XMPP Service Operators - 2024-07-31


  1. jjj333_p [pain.agency]

    > Make it match what you have in > nano /etc/network/interfaces > For ipv6 was finally looking into this, and i have nothing in there https://envs.sh/ilb.png

  2. jjj333_p [pain.agency]

    using null ptr instance since my http rev proxy is stopped

  3. jjj333_p [pain.agency]

    ``` root@snapshot-115842185-debian-2gb-hil-1:/home/joseph# cat /etc/network/interfaces # This file describes the network interfaces available on your system # and how to activate them. For more information, see interfaces(5) # Include files from /etc/network/interfaces.d: source /etc/network/interfaces.d/* # The loopback network interface auto lo iface lo inet loopback root@snapshot-115842185-debian-2gb-hil-1:/home/joseph# ip -6 a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000 inet6 ::1/128 scope host noprefixroute valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000 inet6 2a01:4ff:1f0:c2f2::1/64 scope global valid_lft forever preferred_lft forever inet6 fe80::9400:2ff:fe4d:986d/64 scope link valid_lft forever preferred_lft forever 4: br-2410bde0046c: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP inet6 fe80::42:86ff:fed7:4daa/64 scope link valid_lft forever preferred_lft forever 9: vethc039dcd@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP inet6 fe80::c8aa:62ff:fec6:9448/64 scope link valid_lft forever preferred_lft forever root@snapshot-115842185-debian-2gb-hil-1:/home/joseph# ```

  4. jonas’

    you need to check the files referencesd there in `source`, too

  5. jonas’

    or that

  6. jjj333_p [pain.agency]

    this is a very stupid question but how do i know which ip to read from the ip output

  7. jonas’

    ignore everything with fe80, because those are so-called link-local addresses

    👍 1
  8. jonas’

    ignore ::1, because that's loopback (think 127.0.0.1, but for IPv6)

    👍 1
  9. jjj333_p [pain.agency]

    okay seems #2 it is

  10. jonas’

    yup :)

  11. jjj333_p [pain.agency]

    https://envs.sh/ilw.png

  12. jjj333_p [pain.agency]

    okay ive added the records. i did it just after renewing my letsencrypt certs so i dont know if that was the wrong order per se but oh well

  13. jonas’

    thankfully, let's encrypt doesn't care :)

    👍 1
  14. jjj333_p [pain.agency]

    if anyone knows how to see if ipv6 only is working, feel free to test and let me know. i have both ipv4 and ipv6 here i believe

  15. jjj333_p [pain.agency]

    or at least for sure ipv4

  16. jjj333_p [pain.agency]

    and ping isnt set to work with my server

  17. jjj333_p [pain.agency]

    anyways jonas’ tysm for your help

  18. jonas’

    i can at least reach your xmpp server on port 5222 over IPv6

  19. jonas’

    and port 5269

  20. jonas’

    so there's that

  21. roughnecks

    jjj333_p [pain.agency] ``` xmpp-dns -6cfstv pain.agency failure in xmpp-client lookup: lookup _xmpp-client._tcp.pain.agency. on 127.0.0.53:53: no such host failure in xmpps-client lookup: lookup _xmpps-client._tcp.pain.agency. on 127.0.0.53:53: no such host Trying fallback ports. xmpp-client pain.agency. 5222 Priority: 0 Weight: 0 IP: 2a01:4ff:1f0:c2f2::1 Connection: [OK] StartTLS: [OK] Certificate: [OK] xmpps-client pain.agency. 5223 Priority: 0 Weight: 0 IP: 2a01:4ff:1f0:c2f2::1 Connection: [OK] TLS: [OK] Certificate: [OK] xmpps-client pain.agency. 443 Priority: 0 Weight: 0 IP: 2a01:4ff:1f0:c2f2::1 Connection: [OK] TLS: [Not OK] remote error: tls: no application protocol failure in xmpp-server lookup: lookup _xmpp-server._tcp.pain.agency. on 127.0.0.53:53: no such host failure in xmpps-server lookup: lookup _xmpps-server._tcp.pain.agency. on 127.0.0.53:53: no such host Trying fallback ports. xmpp-server pain.agency. 5269 Priority: 0 Weight: 0 IP: 2a01:4ff:1f0:c2f2::1 Connection: [OK] StartTLS: [OK] Certificate: [OK] xmpps-server pain.agency. 5270 Priority: 0 Weight: 0 IP: 2a01:4ff:1f0:c2f2::1 Connection: [OK] TLS: [OK] Certificate: [OK] ```

  22. jjj333_p [pain.agency]

    the one `TLS: [Not OK]` concerns me a little, but otherwise that seems fine. thanks =)

  23. roughnecks

    yeah. To repeat the test: https://salsa.debian.org/mdosch/xmpp-dns

    👍 1
  24. jjj333_p [pain.agency]

    tysm

  25. roughnecks

    np

  26. Martin

    Seems you're missing srv records.

  27. jonas’

    why does xmpp-dns default to direct TLS on port 443 if there are no SRV records for that?

  28. jjj333_p [pain.agency]

    oh yes, i was told those arent necessary as my domain already points to my vps

  29. jjj333_p [pain.agency]

    > oh yes, i was told those arent necessary as my domain already points to my vps i can add them if i should, i just have been too lazy

  30. Martin

    Then clients will probably only use default 5222 StartTLS as long as you don't manually configure them to use direct tls. Same for s2s. But as you set up direct tls you might also want to use it.

  31. jjj333_p [pain.agency]

    > Then clients will probably only use default 5222 StartTLS as long as you don't manually configure them to use direct tls. Same for s2s. But as you set up direct tls you might also want to use it. is there anything wrong with them using that default?

  32. Martin

    No, but l assumed you want to use direct tls as you set it up.

  33. jjj333_p [pain.agency]

    > No, but l assumed you want to use direct tls as you set it up. oh i was just told you have to? is there some other form of tls that xmpp uses?

  34. jjj333_p [pain.agency]

    (to be fair i was inducted into the xmpp cult by people i no longer talk to, and they all kinda were telling me conflicting things)

  35. jonas’

    telepath.im admin, welcome

  36. telepath.im admin

    Thank you

  37. taba

    >> No, but l assumed you want to use direct tls as you set it up. > oh i was just told you have to? is there some other form of tls that xmpp uses? jjj333_p [pain.agency]: look up STARTTLS

  38. taba

    > (to be fair i was inducted into the xmpp cult by people i no longer talk to, and they all kinda were telling me conflicting things) xmppeaking

  39. jjj333_p [pain.agency]

    > jjj333_p [pain.agency]: look up STARTTLS ah. so i should probably set up srv records. ill do that... eventually

  40. jjj333_p [pain.agency]

    > xmppeaking eh just the normal autism of online nice communities

  41. jjj333_p [pain.agency]

    our brand of autism before everything fell apart just happened to be xmpp and programming in old versions of c for whatever reason (not me personally)

  42. jonas’

    for the record: you do not need SRV records for starttls to work

  43. jjj333_p [pain.agency]

    > for the record: you do not need SRV records for starttls to work my understanding is starttls is what its using when you dont have srv records?

  44. jjj333_p [pain.agency]

    or was i misunderstanding

  45. jonas’

    starttls is used with _xmpp-server / _xmpp-client SRV records, and by default when you don't have SRV records

    👍 1
  46. jonas’

    the other variant, direct tls, is only used with _xmpps-server / _xmpps-client SRV records and is not supported by all clients and servers which may connect to your server.

  47. jonas’

    direct tls has fewer roundtrips than starttls, which may be an advantage for mobile clients on high-latency or otherwise slow links

  48. jjj333_p [pain.agency]

    > direct tls has fewer roundtrips than starttls, which may be an advantage for mobile clients on high-latency or otherwise slow links got it, makes sense

  49. ukko

    how do the srv lookups not outweight the fewer round trips?

  50. jonas’

    ukko, they can be cached.

  51. ukko

    oh

  52. jjj333_p [pain.agency]

    > how do the srv lookups not outweight the fewer round trips? i just always figured that it came with the rest of the dns information

  53. jjj333_p [pain.agency]

    no reason to assume that i just did

  54. jonas’

    nice DNS servers may actually also hand you the address records alongside the SRV response, yeah, but it's not too common.

  55. jonas’

    but caches certainly help.

  56. jjj333_p [pain.agency]

    > got it, makes sense might be something that matters to me as i live in bumfuck, pacific ocean and selfhost because most foss services are hosted in the eu which i get approx 600ms ping to

  57. jonas’

    ukko, not to mention that the SRV records must be queried regardless, because a client needs to find out first whether there even are SRV records before they can fall back to non-SRV endpoints.

    👍 1
  58. jjj333_p [pain.agency]

    even my vps (west coast usa) to eu servers is about 400-500ms ping

  59. jjj333_p [pain.agency]

    but anyways thats good to know that its realistically mostly a latency improvement more than anything

  60. jjj333_p [pain.agency]

    clarifies it in my mind

  61. Menel

    Hm also an udp dns package is more lightweight then any part of the tls handshake I guess

  62. jjj333_p [pain.agency]

    > Hm also an udp dns package is more lightweight then any part of the tls handshake I guess also often dns servers (such as clownflare) do a lot of work to reduce latency otherwise

  63. jonas’

    jjj333_p [pain.agency], well and direct TLS on port 443 tends to be easier to get through some nasty firewalls than starttls on port 5222, but whether you want to cater for those is up to you

    👍 1
  64. Menel

    Thanks to #Whatsapp, 5222 is still very good, but yeah. Nothing beats 443/tcp

  65. jjj333_p [pain.agency]

    > jjj333_p [pain.agency], well and direct TLS on port 443 tends to be easier to get through some nasty firewalls than starttls on port 5222, but whether you want to cater for those is up to you i mean so far i havent run into that problem yet i dont think, but good to know

  66. ukko

    > about 400-500ms ping you can use https://ping.pe to ping/traceroute/mtr from dozens of locations

  67. jjj333_p [pain.agency]

    actually wait, very dumb question, does direct tls being on port 443 conflict with reverse proxy? because i know i have to stop caddy to work certbot? or is it only for http traffic

  68. ukko

    you shouldn't have to stop caddy, switch to standalone plugin for certbot or let caddy handle certs itself

  69. jjj333_p [pain.agency]

    > > about 400-500ms ping > > you can use https://ping.pe to ping/traceroute/mtr from dozens of locations pretty sure i never set up ping to work, not sure how i would make it work and havent bothered to car

  70. jjj333_p [pain.agency]

    care

  71. jjj333_p [pain.agency]

    https://downloadable.pain.agency/file_share/cvM60BXcaQ70Xp3DdfbPIkmv/d8fca9ad-68f4-459a-a655-7b807ee2e46f.png

  72. jjj333_p [pain.agency]

    > you shouldn't have to stop caddy, switch to standalone plugin for certbot or let caddy handle certs itself i use standalone for the domains that are xmpp specific, and then caddy handles certs for all the others. do i add all the xmpp subdomains into caddy to be reverse proxied?

  73. jjj333_p [pain.agency]

    like ive never had to renew pain.agency because it is managed by caddy and ive had it for years. but the xmpp subdomains i figured cant be managed by caddy since caddy is only http traffic?

  74. Menel

    jjj333_p [pain.agency]: xmpp on 443 will conflict with caddy listening on 443 tcp

  75. Menel

    Two services on the same port can't work

  76. telepath.im admin

    >> >> you can use https://ping.pe to ping/traceroute/mtr from dozens of locations > pretty sure i never set up ping to work, not sure how i would make it work and havent bothered to car Allow ICMP

  77. Menel

    But I think caddy can do raw tls proxy stuff. So it could receive on port 443 for your xmpp server and serve that to the xmpp server locally on another port like 5223

  78. jjj333_p [pain.agency]

    > But I think caddy can do raw tls proxy stuff. > So it could receive on port 443 for your xmpp server and serve that to the xmpp server locally on another port like 5223 so i should just add the xmpp subdomains into caddy and tell it to redirect to the respective ports?

  79. Menel

    Something about a layer4 app in caddy is what the internet tells me. A normal reverse proxy won't work. Because the normal one is for https

  80. Menel

    https://wiki.xmpp.org/web/Tech_pages/XEP-0368#Transparent_Proxying Nobody added caddy yet here

  81. moparisthebest

    > why does xmpp-dns default to direct TLS on port 443 if there are no SRV records for that? This is what all clients and servers should be doing 🙂

  82. moparisthebest

    Also same for QUIC

  83. jonas’

    moparisthebest, that's non-standard behaviour though

  84. Menel

    But xmpp-dns only does that when you tell it to "just try stuff" right? It's a sensible assumption. Like 5223 too.

  85. jonas’

    ok

  86. Menel

    I _think_ it's the second most used xmpps_client port

  87. Trung

    we should just get rid off `ports` all together

  88. Trung

    what's the point when we just use all on the one and only 443

  89. Menel

    With ip6 we can instead just use ips and not ports true

  90. ukko

    The real issue is that HTTPS records weren't the default

  91. ukko

    No reason it should be hardcoded to 443

  92. Menel

    I'm using xmpp over 443 for clients without sslh on ipv6. Thanks to the power of so many ips 😍

  93. ukko

    Alternatively just think using onions like ogres

  94. moparisthebest

    > what's the point when we just use all on the one and only 443 Correct

  95. moparisthebest

    it should be hardcoded to 443 because that's the most likely to work, that's all

  96. Trung

    internet == 443

  97. Polarian

    >> why does xmpp-dns default to direct TLS on port 443 if there are no SRV records for that? > This is what all clients and servers should be doing 🙂 _in your opinion_

  98. Polarian

    Wasn't DirectTLS considered legacy?

  99. moparisthebest

    *the world's opinion

  100. Polarian

    until Openfire 4.8.0 I believe DirectTLS was Legacy TLS

  101. moparisthebest

    > Wasn't DirectTLS considered legacy? Xep-0368 never was, but back in 2000 when XMPP standardized as an RFC and people thought non-encrypted was ok the previous seperate hardcoded port of 5223 was deprecated in favor of starttls which was hot at the time

  102. Polarian

    >> Wasn't DirectTLS considered legacy? > Xep-0368 never was, but back in 2000 when XMPP standardized as an RFC and people thought non-encrypted was ok the previous seperate hardcoded port of 5223 was deprecated in favor of starttls which was hot at the time yet startls is the most commonly used

  103. Polarian

    id you disable startls you will struggle to peer with servers

  104. Polarian

    if you disable startls you will struggle to peer with servers

  105. Polarian

    A friend of mine learnt that the hard way...

  106. moparisthebest

    Not sure that's true anymore actually

  107. Polarian

    > A friend of mine learnt that the hard way... this was 1 year ago

  108. Polarian

    so I assume it still is

  109. Menel

    There are indeed servers not using direct tls.

  110. moparisthebest

    But yes it's unsurprising the way that's worked for 25 years is more widely supported than the 8 year old way

  111. Polarian

    > There are indeed servers not using direct tls. _cough cough_

  112. Polarian

    lets just say I got a little lazy when setting up my current server... it was a test server and then became my main server... so it uses an embedded database and only have the bare minimum setup

  113. Trung

    that's your problem

  114. Polarian

    Indeed. But I am not the only one :)

  115. Menel

    There is no harm having both, or only starttls on s2s

  116. Menel

    The handshake isn't very relevant for s2s

  117. Polarian

    Menel: servers are dropping startls s2s

  118. Polarian

    I have seen it a few times now

  119. Menel

    I've never seen it

  120. Polarian

    I assume moparisthebest *would* like to if everyone used DirectTLS

  121. Polarian

    so that the handshake is encrypted and not just the payload

  122. moparisthebest

    hosts that only allow TLS on 443 are getting more common, it's becoming more important :)

  123. Menel

    Just saying it's a no-issue currently.

  124. moparisthebest

    correct, can't do nice things like ECH with starttls

  125. Polarian

    > hosts that only allow TLS on 443 are getting more common, it's becoming more important :) Thankfully I dont need to worry about extreme firewalls like that :)

  126. Polarian

    > correct, can't do nice things like ECH with starttls almost nobody has adopted ECH

  127. moparisthebest

    You do if you need to talk to hosts over s2s behind them

  128. Menel

    I've zero servers that don't talk to mine (that I would want) currently. Well I'm preferring direct tls on ipv6 but I guess that doesn't matter

  129. Polarian

    im decommissioning my server in the coming months anyways

  130. moparisthebest

    Ech is supported by all browsers for years, it's coming along, these things move slowly

  131. moparisthebest

    Being able to move slowly in the right direction is one of the main benefits of an eXtensible standardized protocol, flag days are best avoided

  132. Polarian

    > Ech is supported by all browsers for years, it's coming along, these things move slowly server side? no

  133. taba

    > I'm using xmpp over 443 for clients without sslh on ipv6. Thanks to the power of so many ips 😍 Menel: ipv4 is a requirement

  134. taba

    doesn't work on any networks i've tried in georgia

  135. taba

    ipv6 doesn't work on any networks i've tried in georgia

  136. taba

    ipv6 doesn't work on any network i've tried in georgia

  137. Menel

    Well I'm saving the route to sslh for ipv6 with it. Ipv4 can still use 5222,5223 and 443 through sslh

  138. Menel

    Well I'm saving the route through sslh for ipv6 with it. Ipv4 can still use 5222,5223 and 443 through sslh

  139. moparisthebest

    I do the same

  140. Polarian

    > Well I'm saving the route through sslh for ipv6 with it. > Ipv4 can still use 5222,5223 and 443 through sslh I have never used sslh and havent had the need to

  141. taba

    i have

  142. taba

    just do it

  143. Polarian

    do what... I aint setting something up I dont need

  144. taba

    you must

  145. taba

    it's the only way

  146. Polarian

    to do what?

  147. Polarian

    if an XMPP server cant use ports other than 443 then they shouldnt host a server... simple!

  148. Polarian

    My university blocks IRC and XMPP... I simply dont use their network... they provide an unencrypted secondary network with no firewall and it goes through a different backhaul and isnt directly managed by the uni... or... I use mobile data... There is some efforts to try to unblock some of these services as they can affect the computing department. Plus the devices arent able to update properly as the firewall keeps dropping microsoft updater packets.

  149. Polarian

    sometimes the simpler solution is better... I dont need to use the network so i dont.

  150. Polarian

    also sshl could break contracts and TOS... resulting in legal trouble... or in my case, my education revoked (they can do that) and permanent suspension

  151. ernst.on.tour

    > if an XMPP server cant use ports other than 443 then they shouldnt host a server... simple! If you cannot configure my (our) firewall, nobody inside our company will connect your server. ... simple!!!

  152. Holger

    A server op may or may not be interested in supporting clients behind restrictive firewalls. No need to agree on a single policy here.

  153. Polarian

    as their firewall is in place to enforce their policies, bypassing it goes against your employment/education contract

  154. Polarian

    so I would actually be concerned about pushing sshl as a standard/default

  155. Polarian

    > as their firewall is in place to enforce their policies, bypassing it goes against your employment/education contract _I think I see why I am considered so boring_

  156. Polarian

    >> if an XMPP server cant use ports other than 443 then they shouldnt host a server... simple! > If you cannot configure my (our) firewall, nobody inside our company will connect your server. > ... simple!!! so if the company chooses to host said server? why would they block its ports?

  157. Polarian

    and force an extra point of failure?

  158. Holger

    Polarian. There's hotel WiFis or whatever operated by admins who believe security is increased by allowing only TLS on 443. I'd like to use XMPP from such networks so I offer TLS on 443. If the hotel admin wanted to block XMPPS on 443 then they obviously got it wrong. Not my problem. I understand you don't care about that use case. Fine then. End of story. No?

  159. Holger

    So much bikeshedding all day long ...

  160. Polarian

    > Polarian. There's hotel WiFis or whatever operated by admins who believe security is increased by allowing only TLS on 443. I'd like to use XMPP from such networks so I offer TLS on 443. If the hotel admin wanted to block XMPPS on 443 then they obviously got it wrong. Not my problem. I understand you don't care about that use case. Fine then. End of story. No? sure... but why not just use data then?

  161. Polarian

    also unless they are using deep packet inspection you can TCP VPN on 443 to a more free network, this is more versatile too :)

  162. moparisthebest

    Because it costs me and I don't want to? Or maybe it's not available there.

  163. Holger

    I doubt discussing such stuff helps anyone in here in any way.

  164. Polarian

    > also unless they are using deep packet inspection you can TCP VPN on 443 to a more free network, this is more versatile too :) also means server providers dont have to do any extra work

  165. Polarian

    > I doubt discussing such stuff helps anyone in here in any way. true... sorry.

  166. Holger

    Don't mind occasional small talk at all, but the amount reduces the value of this channel for me.

  167. ernst.on.tour

    Okay, you seems to be a 12-15year old kiddy which never worked in a company Let me explain: There are companies which block your mobil. But this companies will offer you a proxy to go through the internet. They open 80/443/.... in *their* firewall. If somebody try to connect your server, he will get no connect. If he will connect to my server (via 443 and sslh) he is able to do so. It is his (her) will to do so and I'm not the judgement.

  168. taba

    > also sshl could break contracts and TOS... resulting in legal trouble... or in my case, my education revoked (they can do that) and permanent suspension you do realize that human beings run your uni right?

  169. Polarian

    drop the topic

  170. taba

    > if an XMPP server cant use ports other than 443 then they shouldnt host a server... simple! Polarian: i allow connection to like 4 ports

  171. taba

    maybe 5

  172. Polarian

    > Okay, you seems to be a 12-15year old kiddy which never worked in a company > > Let me explain: > There are companies which block your mobil. But this companies will offer you a proxy to go through the internet. They open 80/443/.... in *their* firewall. > > If somebody try to connect your server, he will get no connect. > > If he will connect to my server (via 443 and sslh) he is able to do so. > > It is his (her) will to do so and I'm not the judgement. I do not personally agree with bypassing corporate restrictions considering it is likely a violation of your contract if caught, and even then, you are at work... you shouldnt be on XMPP, and if you want to use XMPP, use your data, why should they pay to route your packets which arent work related? Also drop the topic Also also mind your language, I will gladly admit I am not 12-15, I am quite a bit older, older than some others in this channel, do not use ageist remarks to invalidate my opinion, or to belittle me.

  173. Polarian

    On topic question I was wondering, if you use standard ports do you guys still publish SRV records?

  174. Kris

    Srv are also useful if you want addresses on the root domain, but run the actually xmpp server on a subdomain.

  175. Kris

    For various reasons, typically because they point to physically separate servers.

  176. Menel

    To see and get inspired what people use I recommend using xmpp-dns on some public servers and see

  177. Polarian

    > Srv are also useful if you want addresses on the root domain, but run the actually xmpp server on a subdomain. sorry, say you didn't... say you had the root domain as your FQDN and you are using standard ports?

  178. Menel

    Some do, some don't Polarian. Some say it's cleaner to publish anyway. The current clients and severs will work in any case

  179. Polarian

    > Some do, some don't Polarian. Some say it's cleaner to publish anyway. The current clients and severs will work in any case whats the standard on this?

  180. moparisthebest

    Polarian: RFC 6120

  181. Menel

    The rfc? You may read that yourself at xmpp.org

  182. Polarian

    > Polarian: RFC 6120 someone knows their rfcs