XMPP Service Operators - 2023-04-03

moparisthebest, the old admin of jabber.de used sslh. It was quite a pain until it worked okay.

moparisthebest, these are the old DNS SRV records refering to 5223: _xmpp-client._tls._tcp.openim.de. 60 IN SRV 5 0 5223 openim.de. _xmpps-client._tcp.openim.de. 60 IN SRV 10 0 5223 openim.de. _xmpps-client._tcp.openim.de. 60 IN SRV 5 0 5223 openim.de.

Never heard of _tls._tcp. btw... You?

Sounds bogus to me

there's _xmpp-client and _xmpps-client for direct tls

also there's a duplicated direct tls entry pointing to the very same host which makes no sense.

Maranda, the new records should be 100% okay.

Anyway, a lot of people seem to connect to port 5223, not using direct tls.

Roi: not sure about the actual configuration of Prosody listeners, but you need to give time for changes to propagate and cached records to actually expire

Anyways

Maranda, sure I know. But we switched to the new server on March 30th. I know no TTLs which last so long. And as you see above, the TTLs were set to 60 seconds before.

I guess they used clients that specified the port manually

Menel, yes that is also my guess. And that seem to be many. A few clients cannot login so frequently to this port and generete all these errors. Maybe spam scripts? No idea...

Yes, beside a short info text about the changed port on your website there isn't much to do I guess

Maybe move xmpps-client to 443 or some other port and close 5223 after a while (give some time for DNS) if you want to get rid of the error spam in your logs.

It is already on 443 too

and xmpp-client on 80 too, quite robust

Roi: > Bei uns wird der Port 5223 (im Gegensatz zum alten openim.de Server) nur für SSL und nicht TLS verwendet. You should also fix this. '…für "Direct TLS" und nicht "STARTTLS"…'

Menel, > Yes, beside a short info text about the changed port on your website there isn't much to do I guess https://jabber.hot-chilli.net/2023/03/30/openim-de/

Martin, I won't change the current ports for the new vhost. The other vhosts have a lot more users. I did not see this as a problem because of SRV records. These are there for a reason. But surprise, a lot of users like it the old-fashioned way and do a manual setup.

Menel, > It is already on 443 too > and xmpp-client on 80 too, quite robust Yes. As we have a second IP and I do not need these ports for web, we offer these ports for users who are behind firewalls. No idea if this is still needed, but it helped people a lot 15-10 years ago when I talked a lot to people about that setup.

> You should also fix this. '…für "Direct TLS" und nicht "STARTTLS"…' Yes, thank you. On the server specs page I also still have SSL - as this was the term for a long time. ;-)

Done

But that won't reduce the hammering login tries. ;-)

> _xmpp-client._tls._tcp.openim.de. 60 IN SRV 5 0 5223 openim.de. Maranda, Roi: the original draft of xep 368 had _xmpp-client._tls.domain instead of _xmpps-client._tcp.domain but that one just seems like a mistake

Establishing a secure connection from jotwewe.de to p2.siacs.eu failed. Certificate hash: b0b50b70971d48aa46db72b2c4fd1f218c8caec9. Error with certificate 0: certificate has expired.

As this came up here, does somebody have an up to date howto for sslh? I found several howtos, but all very old. And came up with this: DAEMON_OPTS="--user sslh -n --transparent --listen ipv4:5223 --listen ipv6:5224 --xmpp 127.0.0.1:5222 --tls 127.0.0.1:5223 --pidfile /var/run/sslh/sslh.pid" This does not work as Prosody sits on 5223. Is there an option to tell Prosody to only listen to port 5223 on localhost without affecting the other ports Prosody is listening to? Also, do I still need to adjust sysctl.conf and iptables?

Roi: use a config file you cave man

Transparent is a pain to setup, in my experience.

> This does not work as Prosody sits on 5223. Just change the ports in one of the services... Why would you want to listen on the same port with both services? Ipv4 and 6 have different ports? That sounds all so wrong. There is a snippet of config somewere on xmpp.org iirc.. Or somewhere

https://wiki.xmpp.org/web/Tech_pages/XEP-0368#sslh

Yep that's the latest, I have transparent working but it involves so many iptables rules and routing tables etc it's impossible for me to show :/

Any British people here who know about the online safety bill? This is a serious threat to XMPP server operators right?

Well the transparent setup is what I want here if I go this path...

> > This does not work as Prosody sits on 5223. > Just change the ports in one of the services... > Why would you want to listen on the same port with both services? > Ipv4 and 6 have different ports? That sounds all so wrong. There is a snippet of config somewere on xmpp.org iirc.. Or somewhere Maybe you did not follow my problem here. The server just runs fine. But the new vhost (users) are used to a different setup. And I won't change the traditional setup. But I am willing to expand it.

Roi, there's xmpp:prosody@conference.prosody.im?join

Trung, sure I know this room. ;-) But discussion was going on here. ;-)

Roi, forgive me if i'm getting this wrong but I see there are people running bleeding edge distro complaining debian (my distro) is too old and then there're people of openim.de who can't switch to starttls for some unknown reason and you want to support their doing?

Trung, I want to be userfriendly. Also the prosody.log is bugging me where I see 100+ messages per second about unsupported protocol... This also takes a lot of resources, at least I believe so.

Debian? :-) Just upgraded the server to Bullseye. I win the antique prize. ;-)

Archeodistrology

An Arch user just died because of you :'(

moparisthebest, edhelas said you died

Wasn't me this time 😅

Roi: https://github.com/yrutschle/sslh/blob/master/doc/tproxy.md is probably what you want, going to have to have prosody listen on different ports, and set up all these rules, good luck :/

This is one of the reasons xmpp-proxy doesn't mess with these shenanigans, it just passes the IP directly to prosody with the PROXY protocol

Does anyone have stats on how many public xmpp servers do or don't support ipv6?

A lot of hosts will drop $2 off price to forgo ipv4, wondering if that is viable

Probably not

moparisthebest, thank you, I will take a look into it. But at the moment, my entusiasm is already been down again... ;-)