XMPP Service Operators - 2021-11-08


  1. Sam

    Are there any operators of large public XMPP servers that would be willing to share some connection stats with me? I'd like to know how many s2s connections you have using dialback vs. SASL EXTERNAL. I've got some older stats for jabber.fr, so other servers would be appreciated (and I'd be curious if the jabber.fr stats have changed, but I'm more interested in other servers)

  2. Sam

    Alternatively if you're not willing to share that: are there any services that *only* support dialback (and why)?

  3. Maranda thinks he doesn't fall within the large category... but:

  4. Maranda

    https://lightwitch.org/xmpp/status

  5. Sam

    Convenient; thanks!

  6. Sam

    How many of those are dialback vs. external?

  7. Maranda

    90% are using SASL External

  8. Sam

    Thanks; that's similar to what jabber.fr was saying before. If anyone else has anything, I'd love to know

  9. Maranda

    Sam: with M-Link (jabber.org) SASL external always fails so it'll always have to fall back to dialback.

  10. Sam

    I was worried about something like that, but it's in theory moving to Prosody, no?

  11. MattJ

    Yes

  12. MattJ

    Also another data point: Snikket only does EXTERNAL

  13. Sam

    Good to know, thanks

  14. Maranda

    also Cisco Jabber, which often doesn't even do TLS on S2S streams, only does dialback.

  15. MattJ

    I get reports of problems with some domains, but given that practically every implementation supports EXTERNAL for s2s, it's usually an issue of incorrect certificates

  16. Maranda

    jabberd too.

  17. Maranda

    Often some servers running OpenFire will mostly only do dialback.

  18. Holger

    Sam, > Alternatively if you're not willing to share that: are there any services that *only* support dialback (and why)? I'm not aware of Dialback-only configurations, but as MattJ said, of course you _do_ see certificate issues in the wild (failing Let's Encrypt updates; or those recent problems with the Let's Encrypt chain; whatever). So it's not like you could just disable Dialback without a realistic risk of breaking legitimate communication.

  19. Sam

    This is for something that doesn't yet implement dialback, so it was more to see if I need to implement it for any reason. It had been deprioritized as low-use, but now I'm thinking we might just not implement it at all. Naturally other servers may be misconfigured, I don't necessarily think I should drop a level of security to work around that

  20. Sam

    If it was already implemented and in use, that might change things, but you can't miss what you don't have :)

  21. Holger

    The security<->interop thing is the usual trade-off (if you'd only be interested in the security side of the trade-off, you'd do super-strict TLS settings and lose interop with half the ecosystem). But I totally get how you'd want to avoid _implementing_ Dialback 🙂

  22. Holger

    I'd probably avoid it if possible.

  23. Sam

    I'm definitely interested in both, not just the security side, but multiple servers with only a tiny fraction of issues (<10% of connections in both cases) and at least one project that doesn't support it at all (and is still popular) seems like a tradeoff that's worth making.

  24. jonas’

    Sam, if you ping me later today or for instance during council meeting time, I can take a look at search.jabber.network stats.

  25. Holger

    Quick count of log entries from yesterday + today on c.im says: ~5% of incoming and ~20% of outgoing s2s connections were Dialback-authenticated. The relatively high latter number is due to the LE chain foo, I'd guess. (But counting log entries might be misleading anyway; I should at least count only one entry per remote domain I guess.)

  26. Martin

    > Sam, > I'm not aware of Dialback-only configurations, … jabber.org

  27. Holger

    Never heard of that server.

  28. Martin

    Must be new.

  29. jonas’

    strange name, too

  30. Sam

    jonas’: thanks, will do!

  31. Sam

    Thanks Holger!

  32. moparisthebest

    Sam: anything that interops with Tor would have to do dialback right? At least on the incoming direction?

  33. Sam

    Probably

  34. moparisthebest

    I have a crazy idea re: this but it's standards related so I'll take it to XSF

  35. Licaon_Kter

    Do tell though...

  36. moparisthebest

    just a way to validate tor s2s without doing dialback

  37. moparisthebest

    would need code written and at least an informational xep I guess, we've been needing one for "best practices re: .onion domains" anyway

  38. jonas’

    moparisthebest, do write one :)

  39. ernst.on.tour

    @ping xmpp.jp

  40. Echo1

    ernst.on.tour: Ping failed (remote-server-not-found): Server-to-server connection failed: DNS resolution failed