Difference between revisions of "Linux ejabberd"
(→Setup SSL (Custom)) |
|||
| (28 intermediate revisions by the same user not shown) | |||
| Line 5: | Line 5: | ||
https://github.com/processone/ejabberd | https://github.com/processone/ejabberd | ||
| + | ejabberd does not store messages on the server. There are mods available to do this called Message Archive Management (aka MAM). | ||
| + | |||
| + | Offline messages there is a mod to store these messages, mod_offline. | ||
| + | |||
| + | == Install == | ||
| + | OSX - I just downloaded the installer and app. | ||
| + | |||
| + | Fedora | ||
| + | # yum install ejabberd | ||
| + | |||
| + | == Startup == | ||
| + | To start, stop, status, restart | ||
| + | # ejabberdctl start | ||
| + | |||
| + | There is no auto startup script for ejabberd for Fedora if you google around you can find one. | ||
== Config == | == Config == | ||
| Line 15: | Line 30: | ||
Turned off user registration. Switch 'allow' to 'deny'. You will need to register users before turning this off. | Turned off user registration. Switch 'allow' to 'deny'. You will need to register users before turning this off. | ||
{access, register, [{deny, all}]}. | {access, register, [{deny, all}]}. | ||
| + | |||
| + | TTLS - I needed to enable TTLS to be able to communicate between servers. To get this working correctly I also needed to uncomment out the pem cert. | ||
| + | {s2s_use_starttls, true}. | ||
| + | |||
| + | {s2s_certfile, "/etc/ejabberd/ejabberd.pem"} | ||
| + | |||
| + | Added my user to the list of admin users. | ||
| + | {acl, admin, {user, "myusername", "johnfreier.com"}}. | ||
| + | |||
== Register an account CLI == | == Register an account CLI == | ||
This is how you register an account. | This is how you register an account. | ||
# ejabberdctl register myuser johnfreier.com password | # ejabberdctl register myuser johnfreier.com password | ||
| + | |||
| + | |||
| + | == File Locations == | ||
| + | Configs | ||
| + | /etc/ejabberd/* | ||
| + | |||
| + | Logs | ||
| + | /var/log/ejabberd/* | ||
| + | |||
| + | == Web Admin URL == | ||
| + | If you choose to use the web admin interface. | ||
| + | |||
| + | http://yourdomain:5280/admin/ | ||
| + | |||
| + | == Ports == | ||
| + | When ejabber is started by default it opens the following ports from nmap. | ||
| + | |||
| + | 5222/tcp open xmpp-client | ||
| + | 5269/tcp open xmpp-server | ||
| + | 5280/tcp open xmpp-bosh | ||
| + | |||
| + | 5222 - standard port for clients to connect to. | ||
| + | 5269 - standard port for servers to connect to. | ||
| + | 5280 - is the same port as the web admin interface but when the webadmin interface is disabled this is still open?? | ||
| + | |||
| + | After reading I heard about these ports. | ||
| + | 4369 - I believe this port is used for the ./ejabberctl to talk to the server. | ||
| + | |||
| + | Might want to block port 4369 and 5280. | ||
| + | |||
| + | # iptables -I INPUT ! -i lo -p tcp --dport 4369 -j DROP | ||
| + | # iptables -A INPUT -p tcp --dport 5280 -j DROP | ||
| + | |||
| + | The first line will block all but localhost because 4369 is needed for localhost only | ||
| + | |||
| + | == Server 2 Server (S2S) == | ||
| + | This is a feature that allows servers to talk to other servers. | ||
| + | |||
| + | Config properties that prefix with s2s_* are configurations with Server 2 Server. | ||
| + | |||
| + | To disable this feature look for and comment out. | ||
| + | ejabberd_s2s_in | ||
| + | |||
| + | == Setup SSL (StartSSL) == | ||
| + | *Attempt not yet verified. | ||
| + | |||
| + | Created a Free account at https://www.startssl.com and register the domain name. Follow the instructions it will ask to run an openSSL command. | ||
| + | example.key | ||
| + | example.csr | ||
| + | |||
| + | Download the zip it offers. | ||
| + | 1_Intermeditate.crt | ||
| + | 2_example.com.crt | ||
| + | root.crt | ||
| + | |||
| + | Concatenated them to create a PEM | ||
| + | # cat 2_example.com.crt example.key root.crt >ejabberd.pem | ||
| + | |||
| + | Chmod the file | ||
| + | # chmod 400 ejabberd.pem | ||
| + | |||
| + | Remove the password prompt from the key. | ||
| + | # openssl rsa -in ejabberd.pem -out newejabberd.pem | ||
| + | # openssl x509 -in ejabberd.pem >>newejabberd.pem | ||
| + | |||
| + | Copy the pem | ||
| + | # cp ./newejabberd.pem /etc/ejabberd/ejabberd.pem | ||
| + | |||
| + | Uncomment config file | ||
| + | {5222, ejabberd_c2s, [ | ||
| + | {certfile, "/etc/ejabberd/ejabberd.pem"}, starttls, | ||
| + | {access, c2s}, | ||
| + | {shaper, c2s_shaper}, | ||
| + | {max_stanza_size, 65536} | ||
| + | ]}, | ||
| + | |||
| + | {s2s_use_starttls, true}. | ||
| + | |||
| + | {s2s_certfile, "/etc/ejabberd/ejabberd.pem"}. | ||
| + | |||
| + | Restart | ||
| + | # ejabberdctl restart | ||
| + | |||
| + | Resource | ||
| + | http://hyperstruct.net/2007/06/20/installing-the-startcom-ssl-certificate-in-ejabberd/ | ||
| + | |||
| + | == Setup SSL (Custom) == | ||
| + | * This way will alert when connecting that the certificate cannot be validated. | ||
| + | |||
| + | Generate Key Pair | ||
| + | # openssl req -new -x509 -newkey rsa:1024 -days 3650 -keyout privkey.pem -out server.pem | ||
| + | |||
| + | you will be prompted for a passphrase and a bunch of questions. | ||
| + | |||
| + | Common Name is the domain name. | ||
| + | |||
| + | Remove the passphrase | ||
| + | # openssl rsa -in privkey.pem -out privkey.pem | ||
| + | |||
| + | Combine the Private and Public Key | ||
| + | # cat privkey.pem >> server.pem | ||
| + | |||
| + | Move Key | ||
| + | # mv server.pem /usr/local/etc/jabberd/server.pem | ||
| + | |||
| + | Set Permissions | ||
| + | # chmod 640 /usr/local/etc/jabberd/server.pem | ||
| + | |||
| + | Resource | ||
| + | http://www.jabberdoc.org/app_sslkey.html | ||
| + | |||
| + | == Resources == | ||
| + | http://michael-prokop.at/blog/2007/07/27/setting-up-your-own-jabber-server-ejabberd/ | ||
| + | https://www.digitalocean.com/community/tutorials/how-to-install-ejabberd-xmpp-server-on-ubuntu | ||
| + | https://docs.ejabberd.im/admin/guide/installation/ | ||
| + | http://louwrentius.com/setting-up-a-jabber-instant-messaging-server-_http-title-site-doesnt-have-a-title-texthtml-charsetutf-8.html | ||
Latest revision as of 10:42, 18 May 2016
ejabberd is an open source platform built on Jabber/XMPP.
XMPP (Extensible Messaging and Presence Protocol)
https://github.com/processone/ejabberd
ejabberd does not store messages on the server. There are mods available to do this called Message Archive Management (aka MAM).
Offline messages there is a mod to store these messages, mod_offline.
Contents
Install
OSX - I just downloaded the installer and app.
Fedora
# yum install ejabberd
Startup
To start, stop, status, restart
# ejabberdctl start
There is no auto startup script for ejabberd for Fedora if you google around you can find one.
Config
Host - Updated the host to include my domain.
{hosts, ["localhost", "johnfreier.com"]}.
Turned off the web admin interface
%%web_admin
Turned off user registration. Switch 'allow' to 'deny'. You will need to register users before turning this off.
{access, register, [{deny, all}]}.
TTLS - I needed to enable TTLS to be able to communicate between servers. To get this working correctly I also needed to uncomment out the pem cert.
{s2s_use_starttls, true}.
{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}
Added my user to the list of admin users.
{acl, admin, {user, "myusername", "johnfreier.com"}}.
Register an account CLI
This is how you register an account.
# ejabberdctl register myuser johnfreier.com password
File Locations
Configs
/etc/ejabberd/*
Logs
/var/log/ejabberd/*
Web Admin URL
If you choose to use the web admin interface.
Ports
When ejabber is started by default it opens the following ports from nmap.
5222/tcp open xmpp-client 5269/tcp open xmpp-server 5280/tcp open xmpp-bosh
5222 - standard port for clients to connect to. 5269 - standard port for servers to connect to. 5280 - is the same port as the web admin interface but when the webadmin interface is disabled this is still open??
After reading I heard about these ports.
4369 - I believe this port is used for the ./ejabberctl to talk to the server.
Might want to block port 4369 and 5280.
# iptables -I INPUT ! -i lo -p tcp --dport 4369 -j DROP # iptables -A INPUT -p tcp --dport 5280 -j DROP
The first line will block all but localhost because 4369 is needed for localhost only
Server 2 Server (S2S)
This is a feature that allows servers to talk to other servers.
Config properties that prefix with s2s_* are configurations with Server 2 Server.
To disable this feature look for and comment out.
ejabberd_s2s_in
Setup SSL (StartSSL)
- Attempt not yet verified.
Created a Free account at https://www.startssl.com and register the domain name. Follow the instructions it will ask to run an openSSL command.
example.key example.csr
Download the zip it offers.
1_Intermeditate.crt 2_example.com.crt root.crt
Concatenated them to create a PEM
# cat 2_example.com.crt example.key root.crt >ejabberd.pem
Chmod the file
# chmod 400 ejabberd.pem
Remove the password prompt from the key.
# openssl rsa -in ejabberd.pem -out newejabberd.pem # openssl x509 -in ejabberd.pem >>newejabberd.pem
Copy the pem
# cp ./newejabberd.pem /etc/ejabberd/ejabberd.pem
Uncomment config file
{5222, ejabberd_c2s, [
{certfile, "/etc/ejabberd/ejabberd.pem"}, starttls,
{access, c2s},
{shaper, c2s_shaper},
{max_stanza_size, 65536}
]},
{s2s_use_starttls, true}.
{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.
Restart
# ejabberdctl restart
Resource
http://hyperstruct.net/2007/06/20/installing-the-startcom-ssl-certificate-in-ejabberd/
Setup SSL (Custom)
- This way will alert when connecting that the certificate cannot be validated.
Generate Key Pair
# openssl req -new -x509 -newkey rsa:1024 -days 3650 -keyout privkey.pem -out server.pem
you will be prompted for a passphrase and a bunch of questions.
Common Name is the domain name.
Remove the passphrase
# openssl rsa -in privkey.pem -out privkey.pem
Combine the Private and Public Key
# cat privkey.pem >> server.pem
Move Key
# mv server.pem /usr/local/etc/jabberd/server.pem
Set Permissions
# chmod 640 /usr/local/etc/jabberd/server.pem
Resource
http://www.jabberdoc.org/app_sslkey.html
Resources
http://michael-prokop.at/blog/2007/07/27/setting-up-your-own-jabber-server-ejabberd/ https://www.digitalocean.com/community/tutorials/how-to-install-ejabberd-xmpp-server-on-ubuntu https://docs.ejabberd.im/admin/guide/installation/ http://louwrentius.com/setting-up-a-jabber-instant-messaging-server-_http-title-site-doesnt-have-a-title-texthtml-charsetutf-8.html
