Feeding the Cloud: pages tagged xmpp (https://feeding.cloud.geek.nz/tags/xmpp/), feed generated by ikiwiki, updated 2023-10-25T03:12:43Z
Running your own XMPP server on Debian or Ubuntu
https://feeding.cloud.geek.nz/posts/running-your-own-xmpp-server-debian-ubuntu/
<a href="https://creativecommons.org/licenses/by-sa/4.0/">Creative Commons Attribution-ShareAlike 4.0 International License</a>
Updated 2023-10-25T03:12:43Z, published 2014-01-02T03:45:00Z
<p>In order to get closer to my goal of reducing my dependence on centralized
services, I decided to set up my own XMPP / Jabber server on a server
running <a href="http://www.debian.org/releases/buster/">Debian buster</a>. I chose
<a href="http://www.ejabberd.im/">ejabberd</a> since it was recommended by the
<a href="http://www.rtcquickstart.org/">RTC Quick Start</a> website, and here's how I
put everything together.</p>
<h1 id="DNS_and_SSL">DNS and SSL</h1>
<p>My personal domain is <code>fmarier.org</code> and so I created the following DNS
records:</p>
<pre><code>jabber-gw CNAME fmarier.org.
_xmpp-client._tcp SRV 5 0 5222 jabber-gw.fmarier.org.
_xmpp-server._tcp SRV 5 0 5269 jabber-gw.fmarier.org.
</code></pre>
<p>Then I went to get a free TLS certificate for the above.</p>
<h2 id="Let.27s_Encrypt">Let's Encrypt</h2>
<p>The easiest way to get a certificate is to install <a href="https://certbot.eff.org/">certbot</a>:</p>
<pre><code>apt install certbot python3-certbot-apache
</code></pre>
<p>Then, shut down your existing web server if you have one running and request
a cert like this:</p>
<pre><code>certbot --duplicate certonly --apache -d jabber-gw.fmarier.org -d fmarier.org
</code></pre>
<p>Once you have the cert, you can merge the private and public keys
into the file that ejabberd expects:</p>
<pre><code>cat /etc/letsencrypt/live/jabber-gw.fmarier.org/privkey.pem /etc/letsencrypt/live/jabber-gw.fmarier.org/fullchain.pem > ejabberd.pem
</code></pre>
<p>and then restart the service:</p>
<pre><code>systemctl restart ejabberd.service
</code></pre>
<p>I wrote a <a href="https://feeding.cloud.geek.nz/posts/automatically-renewing-letsencrypt-certs-on-debian-using-certbot/">cronjob to renew this certificate automatically using certbot</a>.</p>
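<p>Because the merged <code>ejabberd.pem</code> now contains the private key, it is worth verifying the result before handing it to the daemon: the key block must be present and first, <code>fullchain.pem</code> must actually have been appended, and the file must not be world-readable. The following is an added example (not code from the post or from ejabberd) that performs exactly those checks; the PEM bodies are constructed dummy base64, not real keys or certificates, and ownership (<code>root:ejabberd</code>) is left to <code>chown</code> and not checked here.</p>

```python
"""Sanity-check a merged ejabberd.pem (private key followed by the full chain).
Added example: verifies block order/presence and file mode on constructed input."""
import os
import re
import stat
import tempfile

# One PEM block: label, body, and the matching END line (label must repeat).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)

# Constructed sample blocks with dummy base64 bodies; NOT real key material.
KEY_BLOCK = "-----BEGIN PRIVATE KEY-----\nZHVtbXkga2V5\n-----END PRIVATE KEY-----\n"
LEAF_BLOCK = "-----BEGIN CERTIFICATE-----\nZHVtbXkgbGVhZg==\n-----END CERTIFICATE-----\n"
CHAIN_BLOCK = "-----BEGIN CERTIFICATE-----\nZHVtbXkgaW50ZXJtZWRpYXRl\n-----END CERTIFICATE-----\n"

GOOD_PEM = KEY_BLOCK + LEAF_BLOCK + CHAIN_BLOCK         # cat privkey.pem fullchain.pem
CERT_ONLY_PEM = LEAF_BLOCK + CHAIN_BLOCK                # privkey.pem was forgotten
WRONG_ORDER_PEM = LEAF_BLOCK + CHAIN_BLOCK + KEY_BLOCK  # arguments to cat swapped


def pem_block_labels(text: str) -> list:
    """Labels of the PEM blocks in file order, e.g. ['PRIVATE KEY', 'CERTIFICATE']."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def check_merged_pem(text: str) -> list:
    """Return a list of problems with the file content; an empty list means OK."""
    labels = pem_block_labels(text)
    keys = [label for label in labels if label.endswith("PRIVATE KEY")]
    certs = [label for label in labels if label == "CERTIFICATE"]
    problems = []
    if len(keys) != 1:
        problems.append(f"expected exactly one private key block, found {len(keys)}")
    if not certs:
        problems.append("no CERTIFICATE block: fullchain.pem was not appended")
    if keys and labels and not labels[0].endswith("PRIVATE KEY"):
        problems.append("private key is not the first block (cat privkey.pem first)")
    return problems


def check_pem_permissions(path: str) -> list:
    """The file holds a private key: refuse any 'other' access and group write."""
    mode = os.stat(path).st_mode
    problems = []
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        problems.append("file is world-readable or world-writable; chmod 640")
    if mode & stat.S_IWGRP:
        problems.append("file is group-writable")
    return problems


def demo_permissions(mode: int) -> list:
    """Write GOOD_PEM to a temporary file with the given mode and check it."""
    fd, path = tempfile.mkstemp(suffix=".pem")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(GOOD_PEM)
        os.chmod(path, mode)
        return check_pem_permissions(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for name, text in (("good", GOOD_PEM), ("cert-only", CERT_ONLY_PEM),
                       ("wrong-order", WRONG_ORDER_PEM)):
        print(name, check_merged_pem(text) or "OK")
    print("mode 0644:", demo_permissions(0o644))
    print("mode 0640:", demo_permissions(0o640) or "OK")
```

To check a real file, read it with <code>open(path).read()</code>, pass the text to <code>check_merged_pem</code> and the path to <code>check_pem_permissions</code>; both return an empty list when everything is in order.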
<h1 id="ejabberd_installation">ejabberd installation</h1>
<p>Installing ejabberd on Debian is pretty simple and I mostly followed the
<a href="https://help.ubuntu.com/community/SettingUpJabberServer">steps on the Ubuntu wiki</a>
with an
<a href="http://www.die-welt.net/2013/05/wheezy-ejabberd-pidgin-and-srv-records/">additional customization</a>
to solve the <a href="http://pidgin.im">Pidgin</a> "Not authorized" connection problems.</p>
<ol>
<li><p>Install the <a href="http://packages.debian.org/stable/ejabberd">package</a>, using
"admin" as the username for the administrative user:</p>
<pre><code>apt install ejabberd
</code></pre></li>
<li><p>Set the following in <code>/etc/ejabberd/ejabberd.yml</code>:</p>
<pre><code>acl:
  admin:
    user:
      - "admin@fmarier.org"
hosts:
  - "fmarier.org"
auth_password_format: scram
auth_scram_hash: sha512
fqdn: "jabber-gw.fmarier.org"
listen:
  -
    port: 3478
    ip: "::"
    transport: udp
    module: ejabberd_stun
    use_turn: false
</code></pre></li>
<li><p>Copy the SSL certificate into the <code>/etc/ejabberd/</code> directory and set the
permissions correctly:</p>
<pre><code>chown root:ejabberd /etc/ejabberd/ejabberd.pem
chmod 640 /etc/ejabberd/ejabberd.pem
</code></pre></li>
<li><p>Improve the client-to-server and server-to-server TLS configuration:</p>
<pre><code>define_macro:
  # ...
  'DH_FILE': "/etc/ejabberd/dhparams.pem"
c2s_dhfile: 'DH_FILE'
s2s_dhfile: 'DH_FILE'
listen:
  -
    port: 5222
    ip: "::"
    module: ejabberd_c2s
    starttls_required: true
s2s_use_starttls: required
</code></pre></li>
<li><p>Create the required <code>dhparams.pem</code> file:</p>
<pre><code>openssl dhparam -out /etc/ejabberd/dhparams.pem 2048
</code></pre></li>
<li><p>Optionally disable non-essential modules by commenting them out under the <code>modules:</code> section of <code>/etc/ejabberd/ejabberd.yml</code>:</p>
<pre><code>## mod_avatar
## mod_mam
## mod_muc
## mod_private
## mod_pubsub
</code></pre></li>
<li><p>Restart the ejabberd daemon:</p>
<pre><code>systemctl restart ejabberd.service
</code></pre></li>
<li><p>Create a new user account for yourself:</p>
<pre><code>ejabberdctl register me fmarier.org P@ssw0rd1!
</code></pre></li>
<li><p>Open up the following ports on the server's firewall:</p>
<pre><code>iptables -A INPUT -p udp --dport 3478 -j ACCEPT
iptables -A INPUT -p tcp --dport 5222 -j ACCEPT
iptables -A INPUT -p tcp --dport 5269 -j ACCEPT
</code></pre></li>
<li><p>Optionally create a cronjob in <code>/etc/cron.d/restart-ejabberd</code>
to restart ejabberd once a day to ensure it doesn't stop responding
to requests after running for a while:</p>
<pre><code>0 4 * * * root /bin/systemctl restart ejabberd.service
</code></pre></li>
</ol>
<p>Note that if you'd like to be able to talk to contacts via the GMail XMPP
server, you will unfortunately need to change the <code>s2s_use_starttls</code>
setting in step 4 to the following:</p>
<pre><code>s2s_use_starttls: optional
</code></pre>
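<p>To see what <code>auth_password_format: scram</code> together with <code>auth_scram_hash: sha512</code> from step 2 actually buys you, here is a complete SCRAM exchange following RFC 5802 with SHA-512 as the hash, written as an added example; it is neither ejabberd's code nor code from this post. The server keeps only a salt, an iteration count, <code>StoredKey</code> and <code>ServerKey</code>, never the password itself, and can still verify the client's proof; the sample password and salt are constructed, and the iteration count is an assumption rather than ejabberd's default.</p>

```python
"""Worked SCRAM-SHA-512 exchange (RFC 5802 construction with SHA-512).
Added example: shows what a SCRAM server stores and how it verifies a client."""
import base64
import hashlib
import hmac
import os
import secrets

HASH = "sha512"    # corresponds to auth_scram_hash: sha512
ITERATIONS = 4096  # assumed iteration count; the server advertises it in server-first


def _hi(password: str, salt: bytes, iterations: int) -> bytes:
    """Hi() from RFC 5802 is PBKDF2 with HMAC-<HASH>."""
    return hashlib.pbkdf2_hmac(HASH, password.encode("utf-8"), salt, iterations)


def _h(data: bytes) -> bytes:
    return hashlib.new(HASH, data).digest()


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _fields(msg: str) -> dict:
    """Split 'k=v,k=v' attributes; values (base64) may themselves contain '='."""
    return dict(part.split("=", 1) for part in msg.split(","))


def store_credentials(password: str, salt=None, iterations: int = ITERATIONS) -> dict:
    """What a SCRAM server keeps on disk: salt, iteration count, StoredKey, ServerKey.
    The password is used once here and never stored."""
    salt = salt if salt is not None else os.urandom(16)
    salted = _hi(password, salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return {
        "salt": salt,
        "iterations": iterations,
        "stored_key": _h(client_key),
        "server_key": _hmac(salted, b"Server Key"),
    }


def client_final_message(password: str, client_first_bare: str, server_first: str) -> str:
    """Client side: derive ClientKey from the password and prove knowledge of it."""
    f = _fields(server_first)
    salt, iterations = base64.b64decode(f["s"]), int(f["i"])
    without_proof = f"c=biws,r={f['r']}"  # biws = base64("n,,"): no channel binding
    auth_message = f"{client_first_bare},{server_first},{without_proof}".encode()
    client_key = _hmac(_hi(password, salt, iterations), b"Client Key")
    client_signature = _hmac(_h(client_key), auth_message)
    proof = _xor(client_key, client_signature)
    return f"{without_proof},p={_b64(proof)}"


def server_verify(cred: dict, client_first_bare: str, server_first: str,
                  client_final: str, expected_nonce: str):
    """Server side: recover ClientKey from the proof and check H(ClientKey) == StoredKey.
    Returns the server-final message on success, None on failure."""
    f = _fields(client_final)
    if f.get("r") != expected_nonce:
        return None  # nonce mismatch: replayed or mixed-up session
    without_proof = client_final.rsplit(",p=", 1)[0]
    auth_message = f"{client_first_bare},{server_first},{without_proof}".encode()
    client_signature = _hmac(cred["stored_key"], auth_message)
    client_key = _xor(base64.b64decode(f["p"]), client_signature)
    if not hmac.compare_digest(_h(client_key), cred["stored_key"]):
        return None
    return f"v={_b64(_hmac(cred['server_key'], auth_message))}"


def run_exchange(cred: dict, username: str, password: str) -> bool:
    """Drive one complete exchange between a client and a server holding `cred`."""
    client_nonce = secrets.token_urlsafe(16)
    client_first_bare = f"n={username},r={client_nonce}"
    nonce = client_nonce + secrets.token_urlsafe(16)  # server appends its own nonce
    server_first = f"r={nonce},s={_b64(cred['salt'])},i={cred['iterations']}"
    client_final = client_final_message(password, client_first_bare, server_first)
    return server_verify(cred, client_first_bare, server_first, client_final, nonce) is not None


if __name__ == "__main__":
    cred = store_credentials("P@ssw0rd1!")  # constructed sample password
    print("stored record:", {k: (v.hex() if isinstance(v, bytes) else v) for k, v in cred.items()})
    print("correct password:", run_exchange(cred, "me", "P@ssw0rd1!"))
    print("wrong password:  ", run_exchange(cred, "me", "hunter2"))
```

Running the file prints the stored record (no password in it) followed by one successful and one failed exchange. The nonce check in <code>server_verify</code> is what ties a proof to a single session, and <code>hmac.compare_digest</code> keeps the final comparison constant-time.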
<h1 id="Client_setup">Client setup</h1>
<p>On the client side, if you use Pidgin, create a new account with the
following settings in the "Basic" tab:</p>
<ul>
<li>Protocol: XMPP</li>
<li>Username: <code>me</code></li>
<li>Domain: <code>fmarier.org</code></li>
<li>Password: <code>P@ssw0rd1!</code></li>
</ul>
<p>and the following setting in the "Advanced" tab:</p>
<ul>
<li>Connection security: Require encryption</li>
</ul>
<p>From this, I was able to connect to the server without clicking through any
certificate warnings.</p>
<h1 id="Testing">Testing</h1>
<p>If you want to make sure that XMPP federation works, add your GMail address
as a buddy to the account and send yourself a test message.</p>
<p>In this example, the XMPP address I give to my friends is <code>me@fmarier.org</code>.</p>
<p>Finally, to ensure that your TLS settings are reasonable, use this
<a href="https://xmpp.net/">automated tool</a> to test both the client-to-server (c2s)
and the server-to-server (s2s) flows.</p>
<h1 id="Spam_protection">Spam protection</h1>
<p>If you start having problems with spammers sending messages or subscription
requests to your users, you can whitelist the servers that are allowed to
federate with yours by putting the following in
<code>/etc/ejabberd/ejabberd.yml</code>:</p>
<pre><code>acl:
  trusted_servers:
    server:
      - "cheogram.com"
      - "conference.soprani.ca"
      - "jmp.chat"
access:
  s2s:
    allow: trusted_servers
    deny: all
s2s_access: s2s
</code></pre>
<p>The above was all I needed in order to be able to use the
<a href="https://jmp.chat/">JMP</a> SMS-to-XMPP service.</p>
Things that work well with Tor
https://feeding.cloud.geek.nz/posts/things-that-work-well-with-tor/
<a href="https://creativecommons.org/licenses/by-sa/4.0/">Creative Commons Attribution-ShareAlike 4.0 International License</a>
Updated 2021-06-11T20:43:57Z, published 2013-11-19T05:38:00Z
<p><a href="https://torproject.org">Tor</a> is a proxy server which allows its users to
hide their IP address from the websites they connect to. In order to provide
this level of anonymity however, it introduces latency into these
connections, an unfortunate performance-privacy trade-off which means that
few users choose to do all of their browsing through Tor.</p>
<p>Here are a few things that I have found work quite well through Tor. If
there are any other interesting use cases I've missed (e.g.
<a href="http://matt.might.net/articles/why-peer-reviewers-should-use-tor/">reviewing academic papers</a>),
please leave a comment!</p>
<h1 id="Tor_setup">Tor setup</h1>
<p>There are already great docs on how to
<a href="https://www.torproject.org/docs/tor-doc-unix.html.en">install and configure the Tor server</a>
and the only thing I would add is that I've found that having a <a href="http://www.pps.univ-paris-diderot.fr/~jch/software/polipo/">Polipo</a> proxy
around is quite useful for those applications that support HTTP
proxies but not <a href="https://en.wikipedia.org/wiki/SOCKS">SOCKS</a> proxies.</p>
<p>On Debian, it's just a matter of installing the
<a href="http://packages.debian.org/stable/polipo">polipo</a> package and then
setting the following in <code>/etc/polipo/config</code>:</p>
<pre><code>logSyslog = true
logFile = /var/log/polipo/polipo.log
# Configure polipo for use with tor
proxyAddress = "127.0.0.1"
proxyPort = 8008
allowedClients = 127.0.0.1
allowedPorts = 1-65535
proxyName = "localhost"
cacheIsShared = false
socksParentProxy = "localhost:9050"
socksProxyType = socks5
chunkHighMark = 67108864
diskCacheRoot = ""
localDocumentRoot = ""
disableLocalInterface = true
disableConfiguration = true
dnsQueryIPv6 = no
dnsUseGethostbyname = yes
disableVia = true
censoredHeaders = from,accept-language,x-pad,link
censorReferer = maybe
# Suggestions from Incognito configuration
maxConnectionAge = 5m
maxConnectionRequests = 120
serverMaxSlots = 8
serverSlots = 2
tunnelAllowedPorts = 1-65535
</code></pre>
<h1 id="RSS_feeds">RSS feeds</h1>
<p>The whole idea behind <a href="https://en.wikipedia.org/wiki/RSS">RSS</a> feeds is that
articles are downloaded in batch ahead of time. In other words, latency
doesn't matter.</p>
<p>I use <a href="http://userbase.kde.org/Akregator">akregator</a> to read blogs and the
way to make it fetch articles over Tor is to change the
<a href="http://kde.org">KDE</a>-wide proxy server using <code>systemsettings</code> and setting a
manual proxy of <code>localhost</code> on port <code>8008</code> (i.e. the local instance of
Polipo). If you don't see the proxy settings in the KDE control panel, make
sure that the <code>kde-baseapps-bin</code>, <code>libkonq-common</code> and <code>kpart-webkit</code> packages
are installed.</p>
<p>Similarly, I use <a href="http://podget.sourceforge.net/">podget</a> to automatically
fetch podcasts through this cron job in <code>/etc/cron.d/podget-francois</code>:</p>
<pre><code>0 12 * * 1-5 francois http_proxy=http://localhost:8008/ https_proxy=http://localhost:8008/ nocache nice ionice -n7 /usr/bin/podget -s
</code></pre>
<p>Prior to that, I was using
<a href="https://github.com/jgoerzen/hpodder/wiki">hpodder</a> and had the following in
<code>~/.hpodder/curlrc</code>:</p>
<pre><code>proxy=socks4a://localhost:9050
</code></pre>
<h1 id="GnuPG">GnuPG</h1>
<p>For those of us using the <a href="http://gnupg.org/">GNU Privacy Guard</a> to exchange
<a href="https://help.ubuntu.com/community/GnuPrivacyGuardHowto">encrypted emails</a>,
keeping our public keyring up to date is important since it's the only way
to ensure that
<a href="https://www.linux.com/news/featured-blogs/136-distroblogs/6775-the-need-for-a-gpg-revocation-certificate">revoked keys</a>
are taken into account. The
<a href="https://github.com/fmarier/user-scripts/blob/master/gpg-refresh-keys">script I use</a>
for this runs once a day and has the unfortunate side effect of revealing the
contents of my address book to the <a href="http://pgp.net.nz">keyserver</a> I use.</p>
<p>Therefore, I figured that I should at least hide my IP address by putting
the following in <code>~/.gnupg/gpg.conf</code>:</p>
<pre><code>keyserver-options http-proxy=http://127.0.0.1:8008
</code></pre>
<p>However, that tends to make key submission fail, so I created a key
submission alias in my <code>~/.bashrc</code> which avoids sending keys through Tor:</p>
<pre><code>alias gpgsendkeys='gpg --send-keys --keyserver-options http-proxy=""'
</code></pre>
<h1 id="Package_updates">Package updates</h1>
<p>Since most Debian packages are fairly small, downloading them over Tor doesn't
take a whole lot longer. Large updates on the other hand are affected
unless you do them in the background like I do with this <a href="https://github.com/fmarier/root-scripts/blob/master/apt-cron">daily cron job</a>:</p>
<pre><code>apt-get -qq update
apt-get -qq clean
apt-get --download-only --assume-yes --force-yes -qq dist-upgrade
apt-get -qq autoclean
</code></pre>
<p>To do updates over Tor, simply install the <a href="https://packages.debian.org/stable/apt-transport-tor">apt-transport-tor</a>
package and then replace <code>http://</code> with <code>tor+http://</code> everywhere in
your <code>/etc/apt/sources.list</code> so that it looks like:</p>
<pre><code>deb tor+http://httpredir.debian.org/debian sid main contrib
deb-src tor+http://httpredir.debian.org/debian sid main contrib
deb tor+http://httpredir.debian.org/debian experimental main
deb-src tor+http://httpredir.debian.org/debian experimental main
</code></pre>
<h1 id="Instant_messaging">Instant messaging</h1>
<p>Communication via <a href="https://en.wikipedia.org/wiki/XMPP">XMPP</a> is another use
case that's not affected much by a bit of extra latency.</p>
<p>To get <a href="http://pidgin.im/">Pidgin</a> to talk to an XMPP server over Tor,
simply open "Tools | Preferences" and set a <code>Tor/Privacy (SOCKS5)</code>
proxy of <code>127.0.0.1</code> on port <code>9050</code>.</p>
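<p>The Polipo <code>socksProxyType = socks5</code> setting, the <code>socks4a://</code> URL in the hpodder curlrc and Pidgin's <code>Tor/Privacy (SOCKS5)</code> proxy type above share one property that matters for privacy: the application hands the hostname to Tor instead of resolving it locally, so the DNS lookup never leaves the Tor circuit. The following added example (not code from the post, Polipo, hpodder or Pidgin) builds and parses the SOCKS4a and SOCKS5 CONNECT messages as specified in RFC 1928 and the SOCKS4a extension, and flags a SOCKS5 request that carries an IP literal, the sign that the name was already resolved outside Tor. Every byte string is constructed; nothing connects to the network.</p>

```python
"""SOCKS4a/SOCKS5 CONNECT builders and parsers (RFC 1928 plus the SOCKS4a extension).
Added example: shows why a Tor client must send hostnames, not resolved addresses."""
import ipaddress
import struct

SOCKS5 = 0x05
NO_AUTH = 0x00
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04

REPLY = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def socks5_greeting() -> bytes:
    """Client hello: version 5, one offered method, no authentication."""
    return bytes([SOCKS5, 1, NO_AUTH])


def socks5_connect_request(host: str, port: int) -> bytes:
    """CONNECT request. A hostname goes out as ATYP 3 so the proxy (Tor) resolves it;
    an IP literal goes out as ATYP 1/4, meaning the client resolved the name itself."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return bytes([SOCKS5, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)


def socks4a_connect_request(host: str, port: int, userid: bytes = b"") -> bytes:
    """SOCKS4a CONNECT: DSTIP 0.0.0.1 signals that a hostname follows the userid,
    so the proxy resolves it. Plain SOCKS4 has no way to carry a name at all."""
    return (bytes([0x04, CMD_CONNECT]) + struct.pack("!H", port)
            + bytes([0, 0, 0, 1]) + userid + b"\x00" + host.encode("idna") + b"\x00")


def request_leaks_dns(request: bytes) -> bool:
    """True when a SOCKS5 CONNECT carries an IP address: the client resolved the
    name locally and that DNS query bypassed Tor."""
    if len(request) < 4 or request[0] != SOCKS5 or request[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    return request[3] in (ATYP_IPV4, ATYP_IPV6)


def parse_socks5_reply(data: bytes):
    """Parse the proxy's CONNECT reply into (status text, bound address, bound port)."""
    if len(data) < 4 or data[0] != SOCKS5:
        raise ValueError("malformed SOCKS5 reply")
    status = REPLY.get(data[1], f"unknown reply code {data[1]:#x}")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        addr, rest = str(ipaddress.IPv4Address(data[4:8])), data[8:]
    elif atyp == ATYP_IPV6:
        addr, rest = str(ipaddress.IPv6Address(data[4:20])), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        addr, rest = data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError(f"unknown address type {atyp}")
    if len(rest) != 2:
        raise ValueError("bad reply length")
    return status, addr, struct.unpack("!H", rest)[0]


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address (TEST-NET-1), used here as a constructed sample.
    for host in ("example.com", "192.0.2.10"):
        req = socks5_connect_request(host, 443)
        verdict = "leaks DNS" if request_leaks_dns(req) else "resolved by Tor"
        print(f"{host:12} {req.hex()}  {verdict}")
    print(socks4a_connect_request("example.com", 80).hex())
    print(parse_socks5_reply(b"\x05\x00\x00\x01\x00\x00\x00\x00\x00\x00"))
```

<code>request_leaks_dns</code> is the check to run over a captured SOCKS5 request from any application you route through Tor: a hostname in the request means the resolver was never consulted locally, while an IP literal means the name was looked up before the proxy saw it.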
<h1 id="GMail">GMail</h1>
<p>Finally, I found that since I am
<a href="https://feeding.cloud.geek.nz/posts/keeping-gmail-in-separate-browser/">running GMail in a separate browser profile</a>,
I can take advantage of GMail's excellent caching and preloading and run the
whole thing over Tor by setting that entire browser profile to run its
traffic through the Tor SOCKS proxy on port <code>9050</code>.</p>