Red bulbs aside

Install Prosody XMPP server on OpenBSD

prosody-0.11.4 on OpenBSD 6.7

Fresh install

Simply :

# pkg_add prosody

Unlock port on your firewall

Ports 5222 (for client to server - c2s) and 5269 (for server to server - s2s) are required so do not forget to open it on your pf.conf.

Using your Let's Encrypt certificate

Obtaining your certificate is already well described by Roman Zotolarev here.

You will obtain :

The user or group _prosody must be able to read these keys, but acme-client will return warnings if the private key is readable by anyone else than root. So choose the folder where you can copy it and make it safely available for _prosody (configuration files and others certs are stored in /etc/prosody/).

If you have followed Roman Zotolarev's tutorial (link above), you have probably set up automatic renewal with crontab. You can just add two cp commands so that useful keys for prosody would be updated too.


0       0       *       *       *       acme-client && rcctl reload httpd && cp /etc/ssl/ /path_to_your_keys/ && cp /etc/ssl/private/ /path_to_your_keys/

Prosody configuration

Configuration is usually stored in /etc/prosody/prosody.cfg.lua. Below an example of a basic and secure configuration :

prosody.cfg.lua example

-- Set it to the XMPP admin account on the server
admins = { "" }

-- Drop privileges
prosody_user = "_prosody"
prosody_group = "_prosody"

-- Enable POSIX-only options
daemonize = true
pidfile = "/var/prosody/"

modules_enabled = {

        -- Generally required
                "roster"; -- Allow users to have a roster. Recommended ;)
                "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
                "tls"; -- Add support for secure TLS on c2s/s2s connections
                "dialback"; -- s2s dialback support
                "disco"; -- Service discovery

        -- Not essential, but recommended
                "carbons"; -- Keep multiple clients in sync
                "pep"; -- Enables users to publish their avatar, mood, activity, playing music and more
                "private"; -- Private XML storage (for room bookmarks, etc.)
                "blocklist"; -- Allow users to block communications with other users
                "vcard4"; -- User profiles (stored in PEP)
                "vcard_legacy"; -- Conversion between legacy vCard and PEP Avatar, vcard

        -- Nice to have
                "version"; -- Replies to server version requests
                "uptime"; -- Report how long server has been running
                "time"; -- Let others know the time here on this server
                "ping"; -- Replies to XMPP pings with pongs
                "register"; -- Allow users to register on this server using a client and change passwords

        -- Admin interfaces
                "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
allow_registration = false
c2s_require_encryption = true
s2s_require_encryption = true
s2s_secure_auth = true
authentication = "internal_hashed"
archive_expires_after = "1w" -- Remove archived messages after 1 week
log = {
        info = "/var/prosody/prosody.log"; -- Check the path and file permissions for _prosody
        error = "/var/prosody/prosody.err"; -- Check the path and file permissions for _prosody
certificates = "certs"
VirtualHost "" -- Change it to your domain
ssl = {
        -- Normal options
            key = "/path_to_your_keys/";
            certificate = "/path_to_your_keys/";

Prosody SSL advanced configuration

To obtain a more secure SSL configuration, I add protocol = "tlsv1_1+"; to allow only TLS V1.1 and superior.

To be able to use EDH-based cipher, I generate the needed DH key with

# openssl dhparam -out /etc/prosody/certs/dh-2048.pem 2048

Be sure that this file is readable by _prosody. Then add dhparam = "/etc/prosody/certs/dh-2048.pem".

I add the following line to select enabled ciphers (see official openssl doc if needed) :

in prosody.cfg.lua


That will allow :

Also we explicitly disable :

All that modify the ssl section of prosody.cfg.lua as:

in prosody.cfg.lua

VirtualHost ""
ssl = {
        -- Normal options
            key = "/path_to_your_keys/";
            certificate = "/path_to_your_keys/";
        -- Advanced options
        protocol = "tlsv1_1+";
        dhparam = "/etc/prosody/certs/dh-2048.pem";
        ciphers = "HIGH+kEDH:HIGH+kEECDH:!RSA:!SRP:!PSK:!3DES:!aNULL";
        options = { cipher_server_preference = true, no_compression = true, cipher_server_preference = true };

Start your server !

You can start your XMPP server with :

# prosodyctl start

You can add you first user with :

# prosodyctl adduser

Comment ?

Should you have any comment on this page, get in touch !

Back to index
Static Website made thanks to ssg