In order to get closer to my goal of reducing my dependence on centralized services, I decided to set up my own XMPP / Jabber server on a Linode VPS running Debian wheezy. I chose ejabberd since it was recommended by the RTC Quick Start website, and here's how I put everything together.
DNS and SSL
My personal domain is fmarier.org and so I created the following DNS records:

jabber-gw CNAME fmarier.org.
_xmpp-client._tcp SRV 5 0 5222 jabber-gw.fmarier.org.
_xmpp-server._tcp SRV 5 0 5269 jabber-gw.fmarier.org.
Then I went to get a free XMPP SSL certificate for from StartSSL. This is how I generated the CSR (Certificate Signing Request) on a high-entropy machine:
openssl req -new -newkey rsa:2048 -sha256 -nodes -out ssl.csr -keyout ssl.key -subj "/C=NZ/CN=jabber-gw.fmarier.org"
Once StartSSL issued the certificate (ssl.crt), I combined it with the private key and the StartSSL intermediate CA certificate into the single PEM file that ejabberd expects:

cat ssl.crt ssl.key sub.class1.server.ca.pem > ejabberd.pem
Install the package, using "admin" as the username for the administrative user:
apt-get install ejabberd
Set the following in /etc/ejabberd/ejabberd.yml (don't forget the trailing dots!):

acl:
  admin:
    user:
      - "admin": "fmarier.org"

hosts:
  - "fmarier.org"

auth_password_format: scram

fqdn: "jabber-gw.fmarier.org"
Copy the SSL certificate into the /etc/ejabberd/ directory and set the permissions correctly:

chown root:ejabberd /etc/ejabberd/ejabberd.pem
chmod 640 /etc/ejabberd/ejabberd.pem
Improve the client-to-server TLS configuration by adding starttls_required to this block, so that clients cannot authenticate over a plaintext connection:

listen:
  -
    port: 5222
    ip: "::"
    module: ejabberd_c2s
    certfile: "/etc/ejabberd/ejabberd.pem"
    starttls: true
    starttls_required: true
    protocol_options:
      - "no_sslv3"
    max_stanza_size: 65536
    shaper: c2s_shaper
    access: c2s
Restart the ejabberd daemon:
Create a new user account for yourself:
ejabberdctl register me fmarier.org P@ssw0rd1!
Open up the following ports on the server's firewall:

iptables -A INPUT -p tcp --dport 5222 -j ACCEPT
iptables -A INPUT -p tcp --dport 5269 -j ACCEPT
On the client side, if you use Pidgin, create a new account with the following settings in the "Basic" tab:
- Protocol: XMPP
and the following setting in the "Advanced" tab:
- Connection security: Require encryption
From this, I was able to connect to the server without clicking through any certificate warnings.
If you want to make sure that XMPP federation works, add your GMail address as a buddy to the account and send yourself a test message.
In this example, the XMPP address I give to my friends is
Finally, to ensure that your TLS settings are reasonable, use this automated tool to test both the client-to-server (c2s) and the server-to-server (s2s) flows.
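A quick way to confirm from the command line that the starttls_required setting above actually took effect is to open a plain TCP connection to port 5222, send the XMPP stream header and look for a <required/> element inside the server's STARTTLS feature advertisement. The script below is an added example written for this post, not the author's code or an ejabberd tool; the host and domain names are command-line arguments, and the embedded sample greeting is constructed by hand rather than captured from a live server.

```python
import socket
import sys
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"


def stream_header(domain):
    """Client stream opening (RFC 6120 section 4.7); 'to' is the XMPP domain, not the host."""
    return ("<?xml version='1.0'?><stream:stream to='%s' version='1.0' "
            "xmlns='jabber:client' xmlns:stream='%s'>" % (domain, STREAM_NS)).encode()


def starttls_status(raw):
    """Classify the STARTTLS advertisement in a server greeting as 'required',
    'optional' or 'absent'. The greeting starts with an unclosed <stream:stream>
    element, so only the <stream:features> fragment is parsed, wrapped in a root
    that declares the stream namespace prefix."""
    text = raw.decode("utf-8", errors="replace")
    start, end = text.find("<stream:features"), text.find("</stream:features>")
    if start < 0 or end < 0:
        raise ValueError("no complete <stream:features> in server greeting")
    fragment = text[start:end + len("</stream:features>")]
    root = ET.fromstring("<r xmlns:stream='%s'>%s</r>" % (STREAM_NS, fragment))
    starttls = root.find("{%s}features/{%s}starttls" % (STREAM_NS, TLS_NS))
    if starttls is None:
        return "absent"
    return "required" if starttls.find("{%s}required" % TLS_NS) is not None else "optional"


def check_c2s(host, domain, port=5222, timeout=5.0):
    """Connect in the clear, send the stream header and read until the features arrive."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(stream_header(domain))
        buf = b""
        while b"</stream:features>" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
        return starttls_status(buf)


# Constructed sample greeting (not captured from a real server), shaped like what
# ejabberd sends on port 5222 when starttls_required is enabled.
SAMPLE_REQUIRED = (
    b"<?xml version='1.0'?><stream:stream xmlns='jabber:client' "
    b"xmlns:stream='http://etherx.jabber.org/streams' id='constructed' "
    b"from='fmarier.org' version='1.0'><stream:features>"
    b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>"
    b"</stream:features>"
)

if __name__ == "__main__":
    # usage: python check_starttls.py jabber-gw.fmarier.org fmarier.org
    print(check_c2s(sys.argv[1], sys.argv[2]))
```

If the script prints anything other than "required", clients that ignore the certificate warning could still log in over plaintext, so re-check the listen block and restart ejabberd.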