The following ports have to be opened in your firewall:

5222/tcp  # XMPP Client-to-Server
5269/tcp  # XMPP Server-to-Server
5281/tcp  # XMPP HTTPS (for file sharing)

Prosody (formerly lxmppd) is a cross-platform XMPP server written in Lua. Its development goals include low resource usage, ease of use, and extensibility.


sudo apt install prosody prosody-modules lua-unbound

Add the prosody user to the ssl-cert group:

sudo usermod -aG ssl-cert prosody


Create a virtual host configuration:

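VirtualHost ""
admins = { "" }
modules_enabled = {
	-- per-host modules, loaded in addition to the global list
}
ssl = {
	certificate = "/etc/prosody/certs/";
	key = "/etc/prosody/certs/";
	protocol = "tlsv1_2+";  -- accept TLS 1.2 and newer only
	dhparam = "/etc/ssl/dhparams.pem";
}

-- Multi-user chat and HTTP file upload components
Component "" "muc"
Component "" "http_file_share"
http_file_share_size_limit = 100000000  -- maximum upload size in bytes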

Enable the configuration:

cd /etc/prosody/conf.d/
sudo ln -s ../conf.avail/ .

SSL certificate creation

Generate a certificate with certbot that covers your base hostname and the conference and upload subdomains:

sudo certbot certonly -d -d -d

If your base hostname is on a subdomain, use sub-subdomains:

sudo certbot certonly -d -d -d

If you already have a certificate for your base hostname, you can expand it to include these subdomains:

sudo certbot certonly --expand -d -d -d

DH parameters generation

If you don't have one already, generate dhparams.pem with openssl:

cd /tmp/
openssl dhparam -out dhparams.pem 4096
sudo mv dhparams.pem /etc/ssl/
sudo chown root:ssl-cert /etc/ssl/dhparams.pem
sudo chmod 640 /etc/ssl/dhparams.pem

SSL certificate import

Unlike Apache, nginx, Dovecot and Postfix, Prosody does not briefly run as root at startup, so it cannot read the certificates in /etc/letsencrypt/. They have to be copied to the /etc/prosody/certs/ directory instead:

sudo prosodyctl --root cert import /etc/letsencrypt/live

SSL certificate renewal

If you use Let's Encrypt, you have to renew your certificates every three months. They also have to be re-imported by Prosody after every renewal. This can be automated with a script you put in /etc/letsencrypt/renewal-hooks/post/:

#!/bin/sh
prosodyctl --root cert import /etc/letsencrypt/live

Make it executable:

sudo chmod +x /etc/letsencrypt/renewal-hooks/post/
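
A check that could be run after each import, given here as an added example that is not part of the original guide: it confirms that the key is not accessible to other users, that it matches the certificate, that the certificate is not about to expire, and that it lists every hostname. The script name, the 14-day threshold and the CERT KEY HOST... argument order are assumptions.

```sh
#!/bin/sh
# Added example: sanity checks for an imported Prosody certificate/key pair.
# Usage: sh check-prosody-cert.sh CERT KEY HOST...   (script name is hypothetical)

# Succeeds only if FILE grants no permissions to "other" (e.g. 640 or 600).
key_perms_ok() {
    mode=$(stat -c '%a' "$1") || return 1   # GNU stat, as on Debian/Ubuntu
    case "$mode" in *0) return 0 ;; *) return 1 ;; esac
}

# Succeeds if the private key belongs to the certificate (same public key).
key_matches_cert() {
    pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    [ "$pub" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Succeeds if the certificate is still valid DAYS days from now.
cert_not_expiring() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Succeeds if every HOST appears as a DNS subjectAltName (exact match only,
# so a wildcard entry does not count). Needs OpenSSL 1.1.1 or newer for -ext.
cert_covers() {
    cert=$1; shift
    sans=$(openssl x509 -in "$cert" -noout -ext subjectAltName) || return 1
    for host in "$@"; do
        printf '%s\n' "$sans" | tr -d ' ' | tr ',' '\n' \
            | grep -qxF "DNS:$host" || { echo "missing SAN: $host" >&2; return 1; }
    done
}

# Runs all checks; the 14-day expiry margin is an assumed threshold.
check_prosody_cert() {
    crt=$1; key=$2; shift 2
    key_perms_ok "$key" || { echo "key is accessible to other users" >&2; return 1; }
    key_matches_cert "$crt" "$key" || { echo "key does not match certificate" >&2; return 1; }
    cert_not_expiring "$crt" 14 || { echo "certificate expires within 14 days" >&2; return 1; }
    cert_covers "$crt" "$@"
}

# Only act when called with CERT, KEY and at least one HOST.
if [ "$#" -ge 3 ]; then
    check_prosody_cert "$@"
fi
```

Pass the certificate and key paths from /etc/prosody/certs/ followed by the base hostname and the two subdomains; a non-zero exit status means one of the checks failed.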

Restart Prosody

sudo systemctl restart prosody.service

Create the user accounts:

sudo prosodyctl adduser
sudo prosodyctl adduser