The following ports have to be opened in your firewall:

5000/tcp  # SOCKS5 Bytestreams (XEP-0065)
5222/tcp  # XMPP Client-to-Server
5269/tcp  # XMPP Server-to-Server

Prosody (formerly lxmppd) is a cross-platform XMPP server written in Lua. Its development goals include low resource usage, ease of use, and extensibility.


sudo apt install prosody prosody-modules


admins = { "" }
modules_enabled = {
        -- Generally required
                "roster"; -- Allow users to have a roster. Recommended ;)
                "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
                "tls"; -- Add support for secure TLS on c2s/s2s connections
                "dialback"; -- s2s dialback support
                "disco"; -- Service discovery
        -- Not essential, but recommended
                "private"; -- Private XML storage (for room bookmarks, etc.)
                "vcard"; -- Allow users to set vCards
        -- Nice to have
                "version"; -- Replies to server version requests
                "uptime"; -- Report how long server has been running
                "time"; -- Let others know the time here on this server
                "ping"; -- Replies to XMPP pings with pongs
                "pep"; -- Enables users to publish their mood, activity, playing music and more
                --"register"; -- Allow users to register on this server using a client and change passwords
        -- Admin interfaces
                "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
                --"admin_telnet"; -- Opens telnet console interface on localhost port 5582
        -- HTTP modules
                --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
                --"http_files"; -- Serve static files from a directory over HTTP
        -- Other specific functionality
                "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
};
allow_registration = false;
ssl = {
        key = "/etc/prosody/certs/localhost.key";
        certificate = "/etc/prosody/certs/localhost.crt";
        -- Disable old protocol versions, session tickets and compression; prefer the server's cipher order
        options = {
                "no_sslv2", "no_sslv3", "no_tlsv1", "no_tlsv1_1", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use";
        };
};
c2s_require_encryption = true
s2s_secure_auth = true
authentication = "internal_hashed"

Virtual hosts

Create a virtual host configuration:

VirtualHost ""
        ssl = {
                key = "/etc/prosody/certs/";
                certificate = "/etc/prosody/certs/";
        }
Component "" "muc"
Component "" "proxy65"

Enable the configuration:

sudo ln -s /etc/prosody/conf.avail/ /etc/prosody/conf.d/

SSL certificates

Copy your SSL certificates to a directory Prosody can read:

sudo mkdir -p /etc/prosody/certs/
sudo cp /etc/letsencrypt/live/ /etc/prosody/certs/
sudo cp /etc/letsencrypt/live/ /etc/prosody/certs/

Set strict permissions:

sudo chown -R root:prosody /etc/prosody/certs/
sudo chmod 750 /etc/prosody/certs/

Add users

sudo prosodyctl adduser
sudo prosodyctl adduser

sudo systemctl restart prosody.service

Unlike Apache, nginx, Dovecot and Postfix, Prosody does not briefly run as root at startup in order to read from /etc/ssl/ or /etc/letsencrypt/, so certificates have to be copied to the /etc/prosody/ directory. If you use Let's Encrypt, this means that you have to refresh those copies every three months.

This can be automated with a script you put in /etc/letsencrypt/renewal-hooks/post/:

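#!/bin/sh
# Refresh the copies that Prosody reads
cp /etc/letsencrypt/live/ /etc/prosody/certs/
cp /etc/letsencrypt/live/ /etc/prosody/certs/
# Keep the copies readable by root and the prosody group only
chown -R root:prosody /etc/prosody/certs/
chmod 750 /etc/prosody/certs/
chmod 640 /etc/prosody/certs/*
# Make Prosody pick up the new certificate
systemctl reload prosody.service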
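
A check to run after the renewal hook, as an added example that is not part of the original page: it reports anything under the certificate directory that other users can access or the group can write, and copies that no longer match the certbot output. The function names are made up for this example, and all paths are passed as arguments because the file names above are truncated.

```shell
#!/bin/sh
# Added example, not from the original page. Function names are hypothetical;
# paths are arguments because the page's own file names are truncated.

# check_cert_dir DIR
# Reports anything under DIR that "other" can read, write or traverse, and
# any regular file the group can write (the page sets 750 on the directory
# and 640 on the files). Returns 0 when clean, 1 when there is a finding.
check_cert_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    # -perm -NNN matches when every bit in NNN is set. Symlinks are skipped
    # because their own mode bits carry no meaning.
    world=$(find "$dir" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
    groupw=$(find "$dir" -type f -perm -020 -print)
    [ -z "$world" ] || echo "$world" | sed 's/^/accessible to other: /'
    [ -z "$groupw" ] || echo "$groupw" | sed 's/^/group-writable: /'
    [ -z "$world$groupw" ]
}

# check_cert_copy SRC DST
# Reports a copy that is missing or no longer byte-identical to the certbot
# file it was taken from, i.e. a renewal the hook did not pick up.
# SRC may be a symlink, as the files under /etc/letsencrypt/live/ are.
check_cert_copy() {
    src=$1
    dst=$2
    [ -f "$dst" ] || { echo "missing copy: $dst"; return 1; }
    [ -f "$src" ] || { echo "missing source: $src"; return 1; }
    cmp -s "$src" "$dst" || { echo "stale copy: $dst differs from $src"; return 1; }
}
```

Run both functions as root, once per source and copy pair, and treat any printed line as a failed renewal or a permissions regression.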

  • manuals/servers/xmpp.txt
  • Last modified: 2021/11/23 17:20
  • by Kevin Keijzer