPP auth using that DB, then proxy the connection to the server (presumably using some trusted auth that fills in the SASL identity with the person it has authed as).

  27. Sam

    I was just curious if anyone was already doing this or if I'd need to write some custom auth plugin for ejabberd and prosody

  28. moparisthebest

    instead of the proxy approach prosody can just handle xmpp auth using your existing DB, that's how I have mine set up

  29. moparisthebest

    I assume ejabberd can too

  30. Sam

    Prosody can't have access to this db for <reasons>

  31. moparisthebest

    can you extract only the data prosody needs on a schedule, or provide it a view it can access, something like that ?

  32. Sam

    mostly those reasons are "I don't want to write this in Lua or Elixir or Erlang" but there may be other constraints around vetting the codebase that can access it too.

  33. Sam

    That seems more difficult than just proxying auth and writing a small "trusted user auth" plugin for whatever the server ends up being

  34. moparisthebest

    let me just tell you about my setup and it may or may not be helpful to you idea-wise :)

  35. moparisthebest

    I have a mysql database managed by https://github.com/postfixadmin/postfixadmin , it ends up creating rows with usernames and password hashes

  36. moparisthebest

    dovecot+postfix+prosody with a slightly modified https://modules.prosody.im/mod_auth_sql.html query that for auth

  37. moparisthebest

    but, I also want nginx to only let those users log in to web interfaces for some things using the same username+password, it's annoying to get it hooked directly to the database, but by default it can look at username+hash pairs in a .htpasswd file, so I have a bash script run every X minutes as a cronjob that queries the mysql database and dumps it to a .htpasswd file

  38. moparisthebest

    if you wanted to get fancier you could run that as a change event rather than on a schedule, but, in my setup I don't care

  39. ij

    moparisthebest, have you ever considered switching from SQL to LDAP as an auth backend for all your services?

  40. moparisthebest

    but that's how I have a bunch of different systems use the same auth...

  41. moparisthebest

    could do, but no real reason I guess

  42. ij

    I have had similar setups, but it is far less painful and less work to have LDAP as backend auth… should have done the move to LDAP years before

  43. moparisthebest

    it's worth saying you might not design a system like this from scratch :) in my case I set up postfix+dovecot+postfixadmin and didn't add XMPP until years later

  44. ij

    same over here, but with exim+dovecot and my own admin UI…

  45. Ellenor Bjornsd.

    EXIM

  46. Ellenor Bjornsd.

    is that the one of choice for recovering qmailers?

  47. jonas’

    Sam, are you aware of https://modules.prosody.im/mod_auth_http.html?

  48. moparisthebest

    *selfish mode on* but if you come up with a way for a proxy to communicate auth status back to prosody please let me know Sam cause I'll need that :D

  49. moparisthebest

    I just planned on not letting any connections get through to prosody that aren't properly authed instead, and a module for prosody to just trust everything that does get through

  50. jonas’

    extend mod_net_proxy to support more metadata?

  51. Sam

    moparisthebest: will do; I was just going to allow only connections from the proxy at a firewall level and have it do SASL with the identity set (then write a custom module for Prosody or Ejabberd that uses that instead of its own builtin SASL)

  52. Sam

    jonas’: that could be a viable way to set this up, although I don't really see a point in introducing HTTP (although it does already exist, so it would be easy to let the auth service do that, maybe it's worth a shot). Thanks for the link

  53. rozzin

    Sam: I use ejabberd with an authenticator written in PHP..., there's an "external auth" module in ejabberd that defines a simplistic protocol for communication between ejabberd and an arbitrary other program....

  54. rozzin

    And yes, I should probably just have a bunch of these services use LDAP....

  55. rozzin

    There's one set that I wish I could get to authenticate against a Google domain—if anyone has ideas on how to make ejabberd do that....

  56. moparisthebest

    PHP has SMTP libraries, modify your program to try to log into Google's SMTP server with the provided username+password to check validity

  57. mjk

    Note that if a given account has 2FA enabled (which Google probably forced on it), this requires use of an "app password"

  58. MattJ

    https://modules.prosody.im/mod_auth_imap - I think dovecot can do this too if ejabberd can auth against that