XMPP Service Operators - 2023-07-02

  1. endrit

    playninja@conversations.im for rtbl please

  2. endrit

    cumpantd@conversations.im for rtbl please

  3. sagaracharya

    Thanks folks. I feel privileged to be in this able group!

  4. sagaracharya

    My server is hosted at humaaraartha.in with Prosody on Alpine Linux

  5. sagaracharya

    Earlier, I used to use amazing magicbroccoli.de

  6. sagaracharya

    My name is Sagar Acharya

  7. ben


  8. sagaracharya

    I have registered on list.jabber.at

  9. sagaracharya

    But when I verify my mail and JID, I get nothing on them. So I cannot proceed with adding my domain there!

  10. sagaracharya

    ben: :)

  11. ben

    Is your server public?

  12. sagaracharya


  13. ben


  14. Menel

    There are many, many lists; the problem with lists is that they are often outdated. I guess you would have to ask https://www.fsinf.at/, they seem to host it, if you really want to be on that list. There is also https://compliance.conversations.im/ and other lists I don't know right now...

  15. sagaracharya

    Anyone from disroot here?

  16. sagaracharya

    Does any one of you host an smtpd mailserver?

  17. Link Mauve

    Yes, but this might be more relevant to another room, such as xmpp:hbsc@muc.lurk.org?join for instance.

  18. sagaracharya

    Link Mauve: That is IPv4 server

  19. Menel

    Sadly lots of the internet doesn't support ipv6 yet.

  20. Ellenor Bjornsdottir

    And this needs to be rectified at all costs

  21. sagaracharya

    IPv6 is the future with ample addresses for all

  22. sagaracharya

    Is there some way where I can add a tag to a profile?

  23. Quinn64

    Unfortunately, most ISPs in my area still only support IPv4

  24. sagaracharya

    So next to profile picture, I want to put a glyph for certain accounts

  25. moparisthebest

    You can get a /64 from he.net still

  26. Ellenor Bjornsdottir

    i am banned there XD

  27. sagaracharya


  28. moparisthebest

    Specifically https://tunnelbroker.net/ and it's a /48 not a /64 oops

  29. mimi89999

    Establishing a secure connection from lebihan.pl to p2.siacs.eu failed. Certificate hash: 3a0af983a10e43f2a65e8a75b8aef14a6bf3b32fc3105d7340ec5662b71f49d2. Error with certificate 0: certificate has expired.

  30. sagaracharya

    Currently, I have 2 self-signed certs, what are your views on its security

  31. sagaracharya

    Are the key exchange algos a problem?

  32. sagaracharya

    I mean, how is CA-verified better? It adds trustworthiness to my public cert by relying on Letsencrypt?

  33. Menel

    Is this a question why CAs exist?

  34. Menel

    Whatever the outcome of that discussion, it won't change the fact that you won't be able to communicate with some servers if you don't have CA-trusted certs. Because there are servers that require it to connect to yours

  35. Menel

    (from a practical view you'll just need them, regardless if you believe in them )

  36. Quinn64

    Self-signed certs require each user to manually verify them if they want to be sure there's no MITM. Certs from known sources like Let's Encrypt will automatically be trusted and the user can be reasonably sure there's no MITM, outside of maybe an entity parsing metadata

  37. opal

    outside of LE itself being compromised

  38. opal

    sagaracharya, i think many of us have internally debated this "is trusting a CA worth it" and figured its easier just to make things work for the time being

  39. opal

    it really is a philosophical question on trust so dont expect a real answer lmao

  40. sagaracharya

    Quinn64: Interesting.

  41. sagaracharya

    I saw the openssl scripts of prosody which are fine few-liners

  42. sagaracharya

    So what is the method to submit a cert to CA?

  43. sagaracharya

    One submits the public key right?

  44. opal

    sagaracharya, you use your private key to generate a CSR, send the CSR to let's encrypt, and you receive back a certificate you can use

  45. sagaracharya

    I used to generate from acme.sh but I'd like to do it manually to be satisfied that just my public key is submitted.

  46. sagaracharya

    What is csr?

  47. opal

    cert signing request

  48. Quinn64

    Certbot makes it simple. It gets slightly more complicated if you want a wildcard cert, but still pretty easy

  49. opal

    wildcard certs are disgusting anyway

  50. sagaracharya

    wildcard cert means?

  51. opal

    cert for *.example.org

  52. Quinn64

    Like my cert covers jabbering-queer.net and *.jabbering-queer.net

  53. opal

    and certbot only makes it simple if your system is simple, my systems never are

  54. Quinn64

    Fair enough

  55. sagaracharya

    Quinn64: Are they difficult to work with?

  56. opal

    Quinn64, i restrict my domains so i *cannot* issue wildcard certs for them, do you only do wildcards for perceived simplicity?

  57. sagaracharya

    They sound nice

  58. opal

    ```
    ;; wowana.me. IN CAA
    ;; ANSWER SECTION:
    wowana.me. 30 IN CAA 0 iodef "mailto:ssl@wowana.me"
    wowana.me. 30 IN CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/80042877; validationmethods=dns-01"
    wowana.me. 30 IN CAA 0 issuewild ";"
    ```

  59. sagaracharya

    What is the process after csr is generated?

  60. sagaracharya

    Manual process without certbot or acmesh

  61. opal

    you send HTTP requests to the ACME endpoint, this is documented via the rfcs

  62. Quinn64

    I like wildcard certs so I don't have to generate a new cert every time I add a subdomain
    > Quinn64: Are they difficult to work with?
    No, they just require a slight bit more work to set up

  63. opal

    sagaracharya, at this point youre implementing an acme client so have fun reading docs :>

  64. opal

    > every time I add a subdomain
    realistically how often do you do this (if it's often, i eat my hat)

  65. Quinn64

    Since I'm experimenting around with different software and components before I eventually launch public registration? Quite a bit

  66. opal

    ah ok

  67. opal

    fair enough

  68. sagaracharya

    It should be trivial though, right?

  69. sagaracharya

    csr is sent

  70. sagaracharya

    Domain name verification

  71. sagaracharya

    Then return cert

  72. sagaracharya

    Are acme clients needed?

  73. sagaracharya

    The complicated ones?

  74. opal

    it isnt necessarily complicated, but it's just a few steps and you have to keep track of state/secrets a bunch

  75. opal

    i wanted to implement one of my own but i ended up just using dehydrated for now

  76. Quinn64

    I used this for my server: https://github.com/joohoi/acme-dns-certbot-joohoi
    I skimmed through the code and didn't see any red flags

  77. Quinn64

    You might have to change the python version it uses, depending on your setup. Example: `#!/usr/bin/env python` to `#!/usr/bin/env python3`

  78. opal

    https://wowana.me/git/config/acme.git/files.xht
    theres a (potentially outdated) snapshot of my dehydrated config + scripts i use to renew

  79. sagaracharya

    opal: dehydrated? You mean without water?

  80. opal

    i use dns-01 challenges

  81. sagaracharya

    Or there's some software named dehydrated

  82. opal

    sagaracharya, :D alternatively yeah there's https://github.com/dehydrated-io/dehydrated

  83. opal

    i assure you im very hydrated rn

  84. sagaracharya

    2.4k lines?! for just signing a public cert!

  85. sagaracharya

    But dehydrated is superb wrt organization of files

  86. sagaracharya

    1 file! Superb!!

  87. opal

    2.4k lines of mostly boilerplate

  88. opal

    i never called dehydrated an artistic endeavour

  89. opal

    it's still shit

  90. opal

    but it works

  91. sagaracharya

    opal: Lol, yes

  92. sagaracharya

    You seem to be a hardcore minimalist

  93. sagaracharya

    wrt code

  94. opal

    im a "do one thing and do it right" kind of person

  95. moparisthebest

    opal: keep in mind wildcard certs are the only way you can have TLS protected private domain names without broadcasting them to the world

  96. opal

    not everything i use/prefer is very minimal, but yeah i tend to lean that way

  97. opal

    moparisthebest, oh good point thanks

  98. sagaracharya

    opal: UNIX :)

  99. moparisthebest

    Because of crt.sh

  100. sagaracharya

    What is crt.sh?

  101. sagaracharya

    moparisthebest: Very interesting. That is an important point indeed

  102. moparisthebest

    sagaracharya: https://en.wikipedia.org/wiki/Certificate_Transparency

  103. sagaracharya

    How can one generate wildcard certs?

  104. opal

    with dns-01

  105. opal

    i'll pull up a link

  106. sagaracharya

    acme.sh can generate one?

  107. sagaracharya

    Have any of you hosted opensmtpd?

  108. opal

    https://peterbabic.dev/blog/wildcard-certificate-acme-sh/ sagaracharya

  109. opal

    had to find that for acme.sh lol

  110. moparisthebest

    Yes I use acme.sh for all my wildcard certs

  111. moparisthebest

    Indeed you have to do the DNS challenge

  112. opal

    i host my own dns so i dont know anything about this "dns api" shit

  113. TheCoffeMaker

    > Indeed you have to do the DNS challenge
    Can confirm

  114. opal

    i only modify my zone files and tell nsd to eat it up and serve it

  115. sagaracharya

    opal: You host your own dns?

  116. moparisthebest

    > i host my own dns so i dont know anything about this "dns api" shit
    Same, but bind9 has an API too

  117. opal

    sagaracharya,
    ```
    ;; volatile.bz. IN NS
    ;; ANSWER SECTION:
    volatile.bz. 3600 IN NS lena.volatile.bz.
    volatile.bz. 3600 IN NS cherumin.volatile.bz.
    volatile.bz. 3600 IN NS uta.volatile.bz.
    ```

  118. opal

    all day

  119. sagaracharya

    opal: You were able to configure postfix! I bow down to you, O lord!!!

  120. opal


  121. sagaracharya

    I understand your skill level now!

  122. opal

    postfix has too many knobs, bells, and whistles

  123. opal

    just to send mail =D

  124. sagaracharya

    Volatile is ipv4 only

  125. sagaracharya

    Can't join your room

  126. sagaracharya

    You should try OpenSMTPD, it is 10000x simpler to configure

  127. sagaracharya

    Plus it is OpenBSD!!

  128. opal

    > ipv4 only
    i have ipv6 records on everything mate

  129. opal

    > Plus it is OpenBSD!!
    sounds like a reason to avoid it

  130. sagaracharya

    Aah, then you must've blocked self signed certs

  131. opal

    yeah thats the issue

  132. sagaracharya

    Reason to avoid what?

  133. opal

    sorry about that lol (but its also the case with 90% of xmpp)

  134. opal

    i tried openbsd on my x200 and its like twice as slow as linux

  135. opal

    and if i switch mailservers its gonna be to something like qmail, not opensmtpd

  136. opal

    qmail is simpler in my head

  137. sagaracharya

    Use it on alpine

  138. sagaracharya

    You mean GNU/Linux ?

  139. opal

    i know opensmtpd is cross-platform

  140. opal

    im saying your vouching for it because "it's from openbsd" doesnt convince me lol

  141. sagaracharya

    Your website is fantastic but I wish to point out 1 practical issue

  142. sagaracharya

    Because the stuff you're competing with is WhatsApp, GMail, GitHub, free XMPP, you can attract only a few users

  143. sagaracharya

    I agree that money is required and we data security providers don't read secrets and thus don't earn money with users' data

  144. opal

    i do this stuff because i believe in it, not because i want immediate returns

  145. opal

    i would rather have a few interested people than a crowd of idiots who annoy me nonstop

  146. opal

    i know my limits there

  147. opal

    and ive dealt with it before

  148. opal

    which is exactly *why* i take stances like that

  149. opal

    admins get burnout and dont want to contribute to the open ecosystem because theyre just people and they get tired of dealing with other people sometimes

  150. opal


  151. sagaracharya

    Which city & country are you from?

  152. opal

    if we're doing it because we care about it + the people we're helping out, it's good

  153. opal

    best answer youre getting is usa

  154. sagaracharya

    Yes, free software has an issue with money. I did give a talk on it at LibrePlanet 2022

  155. opal


  156. opal

    sagaracharya, my motivations for self-hosting are to serve myself foremost, so i'll only lose my interest in this space when i die haha

  157. opal

    i can wait for the money, plus i can get money other ways; i have a job in any case

  158. opal

    that part doesnt worry me much

  159. opal

    doing things "right" concerns me

  160. Tcache

    > Yes, free software has an issue with money. I did give a talk on it at LibrePlanet 2022
    i agree. Most of us run public servers with the help of donations.

  161. Tcache

    Also most FOSS devs develop such software as a hobby.

  162. opal

    i used to run volatile as a public server but the spam's annoying to deal with

  163. sagaracharya

    Yes, I find it unfortunate that the best folks have to rely on donation and people who take binaries, stitch them together and write absolutely bad code earn a lot.

  164. Tcache

    > i used to run volatile as a public server but the spam's annoying to deal with
    Yess, that's something that we all should handle as sysadmins.

  165. opal

    i think sagaracharya had https://wowana.me/blog/toward-a-healthier-federation.xht in mind when talking about this (if not, then it's what i had in mind at least) and it sums up why i stepped away from public-registration services

  166. sagaracharya

    I want to completely cure that

  167. Tcache

    > I want to completely cure that
    I am with you sagaracharya

  168. sagaracharya


  169. sagaracharya

    My video tag isn't working but you can see the video at href link

  170. opal

    > LibrePlanet removed my talk from their official videos
    haha thats lame of them

  171. opal

    > My video tag isn't working
    i wouldnt have noticed, i have videos blocked from loading :p

  172. sagaracharya

    It is my talk at LibrePlanet 2022 and it specifies my view of free software

  173. sagaracharya


  174. Tcache

    sagaracharya: I wish to see it

  175. opal

    ```
    ~ wowaname@mahin> mpv https://humaaraartha.in/static/videos/sagar_libreplanet_2021.webm
    Can't load unknown script: /home/wowaname/etc/mpv/scripts/osc.lua.dis
    [ffmpeg] https: HTTP error 404 Not Found
    ```
    oh there we go

  176. sagaracharya

    Well yes, there's nothing there

  177. sagaracharya

    I will correct and let you know

  178. opal


  179. Tcache

    ```
    $ nslookup humaaraartha.in
    Server:
    Address:

    Non-authoritative answer:
    Name:    humaaraartha.in
    Address: 2405:201:f:11a4:c:9ff:fe02:4510
    ```

  180. opal

    also if the slides themselves are trivial to host (as pdf i guess) then that'd be fine too

  181. Tcache

    It leads to ipv6 kewl

  182. Tcache

    It leads to just ipv6 kewl

  183. opal

    im glad ipv4 is going the way of the dodo

  184. opal

    sick of dualstack

  185. sagaracharya

    opal: That I've intentionally kept so I meet more people

  186. sagaracharya


  187. sagaracharya

    I suggest this trick to meet more people

  188. Tcache


  189. sagaracharya

    Check it now

  190. sagaracharya

    Straight from the link

  191. opal

    yep works :)

  192. sagaracharya

    Do you want the slides?

  193. sagaracharya

    Mail me, I'll get back

  194. opal

    its fine if the video works

  195. opal

    how's the weather where you are lol, it's getting hot here now

  196. sagaracharya

    opal: Are you with the lollipop girl?

  197. opal

    with? lol my friend drew her for me

  198. opal

    and i drew the pic on my site

  199. opal


  200. sagaracharya

    Here, it is pleasant, humid and warm as I like it

  201. opal

    i hate the humidity lmao

  202. sagaracharya


  203. opal

    we can trade

  204. Tcache

    > Mail me, I'll get back
    can i get the video and slides :)

  205. opal

    Tcache, https://humaaraartha.in/static/videos/sagar_libreplanet_2021.webm for vid

  206. opal

    it works now

  207. Tcache

    Its still not working for me :(

  208. opal

    oh i viewed it through mpv fine

  209. sagaracharya

    opal: Glad

  210. sagaracharya

    How does buffering work on html videos?

  211. Tcache

    ```
    $ mpv https://humaaraartha.in/static/videos/sagar_libreplanet_2021.webm
    [ffmpeg] tcp: Connection to tcp://humaaraartha.in:443 failed: Network is unreachable
    Failed to open https://humaaraartha.in/static/videos/sagar_libreplanet_2021.webm.
    [ytdl_hook] ERROR: [generic] None: Unable to download webpage: <urlopen error [Errno 101] Network is unreachable> (caused by URLError(OSError(101, 'Network is unreachable')))
    [ytdl_hook] youtube-dl failed: unexpected error occurred
    Exiting... (Errors when loading file)
    ```

  212. opal

    oh are you having an issue with ipv6

  213. sagaracharya

    Within <video> tag

  214. sagaracharya

    For IPv6, you'd have to use Tor

  215. sagaracharya

    I mean for v4

  216. opal

    should i just re-host it

  217. opal


  218. Tcache

    opal: yess please, if you can

  219. sagaracharya

    For slides, mail me

  220. sagaracharya


  221. Tcache


  222. opal

    https://volatile.bz/static/sagar_libreplanet_2021.webm Tcache

  223. Menel

    You could also exchange xmpp addresses and continue from there.... Even share files

  224. opal

    if jids were public in here i'd be way ahead of you

  225. Tcache

    > https://volatile.bz/static/sagar_libreplanet_2021.webm Tcache
    thank you opal

  226. opal

    meanwhile we'll shit up your vibe Menel :)

  227. opal


  228. Menel

    You can exchange them even via pm

  229. Tcache

    yess i am aware of it Menel Thanks for pointing out. :)

  230. opal

    i cant figure out how to whisper on gajim

  231. sagaracharya

    It was pure joy talking to you sysadmins

  232. sagaracharya will leave this room and be back later

  233. opal

    happy sunday

  234. sagaracharya

    Just let me know on the video tag buffering in html

  235. sagaracharya

    <video controls><source src="/static/videos/sagar_libreplanet_2021.webm" type="video/webm">We were unable to load video.</video>

  236. sagaracharya

    How does buffering work in this?

  237. sagaracharya

    How much video is loaded?

  238. Tcache

    My internet is very slow atm, since I'm in the woods. I will download that video once I'm home.

  239. opal

    sagaracharya, btw the webserver is advertising that video's content-type as text/plain, might be causing issues in browsers

  240. opal

    http clients usually request partial content for video streaming

  241. opal

    wget does the same with --continue flag

  242. sagaracharya

    Type is clearly video/webm

  243. opal

    not what curl -I is telling me

  244. sagaracharya

    Well, can you check whether my XMPP TLS cert is signed by CA now?

  245. sagaracharya

    I used the same cert as that of my http website

  246. sagaracharya

    Hey, y'all must know this

  247. sagaracharya

    How do I route all 80 port requests to 443?

  248. sagaracharya

    I use mini_httpd

  249. opal

    http 302/307 redirect to https://url

  250. opal

    > can you check whether
    no i cant since i dont know your xmpp server

  251. opal

    and i was gonna suggest xmpp.net to check tls, but it seems down now :(

  252. sagaracharya


  253. opal


  254. opal

    sagaracharya, i see let's encrypt when i connect; are you able to communicate with my server now

  255. sagaracharya

    Is port a file on unix?

  256. sagaracharya

    opal: I'm unable to, tried just now

  257. opal


  258. sagaracharya

    Remote server not found

  259. sagaracharya

    My groups are insecure though

  260. sagaracharya

    They're self certified

  261. duncan

    why use self signed certs in 2023? LE is like 8 years old now

  262. sagaracharya

    Did you see the video?

  263. opal

    ya i watched it

  264. opal

    im not the person who had issues loading it

  265. sagaracharya

    What do you think about it?

  266. sagaracharya

    Give me your xmpp id

  267. opal


  268. sagaracharya

    I'm unable to send to you

  269. sagaracharya

    Any msgs also, can't fetch OMEMO keys

  270. opal

    ```
    Jul 02 19:12:27 s2sout7f831245d220 info Sending error replies for 1 queued stanzas because of failed outgoing connection to humaaraartha.in
    ```
    thats all i see in my logs when i try to ping that server

  271. opal

    im going afk

  272. sagaracharya

    ping is disabled

  273. sagaracharya

    It won't work.

  274. sagaracharya

    I have disabled it in config

  275. sagaracharya will see you later

  276. duncan

    ping is a fundamental requirement of ipv6, why would you disable it?

  277. opal

    i said "ping" colloquially

  278. opal

    duncan, xmpp has ping too but in any case i didnt mean either xmpp or ipv6 ping

  279. Ellenor Bjornsdottir

    duncan: common and dumb DDoS vector. nonresponse to icmp ping means not participating in a spoof attack

  280. Ellenor Bjornsdottir

    ooookay. got morph'd again.

  281. Ellenor Bjornsdottir

    In muc DMs from my furries general,
    > fisuioion wrote:
    > 1. Stop using the offensive term: You loaded it with toxic trash, you yourself, your delusional making entirely (not mine), then you put your toxic trash onto me. Do not.
    bla, bla, bla
    > P.S. Don't dare to DM me, that JID is temporal. It's just made to hopefully finally stop your bad behavior.
    xmpp:fisuioion@conversations.im for the rtbl maybe?

  282. Ellenor Bjornsdottir

    In muc DMs from my furries general,
    > fisuioion wrote:
    > 1. Stop using the offensive term: You loaded it with toxic trash, you yourself, your delusional making entirely (not mine), then you put your toxic trash onto me. Do not.
    bla, bla, bla
    > P.S. Don't dare to DM me, that JID is temporal. It's just made to hopefully finally stop your bad behavior.
    xmpp:fisuioion@conversations.im for the rtbl maybe, though furries general doesn't use rtbl?

  283. Ellenor Bjornsdottir

    i know sending spam samples is generally considered gauche... In muc DMs from my furries general,
    > fisuioion wrote:
    > 1. Stop using the offensive term: You loaded it with toxic trash, you yourself, your delusional making entirely (not mine), then you put your toxic trash onto me. Do not.
    bla, bla, bla
    > P.S. Don't dare to DM me, that JID is temporal. It's just made to hopefully finally stop your bad behavior.
    xmpp:fisuioion@conversations.im for the rtbl maybe, though furries general doesn't use rtbl?

  284. MattJ

    The RTBL is generally for network-wide stuff. For targeted abuse it's better to ban/block the account directly and escalate to your/their server admin if needed

  285. Menel

    sagaracharya: testssl says:
    ```
    Oops: TCP connect problem
    Unable to open a socket to [2405:201:f:11a4:c:9ff:fe02:4510]:5222.
    Fatal error: Can't connect to "[2405:201:f:11a4:c:9ff:fe02:4510]:5222"
    ```
    Same for 5269