Red bulbs aside

Install Prosody XMPP server on OpenBSD

prosody-0.11.4 on OpenBSD 6.7

Fresh install

Simply :

# pkg_add prosody

Unlock port on your firewall

Ports 5222 (for client to server - c2s) and 5269 (for server to server - s2s) are required so do not forget to open it on your pf.conf.

Using your Let's Encrypt certificate

Obtaining your certificate is already well described by Roman Zotolarev here.

You will obtain :

• a fullchain certificate (/etc/ssl/mydomain.com.fullchain.pem)
• a private key (/etc/ssl/private/mydomain.com.key)

The user or group _prosody must be able to read these keys, but acme-client will return warnings if the private key is readable by anyone else than root. So choose the folder where you can copy it and make it safely available for _prosody (configuration files and others certs are stored in /etc/prosody/).

If you have followed Roman Zotolarev's tutorial (link above), you have probably set up automatic renewal with crontab. You can just add two cp commands so that useful keys for prosody would be updated too.

crontab

0       0       *       *       *       acme-client mydomain.com && rcctl reload httpd && cp /etc/ssl/mydomain.com.fullchain.pem /path_to_your_keys/mydomain.com.fullchain.pem && cp /etc/ssl/private/mydomain.com.key /path_to_your_keys/mydomain.com.key

Prosody configuration

Configuration is usually stored in /etc/prosody/prosody.cfg.lua. Below an example of a basic and secure configuration :

prosody.cfg.lua example

-- Set it to the XMPP admin account on the server
admins = { "admin@mydomain.com" }

-- Drop privileges
prosody_user = "_prosody"
prosody_group = "_prosody"

-- Enable POSIX-only options
daemonize = true
pidfile = "/var/prosody/prosody.pid"

modules_enabled = {

        -- Generally required
                "roster"; -- Allow users to have a roster. Recommended ;)
                "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
                "tls"; -- Add support for secure TLS on c2s/s2s connections
                "dialback"; -- s2s dialback support
                "disco"; -- Service discovery

        -- Not essential, but recommended
                "carbons"; -- Keep multiple clients in sync
                "pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
                "private"; -- Private XML storage (for room bookmarks, etc.)
                "blocklist"; -- Allow users to block communications with other users
                "vcard4"; -- User profiles (stored in PEP)
                "vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard

        -- Nice to have
                "version"; -- Replies to server version requests
                "uptime"; -- Report how long server has been running
                "time"; -- Let others know the time here on this server
                "ping"; -- Replies to XMPP pings with pongs
                "register"; -- Allow users to register on this server using a client and change passwords

        -- Admin interfaces
                "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
}
allow_registration = false
c2s_require_encryption = true
s2s_require_encryption = true
s2s_secure_auth = true
authentication = "internal_hashed"
archive_expires_after = "1w" -- Remove archived messages after 1 week
log = {
        info = "/var/prosody/prosody.log"; -- Check the path and file permissions for _prosody
        error = "/var/prosody/prosody.err"; -- Check the path and file permissions for _prosody
}
certificates = "certs"
VirtualHost "mydomain.com" -- Change it to your domain
ssl = {
        -- Normal options
            key = "/path_to_your_keys/mydomain.com.key";
            certificate = "/path_to_your_keys/mydomain.com.fullchain.pem";
}

Prosody SSL advanced configuration

To obtain a more secure SSL configuration, I add protocol = "tlsv1_1+"; to allow only TLS V1.1 and superior.

To be able to use EDH-based cipher, I generate the needed DH key with

# openssl dhparam -out /etc/prosody/certs/dh-2048.pem 2048

Be sure that this file is readable by _prosody. Then add dhparam = "/etc/prosody/certs/dh-2048.pem".

I add the following line to select enabled ciphers (see official openssl doc if needed) :

in prosody.cfg.lua

ciphers = "HIGH+kEDH:HIGH+kEECDH:!RSA:!SRP:!PSK:!3DES:!aNULL";

That will allow :

• EDH-based “high strength” ciphersuites first, if dhparam is specified. EDH uses more CPU when establishing connections
• EECDH-based “high strength” ciphersuites, which uses the specified elliptic curve.

Also we explicitly disable :

• RSA ciphersuites. These have no forward-secrecy and are allowed by default, but if your key is compromised or cracked, previously-recorded traffic may be decrypted
• PSK: These ciphersuites require the client and server to already share some secret key. This makes it not particularly useful for the open XMPP network
• SRP: Similar to PSK, these ciphersuites also require a shared password
• 3DES: Triple-DES is an older encryption algorithm that is quite slow. As used in TLS it is also marginally weaker than the more modern AES, though OpenSSL still considers it “high strength”
• aNULL: We disable any ciphersuite that does not allow authenticating the other party.

All that modify the ssl section of prosody.cfg.lua as:

in prosody.cfg.lua

VirtualHost "mydomain.com"
ssl = {
        -- Normal options
            key = "/path_to_your_keys/mydomain.com.key";
            certificate = "/path_to_your_keys/mydomain.com.fullchain.pem";
        -- Advanced options
        protocol = "tlsv1_1+";
        dhparam = "/etc/prosody/certs/dh-2048.pem";
        ciphers = "HIGH+kEDH:HIGH+kEECDH:!RSA:!SRP:!PSK:!3DES:!aNULL";
        options = { cipher_server_preference = true, no_compression = true, cipher_server_preference = true };
}

Start your server !

You can start your XMPP server with :

# prosodyctl start

You can add you first user with :

# prosodyctl adduser admin@mydomain.com

Useful links

• prosody docs : https://prosody.im/doc/
• prosody advanced ssl configuration : https://prosody.im/doc/advancedsslconfig
• openssl ciphers : https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
• online SSL tester for XMPP server : https://www.xmpp.net or https://cryptcheck.fr
• XEP compliance tester : https://compliance.conversations.im/

Comment ?

Should you have any comment on this page, get in touch !