Source: ejabberd
Severity: wishlist

Hi,

I recently configured my ejabberd server for compliance with the ComplianceTester by Daniel Gultsch [1] and with the IM Observatory [2]. I would like to propose adding more example documentation to ejabberd.yml such that it becomes easier for the user to achieve the same. Here is a list of possible improvements:

Use macros
==========

Especially SSL options will be used at several places in ejabberd.yml. Together with client to server, server to server, http upload and admin web interface I ended up using the same options five times. I only stumbled over the possibility to use macros in the configuration by chance and think they deserve more wide-spread use because they allow one to do the configuration in a central place. I use this:

    define_macro:
      'CERTFILE': "/etc/ejabberd/ejabberd.pem"
      'CIPHERS': "ECDH:DH:!3DES:!aNULL:!eNULL:!MEDIUM@STRENGTH"
      'TLSOPTS':
        - "no_sslv3"
        - "cipher_server_preference"
        - "no_compression"
      'DHFILE': "/etc/ejabberd/dhparams.pem" # generated with: openssl dhparam -out dhparams.pem 2048

And then later at many places in my config:

    certfile: 'CERTFILE'
    protocol_options: 'TLSOPTS'
    dhfile: 'DHFILE'
    ciphers: 'CIPHERS'

Which brings me to the next point:

Default TLS Options
===================

It might make sense to document more secure TLS options than the default. See above for some examples.

mod_http_upload
===============

I understand why this should not be enabled by default but I think it might make sense to make enabling it easier by supplying some commented default like:

    #  -
    #    port: 5443
    #    ip: "::"
    #    module: ejabberd_http
    #    request_handlers:
    #      "": mod_http_upload
    #    tls: true
    #    certfile: 'CERTFILE'
    #    protocol_options: 'TLSOPTS'
    #    dhfile: 'DHFILE'
    #    ciphers: 'CIPHERS'

And then later:

    #  mod_http_upload:
    #    # docroot: "@HOME@/upload" # this is the default
    #    put_url: "https://@HOST@:5443" # default: "http://@HOST@:5444"
    #    thumbnail: false # otherwise needs the identify command from ImageMagick installed
    #  mod_http_upload_quota:
    #    max_days: 30

mod_mam
=======

Same for this one:

    # XEP-0313: Message Archive Management
    # You might want to setup a SQL backend for MAM because the mnesia database is
    # limited to 2GB which might be exceeded on large servers
    # mod_mam: {}

Admin User
==========

There is a small typo in the comment for admin user. It currently says:

    ##   admin:
    ##     user:
    ##       - "aleksey@localhost"
    ##       - "erm...@example.org"

But this now became a key/value pair and would better be written as:

    ##   admin:
    ##     user:
    ##       - "aleksey": "localhost"
    ##       - "ermine": "example.org"

TLS for s2s Communication
=========================

The default for this setting is currently:

    -s2s_use_starttls: optional

which surprised me a lot. Should the default not be to always encrypt and then the admin should make the conscious choice when they want to allow plain-text communication between servers? I suppose this is set to optional because the google servers do not support this? I still would argue that the default Debian configuration should be secure and encrypted by default. I'd suggest changing this setting to "required" and mention that the gmail server doesn't support it in a comment next to it.

Thanks!

cheers, josch

[1] https://github.com/iNPUTmice/ComplianceTester (unfortunately this cannot be built from source in Debian yet)
[2] https://xmpp.net/