In order to get closer to my goal of reducing my dependence on centralized services, I decided to setup my own XMPP / Jabber server on a Linode VPS running Debian wheezy. I chose ejabberd since it was recommended by the RTC Quick Start website and here's how I put everything together.


My personal domain is and so I created the following DNS records:

jabber-gw            CNAME
_xmpp-client._tcp    SRV      5 0 5222
_xmpp-server._tcp    SRV      5 0 5269

Then I went to get a free XMPP SSL certificate for from StartSSL. This is how I generated the CSR (Certificate Signing Request) on a high-entropy machine:

openssl req -new -newkey rsa:2048 -nodes -out ssl.csr -keyout ssl.key -subj "/C=NZ/"

I downloaded the signed certificate as well as the StartSSL intermediate certificate and combined them this way:

cat ssl.crt ssl.key > ejabberd.pem

ejabberd installation

Installing ejabberd on Debian is pretty simple and I mostly followed the steps on the Ubuntu wiki with an additional customization to solve the Pidgin "Not authorized" connection problems.

  1. Install the package, using "admin" as the username for the administrative user:

    apt-get install ejabberd
  2. Set the following in /etc/ejabberd/ejabberd.cfg (don't forget the trailing dots!):

    {acl, admin, {user, "admin", ""}}.
    {hosts, [""]}.
    {fqdn, ""}.
  3. Copy the SSL certificate into the /etc/ejabberd/ directory and set the permissions correctly:

    chown root:ejabberd /etc/ejabberd/ejabberd.pem
    chmod 640 /etc/ejabberd/ejabberd.pem
  4. Improve the client-to-server TLS configuration by adding starttls_required to this block:

        {5222, ejabberd_c2s, [
          {access, c2s},
          {shaper, c2s_shaper},
          {max_stanza_size, 65536},
          {certfile, "/etc/ejabberd/ejabberd.pem"}
  5. Restart the ejabberd daemon:

    /etc/init.d/ejabberd restart
  6. Create a new user account for yourself:

    ejabberdctl register me P@ssw0rd1!
  7. Open up the following ports on the server's firewall:

    iptables -A INPUT -p tcp --dport 5222 -j ACCEPT
    iptables -A INPUT -p tcp --dport 5269 -j ACCEPT

Client setup

On the client side, if you use Pidgin, create a new account with the following settings in the "Basic" tab:

  • Protocol: XMPP
  • Username: me
  • Domain:
  • Password: P@ssw0rd1!

and the following setting in the "Advanced" tab:

  • Connection security: Require encryption

From this, I was able to connect to the server without clicking through any certificate warnings.


If you want to make sure that XMPP federation works, add your GMail address as a buddy to the account and send yourself a test message.

In this example, the XMPP address I give to my friends is

Finally, to ensure that your TLS settings are reasonable, use this automated tool to test both the client-to-server (c2s) and the server-to-server (s2s) flows.

Better alternatives...

Personally I'd suggest prosody rather than ejabberd which (IMO) is a pain to install and configure.

If you want something ejabberd-ish then there's also the project which was forked from ejabberd and has implemented many new (and working) features.

Comment by Steven Watkin
comment 2
I found the opposite - that ejabberd was much easier than both Prosody and Mongoose.IM to set up (Mongoose is probably easy on Debian/Ubuntu, but on Amazon Linux the dependencies are harder to install).
Comment by Anonymous