XMPP Service Operators - 2023-07-02

playninja@conversations.im for rtbl please

cumpantd@conversations.im for rtbl please

Thanks folks. I feel privileged to be in this able group!

My server is hosted at humaaraartha.in with Prosody on Alpine Linux

Earlier, I used to use amazing magicbroccoli.de

My name is Sagar Acharya

Swagath

I have registered on list.jabber.at

But when I verify my mail and JID, I get nothing on them. So I cannot proceed with adding my domain there!

ben: :)

Is your server public?

Yes

Nice

There are many many lists, the problem with lists is, they are often outdated. I guess you would have to ask https://www.fsinf.at/, they seem to host it if you really want to be on that list. There is also https://compliance.conversations.im/ and other lists I don't know right now...

Anyone from disroot here?

Do anyone of you host smptd mailserver?

Yes, but this might be more relevant to another room, such as xmpp:hbsc@muc.lurk.org?join for instance.

Link Mauve: That is IPv4 server

Sadly lots of the internet doesn't support ipv6 yet.

And this needs to be rectified at all costs

IPv6 is the future with ample addresses for all

Is there some way where I can add a tag to a profile?

Unfortunately, most ISPs in my area still only support IPv4

So next to profile picture, I want to put a glyph for certain accounts

You can get a /64 from he.net still

i am banned there XD

?

Specifically https://tunnelbroker.net/ and it's a /48 not a /64 oops

Establishing a secure connection from lebihan.pl to p2.siacs.eu failed. Certificate hash: 3a0af983a10e43f2a65e8a75b8aef14a6bf3b32fc3105d7340ec5662b71f49d2. Error with certificate 0: certificate has expired.

Currently, I have 2 self signed certs, what are your views on it's security

Are the key exchange algos a problem?

I mean how is CA verified better? It adds trustworthiness of my public cert relying on Letsencrypt?

Is this a question why CAs exist?

Whatever the outcome of that discussion, it won't change the fact that you won't be able to communicate with some servers if you don't have CA tusted certs. Because there are server that require it to connect to yours

(from a practical view you'll just need them, regardless if you believe in them )

Self-signed certs require each user to manually verify them if they want to be sure there's no MITM. Certs from known sources like Let's Encrypt will automatically be trusted and the user can be reasonably sure there's no MITM, outside of maybe an entity parsing metadata

outside of LE itself being compromised

sagaracharya, i think many of us have internally debated this "is trusting a CA worth it" and figured its easier just to make things work for the time being

it really is a philosophical question on trust so dont expect a real answer lmao

Quinn64: Interesting.

I saw the openssl scripts of prosody which are fine few liners

So what is the method to submit a cert to CA?

One submits the public key right?

sagaracharya, you use your private key to generate a CSR, send the CSR to let's encrypt, and you receive back a certificate you can use

I used to generate from acme.sh but I'd like to do it manually to be satisfied that just my public key is submitted.

What is csr?

cert signing request

Certbot make it simple. It gets slightly more complicated if you want a wildcard cert, but still pretty easy

wildcard certs are disgusting anyway

wildcard cert means?

cert for *.example.org

Like my cert covers jabbering-queer.net and *.jabbering-queer.net

and certbot only makes it simple if your system is simple, my systems never are

Fair enough

Quinn64: Are they difficult to work with?

Quinn64, i restrict my domains so i *cannot* issue wildcard certs for them, do you only do wildcards for perceived simplicity?

They sound nice

``` ;; wowana.me. IN CAA ;; ANSWER SECTION: wowana.me. 30 IN CAA 0 iodef "mailto:ssl@wowana.me" wowana.me. 30 IN CAA 0 issue "letsencrypt.org; accounturi=https://acme-v02.api.letsencrypt.org/acme/acct/80042877; validationmethods=dns-01" wowana.me. 30 IN CAA 0 issuewild ";" ```

What is the process after csr is generated?

Manual process without certbot or acmesh

you send HTTP requests to the ACME endpoint, this is documented via the rfcs

I like wildcard certs so I don't have to generate a new cert every time I add a subdomain > Quinn64: Are they difficult to work with? No, just require a slight bit more work to setup

sagaracharya, at this point youre implementing an acme client so have fun reading docs :>

>every time I add a subdomain realistically how often do you do this (if it's often, i eat my hat)

Since I'm experimenting around with different software and components before I eventually launch public registration? Quite a bit

ah ok

fair enough

It should be trivial though right.

csr is sent

Domain name verification

Then return cert

Are acme clients needed?

The complicated ones?

it isnt necessarily complicated, but it's just a few steps and you have to keep track of state/secrets a bunch

i wanted to implement one of my own but i ended up just using dehydrated for now

I used this for my server: https://github.com/joohoi/acme-dns-certbot-joohoi I skimmed through the code and didn't see any red flags

You might have to change the python version it uses, depending on your setup. Example: `#!/usr/bin/env python` to `#!/usr/bin/env python3`

https://wowana.me/git/config/acme.git/files.xht theres a (potentially outdated) snapshot of my dehydrated config + scripts i use to renew

opal: dehydrated? You mean without water?

i use dns-01 challenges

Or there's some software named dehydrated

sagaracharya, :D alternatively yeah there's https://github.com/dehydrated-io/dehydrated

i assure you im very hydrated rn

2.4k lines?! for just signing a public cert!

But dehydrated is superb wrt organization of files

1 file! Superb!!

2,4k lines of mostly boilerplate

i never called dehydrated an artistic endeavour

it's still shit

but it works

opal: Lol, yes

You seem to be a hardcore minimalist

wrt code

im a "do one thing and do it right" kind of person

opal: keep in mind wildcard certs are the only way you can have TLS protected private domain names without broadcasting them to the world

not everything i use/prefer is very minimal, but yeah i tend to lean that way

moparisthebest, oh good point thanks

opal: UNIX :)

Because of crt.sh

What is crt.sh?

moparisthebest: Very interesting. That is an important point indeed

sagaracharya: https://en.wikipedia.org/wiki/Certificate_Transparency

How can 1 generate wildcard certs?

with dns-01

i'll pull up a link

acme.sh can generate one?

Have any of you hosted opensmtpd?

https://peterbabic.dev/blog/wildcard-certificate-acme-sh/ sagaracharya

had to find that for acme.sh lol

Yes I use acme.sh for all my wildcard certs

Indeed you have to do the DNS challenge

i host my own dns so i dont know anything about this "dns api" shit

> Indeed you have to do the DNS challenge Can confirm ↺

i only modify my zone files and tell nsd to eat it up and serve it

opal: You host your own dns?

> i host my own dns so i dont know anything about this "dns api" shit Same, but bind9 has an API too ↺

sagaracharya, ``` ;; volatile.bz. IN NS ;; ANSWER SECTION: volatile.bz. 3600 IN NS lena.volatile.bz. volatile.bz. 3600 IN NS cherumin.volatile.bz. volatile.bz. 3600 IN NS uta.volatile.bz. ```

all day

opal: You were able to configure postfix! I bow down to you, O lord!!!

haha

I understand your skill level now!

postfix has too many knobs, bells, and whistles

just to send mail =D

Volatile is ipv4 only

Can't join your room

You should try OpenSMTPD, it is 10000x simpler to configure

Plus it is OpenBSD!!

>ipv4 only i have ipv6 records on everything mate

>Plus it is OpenBSD!! sounds like a reason to avoid it

Aah, then you must've blocked self signed certs

yeah thats the issue

Reason to avoid what?

sorry about that lol (but its also the case with 90% of xmpp)

i tried openbsd on my x200 and its like twice as slow as linux

and if i switch mailservers its gonna be to something like qmail, not opensmtpd

qmail is simpler in my head

Use it on alpine

You mean GNU/Linux ?

i know opensmtpd is cross-platform

im saying your vouch for it because "it's from openbsd" doesnt convince me lol

Your website is fantastic but I wish to point out 1 practical issue

Because the stuff you're competing with is WhatsApp, GMail, GitHub, free XMPP, you can attract only few users

I agree that money is required and us data security providers don't read secrets and thus don't earn money with user's data

i do this stuff because i believe in it, not because i want immediate returns

i would rather have a few interested people than a crowd of idiots who annoy me nonstop

i know my limits there

and ive dealt with it before

which is exactly *why* i take stances like that

admins get burnout and dont want to contribute to the open ecosystem because theyre just people and they get tired of dealing with other people sometimes

lol

Which city & country are you from?

if we're doing it because we care about it + the people we're helping out, it's good

best answer youre getting is usa

Yes, free software has an issue with money. I did give a talk on it at LibrePlanet 2022

nice

sagaracharya, my motivations for self-hosting are to serve myself foremost, so i'll only lose my interest in this space when i die haha

i can wait for the money, plus i can get money other ways; i have a job in any case

that part doesnt worry me much

doing things "right" concerns me

> Yes, free software has an issue with money. I did give a talk on it at LibrePlanet 2022 i agree. Most of us runs public servers with help of donations. ↺

Also most FOSS devs develops such software as hobby.

i used to run volatile as a public server but the spam's annoying to deal with

Yes, I find it unfortunate that the best folks have to rely on donation and people who take binaries, stitch them together and write absolutely bad code earn a lot.

> i used to run volatile as a public server but the spam's annoying to deal with Yess, thats something that we all should handle as sys admin. ↺

i think sagaracharya had https://wowana.me/blog/toward-a-healthier-federation.xht in mind when talking about this (if not, then it's what i had in mind at least) and it sums up why i stepped away from public-registration services

I want to complerely cure that

> I want to complerely cure that I am with you sagaracharya ↺

https://humaaraartha.in/sagar/libreplanet.html

My video tag isn't working but you can see the video at href link

>LibrePlanet removed my talk from their official videos haha thats lame of them

>My video tag isn't working i wouldnt have noticed, i have videos blocked from loading :p

It is my talk at LibrePlanet 2022 and it specifies my view of free sofyware

Lol

sagaracharya: I wish to see it

~ wowaname@mahin> mpv https://humaaraartha.in/static/videos/sagar_libreplanet_2021.webm Can't load unknown script: /home/wowaname/etc/mpv/scripts/osc.lua.dis [ffmpeg] https: HTTP error 404 Not Found oh there we go

Well yes, there's nothing there

I will correct and let you know

np

$ nslookup humaaraartha.in Server: 127.0.0.1 Address: 127.0.0.1#53 Non-authoritative answer: Name: humaaraartha.in Address: 2405:201:f:11a4:c:9ff:fe02:4510

also if the slides themselves are trivial to host (as pdf i guess) then that'd be fine too

It leads to just ipv6 kewl ✏

im glad ipv4 is going the way of the dodo

sick of dualstack

opal: That I've intentionally kept so I meet more people

;P

I suggest this trick to meet more people

:D

Check it now

Straight from the link

yep works :)

Do you want the slides?

Mail me, I'll get back

its fine if the video works

how's the weather where you are lol, it's getting hot here now

opal: Are you with the lollipop girl?

with? lol my friend drew her for me

and i drew the pic on my site

https://popnmusic.fandom.com/wiki/Pochiko

Here, it is pleasant, humid and warm as I like it

i hate the humidity lmao

Nice.

we can trade

> Mail me, I'll get back can i get the video and slides :) ↺

Tcache, https://humaaraartha.in/static/videos/sagar_libreplanet_2021.webm for vid

it works now

Its still not working for me :(

oh i viewed it through mpv fine

opal: Glad

How does buffering work on html videos?

$ mpv https://humaaraartha.in/static/videos/sagar_libreplanet_2021.webm [ffmpeg] tcp: Connection to tcp://humaaraartha.in:443 failed: Network is unreachable Failed to open https://humaaraartha.in/static/videos/sagar_libreplanet_2021.webm. [ytdl_hook] ERROR: [generic] None: Unable to download webpage: <urlopen error [Errno 101] Network is unreachable> (caused by URLError(OSError(101, 'Network is unreachable'))) [ytdl_hook] youtube-dl failed: unexpected error occurred Exiting... (Errors when loading file)

oh are you having an issue with ipv6

Within <video> tag

For IPv6, you'd have to use Tor

I mean for v4

should i just re-host it

Tcache,

opal: yess please, if you can

For slides, mail me

sagaracharya@tutanota.com

sure

https://volatile.bz/static/sagar_libreplanet_2021.webm Tcache

You could also exchange xmpp addresses and continue from there.... Even share files

if jids were public in here i'd be way ahead of you

> https://volatile.bz/static/sagar_libreplanet_2021.webm Tcache thank you opal ↺

meanwhile we'll shit up your vibe Menel :)

np

You can exchange them even via pm

yess i am aware of it Menel Thanks for pointing out. :)

i cant figure out how to whisper on gajim

It was pure joy talking to you sysadmins

happy sunday

Just let me know on the video tag buffering in html

<video controls><source src="/static/videos/sagar_libreplanet_2021.webm" type="video/webm">We were unable to load video.</video>

How does buffering work in this?

How much video is loaded?

My internet is very slow atm, since im at woods. I will download that video once im home.

sagaracharya, btw the webserver is advertising that video's content-type as text/plain, might be causing issues in browsers

http clients usually request partial content for video streaming

wget does the same with --continue flag

Type is clearly video/webm

not what curl -I telling me

Well, can you check whether my XMPP TLS cert is signed by CA now?

I used the same cert as that of my http website

Hey, y'all must know this

How do I route all 80 port requests to 443?

I use mini_httpd

http 302/307 redirect to https://url

>can you check whether no i cant since i dont know your xmpp server

and i was gonna suggest xmpp.net to check tls, but it seems down now :(

humaaraartha.in

ok

sagaracharya, i see let's encrypt when i connect; are you able to communicate with my server now

Is port a file on unix?

opal: I'm unable to, tried just now

hm

Remote server not found

My groups are unsecure though

They're self certified

why use self signed certs in 2023? LE is like 8 years old now

Did you see the video?

ya i watched it

im not the person who had issues loading it

What do you think about it?

Give me your xmpp id

wowaname@volatile.bz

I'm unable to send to you

Any msgs also, can't fetch OMEMO keys

Jul 02 19:12:27 s2sout7f831245d220 info Sending error replies for 1 queued stanzas because of failed outgoing connection to humaaraartha.in thats all i see in my logs when i try to ping that server

im going afk

ping is disabled

It won't work.

I have disabled it in config

ping is a fundamental requirement of ipv6, why would you disable it?

i said "ping" colloquially

duncan, xmpp has ping too but in any case i didnt mean either xmpp or ipv6 ping

duncan: common and dumb DDoS vector. nonresponse to icmp ping means not participating in a spoof attack

ooookay. got morph'd again.

In muc DMs from my furries general, > fisuioion a écrit : > 1. Stop using the offensive term: You loaded it with toxic trash, you yourself, your delusional making entirely (not mine), then you put your toxic trash onto me. Do not. bla, bla, bla > P.S. Don't dare to DM me, that JID is temporal. It's just made to hopefully finally stop your bad behavior. xmpp:fisuioion@conversations.im for the rtbl maybe, though furries general doesn't use rtbl? ✏

i know sending spam samples is generally considered gauche... In muc DMs from my furries general, > fisuioion a écrit : > 1. Stop using the offensive term: You loaded it with toxic trash, you yourself, your delusional making entirely (not mine), then you put your toxic trash onto me. Do not. bla, bla, bla > P.S. Don't dare to DM me, that JID is temporal. It's just made to hopefully finally stop your bad behavior. xmpp:fisuioion@conversations.im for the rtbl maybe, though furries general doesn't use rtbl? ✏

The RTBL is generally for network-wide stuff. For targeted abuse it's better to ban/block the account directly and escalate to your/their server admin if needed

sagaracharya: testssl says: Oops: TCP connect problem Unable to open a socket to [2405:201:f:11a4:c:9ff:fe02:4510]:5222. Fatal error: Can't connect to "[2405:201:f:11a4:c:9ff:fe02:4510]:5222" Same for 5269