XMPP audio and video calls

Ejabberd has supported STUN/TURN for quite some time now; this, in conjunction with client support, can be used to implement one-on-one audio and video calls. Since version 2.8.0 the Conversations Android client has offered audio and video call functionality by leveraging STUN/TURN and XEP-0215. The rest of the XMPP world is following the route they opened, so I expect iOS and desktop XMPP clients to finally implement these new features too in the upcoming months. Enabling audio and video calls in Ejabberd is actually pretty simple. Provided you have installed the latest release (version 20.04), edit ejabberd.yml: …


Nginx and XMPP over TLS

XMPP over TLS (formerly XEP-0368) is a clever mechanism that allows users to connect to an XMPP server from networks that restrict outgoing traffic to specific ports only; the restriction is circumvented by routing XMPP traffic via TCP port 443. If the server hosts only an XMPP server, setting up XMPP over TLS is pretty easy: just instruct the server to listen on port 443. If the server also runs a webserver listening on port 443 things are a bit more complicated; luckily Nginx provides a way to manage XMPP traffic and redirect it to the XMPP server. …


Ejabberd HTTP File Upload (XEP-0363)

The XMPP HTTP File Upload extension (formerly XEP-0363) provides a way to share files between XMPP clients; it works transparently, even in multi-user chats. The sender uploads a file to an HTTP(S) server, which then generates a URI; this URI is sent to each recipient, who can then download the file. The interesting bits about this XEP are various:

1. File sharing now works even in multi-user chats (MUC); in any case the file is only uploaded a single time even if there is more than one recipient.
2. Peer-to-peer file transfer, be it in-band (XEP-0234: Jingle File Transfer) or out-of-band (XEP-0065: SOCKS5 Bytestreams), is slow, unreliable, does not work in MUC and does not work if the recipient is offline.
3. HTTP File Upload supports both client-server encryption (HTTPS) and end-to-end encryption when used in conjunction with OMEMO encryption (as of today this is supported by Conversations on Android and the Gajim desktop client).
   3.1. When using OMEMO encryption the files are stored encrypted on the server; this makes it impossible for ejabberd to create a thumbnail if the file sent is a picture.
To enable the HTTP File Upload module with HTTPS enabled in ejabberd, edit the ejabberd.yml configuration file:

    listen:
      -
        port: 5443
        ip: "0.0.0.0"
        module: ejabberd_http
        request_handlers:
          "upload": mod_http_upload
        tls: true
        protocol_options: 'TLS_OPTIONS'
        dhfile: 'DH_FILE'
        ciphers: 'TLS_CIPHERS'

    modules:
      mod_http_upload:
        docroot: "/home/ejabberd/upload" # this must be a valid path, user ownership and SELinux flags must be set accordingly
        put_url: "https://@HOST@:5443/upload"
        access: local
        max_size: 25000000 #25 MByte
        thumbnail: false
        file_mode: "0644"
        dir_mode: "0744"
      mod_http_upload_quota:
        max_days: 2

    shaper:
      soft_upload_quota:
        - 250: all # MiB
      hard_upload_quota:
        - 10000: all # MiB

    define_macro:
      'TLS_CIPHERS': "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
      'TLS_OPTIONS':
        - "no_sslv2, no_sslv3, no_tlsv1"
        - "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
        - "no_compression"
      'DH_FILE': "/usr/local/etc/ejabberd/dhparams.pem" # generated with: openssl dhparam -out dhparams.pem 4096

Add an iptables rule to allow traffic coming from port TCP 5443: …


Automating Ejabberd upgrade procedure with Ansible

CentOS repos (both official and EPEL) do not provide an up-to-date version of Ejabberd; installing from source is the only way if one wants or needs a version from this century. The problem is that doing things manually is never a good idea; luckily Ansible and a bit of Python love come to the rescue. Supposing Ejabberd is already installed and configured (I wrote a post on the subject a couple of years ago: https://uwot.eu/ejabberd-xmpp-server-configuration-guide//), the following Ansible script will take care of all the steps needed to upgrade to a newer version of Ejabberd …


ejabberd and fail2ban

Fail2ban is a useful tool capable of mitigating brute-force attacks performed against a multitude of services (ejabberd in our case). Its configuration is split across several files: jail.conf defines which filters are active, while the filter scripts are placed in the filter.d directory.

    [root@CentOS ~]# vi /etc/fail2ban/jail.conf
    ---
    bantime = 1200
    findtime = 1200
    maxretry = 10
    backend = auto

    [ejabberd-auth]
    enabled = true
    port = 5222,5280,7777
    action = iptables-multiport[name=ejabberd, port="5222,5269,5280,777", protocol=tcp]
    logpath = /var/log/ejabberd/ejabberd.log
    ---

    [root@CentOS ~]# vi /etc/fail2ban/filter.d/ejabberd-auth.conf
    ---
    [Definition]
    failregex = ^=INFO REPORT==== ===\nI\(<0\.\d+\.0>:ejabberd_c2s:\d+\) : \([^)]+\) Failed authentication for .+ from IP <HOST> \({{(?:\d+,){3}\d+},\d+}\)$
                ^(?:\.\d+)? \[info\] <0\.\d+\.\d>@ejabberd_c2s:wait_for_feature_request:\d+ \([^\)]+\) Failed authentication for \S+ from IP <HOST>$
                ^.* Failed authentication for \S+ from <HOST>$
                ^.* from <<"<HOST>">> failed with error: <<"inexistent-account">>$
                ^.* from <<"<HOST>">> failed with error: <<"bad-password">>$
                ^.* from <<"<HOST>">> failed with error: <<"badformed-jid">>$
    ignoreregex =

    [Init]
    journalmatch =
    ---

The first two regular expressions are for user authentication, while the others are for administration panel login. Other useful commands are: …


ejabberd SOCKS5 proxy – file transfer

The Ejabberd XMPP server includes a SOCKS5 proxy; setting it up correctly is what makes the difference between fast and very slow file transfers. As per XEP-0065, file transfer is either peer-to-peer or mediated by a proxy server. In Conversations, peer-to-peer transfer is done by converting the file to base64 and splitting it into 4 kB chunks sent one at a time, each waiting for the ACK of the previous one; this makes the whole process painfully slow and bandwidth-hungry. The other file transfer method supported by Conversations is defined by XEP-0234 (Jingle File Transfer), which relies on a SOCKS5 proxy and also allows negotiating parameters like encryption. Ejabberd configuration: …


ejabberd XMPP server configuration guide

I will be keeping this post up to date to keep track of how to configure and maintain an ejabberd server that works efficiently and securely. I strongly advise any reader to read carefully what is written here and not just copy-and-paste the configuration file. My blog also contains a bunch of other posts regarding ejabberd that are worth a look; use the search form.

Server
    CentOS 7.5.1804 x86_64
    Erlang/OTP 21.1.1-1 x86_64
    ejabberd 18.09
Client
    LineageOS 15.1 (Android Nougat)
    Conversations 2.3.5+fcr

.:. Installation and initial configuration

Download and install erlang (release numbers here may not be up to date): …
