Install ejabberd v14.07 on CentOS v7.x
As of writing, ejabberd was not available as a binary RPM for EL7. This document describes building a binary RPM. Alternatively, a vendor-supplied binary blob can be used for installation.
Create a VM with:
- 512 MB RAM
- 2 cores
- 8 GB root disk
This is a fresh, upgrade-style installation. The following environment, as per the existing installation document, is already in place:
- DNS SRV records
- an HTTPS reverse proxy in front of the management web UI
- signed server-to-server (s2s) and client-to-server (c2s) certificates
The jabber server:
- is small, with very low traffic
- uses local (internal) authentication
- has preregistered users only
- uses the built-in Mnesia database (no MySQL, no PostgreSQL)
- is non-clustered
- listens on IPv4 and IPv6
Install
Install the EPEL repository and the ejabberd RPM:
```shell
# rpm -Uvh http://download.fedoraproject.org/pub/epel/7/x86_64/e/epel-release-7-2.noarch.rpm
# yum install http://files.lucidsolutions.co.nz/linux/centos/ejabberd-el7/ejabberd-14.07-6.el7.centos.x86_64.rpm
```
Configure
Edit '/etc/ejabberd/ejabberd.yml' as required.
Start
Enable and start the systemd based service:
```shell
# systemctl enable ejabberd
# systemctl start ejabberd
```
Firewall
Add the following IPv4 firewall rules:
```
# xmpp (client and server)
-A tcpIn -p tcp -m tcp --dport 5222 -m conntrack --ctstate NEW -j ACCEPT
-A tcpIn -p tcp -m tcp --dport 5269 -m conntrack --ctstate NEW -j ACCEPT
-A tcpOut -p tcp -m tcp --dport 5269 -m conntrack --ctstate NEW -j ACCEPT
# ejabberd web interface
-A tcpIn -p tcp -m tcp --dport 5280 --source 10.20.0.0/16 -m state --state NEW -j ACCEPT
```
Add the following IPv6 firewall rules:
```
# xmpp (client and server)
-A tcpIn -p tcp -m tcp --dport 5222 -m conntrack --ctstate NEW -j ACCEPT
-A tcpIn -p tcp -m tcp --dport 5269 -m conntrack --ctstate NEW -j ACCEPT
-A tcpOut -p tcp -m tcp --dport 5269 -m conntrack --ctstate NEW -j ACCEPT
# ejabberd web interface
-A tcpIn -p tcp -m tcp --dport 5280 --source fd0c:898b:471c/48 -m state --state NEW -j ACCEPT
```
Ports
Port | Usage | Description
---|---|---
5222 | c2s | Client to server communication. Must be publicly accessible.
5269 | s2s | Server to server communication. This needs to be publicly accessible to allow incoming federated connections.
5280 | http | ejabberd HTTP web interface.
4560 | xmlrpc | ejabberd XML-RPC port.
4369 | epmd | Erlang port mapper daemon. Required by Erlang. If a cluster environment is set up then this must be accessible by the cluster nodes.
xxxxx | ejabberd | A high port number used by ejabberd for communication between nodes in a cluster environment. This can be found in epmd with 'epmd -names'. It can be constrained to a port range with the FIREWALL_WINDOW setting in '/etc/ejabberd/ejabberdctl.cfg'.
Configure accounts
Create a master administrator account from the command line. Note that the Erlang cookie file used by ejabberdctl must be the same as the one used by the ejabberd process (which runs as the 'ejabberd' user), so copy it first:
```shell
# cp /var/lib/ejabberd/.erlang.cookie ~/.erlang.cookie
# ejabberdctl register admin lucidsolutions.co.nz PmBdEmu7krraQGVocLvniee3qa8oD7
```
Verify TLS support
Use the IM Observatory page to verify the status of the server:
- https://xmpp.net/result.php?domain=lucidsolutions.co.nz&type=server
- https://xmpp.net/result.php?domain=lucidsolutions.co.nz&type=client
They even provide a badge:
Links
Documentation
Verification
- https://kingant.net/check_xmpp_dns/?h=lucidsolutions.co.nz
- https://www.olark.com/gtalk/check_srv (for google domains only)
Source
- https://github.com/processone/ejabberd/
- https://github.com/processone/ejabberd/blob/master/ejabberd.yml.example
TLS
Misc
- http://gstlt.info/2012/06/ejabberd-backup-made-simple/
- http://uwot.eu/blog/2014/08/centos-ejabberd-chatsecure-a-new-era-for-xmpp/
Appendices
TLS verification
```shell
$ openssl s_client -connect [::1]:5269 -starttls xmpp
$ openssl s_client -connect 127.0.0.1:5269 -starttls xmpp
$ openssl s_client -connect [::1]:5222 -starttls xmpp
$ openssl s_client -connect 127.0.0.1:5222 -starttls xmpp
```
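The openssl checks only show that a TLS handshake completes. The script below is an added example (not from the original page or the ejabberd project): it speaks enough XMPP to read the server's stream features, reports whether STARTTLS is advertised as optional or required (which is what s2s_use_starttls controls on the s2s listener), then upgrades the connection with certificate and hostname verification and returns the negotiated protocol, cipher and certificate subject. The host, port and domain in the main block are the loopback targets used above; SAMPLE_FEATURES is a constructed stanza for offline use.

```python
"""Probe an XMPP listener for its STARTTLS offer and negotiated TLS parameters (added example)."""
import socket
import ssl
import xml.etree.ElementTree as ET

STREAM_NS = {"c2s": "jabber:client", "s2s": "jabber:server"}
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"
STREAMS_NS = "http://etherx.jabber.org/streams"
# Constructed sample of the features a listener sends when STARTTLS is mandatory.
SAMPLE_FEATURES = ("<stream:features><starttls xmlns='%s'><required/></starttls>"
                   "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
                   "<mechanism>PLAIN</mechanism></mechanisms></stream:features>" % TLS_NS)

def starttls_offer(features_xml):
    """Classify a <stream:features> fragment as 'required', 'optional' or 'none'."""
    # The fragment uses the stream: prefix without declaring it; bind it on a wrapper root.
    root = ET.fromstring('<r xmlns:stream="%s">%s</r>' % (STREAMS_NS, features_xml))
    starttls = root.find(".//{%s}starttls" % TLS_NS)
    if starttls is None:
        return "none"
    return "required" if starttls.find("{%s}required" % TLS_NS) is not None else "optional"

def probe(host, port, kind, domain, timeout=5.0):
    """Return (offer, tls_version, cipher_name, certificate_common_name) for one listener."""
    sock = socket.create_connection((host, port), timeout)
    sock.sendall(("<?xml version='1.0'?><stream:stream to='%s' xmlns='%s' xmlns:stream='%s' "
                  "version='1.0'>" % (domain, STREAM_NS[kind], STREAMS_NS)).encode())
    buf = b""
    while b"</stream:features>" not in buf and b"<stream:features/>" not in buf:
        chunk = sock.recv(4096)  # read until the features element is complete
        if not chunk:
            raise RuntimeError("stream closed before <stream:features>")
        buf += chunk
    text = buf.decode()
    offer = starttls_offer(text[text.index("<stream:features"):])
    if offer == "none":
        sock.close()
        return offer, None, None, None
    sock.sendall(("<starttls xmlns='%s'/>" % TLS_NS).encode())
    if b"<proceed" not in sock.recv(4096):
        raise RuntimeError("server refused STARTTLS")
    # The default context verifies the chain and hostname, so a bad certificate fails here.
    tls = ssl.create_default_context().wrap_socket(sock, server_hostname=domain)
    subject = dict(pair[0] for pair in tls.getpeercert()["subject"])
    result = (offer, tls.version(), tls.cipher()[0], subject.get("commonName"))
    tls.close()
    return result

if __name__ == "__main__":  # same loopback target as the openssl checks above
    print(probe("127.0.0.1", 5269, "s2s", "lucidsolutions.co.nz"))
```

With s2s_use_starttls set to optional, as in the configuration below, the s2s probe reports "optional"; switching the setting to required makes it report "required".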
ejabberd configuration
ejabberd v14 uses a YAML configuration file:
```yaml
### =======
### LOGGING

loglevel: 4
log_rotate_size: 10485760
log_rotate_date: ""
log_rotate_count: 1
log_rate_limit: 100

### ================
### SERVED HOSTNAMES

hosts:
  - "lucidsolutions.co.nz"

### ===============
### LISTENING PORTS

listen:
  -
    ip: "::"
    port: 5222
    module: ejabberd_c2s
    certfile: "/etc/ejabberd/ejabberd-c2s.pem"
    ciphers: "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
    starttls: true
    protocol_options:
      - "no_sslv3"
    max_stanza_size: 65536
    shaper: c2s_shaper
    access: c2s
  -
    ip: "::"
    port: 5269
    module: ejabberd_s2s_in
  -
    ip: "127.0.0.1"
    port: 4560
    module: ejabberd_xmlrpc
  -
    ip: "::1"
    port: 4560
    module: ejabberd_xmlrpc
  -
    port: 5280
    module: ejabberd_http
    ## request_handlers:
    ##   "/pub/archive": mod_http_fileserver
    web_admin: true
    http_poll: true
    http_bind: true
    ## register: true
    captcha: true

#s2s_use_starttls: required
s2s_use_starttls: optional
s2s_certfile: "/etc/ejabberd/ejabberd-s2s.pem"
s2s_ciphers: "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
s2s_protocol_options:
  - "no_sslv3"
host_config:
  "lucidsolutions.co.nz":
    domain_certfile: "/etc/ejabberd/ejabberd-s2s.pem"
outgoing_s2s_families:
  - ipv4
  - ipv6

### ==============
### AUTHENTICATION

auth_method: internal

### ===============
### TRAFFIC SHAPERS

shaper:
  normal: 1000
  fast: 50000

##
## This option specifies the maximum number of elements in the queue
## of the FSM. Refer to the documentation for details.
##
max_fsm_queue: 1000

###.  ====================
###'  ACCESS CONTROL LISTS

acl:
  admin:
    user:
      - "admin": "lucidsolutions.co.nz"

  ## Local users: don't modify this.
  local:
    user_regexp: ""

  ##
  ## Loopback network
  ##
  loopback:
    ip:
      - "127.0.0.0/8"
      - "::1"

### ============
### ACCESS RULES

access:
  ## Maximum number of simultaneous sessions allowed for a single user:
  max_user_sessions:
    all: 10
  ## Maximum number of offline messages that users can have:
  max_user_offline_messages:
    admin: 5000
    all: 100
  ## This rule allows access only for local users:
  local:
    local: allow
  ## Only non-blocked users can use c2s connections:
  c2s:
    blocked: deny
    all: allow
  ## For C2S connections, all users except admins use the "normal" shaper
  c2s_shaper:
    admin: none
    all: normal
  ## All S2S connections use the "fast" shaper
  s2s_shaper:
    all: fast
  ## Only admins can send announcement messages:
  announce:
    admin: allow
  ## Only admins can use the configuration interface:
  configure:
    admin: allow
  ## Admins of this server are also admins of the MUC service:
  muc_admin:
    admin: allow
  ## Only accounts of the local ejabberd server can create rooms:
  muc_create:
    local: allow
  ## All users are allowed to use the MUC service:
  muc:
    all: allow
  ## Only accounts on the local ejabberd server can create Pubsub nodes:
  pubsub_createnode:
    local: allow
  ## In-band registration allows registration of any possible username.
  ## To disable in-band registration, replace 'allow' with 'deny'.
  register:
    all: deny
  ## Only allow to register from localhost
  trusted_network:
    loopback: allow
  ## Do not establish S2S connections with bad servers
  ## s2s:
  ##   bad_servers: deny
  ##   all: allow

### ================
### DEFAULT LANGUAGE

language: "en"

### =======
### MODULES

modules:
  mod_adhoc: {}
  mod_announce: # recommends mod_adhoc
    access: announce
  mod_blocking: {} # requires mod_privacy
  mod_caps: {}
  mod_carboncopy: {}
  mod_configure: {} # requires mod_adhoc
  mod_disco: {}
  ## mod_echo: {}
  mod_irc: {}
  mod_http_bind: {}
  ## mod_http_fileserver:
  ##   docroot: "/var/www"
  ##   accesslog: "/var/log/ejabberd/access.log"
  mod_last: {}
  mod_muc:
    ## host: "conference.@HOST@"
    access: muc
    access_create: muc_create
    access_persistent: muc_create
    access_admin: muc_admin
  ## mod_muc_log: {}
  mod_offline:
    access_max_user_messages: max_user_offline_messages
  mod_ping: {}
  ## mod_pres_counter:
  ##   count: 5
  ##   interval: 60
  mod_privacy: {}
  mod_private: {}
  ## mod_proxy65: {}
  mod_pubsub:
    access_createnode: pubsub_createnode
    ## reduces resource consumption, but XEP incompliant
    ignore_pep_from_offline: true
    ## XEP compliant, but increases resource consumption
    ## ignore_pep_from_offline: false
    last_item_cache: false
    plugins:
      - "flat"
      - "hometree"
      - "pep" # pep requires mod_caps
  mod_register:
    welcome_message:
      subject: "Welcome!"
      body: |-
        Hi.
        Welcome to this XMPP server.
    ## registration_watchers:
    ##   - "admin1@example.org"
    ip_access: trusted_network
    access: register
  mod_roster: {}
  mod_shared_roster: {}
  mod_stats: {}
  mod_time: {}
  mod_vcard: {}
  mod_version: {}
```
Installation
yum install