XMPP Service Operators - 2022-03-09


  1. zcyph

    I read about DNS SRV for XMPP, if the server is xmpp.example.com to get usernames to appear as user@example.com or something along those lines. Has anyone been able to do that?

  2. rob

    Yes

  3. rob

    Prosody for example https://prosody.im/doc/dns

  4. rob

    But the DNS works the same for other servers

  5. rob

    I have a number of domains that all have srv records pointing at a server on another subdomain

  6. rob

    But it works for the same domain as in your example

  7. zcyph

    I've never been able to get it to work, so I'm not sure if I'm configuring it wrong or just misunderstanding. Set correctly I should then be able to log in with client apps using user@example.com and other users will be able to find me that way too, even though the server actually is at xmpp.example.com right?

  8. rob

    Yes, if you give me the domains I'm happy to tell you what DNS you need

  9. rob

    This assumes you control the server, it didn't work if you want a custom username@domain but your account is on someone else's server

  10. rob

    The server has to know about the domain, called a virtual host

  11. zcyph

    Awesome thanks, I'm trying to get chat.sendly.cc and xmpp.zcyph.cc to sendly.cc and zcyph.cc respectively

  12. moparisthebest

    And you need the right certificate, ie for example.com and not xmpp.example.com

  13. rob

    But then you would at least get a certificate error?

  14. zcyph

    Right certificate?

  15. moparisthebest

    I didn't check these I just mean in general

  16. rob

    zcyph: so in the doc for prosody, replace example.com and xmpp.example.com with sendly.cc and chat.sendly.cc and the same for zcyph.cc and xmpp.zcyph.cc

  17. rob

    You need both client and server records for each domain

  18. rob

    And the port needs to be the configured port on your server, which might not be what is in the doc

  19. rob

    zcyph: what server and how did you set it up? Did you follow a guide or use the documentation?

  20. rob

    And by server I meant what server software, prosody or ejabberd etc

  21. zcyph

    I used Snikket (https://snikket.org/service/quickstart/) behind Nginx (https://github.com/snikket-im/snikket-server/blob/master/docs/advanced/reverse_proxy.md)

  22. moparisthebest

    That's trickier, I think Snikket doesn't support it out of the box because then it's impossible to get the proper certificates I mentioned without even more setup

  23. zcyph

    damn, am i just better off installing prosody instead

  24. rob

    Ah could be, snikket is meant to just work. But doesn't really support advanced configuration. At that point you should consider running prosody itself

  25. rob

    You can still use the invites modules and conversejs if those appeal to you

  26. rob

    As an example https://git.loranger.xyz/rob/gists/src/branch/mistress/prosody-config

  27. zcyph

    their docs say they use 5222 (client to server) and 5269 (server to server) - aren't those the standard ones

  28. rob

    They are, but you need certificates for both example.com and xmpp.example.com

  29. rob

    There is a snikket chat which might be of more help as we are only assuming

  30. rob

    This one is specific to custom installs xmpp:unofficial@channels.snikket.org?join

  31. zcyph

    thank you

  32. rob

    No problem

  33. zcyph

    I found this in their FAQ: "Sometimes we get asked if it is possible to have a different address for users, such as user@example.com. Technically XMPP supports this (by adding custom SRV records in DNS), but it’s made complex by the requirement for certificates for that domain. Snikket would need certificates for example.com, which is quite tricky unless the A record for that domain is also pointing at Snikket - Let’s Encrypt does not follow SRV records"

  34. zcyph

    That sounds like if I already have a website on a different machine using up example.com that i'm just outta luck for this

  35. zcyph

    but this certificate issue wouldn't be an issue with Prosody?

  36. rob

    Well you still need the certificate, so the server the software runs on needs a valid certificate for the domain

  37. rob

    In my case, I run my webserver and xmpp server on the same machine so it's not too hard

  38. rob

    You could get fancy, and use DNS challenges to get the certificate on the second machine. That way the A record isn't needed and can point at the web server

  39. rob

    But likely not for snikket

  40. moparisthebest

    zcyph: if you set up prosody directly, and your own method of getting certificates like acme.sh you could use the DNS challenge to get the right certs

  41. moparisthebest

    But now you see why Snikket doesn't support this...

  42. rob

    It's just too much for an easy to setup implementation

  43. zcyph

    ah

  44. zcyph

    Makes a bit more sense now, thanks

  45. moparisthebest

    One day DNSSEC might save us from this nightmare

  46. moparisthebest

    If something else doesn't save us first...

  47. rob

    There's always another nightmare 😶

  48. junaid

    so it seems like dismail.de is offline atm. if anyone knows the owner then please consider passing on the message.

  49. MattJ

    zcyph, there are many solutions to the certificate issue when deploying XMPP, so it's not that you're out of luck. It just requires you to pick a solution and set it up. For Snikket we're planning to add support for delegated DNS challenges, you can track progress on that at https://github.com/snikket-im/snikket-server/issues/60