XMPP Service Operators - 2022-02-15

This "postfix+dovecot" tangent reminds of https://www.justinbuchanan.com/blog/posts/Application-Specific-Passwords-for-Dovecot-and-Postfix Anyone doing the "application-specific passwords" thing with your XMPP service?

rozzin: Dovecot supports SCRAM: https://doc.dovecot.org/configuration_manual/authentication/authentication_mechanisms/ Cyrus SASL supports SCRAM: https://www.cyrusimap.org/sasl/sasl/authentication_mechanisms.html Postfix with Dovecot or Cyrus SASL too, more informations here: https://github.com/scram-sasl/info/issues/1

what does SCRAM have to do with this

> https://www.justinbuchanan.com/blog/posts/Application-Specific-Passwords-for-Dovecot-and-Postfix I find the threat model dumb, wtf ✏

Licaon_Kter: yeah, I agree that this sounds pretty dumb: > I always hate the feeling of using any of my username and password combinations on sketchy public computer somewhere. You know the kind I am talking about, those computers at hotels running Windows XP and IE6, signed as "Adminstrator", with every toolbar and add-on installed from a 9 year old version of Real Player to three different versions of some Internet poker game. There's bound to be a key logger in there someplace. > One time use passwords have been around for a long time to mitigate this type of scenario.

Licaon_Kter: but he goes someplace interesting/useful even if he started the journey for the wrong reasons.

Yeah...maybe...it feels like a solution in search of a problem

Just pretend that he said something like "it's going to be annoying resetting the password in every client program on every device I use if ever my smartphone is stolen" or whatever other reason sounds more reasonable to you.

Certificate-based login also serves the same sort of purposes, I guess....

Licaon_Kter, in 2012 it wasn’t as common to have a smartphone I think.

Even more recently, I’ve had to use one such computer.

Thankfully I hadn’t restricted all of my servers to certificates, or else I wouldn’t have been able to contact the person I had to contact.

Link Mauve: they say phone and typing on it, that confuses me

I only read the quote rozzin pasted.

moparisthebest: > what does SCRAM have to do with this SCRAM does not mandate credentials database to contain the password. Nor exchanges. Nevertheless, reusing password is bad considering that passwords may leak by any other mean. ✏

So you reject any new password that has a hit on haveibeenpwd dot com?

Licaon_Kter: I'm not sure to follow. But if the goal is to block some user passwords, you could still check for a match. Wasting more CPU, I presume ✏

Was more of a joke as that would force users to some longish pass words, battery, stapler, horse, etc

correct

Eh, if I want to pick issues to have, I guess I mostly have trouble with the conclusion of that paragraph: > One time use passwords have been around for a long time to mitigate *this type of scenario*. To me, it seems to like, no mitigating the damage done by intentionally giving a known-malicious MITM access to a login session into a security-sensitive system is actually *not* what one-time passwords or multifactor-authentication requirements are for....

@ping

Ironic echo bot is ironic

Licaon_Kter, seems like you need to invest in better MUC moderation techniques :)

Members only?

Maybe. Are they using multiple servers?

Yes

Just closed the chatroom and removed the autojoin flag for now.

Only noise, no info atm.

Let's all do that...oh wa-

> Let's all do that... Just kick everyone but morf :D

That would work. Whom will they spam if nobody is there? Just drain them. 😁

That's somewhat equivalent to a shadowban, but more inconvenient for the innocent people :)

Shadow banning would probably be pretty effective here... He would think everyone was just ignoring him

Not sure. He's joined with multiple JIDs so unless you shadow-ban all of them immediately, he'll notice himself.

moparisthebest: no, I realized it really wouldn't work on xmpp: they'd easilly observe the ban with another acct

That's ok, more work for him?

Hm?

I mean, a simple ban would be no less effective

And no more...

Exactly.

And that won't do the trick.

Holger: ejabberd *can't* set "moderators PM only" right? https://github.com/processone/ejabberd/issues/3736#issuecomment-1039415716 That would help since now I can't be reached there...to give member status to the worthy ones

Holger, so you echo visitor messages only to admins and other visitors? :)

That at least cuts out the noise for 90% of people

What if you had muc mode where all new users joined "shadow banned" (except mods would see) and you kept a queue of the last few messages so if mods saw they were good, the unban would let their messages through?

Yeah something like that maybe.

Significantly more annoying to implement of course :(

But for now I'm personally fine with just going members-only for a day :-)

The vast majority of current occupants are not members though

Yeah. They'd have to wait a day, that's the downside.

Then again the vast majority of the vast majority is probably just idling anyway.

Licaon_Kter: We could configure the room to allow visitors to send PMs to moderators (such as you) you. Not sure that's what you're suggesting?

"to moderators (such as you) only".

Holger: I have this in Offtopic but they can't afaik

Well as Badlop explained in that message it's configurable by the room owner.

> Can visitors send private messages to ...

> allow_private_messages_from_visitors : anyone | moderators | visitors

Last line says: > The only option that has no equivalent is muc#roomconfig_allowpm : moderators

So now I gotta go reading '45 to understand what it does? :-)

Sorry lol

moparisthebest: can you PM me in Offtopic?

Licaon_Kter: Ok '45 muc#roomconfig_allowpm controls who may *send* PMs.

Licaon_Kter: ejabberd allows you to configure who may *receive* PMs.

Licaon_Kter: I thought you were asking for the latter.

Licaon_Kter: no, button is greyed out in Conversations

Holger: Wonder what Dino sets in room config, the wrong one or nothing, since I can't PM either

I gotta reach for Gajim I guess...later

My crystal ball would guess 'nothing', and the default in that case can be specified in ejabberd.yml.

Offtopic is on Trashserver for reasons

So yes, Gajim FTW of course.

> members-only (FWIW I meant 'moderated' of course, i.e. 'only members can send messages'.)

Holger, ah right, yes, that makes more sense :)

https://upload.convorb.im/7c370453f738f2c0c995eaee643e5e0aba76aeb0/LZLCzcfpuhihniMyMRfbs945Rh3Q3a5qdK9Y3MGu/mucsettingspm.png

Holger, ^^^ now what? > '45 muc#roomconfig_allowpm controls who may *send* PMs. That's what both Dino and Gajim say > ejabberd allows you to configure who may *receive* PMs. So not respecting '45 ?

Licaon_Kter: Well ejabberd isn't actually violating the spec, servers aren't required to offer all config fields listed in '45, and ejabberd just doesn't support the #roomconfig_allowpm field. It offers different, custom fields with similar purposes. (Would be a violation if it offered a field using the '45 name with different semantics.) But yes if possible it would be good to stick to the registered fields, especially for fields that clients explicitly support. I wasn't aware this is the case for the #roomconfig_allowpm field.