manuals:servers:xmpp


The following ports have to be opened in your firewall:

5222/tcp  # XMPP Client-to-Server
5269/tcp  # XMPP Server-to-Server
5281/tcp  # XMPP HTTPS (for file sharing)


Prosody (formerly lxmppd) is a cross-platform XMPP server written in Lua. Its development goals include low resource usage, ease of use, and extensibility.


Installation

sudo apt install prosody prosody-modules lua-unbound

Add the prosody user to the ssl-cert group:

sudo usermod -aG ssl-cert prosody


Configuration

Create a virtual host configuration:

/etc/prosody/conf.avail/quietlife.nl.cfg.lua
VirtualHost "quietlife.nl"
 
admins = { "user1@quietlife.nl" }
 
modules_enabled = {
		"carbons";
		"cloud_notify";
		"mam";
		"smacks";
}
 
ssl = {
		certificate = "/etc/prosody/certs/quietlife.nl.crt";
		key = "/etc/prosody/certs/quietlife.nl.key";
		protocol = "tlsv1_2+";
		ciphers = "EECDH+AESGCM:EDH+AESGCM";
		dhparam = "/etc/ssl/dhparams.pem";
}
 
Component "conference.quietlife.nl" "muc"
Component "upload.quietlife.nl" "http_file_share"
http_file_share_size_limit = 100000000

Enable the configuration:

cd /etc/prosody/conf.d/
sudo ln -s ../conf.avail/quietlife.nl.cfg.lua .
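A quick way to sanity-check the ssl table above before restarting Prosody, as an added example that is not part of the original page or of Prosody itself: it parses only the flat `name = "value";` entries the page's config uses, and the sample config embedded below is constructed from that config.

```python
# Added example (not from the page or from Prosody): check the ssl table of a
# Prosody virtual host config for the settings the page relies on. Only flat
# `name = "value";` entries are parsed; SAMPLE_CFG is constructed from the page.
import re

SAMPLE_CFG = '''
VirtualHost "quietlife.nl"

ssl = {
        certificate = "/etc/prosody/certs/quietlife.nl.crt";
        key = "/etc/prosody/certs/quietlife.nl.key";
        protocol = "tlsv1_2+";
        ciphers = "EECDH+AESGCM:EDH+AESGCM";
        dhparam = "/etc/ssl/dhparams.pem";
}
'''

SSL_BLOCK = re.compile(r'^\s*ssl\s*=\s*\{(.*?)^\s*\}', re.S | re.M)
ENTRY = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
OK_PROTOCOLS = {"tlsv1_2", "tlsv1_2+", "tlsv1_3", "tlsv1_3+"}
DHE_TOKENS = {"EDH", "DHE", "kEDH", "kDHE"}
WEAK_TOKENS = {"RC4", "DES", "3DES", "MD5", "NULL", "aNULL", "EXPORT", "EXP"}

def parse_ssl_block(cfg):
    """Return the ssl table entries as a dict ({} if there is no ssl table)."""
    m = SSL_BLOCK.search(cfg)
    return dict(ENTRY.findall(m.group(1))) if m else {}

def check_ssl(cfg):
    """Return a list of findings; an empty list means nothing was flagged."""
    ssl = parse_ssl_block(cfg)
    if not ssl:
        return ["no ssl table found"]
    findings = [f"missing {k}" for k in ("certificate", "key") if k not in ssl]
    proto = ssl.get("protocol", "")
    if proto not in OK_PROTOCOLS:
        findings.append(f"protocol {proto!r} allows TLS < 1.2")
    # Cipher tokens are separated by ':' and combined with '+'; tokens that
    # start with '!' are exclusions and so are not flagged.
    raw = re.split(r"[:+]", ssl.get("ciphers", ""))
    tokens = {t for t in raw if t and not t.startswith("!")}
    for weak in sorted(tokens & WEAK_TOKENS):
        findings.append(f"weak cipher token {weak}")
    # EDH/DHE suites need the dhparam file the page generates with openssl.
    if tokens & DHE_TOKENS and "dhparam" not in ssl:
        findings.append("DHE ciphers enabled but no dhparam file set")
    return findings

if __name__ == "__main__":
    print(check_ssl(SAMPLE_CFG) or "no findings")
```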


SSL certificate creation

Generate a certificate with certbot that covers your base hostname and the conference and upload subdomains:

sudo certbot certonly -d quietlife.nl -d conference.quietlife.nl -d upload.quietlife.nl

If your base hostname is itself a subdomain, use sub-subdomains:

sudo certbot certonly -d chat.quietlife.nl -d conference.chat.quietlife.nl -d upload.chat.quietlife.nl

If you already have a certificate for your base hostname, you can expand it to include these subdomains:

sudo certbot certonly --expand -d quietlife.nl -d conference.quietlife.nl -d upload.quietlife.nl


DH parameters generation

If you don't have one already, generate dhparams.pem with openssl:

cd /tmp/
openssl dhparam -out dhparams.pem 4096
sudo mv dhparams.pem /etc/ssl/
sudo chown root:ssl-cert /etc/ssl/dhparams.pem
sudo chmod 640 /etc/ssl/dhparams.pem


SSL certificate import

Unlike Apache, nginx, Dovecot and Postfix, Prosody does not briefly run as root at startup, so it cannot read its certificates from /etc/letsencrypt/ directly. The certificates therefore have to be copied into the /etc/prosody/certs/ directory:

sudo prosodyctl --root cert import quietlife.nl /etc/letsencrypt/live


SSL certificate renewal

If you use Let's Encrypt, you have to renew your certificates every three months. They also have to be re-imported into Prosody after every renewal. This can be automated with a script placed in /etc/letsencrypt/renewal-hooks/post/:

/etc/letsencrypt/renewal-hooks/post/prosody.sh
#!/bin/sh
prosodyctl --root cert import quietlife.nl /etc/letsencrypt/live

Make it executable:

sudo chmod +x /etc/letsencrypt/renewal-hooks/post/prosody.sh


Restart Prosody

sudo systemctl restart prosody.service


Add users

Create the user accounts:

sudo prosodyctl adduser user1@quietlife.nl
sudo prosodyctl adduser user2@quietlife.nl
...