new | ask | show | jobs
yosamino 10 hours ago  [ - ]

I've run an XMPP server in various states of professionalism for around 20 years now. From mom's basement all the way to a colocated server with a similar setup that's described in the post.

The only caveat I have not been able to solve is hosting an xmpp server for a different domain, like it's possible with email.

A client connecting the account joe.doe@example.ORG will find the server it wants to connect to via SRV to be , e.g., xmpp14.example.COM and expect a TLS certificate for "example.ORG" which that server does not have (nor can/should easily get) - which makes sense in a lot of ways, but limits the ways one can offer hosting services.

If anyone has creative solutions I'm all ears.

nicoco 9 hours ago  [ - ]

I know at least two services that offer hosting with your own domain: https://my.snikket.org/ and https://account.conversations.im/domain/ so I suppose it is not that complex to setup.

yosamino 9 hours ago  [ - ]

Correct, but that means you cannot share that domain securely with, let's say, a website. No ?

nicoco 4 hours ago  [ - ]

TBH I am not well-versed into DNS and certificates and security, but I guess you have to trust your provider with a certificate for `example.com` if you allow them to manage JIDs of the form `anything@example.com`, indeed. Again, I am not very knowledgeable about the subject, so take this with a grain of salt.

singpolyma3 9 hours ago  [ - ]

You need a certificate for the domain you are going to serve of course. You can get one with ACME DNS challenges pretty easily (I have my clients set up a CNAME for the _acme-challenge subdomain of their domain).

yosamino 9 hours ago  [ - ]

I worded that poorly.

Yes, that is of course correct. But that means that your clients have to trust you without technical safeguards, that you will not use this to get for certificates for purposes other than XMPP.

Which, in my mind, is a problem if the domain is not used just for XMPP, but lets say for a website as well.

Joe_Cool 8 hours ago  [ - ]

You should be able to do that via DNS SRV entries.

  _xmpp-client._tcp.domain.tld. TTL IN SRV priority weight port target
  _xmpps-client._tcp.domain.tld. TTL IN SRV priority weight port target

  example:
  _xmpp-client._tcp.not-my-domain.com. 3599 IN SRV 5 0 5222 jabber.my-domain.com.
You could also build a reverse proxy setup. Then you wouldn't need the keys to the SSL certs. But that is probably overkill to run at your client: https://wiki.xmpp.org/web/Tech_pages/XEP-0368

I don't think I have seen a client complain about the cert being for jabber.my-domain.com Which one is giving trouble there?

source: https://datatracker.ietf.org/doc/html/rfc6120

https://wiki.xmpp.org/web/SRV_Records

yosamino 6 hours ago  [ - ]

> Which one is giving trouble there?

Probably all of them.

Section 5.4.3.1

  > The receiving entity SHOULD choose which certificate to present
  > based on the domainpart contained in the 'to' attribute of the
  > initial stream header (in essence, this domainpart is
  > functionally equivalent to the Server Name Indication defined for
  > TLS in [TLS-EXT]).
and 13.7.2 says

  > Once the identity of the stream peer has been validated, the
  > validating entity SHOULD also correlate the validated identity with
  > the 'from' address (if any) of the stream header it received from the
  > peer.  If the two identities do not match, the validating entity
  > SHOULD terminate the connection attempt (however, there might be good
  > reasons why the identities do not match, as described under
  > Section 4.7.1).
You can manually set a server in most clients, and I don't know how that is generally implemented. I guess that should work then.

But if you serve a certificate for jabber.example.com for a user trying to connect to an account user@example.com using SRV records then that mismatch will give you at least a certificate warning popup. And for good reason too: How would a user verify that a certificate

abcde.1234.jabber.freshhosting.donut

is valid for the account joe.doe@example.com ?

singpolyma3 29 minutes ago  [ - ]

Yes there is a new DNS challenge coming which will make this even easier.

fluoridation 6 hours ago  [ - ]

I've always just used self-signed certificates. On first connect, the client will ask the user to trust your CA. There's no real difference in terms of security.