XMPP (aka Jabber) in combination with OTR is a secure way to chat with others. There are some public servers available, but their popularity centralizes the infrastructure and leaves single points of failure. A recent example is Chaos Computer Club’s Jabber server (jabber.ccc.de) which was down for some days between Christmas and New Years 2014/2015, as a consequence of a DOS attack.
I’ve been setting up a Jabber server of my own on my Raspberry Pi. Here is how you can too:
We will be installing Prosody, a lightweight, easy to install Jabber server. I’m running version 0.9.7 with lua-sec-prosody version 0.5.1-2.
First add the Prosody repository to the debian apt-sources:
# wheezy (for jessie see below)
echo "deb http://packages.prosody.im/debian wheezy main" > /etc/apt/sources.list.d/prosody.sources.list
wget https://prosody.im/files/prosody-debian-packages.key -O- | apt-key add -
apt-get install prosody lua-sec-prosody
We need the lua-sec-prosody package for the newest cryptographic libraries.
In newer operating systems this temporarily forked package has been merged, and is not longer necessary:
apt-get install prosody
Next we generate the certificate for the server. This will be seen by clients and other servers. The CSR is to request a certificate.
openssl genrsa -out example.key 4096
openssl req -key example.com.key -out example.com.csr
I recommend that you get a certificate signed from a certification authority. I used CAcert, but any CA will do. I previously wrote about some options for CAs. Alternatively you can sign the key yourself. A self signed certificate will however bare the risk of failed connections with other servers, that need a secure connection:
openssl x509 -req -days 1024 -in example.com.csr -signkey example.com.key -out example.com.crt
openssl dhparam -out /etc/prosody/certs/dh_2048.pem 2048
For your firewall the ports 5269 (server to server) and 5222 (client to server) need to be open. If you setup IPv4 and IPv6, make sure to allow those ports on both IP versions. The server will listen to all IPs.
Finally you need to set the correct DNS entries:
_xmpp-client._tcp.example.com. IN SRV 10 0 5222 someserver.example.com.
_xmpp-server._tcp.example.com. IN SRV 10 0 5269 someserver.example.com.
_jabber._tcp.example.com. IN SRV 10 0 5269 someserver.example.com.
someserver A 10.0.8.15
someserver AAAA 2001:db8:f10::1
This DNS setup is really neat. It also means that the Jabber server does not have to run on the same machine as your website.
To use your server you need an account. Add it with:
prosodyctl adduser YOUR-NIC@example.com
Restart Prosody to get all the configuration running:
Now you just need to login with your jabber client.
You can check your security setup at xmpp.net.