Source: ejabberd
Severity: wishlist

Hi,

I recently configured my ejabberd server for compliance with the
ComplianceTester by Daniel Gultsch [1] and with the IM Observatory [2].
I would like to propose adding more example documentation to
ejabberd.yml such that it becomes easier for the user to achieve the
same.

Here is a list of possible improvements:

Use macros
==========

Especially SSL options will be used at several places in ejabberd.yml.
Together with client to server, server to server, http upload and admin
web interface I ended up using the same options five times. I only
stumbled over the possibility to use macros in the configuration by
chance and think they deserve more wide-spread use because they allow
one to do the configuration in a central place. I use this:

define_macro:
  'CERTFILE': "/etc/ejabberd/ejabberd.pem"
  'CIPHERS': "ECDH:DH:!3DES:!aNULL:!eNULL:!MEDIUM@STRENGTH"
  'TLSOPTS':
    - "no_sslv3"
    - "cipher_server_preference"
    - "no_compression"
  'DHFILE': "/etc/ejabberd/dhparams.pem" # generated with: openssl dhparam -out dhparams.pem 2048

And then later at many places in my config:

    certfile: 'CERTFILE'
    protocol_options: 'TLSOPTS'
    dhfile: 'DHFILE'
    ciphers: 'CIPHERS'

Which brings me to the next point:

Default TLS Options
===================

It might make sense to document more secure TLS options than the
default. See above for some examples.

mod_http_upload
===============

I understand why this should not be enabled by default but I think it
might make sense to make enabling it easier by supplying some commented
default like:

#  -
#    port: 5443
#    ip: "::"
#    module: ejabberd_http
#    request_handlers:
#      "": mod_http_upload
#    tls: true
#    certfile: 'CERTFILE'
#    protocol_options: 'TLSOPTS'
#    dhfile: 'DHFILE'
#    ciphers: 'CIPHERS'

And then later:

#  mod_http_upload:
#    # docroot: "@HOME@/upload" # this is the default
#    put_url: "https://@HOST@:5443" # default: "http://@HOST@:5444"
#    thumbnail: false # otherwise needs the identify command from ImageMagick installed
#  mod_http_upload_quota:
#    max_days: 30

mod_mam
=======

Same for this one:

# XEP-0313: Message Archive Management
# You might want to setup a SQL backend for MAM because the mnesia database is
# limited to 2GB which might be exceeded on large servers
#  mod_mam: {}

Admin User
==========

There is a small typo in the comment for admin user. It currently says:

  ## admin:
  ##   user:
  ##     - "aleksey@localhost"
  ##     - "erm...@example.org"

But this now became a key/value pair and would better be written as:

  ## admin:
  ##   user:
  ##     - "aleksey": "localhost"
  ##     - "ermine": "example.org"

TLS for s2s Communication
=========================

The default for this setting is currently:

-s2s_use_starttls: optional

which surprised me a lot. Should the default not be to always encrypt
and then the admin should make the conscious choice when they want to
allow plain-text communication between servers?

I suppose this is set to optional because the google servers do not
support this? I still would argue that the default Debian configuration
should be secure and encrypted by default. I'd suggest changing this
setting to "required" and mention that the gmail server doesn't support
it in a comment next to it.

Thanks!

cheers, josch

[1] https://github.com/iNPUTmice/ComplianceTester (unfortunately this
cannot be built from source in Debian yet)
[2] https://xmpp.net/
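
The checks proposed in the report above, as an added example that is not part of the original message or of ejabberd: a line-based audit that flags an s2s_use_starttls value other than required and TLS-enabled listeners that lack any of the four options set through the macros. The function name audit, the sample configuration and the assumption of plain block-style YAML with space indentation are constructed for illustration.

```python
import re

TLS_KEYS = ("certfile", "protocol_options", "dhfile", "ciphers")  # options from the report
TLS_FLAGS = ("tls", "starttls", "starttls_required")              # listener has TLS enabled

def audit(text):
    """Line-based audit of an ejabberd.yml string; returns a list of findings."""
    s2s, listeners, item_col, in_listen = None, [], None, False
    for raw in text.splitlines():
        body = raw.strip()
        indent = len(raw) - len(raw.lstrip())
        if not body or body.startswith("#"):
            continue
        if indent == 0:                                   # top-level key
            in_listen = body == "listen:"
            m = re.match(r"s2s_use_starttls:\s*(\S+)", body)
            s2s = m.group(1).strip("'\"") if m else s2s
        elif in_listen:
            if body.startswith("-") and item_col in (None, indent):
                item_col, body = indent, body[1:].lstrip()  # "-" here opens a listener
                listeners.append({})
            m = re.match(r"(\w+):\s*(\S*)", body)
            col = len(raw.rstrip()) - len(body)           # column where the key starts
            if m and listeners and col == listeners[-1].setdefault("_col", col):
                listeners[-1][m.group(1)] = m.group(2).strip("'\"")  # nested keys skipped
    findings = []
    if s2s not in ("required", "required_trusted"):
        findings.append(f"s2s_use_starttls is {s2s or 'unset'}, not required")
    for l in listeners:
        missing = [k for k in TLS_KEYS if k not in l]
        if missing and any(l.get(f) == "true" for f in TLS_FLAGS):
            findings.append(f"port {l.get('port')}: TLS on, missing {', '.join(missing)}")
    return findings

# Constructed sample input, not a real server's configuration.
SAMPLE = """\
listen:
  - port: 5222
    starttls_required: true
    certfile: 'CERTFILE'
    protocol_options: 'TLSOPTS'
    dhfile: 'DHFILE'
    ciphers: 'CIPHERS'
  - port: 5443
    request_handlers:
      "": mod_http_upload
    tls: true
    certfile: 'CERTFILE'
s2s_use_starttls: optional
"""
```

Calling audit(SAMPLE) reports the optional s2s setting and the port 5443 listener, which enables TLS but sets only certfile.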
