HOWTO setup your very own Jabber server…

XMPP (also known as Jabber) combined with OTR is a secure way to chat with others. There are public servers available, but their popularity centralizes the infrastructure and creates single points of failure. A recent example is the Chaos Computer Club's Jabber server (jabber.ccc.de), which was down for several days between Christmas and New Year 2014/2015 as a consequence of a DoS attack.

I’ve been setting up a Jabber server of my own on my Raspberry Pi. Here is how you can too:

We will install Prosody, a lightweight, easy-to-install Jabber server. I'm running version 0.9.7 with lua-sec-prosody version 0.5.1-2.
First add the Prosody repository to the Debian apt sources:

# wheezy (for jessie see below)
echo "deb http://packages.prosody.im/debian wheezy main" > /etc/apt/sources.list.d/prosody.sources.list
wget https://prosody.im/files/prosody-debian-packages.key -O- | apt-key add -
apt-get update
apt-get install prosody lua-sec-prosody

We need the lua-sec-prosody package because it ships a newer build of LuaSec (the TLS binding Prosody uses) than wheezy itself does.

On newer releases this temporarily forked package has been merged back and is no longer necessary:
# jessie
apt-get install prosody

Replace Prosody's configuration file (/etc/prosody/prosody.cfg.lua) with this file (github gist) and replace example.com with your domain. This is the domain part of your Jabber handle (JID).

Next we generate the private key and a certificate signing request (CSR) for the server. The certificate is what clients and other servers see when they connect over TLS; the CSR is what you send to a CA to have it signed. The certificate must be issued for example.com, the domain of your JIDs, not for the hostname your A record points at. Keep the private key readable only by root and the prosody user.

cd /etc/prosody/certs/
openssl genrsa -out example.com.key 4096
openssl req -new -key example.com.key -out example.com.csr

I recommend getting the certificate signed by a certification authority. I used CAcert, but any CA will do (note that CAcert's root is not included in most operating system and browser trust stores, so peers that verify certificates treat it much like a self-signed one). I previously wrote about some options for CAs. Alternatively you can sign the certificate yourself. A self-signed certificate bears the risk of failed connections with other servers that require a verified certificate for server-to-server TLS:

openssl x509 -req -sha256 -days 1024 -in example.com.csr -signkey example.com.key -out example.com.crt

For the Diffie-Hellman key exchange, which provides forward secrecy, we need to generate DH parameters. This takes a long time on a Raspberry Pi:

openssl dhparam -out /etc/prosody/certs/dh_2048.pem 2048
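The certificate and DH steps above, collected into one script. This is an added example, not code from the original post. It assumes the same placeholders as the post (example.com as the XMPP domain, /etc/prosody/certs as the certificate directory, 4096/2048-bit key and DH sizes) and a prosody group for the daemon; all of them can be overridden via environment variables. Beyond the commands above it puts a subjectAltName for the JID domain into the self-signed certificate, restricts the private key to the prosody group, and checks that key and certificate belong together and actually name the domain before you restart Prosody:

```sh
#!/bin/sh
# Added example: key, CSR, self-signed certificate and DH parameters for a
# Prosody host. Assumed placeholders (override via environment):
#   DOMAIN   the XMPP domain, i.e. the part after @ in the JID. Clients and
#            peer servers validate the certificate against this name, not
#            against the hostname the SRV/A records point at.
#   CERTDIR  where Prosody's ssl = { ... } block expects the files
#   KEYBITS / DHBITS  sizes; 4096 and 2048 as in the post
set -eu

DOMAIN="${DOMAIN:-example.com}"
CERTDIR="${CERTDIR:-/etc/prosody/certs}"
KEYBITS="${KEYBITS:-4096}"
DHBITS="${DHBITS:-2048}"

# Private key, created under a restrictive umask so it is never world-readable,
# not even for the moment before fix_perms runs.
gen_key() {
    mkdir -p "$CERTDIR"
    (umask 077 && openssl genrsa -out "$CERTDIR/$DOMAIN.key" "$KEYBITS")
}

# CSR with the XMPP domain as CN. -new is required; without it openssl req
# expects an existing request on its input instead of creating one.
gen_csr() {
    openssl req -new -key "$CERTDIR/$DOMAIN.key" -subj "/CN=$DOMAIN" \
        -out "$CERTDIR/$DOMAIN.csr"
}

# Self-signed fallback. Modern clients ignore the CN and check subjectAltName,
# so the domain goes there as well; -sha256 avoids a SHA-1 signature, which
# clients reject. If a CA signs the CSR, skip this step and install the
# CA-issued certificate as $CERTDIR/$DOMAIN.crt instead.
self_sign() {
    ext=$(mktemp)
    printf 'subjectAltName=DNS:%s\n' "$DOMAIN" > "$ext"
    openssl x509 -req -sha256 -days 1024 -in "$CERTDIR/$DOMAIN.csr" \
        -signkey "$CERTDIR/$DOMAIN.key" -extfile "$ext" \
        -out "$CERTDIR/$DOMAIN.crt"
    rm -f "$ext"
}

# DH parameters for the forward-secret DHE cipher suites; slow on a Raspberry Pi.
gen_dh() {
    openssl dhparam -out "$CERTDIR/dh_$DHBITS.pem" "$DHBITS"
}

# Prosody drops privileges to the prosody user, so the key must be readable by
# that group and by nobody else. chgrp is skipped where the group does not
# exist (e.g. when generating the files on another machine).
fix_perms() {
    chmod 0640 "$CERTDIR/$DOMAIN.key"
    if getent group prosody >/dev/null 2>&1; then
        chgrp prosody "$CERTDIR/$DOMAIN.key"
    fi
    chmod 0644 "$CERTDIR/$DOMAIN.crt"
}

# Sanity checks before restarting Prosody: the certificate must belong to the
# key (same RSA modulus) and must name the XMPP domain in its SAN.
verify_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$CERTDIR/$DOMAIN.key")
    crt_mod=$(openssl x509 -noout -modulus -in "$CERTDIR/$DOMAIN.crt")
    if [ "$key_mod" != "$crt_mod" ]; then
        echo "$DOMAIN.crt does not match $DOMAIN.key" >&2
        return 1
    fi
    if ! openssl x509 -noout -text -in "$CERTDIR/$DOMAIN.crt" | grep -qF "DNS:$DOMAIN"; then
        echo "$DOMAIN.crt is not valid for $DOMAIN" >&2
        return 1
    fi
}

# Run all steps: sh gen-prosody-certs.sh run
if [ "${1:-}" = "run" ]; then
    gen_key && gen_csr && self_sign && gen_dh && fix_perms && verify_cert
fi
```

Run it as root on the Pi with `DOMAIN=yourdomain sh gen-prosody-certs.sh run`; if you have the CSR signed by a CA, run the functions individually and leave out self_sign. The verify_cert step is the one worth keeping even if you type the commands by hand: a certificate for someserver.example.com instead of example.com, or one that does not match the key, is the usual reason other servers refuse to federate.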

Your firewall needs to allow inbound TCP on ports 5269 (server-to-server) and 5222 (client-to-server). If you run both IPv4 and IPv6, allow those ports for both. The server listens on all addresses by default.

Finally you need to set the DNS entries. The addresses below are placeholders (10.0.8.15 is a private range and 2001:db8::/32 is the documentation prefix); use your server's public addresses:

_xmpp-client._tcp.example.com. IN SRV 10 0 5222 someserver.example.com.
_xmpp-server._tcp.example.com. IN SRV 10 0 5269 someserver.example.com.
_jabber._tcp.example.com. IN SRV 10 0 5269 someserver.example.com.
someserver  A   10.0.8.15
someserver  AAAA    2001:db8:f10::1

This DNS setup is really neat: the JID domain stays example.com while the Jabber server runs on someserver.example.com, so it does not have to be the same machine as your website. Two things to get right: the SRV targets must be hostnames with A/AAAA records, not CNAMEs, and the _jabber._tcp record is only the legacy name of the server-to-server record, kept for old implementations.

To use your server you need an account. Add one with:

prosodyctl adduser YOUR-NICK@example.com

Restart Prosody so the new configuration takes effect:

prosodyctl restart

That’s it.

Now you just need to log in with your Jabber client.
Happy jabbering.

You can check your server's TLS setup at xmpp.net.
