XMPP Service Operators - 2023-04-03


  1. Roi

    moparisthebest, the old admin of jabber.de used sslh. It was quite a pain until it worked okay.

  2. Roi

    moparisthebest, these are the old DNS SRV records referring to 5223: _xmpp-client._tls._tcp.openim.de. 60 IN SRV 5 0 5223 openim.de. _xmpps-client._tcp.openim.de. 60 IN SRV 10 0 5223 openim.de. _xmpps-client._tcp.openim.de. 60 IN SRV 5 0 5223 openim.de.

  3. Roi

    Never heard of _tls._tcp. btw... You?

  4. Maranda

    Sounds bogus to me

  5. Maranda

    there's _xmpp-client and _xmpps-client for direct tls

  6. Maranda

    also there's a duplicated direct tls entry pointing to the very same host which makes no sense.

  7. Roi

    Maranda, the new records should be 100% okay.

  8. Roi

    Anyway, a lot of people seem to connect to port 5223, not using direct tls.

  9. Maranda

    Roi: not sure about the actual configuration of Prosody listeners, but you need to give time for changes to propagate and cached records to actually expire

  10. Maranda

    Anyways

  11. Roi

    Maranda, sure I know. But we switched to the new server on March 30th. I know no TTLs which last so long. And as you see above, the TTLs were set to 60 seconds before.

  12. Menel

    I guess they used clients that specified the port manually

  13. Roi

    Menel, yes, that is also my guess. And that seems to be many. A few clients cannot log in, so frequently to this port, and generate all these errors. Maybe spam scripts? No idea...

  14. Menel

    Yes, beside a short info text about the changed port on your website there isn't much to do I guess

  15. Martin

    Maybe move xmpps-client to 443 or some other port and close 5223 after a while (give some time for DNS) if you want to get rid of the error spam in your logs.

  16. Menel

    It is already on 443 too

  17. Menel

    and xmpp-client on 80 too, quite robust

  18. Martin

    Roi: > For us, port 5223 (unlike the old openim.de server) is used only for SSL and not TLS. You should also fix this. '…for "Direct TLS" and not "STARTTLS"…'

  19. Roi

    Menel, > Yes, beside a short info text about the changed port on your website there isn't much to do I guess https://jabber.hot-chilli.net/2023/03/30/openim-de/

  20. Roi

    Martin, I won't change the current ports for the new vhost. The other vhosts have a lot more users. I did not see this as a problem because of SRV records. These are there for a reason. But surprise, a lot of users like it the old-fashioned way and do a manual setup.

  21. Roi

    Menel, > It is already on 443 too > and xmpp-client on 80 too, quite robust Yes. As we have a second IP and I do not need these ports for web, we offer these ports for users who are behind firewalls. No idea if this is still needed, but it helped people a lot 15-10 years ago when I talked a lot to people about that setup.

  22. Roi

    > You should also fix this. '…für "Direct TLS" und nicht "STARTTLS"…' Yes, thank you. On the server specs page I also still have SSL - as this was the term for a long time. ;-)

  23. Roi

    Done

  24. Roi

    But that won't reduce the hammering login tries. ;-)

  25. moparisthebest

    > _xmpp-client._tls._tcp.openim.de. 60 IN SRV 5 0 5223 openim.de. Maranda, Roi: the original draft of xep 368 had _xmpp-client._tls.domain instead of _xmpps-client._tcp.domain but that one just seems like a mistake

  26. ibikk

    Establishing a secure connection from jotwewe.de to p2.siacs.eu failed. Certificate hash: b0b50b70971d48aa46db72b2c4fd1f218c8caec9. Error with certificate 0: certificate has expired.

  27. Roi

    As this came up here, does somebody have an up to date howto for sslh? I found several howtos, but all very old. And came up with this: DAEMON_OPTS="--user sslh -n --transparent --listen ipv4:5223 --listen ipv6:5224 --xmpp 127.0.0.1:5222 --tls 127.0.0.1:5223 --pidfile /var/run/sslh/sslh.pid" This does not work as Prosody sits on 5223. Is there an option to tell Prosody to only listen to port 5223 on localhost without affecting the other ports Prosody is listening to? Also, do I still need to adjust sysctl.conf and iptables?

  28. Licaon_Kter

    Roi: use a config file you cave man

  29. Licaon_Kter

    Transparent is a pain to setup, in my experience.

  30. Menel

    > This does not work as Prosody sits on 5223. Just change the ports in one of the services... Why would you want to listen on the same port with both services? IPv4 and 6 have different ports? That sounds all so wrong. There is a snippet of config somewhere on xmpp.org iirc.. Or somewhere

  31. Menel

    https://wiki.xmpp.org/web/Tech_pages/XEP-0368#sslh

  32. moparisthebest

    Yep that's the latest, I have transparent working but it involves so many iptables rules and routing tables etc it's impossible for me to show :/

  33. jacob.eva

    Any British people here who know about the online safety bill? This is a serious threat to XMPP server operators right?

  34. Roi

    Well the transparent setup is what I want here if I go this path...

  35. Roi

    > > This does not work as Prosody sits on 5223. > Just change the ports in one of the services... > Why would you want to listen on the same port with both services? > IPv4 and 6 have different ports? That sounds all so wrong. There is a snippet of config somewhere on xmpp.org iirc.. Or somewhere Maybe you did not follow my problem here. The server just runs fine. But the new vhost (users) are used to a different setup. And I won't change the traditional setup. But I am willing to expand it.

  36. Trung

    Roi, there's xmpp:prosody@conference.prosody.im?join

  37. Roi

    Trung, sure I know this room. ;-) But discussion was going on here. ;-)

  38. Trung

    Roi, forgive me if I'm getting this wrong, but I see there are people running bleeding edge distros complaining Debian (my distro) is too old, and then there're people of openim.de who can't switch to STARTTLS for some unknown reason, and you want to support their doing?

  39. Roi

    Trung, I want to be user-friendly. Also the prosody.log is bugging me, where I see 100+ messages per second about unsupported protocol... This also takes a lot of resources, at least I believe so.

  40. Roi

    Debian? :-) Just upgraded the server to Bullseye. I win the antique prize. ;-)

  41. edhelas

    Archeodistrology

  42. edhelas

    An Arch user just died because of you :'(

  43. Trung

    moparisthebest, edhelas said you died

  44. moparisthebest

    Wasn't me this time 😅

  45. moparisthebest

    Roi: https://github.com/yrutschle/sslh/blob/master/doc/tproxy.md is probably what you want, going to have to have prosody listen on different ports, and set up all these rules, good luck :/

  46. moparisthebest

    This is one of the reasons xmpp-proxy doesn't mess with these shenanigans, it just passes the IP directly to prosody with the PROXY protocol

  47. Harper

    Does anyone have stats on how many public xmpp servers do or don't support ipv6?

  48. Harper

    A lot of hosts will drop $2 off price to forgo ipv4, wondering if that is viable

  49. moparisthebest

    Probably not

  50. Roi

    moparisthebest, thank you, I will take a look into it. But at the moment, my enthusiasm has already gone down again... ;-)