XMPP Service Operators - 2022-03-09

I read about DNS SRV for XMPP, if the server is xmpp.example.com to get usernames to appear as user@example.com or something along those lines. Has anyone been able to do that?

Yes

Prosody for example https://prosody.im/doc/dns

But the DNS works the same for other servers

I have a number of domains that all have srv records pointing at a server on another subdomain

But it works for the same domain as in your example

I've never been able to get it to work, so I'm not sure if I'm configuring it wrong or just misunderstanding. Set correctly I should then be able to log in with client apps using user@example.com and other users will be able to find me that way too, even though the server actually is at xmpp.example.com right?

Yes, if you give me the domains I'm happy to tell you what DNS you need

This assumes you control the server, it didn't work if you want a custom username@domain but your account is on someone else's server

The server has to know about the domain, called a virtual host

Awesome thanks, I'm trying to get chat.sendly.cc and xmpp.zcyph.cc to sendly.cc and zcyph.cc respectively

And you need the right certificate, ie for example.com and not xmpp.example.com

But then you would at least get a certificate error?

Right certificate?

I didn't check these I just mean in general

zcyph: so in the doc for prosody, replace example.com and xmpp.example.com with sendly.cc and chat.sendly.cc and the same for zcyph.cc and xmpp.zcyph.cc

You need both client and server records for each domain

And the port needs to be the configured port on your server, which might not be what is in the doc

zcyph: what server and how did you set it up? Did you follow a guide or use the documentation?

And by server I meant what server software, prosody or ejabberd etc

I used Snikket (https://snikket.org/service/quickstart/) behind Nginx (https://github.com/snikket-im/snikket-server/blob/master/docs/advanced/reverse_proxy.md)

That's trickier, I think Snikket doesn't support it out of the box because then it's impossible to get the proper certificates I mentioned without even more setup

damn, am i just better off installing prosody instead

Ah could be, snikket is meant to just work. But doesn't really support advanced configuration. At that point you should consider running prosody itself

You can still use the invites modules and conversejs if those appeal to you

As an example https://git.loranger.xyz/rob/gists/src/branch/mistress/prosody-config

their docs say they use 5222 (client ot server) and 5269 (server to server) - aren't those the standard ones

They are, but you need certificates for both example.com and xmpp.example.com

There is a snikket chat which might be of more help as we are only assuming

This one is specific to custom installs xmpp:unofficial@channels.snikket.org?join

thank you

No problem

I found this in their FAQ: "Sometimes we get asked if it is possible to have a different address for users, such as user@example.com. Technically XMPP supports this (by adding custom SRV records in DNS), but it’s made complex by the requirement for certificates for that domain. Snikket would need certificates for example.com, which is quite tricky unless the A record for that domain is also pointing at Snikket - Let’s Encrypt does not follow SRV records"

That sounds like if I already have a website on a different machine using up example.com that i'm just outta luck for this

but this certificate issue wouldn't be an issue with Prosody?

Well you still need the certificate, so the server the software runs on needs a valid certificate for the domain

In my case, I run my webserver and xmpp server on the same machine so it's not too hard

You could get fancy, and use DNS challenges to get the certificate on the second machine. That way the a record isn't needed and can point at the web server

But likely not for snikket

zcyph: if you set up prosody directly, and your own method of getting certificates like acme.sh you could use the DNS challenge to get the right certs

But now you see why Snikket doesn't support this...

It's just too much for an easy to setup implementation

ah

Makes a bit more sense now, thanks

One day DNSSEC might save us from this nightmare

If something else doesn't save us first...

There's always another nightmare 😶