Prosody XMPP Server
Initial Installation
Install the following packages:
apt-get install prosody lua-dbi-sqlite3 lua-zlib lua-cyrussasl libsasl2-modules-gssapi-mit
Grant the host permission to the service/xmpp directory:
fs sa /afs/acm.jhu.edu/service/xmpp rcmd.crimea rl
fs sa /afs/acm.jhu.edu/service/xmpp/snapshot rcmd.crimea rlidwk
SSL Setup
Follow the instructions in SSL to get an SSL certificate.
Land the key in /etc/prosody/certs/xmpp.acm.jhu.edu.key and the cert, followed by the intermediate certs, in /etc/prosody/certs/xmpp.acm.jhu.edu.crt.
Check your work with (yes, the file needs to be given twice):
openssl verify -CAfile /etc/prosody/certs/xmpp.acm.jhu.edu.crt /etc/prosody/certs/xmpp.acm.jhu.edu.crt
Note
Prosody is particular about the order of the certificates in its certificate file: the server certificate must come first. Check this by running
openssl x509 -noout -text -in /etc/prosody/certs/xmpp.acm.jhu.edu.crt
and confirming that the Subject is the one you expect (openssl x509 only reads the first certificate in the file). If it is not, you will get mysterious "no shared ciphers" failures!
Build dhparams:
openssl dhparam -out /etc/prosody/certs/dh-2048.pem 2048
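The two checks above (server certificate first in the bundle, and the bundle verifying against itself) can be scripted so they are run before every certificate rotation. The following is an added example, not part of the original page or of Prosody itself; it builds a throwaway test CA and leaf in a temporary directory (all names such as "Test Root CA" and xmpp.example.test are constructed) and shows that the page's openssl verify command alone does not catch a bundle with the CA first, while the subject check does.

```shell
#!/bin/sh
# Added example (not from the original page): check that a Prosody
# certificate bundle has the server certificate FIRST and that the whole
# bundle verifies. The test CA and hostnames below are constructed.
set -eu

# prosody_bundle_ok BUNDLE EXPECTED_CN
# Returns 0 when the first PEM block in BUNDLE carries the expected subject
# CN and the bundle verifies against itself (the page's command), else 1.
prosody_bundle_ok() {
    bundle=$1
    expected_cn=$2
    # `openssl x509` reads only the first certificate in the file, which is
    # exactly the one Prosody presents as the server certificate.
    first_subject=$(openssl x509 -noout -subject -in "$bundle")
    case "$first_subject" in
        *"CN = $expected_cn"*|*"CN=$expected_cn"*) ;;
        *)
            echo "first certificate is '$first_subject', expected CN=$expected_cn" >&2
            return 1 ;;
    esac
    # Bundle given twice, as on the page: once as the CA/chain input and
    # once as the certificate to verify.
    openssl verify -CAfile "$bundle" "$bundle" >/dev/null
}

# make_test_bundles: create a self-signed test CA, a leaf signed by it, and
# two bundles: good.crt (leaf first) and bad.crt (CA first). Prints the
# temporary directory that holds them.
make_test_bundles() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=xmpp.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/leaf.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/leaf.crt" 2>/dev/null
    cat "$dir/leaf.crt" "$dir/ca.crt" > "$dir/good.crt"   # server cert first
    cat "$dir/ca.crt" "$dir/leaf.crt" > "$dir/bad.crt"    # CA first: wrong
    echo "$dir"
}
```

For the real deployment, call prosody_bundle_ok on /etc/prosody/certs/xmpp.acm.jhu.edu.crt with the expected CN xmpp.acm.jhu.edu; the verify step then relies on the system trust store for the issuing root, exactly as the page's command does. The subject check is the part that matters for the "no shared ciphers" failure: openssl verify only inspects the first certificate in the file, so a bundle with the CA first can still pass verification while Prosody serves the wrong certificate.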
Set up SASL
In /etc/prosody/prosody.cfg.lua, set the following options globally:
authentication = "cyrus"
cyrus_service_name = "prosody"
cyrus_service_realm = ""
c2s_require_encryption = true
s2s_secure_auth = true
Create /etc/sasl/prosody.conf with the following contents:
pwcheck_method: saslauthd
mech_list: PLAIN GSSAPI
Adjust /etc/default/saslauthd:
START=yes
MECHANISMS=kerberos5
And run:
addgroup prosody sasl
Set up virtual host
In /etc/prosody/prosody.cfg.lua, add the following stanza:
VirtualHost "xmpp.acm.jhu.edu"
    enabled = true
    -- Assign this host a certificate for TLS, otherwise it would use the one
    -- set in the global section (if any).
    -- Note that old-style SSL on port 5223 only supports one certificate, and will always
    -- use the global one.
    ssl = {
        key = "/etc/prosody/certs/xmpp.acm.jhu.edu.key";
        certificate = "/etc/prosody/certs/xmpp.acm.jhu.edu.crt";
        options = { "no_sslv2", "no_ticket", "no_compression", "no_sslv3" };
        dhparam = "/etc/prosody/certs/dh-2048.pem";
        -- Restrict to TLS 1.2 and newer. Spell the key correctly: Prosody
        -- silently ignores unknown keys, so a typo here leaves older
        -- protocol versions enabled.
        protocol = "tlsv1_2+";
    }
Add to XMPP glue in DNS
Add a SRV record or two for XMPP clients and servers in DNS:
_xmpp-client._tcp IN SRV 5 0 5222 crimea.acm.jhu.edu.