Firewall

The following ports have to be opened in your firewall:

5000/tcp  # SOCKS5 Bytestreams (XEP-0065)
5222/tcp  # XMPP Client-to-Server
5269/tcp  # XMPP Server-to-Server


Prosody

Prosody (formerly lxmppd) is a cross-platform XMPP server written in Lua. Its development goals include low resource usage, ease of use, and extensibility.


Installation

sudo apt install prosody


Configuration

admins = { "user1@quietlife.nl" }

modules_enabled = {

        -- Generally required
                "roster"; -- Allow users to have a roster. Recommended ;)
                "saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
                "tls"; -- Add support for secure TLS on c2s/s2s connections
                "dialback"; -- s2s dialback support
                "disco"; -- Service discovery

        -- Not essential, but recommended
                "private"; -- Private XML storage (for room bookmarks, etc.)
                "vcard"; -- Allow users to set vCards

        -- Nice to have
                "version"; -- Replies to server version requests
                "uptime"; -- Report how long server has been running
                "time"; -- Let others know the time here on this server
                "ping"; -- Replies to XMPP pings with pongs
                "pep"; -- Enables users to publish their mood, activity, playing music and more
                --"register"; -- Allow users to register on this server using a client and change passwords

        -- Admin interfaces
                "admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
                --"admin_telnet"; -- Opens telnet console interface on localhost port 5582

        -- HTTP modules
                --"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
                --"http_files"; -- Serve static files from a directory over HTTP

        -- Other specific functionality
                "posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
};

-- No in-band account creation; accounts are added with prosodyctl instead
allow_registration = false;

ssl = {
        key = "/etc/prosody/certs/localhost.key";
        certificate = "/etc/prosody/certs/localhost.crt";

        -- Only allow modern TLS: disable legacy protocol versions and risky features.
        -- Prosody reads these options from the ssl table; a top-level "options" is ignored.
        options = {
                "no_sslv2", "no_sslv3", "no_tlsv1", "no_tlsv1_1", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use";
        };
}

-- Clients must STARTTLS before they are allowed to authenticate
c2s_require_encryption = true

-- Require remote servers to present valid certificates
s2s_secure_auth = true

-- Store hashed passwords instead of plaintext
authentication = "internal_hashed"
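An added verification script, not part of this page or of Prosody, that opens a plain-text stream on port 5222 and inspects the features the server advertises: with c2s_require_encryption = true the server must mark STARTTLS as required and must not offer SASL mechanisms before TLS. The domain quietlife.nl and the embedded sample reply are constructed examples.

```python
"""Check that a Prosody c2s port enforces c2s_require_encryption (STARTTLS required, no SASL before TLS)."""
import socket
import sys
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"

# Constructed sample of a correctly configured server's reply (not a real capture).
SAMPLE_REPLY = (
    "<?xml version='1.0'?><stream:stream xmlns='jabber:client' "
    f"xmlns:stream='{STREAM_NS}' from='quietlife.nl' id='x1' version='1.0'>"
    f"<stream:features><starttls xmlns='{TLS_NS}'><required/></starttls></stream:features>"
)

def fetch_features(host, domain, port=5222, timeout=5.0):
    """Send a stream header over plain TCP; return the raw reply up to the features."""
    header = (f"<?xml version='1.0'?><stream:stream to='{domain}' xmlns='jabber:client' "
              f"xmlns:stream='{STREAM_NS}' version='1.0'>")
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(header.encode())
        while b"</stream:features>" not in buf and b"</stream:stream>" not in buf:
            chunk = sock.recv(4096)
            if not chunk:  # server closed the connection
                break
            buf += chunk
    return buf.decode(errors="replace")

def inspect_features(stream_text):
    """Return {"starttls": "required"|"optional"|"absent", "sasl_before_tls": bool}."""
    if "</stream:stream>" not in stream_text:  # server leaves the stream open; close it for the parser
        stream_text += "</stream:stream>"
    root = ET.fromstring(stream_text)
    result = {"starttls": "absent", "sasl_before_tls": False}
    features = root.find(f"{{{STREAM_NS}}}features")
    if features is None:  # e.g. the server answered with a <stream:error>
        return result
    starttls = features.find(f"{{{TLS_NS}}}starttls")
    if starttls is not None:
        required = starttls.find(f"{{{TLS_NS}}}required") is not None
        result["starttls"] = "required" if required else "optional"
    result["sasl_before_tls"] = features.find(f"{{{SASL_NS}}}mechanisms") is not None
    return result

if __name__ == "__main__":  # usage: python3 check_c2s.py quietlife.nl
    print(inspect_features(fetch_features(sys.argv[1], sys.argv[1])))
```

Anything other than starttls "required" with sasl_before_tls False means the c2s settings above are not in effect on the running server.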


Virtual hosts

Create a virtual host configuration:

/etc/prosody/conf.avail/quietlife.nl.cfg.lua
VirtualHost "quietlife.nl"

        -- Per-host certificate; overrides the global localhost certificate
        ssl = {
                key = "/etc/prosody/certs/quietlife.nl/privkey.pem";
                certificate = "/etc/prosody/certs/quietlife.nl/fullchain.pem";
        }

Component "conference.quietlife.nl" "muc"     -- Multi-user chat rooms
Component "proxy.quietlife.nl" "proxy65"      -- SOCKS5 bytestream proxy (XEP-0065), listens on 5000/tcp

Enable the configuration:

sudo ln -s /etc/prosody/conf.avail/quietlife.nl.cfg.lua /etc/prosody/conf.d/quietlife.nl.cfg.lua


SSL certificates

Copy your SSL certificates to a directory Prosody can read:

sudo mkdir -p /etc/prosody/certs/quietlife.nl
 
sudo cp /etc/letsencrypt/live/quietlife.nl/fullchain.pem /etc/prosody/certs/quietlife.nl/fullchain.pem
sudo cp /etc/letsencrypt/live/quietlife.nl/privkey.pem /etc/prosody/certs/quietlife.nl/privkey.pem

Set strict permissions:

sudo chown -R root:prosody /etc/prosody/certs/quietlife.nl/
sudo chmod 750 /etc/prosody/certs/quietlife.nl/


Add users

sudo prosodyctl adduser user1@quietlife.nl
sudo prosodyctl adduser user2@quietlife.nl
...


Starting everything up

sudo systemctl restart prosody.service


SSL certificate renewal

Unlike Apache, nginx, Dovecot and Postfix, Prosody does not briefly run as root at startup in order to read its certificates from /etc/ssl/ or /etc/letsencrypt/, so the certificates have to be copied into the /etc/prosody/ directory. If you use Let's Encrypt, this means that you have to refresh those copies every three months.

This can be automated with a script you run as root:

#!/bin/bash
# Copy the renewed Let's Encrypt certificate into Prosody's directory and restart.
set -e

cp /etc/letsencrypt/live/quietlife.nl/fullchain.pem /etc/prosody/certs/quietlife.nl/fullchain.pem
cp /etc/letsencrypt/live/quietlife.nl/privkey.pem /etc/prosody/certs/quietlife.nl/privkey.pem

# root owns the files; only the prosody group may traverse the directory
chown -R root:prosody /etc/prosody/certs/quietlife.nl/
chmod 750 /etc/prosody/certs/quietlife.nl/

systemctl restart prosody.service