Securing XMPP

Revision as of 22:25, 3 January 2014 by Zash (→Prosody: Manifesto says to fallback to dialback, s2s_secure_auth would disable that)

Aim: Encrypt All XMPP Connections

This page provides instructions for XMPP server administrators to secure XMPP client and server connections in time for the following ubiquitous encryption manifesto test days:

  • January 4, 2014 - first test day requiring encryption
  • February 22, 2014 - second test day
  • March 22, 2014 - third test day
  • April 19, 2014 - fourth test day
  • May 19, 2014 - permanent upgrade to encrypted network

To achieve this, we need to:

  • Encrypt connections between clients and servers (c2s)
  • Encrypt server to server connections (s2s)

Step1: Get a server certificate

Let's say you run an XMPP service for (jids of, you will need to order a certificate for with a subject or alt-name of (not from your preferred cert provider (StartSSL offers free certificates and is quite good).

Step 2: Configure your DNS

Ensure that the following DNS records are set:

 18000 IN SRV 0 5 5269
 18000 A        # you must have an A record for your server

You can test your DNS setup at

You may also want to Secure your DNS with DNSSEC

Step 3: Disable cleartext connections

These instructions disable cleartext communication on both client (c2s) and server-to-server (s2s) connections.

Configure ejabberd.conf

 {listen, [
   % Ordinary client-2-server service; starttls_required refuses clients that do not negotiate TLS
   {5222, ejabberd_c2s, [{access, c2s},
                         starttls_required, {certfile, "/etc/ssl/certs/ejabberd.pem"},
                         {shaper, c2s_shaper}]},
   % ... remaining listeners ...
 ]}.
 % Use STARTTLS+Dialback for S2S connections.
 % 'true' is a deprecated alias for 'optional' and still accepts cleartext s2s;
 % 'required' refuses unencrypted s2s while keeping dialback for authentication.
 {s2s_use_starttls, required}.
 {s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.


Ensure that prosody.cfg.lua contains the following settings in the global section of your config, or under the specific VirtualHost you want to secure:

 c2s_require_encryption = true
 s2s_require_encryption = true

Further help:

See for more details:

--vhost-tls-required = true

By default Tigase reads VHost certificates from the certs/ subdirectory, matching the domain name against the .pem filename of the certificate. Alternatively, the certificate for a particular vhost can be specified explicitly in

  • TLS for s2s connections is enabled by default; there is no option to make it required. Certain domains can be configured to skip TLS for s2s with the following setting (for more information, see --s2s-skip-tls-hostnames):
--s2s-skip-tls-hostnames = domain1,domain2

Step 4: Check your XMPP Security

Test your XMPP security to be sure.
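One way to check the c2s side yourself, as an added example that is not part of the wiki page: the script below opens a cleartext stream the way a client does, reads the server's `<stream:features>`, and reports whether STARTTLS is offered and marked `<required/>`, which is what the c2s settings above should produce. The host, domain and sample reply are assumptions constructed for the example.

```python
import socket
import xml.etree.ElementTree as ET

NS_STREAM = "http://etherx.jabber.org/streams"
NS_TLS = "urn:ietf:params:xml:ns:xmpp-tls"


def stream_header(domain):
    """Client-side opening tag for a c2s stream to `domain`."""
    return ("<?xml version='1.0'?><stream:stream to='%s' xmlns='jabber:client' "
            "xmlns:stream='%s' version='1.0'>" % (domain, NS_STREAM))


def parse_features(raw):
    """Return (offered, required) for STARTTLS from the server's stream start.

    The server's <stream:stream> is never closed, so only the complete
    <stream:features> fragment is parsed, under a root that binds the
    'stream' prefix the real (unclosed) outer element would have bound.
    """
    start, end = raw.find("<stream:features"), raw.find("</stream:features>")
    if start < 0 or end < 0:
        return (False, False)
    fragment = raw[start:end + len("</stream:features>")]
    root = ET.fromstring("<r xmlns:stream='%s'>%s</r>" % (NS_STREAM, fragment))
    starttls = root.find("./{%s}features/{%s}starttls" % (NS_STREAM, NS_TLS))
    if starttls is None:
        return (False, False)
    return (True, starttls.find("{%s}required" % NS_TLS) is not None)


def probe(host, domain, port=5222, timeout=5.0):
    """Open a cleartext stream to host:port and read its features (network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(stream_header(domain).encode())
        buf = b""
        while b"</stream:features>" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
        sock.sendall(b"</stream:stream>")
    return parse_features(buf.decode(errors="replace"))


# Constructed sample of the reply a correctly configured server gives.
SAMPLE_REQUIRED = (
    "<?xml version='1.0'?><stream:stream xmlns='jabber:client' "
    "xmlns:stream='http://etherx.jabber.org/streams' id='x1' version='1.0'>"
    "<stream:features><starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'>"
    "<required/></starttls></stream:features>")
```

Run it against your own server with `probe("xmpp.example.net", "example.net")` (hypothetical names); an `(True, False)` result means TLS is offered but cleartext logins are still accepted.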