Comment by yosamino

4 days ago

I've run an XMPP server in various states of professionalism for around 20 years now. From mom's basement all the way to a colocated server with a similar setup that's described in the post.

The only caveat I have not been able to solve is hosting an xmpp server for a different domain, like it's possible with email.

A client connecting the account joe.doe@example.ORG will find the server it wants to connect to via SRV to be , e.g., xmpp14.example.COM and expect a TLS certificate for "example.ORG" which that server does not have (nor can/should easily get) - which makes sense in a lot of ways, but limits the ways one can offer hosting services.

If anyone has creative solutions I'm all ears.

9 comments

yosamino

singpolyma3 4 days ago

You need a certificate for the domain you are going to serve of course. You can get one with ACME DNS challenges pretty easily (I have my clients set up a CNAME for the _acme-challenge subdomain of their domain).

yosamino 4 days ago
I worded that poorly.
Yes, that is of course correct. But that means that your clients have to trust you without technical safeguards, that you will not use this to get for certificates for purposes other than XMPP.
Which, in my mind, is a problem if the domain is not used just for XMPP, but lets say for a website as well.
- Joe_Cool 4 days ago
  
  You should be able to do that via DNS SRV entries.
  _xmpp-client._tcp.domain.tld. TTL IN SRV priority weight port target _xmpps-client._tcp.domain.tld. TTL IN SRV priority weight port target example: _xmpp-client._tcp.not-my-domain.com. 3599 IN SRV 5 0 5222 jabber.my-domain.com.
  You could also build a reverse proxy setup. Then you wouldn't need the keys to the SSL certs. But that is probably overkill to run at your client: https://wiki.xmpp.org/web/Tech_pages/XEP-0368
  I don't think I have seen a client complain about the cert being for jabber.my-domain.com Which one is giving trouble there?
  source: https://datatracker.ietf.org/doc/html/rfc6120
  https://wiki.xmpp.org/web/SRV_Records
  
  1 reply →
- singpolyma3 4 days ago
  
  Yes there is a new DNS challenge coming which will make this even easier.

nicoco 4 days ago

I know at least two services that offer hosting with your own domain: https://my.snikket.org/ and https://account.conversations.im/domain/ so I suppose it is not that complex to setup.

yosamino 4 days ago
Correct, but that means you cannot share that domain securely with, let's say, a website. No ?
- nicoco 4 days ago
  
  TBH I am not well-versed into DNS and certificates and security, but I guess you have to trust your provider with a certificate for `example.com` if you allow them to manage JIDs of the form `anything@example.com`, indeed. Again, I am not very knowledgeable about the subject, so take this with a grain of salt.

fluoridation 4 days ago

I've always just used self-signed certificates. On first connect, the client will ask the user to trust your CA. There's no real difference in terms of security.