This is out-dated documentation. Please go to http://jabberd.org/ for up-to-date documentation.
Copyright © 1999 - 2004 The Jabber Manual Team
How to install, configure, and administer the jabberd 1.4.x server.
This document describes how to install, configure, and administer jabberd 1.4.x.
The jabberd server is the original open-source server implementation of the Jabber protocol, and is the most popular software for deploying Jabber either inside a company or as a public IM service. However, there exist numerous other Jabber server implementations, including a number of open-source projects as well as commercial offerings (see the server software list). As the organization that manages the Jabber protocol, the Jabber Software Foundation (JSF) does not discriminate between Jabber implementations. At the same time, the JSF recognizes that most Jabber deployments start out by using the jabberd server, and thus has attempted to encourage the spread of Jabber technology by documenting how to install, configure, and administer the jabberd server.
For support related to jabberd, server administrators are encouraged to subscribe to the JADMIN mailing list (archive). For further information about Jabber, refer to the website of the Jabber Software Foundation.
The Jabber project was started by Jeremie Miller in 1998 as a free and open alternative to the proprietary IM services offered by AIM, ICQ, MSN, and Yahoo. The first public notice of the project occurred on Slashdot in January 1999. The core of the Jabber project has always been the jabberd server, a modular server that is written in C and that uses the GNU pth threading library. After over a year of development, jabberd 1.0 was released in May 2000. The interim 1.2 version was released in October 2000, followed by version 1.4 in January 2001, version 1.4.1 in April 2001, version 1.4.2 in February 2002, and version 1.4.3 in November 2003.
jabberd 2 is being developed concurrently with jabberd 1.4.x; its first stable release was in December 2003. jabberd 2 is practically a rewrite from scratch and, for example, features SQL support.
The jabberd 1.4.x server aims to be fully compliant with the XMPP protocol managed by the Jabber Software Foundation. However, as the XMPP protocol is a recent standard, jabberd 1.4.3 does not provide some XMPP features. Nevertheless, it is able to connect with both XMPP compliant servers and clients.
In essence, a Jabber server does the following:
accepts TCP socket connections from compatible clients and server-side components
manages XML streams to and from those clients and components
delivers the core Jabber data types (<message/>, <presence/>, and <iq/>) to authorized clients and components
maintains session information for connected clients (usually IM users)
if necessary, opens connections to and validates connections from other Jabber servers, then routes data to them
stores information on behalf of components and especially IM users, including each user's contact list and some client preferences
Additional features -- such as multi-user chat, user directories, and interoperability with legacy IM systems (AIM, ICQ, MSN, and Yahoo) -- are not part of the core messaging and presence functionality of a Jabber server and therefore are not addressed in this guide. Please see the Jabber Component Guide for further information about adding these features to your Jabber server.
Before installing any piece of software, and especially a fairly major element of network infrastructure such as a Jabber server, it is important to assess your needs and plan your deployment. Jabber servers are currently in use within a wide variety of environments, including:
small development teams
small to midsize company intranets
colleges and universities
Internet service providers
large company intranets
How you use your Jabber server will obviously influence the decisions you make regarding hardware, operating system, bandwidth, network configuration, firewalls, security, database connectivity, and so on. One major decision you need to make at the beginning is the operating system on which you will run your Jabber server. The jabberd server was designed for and developed on Linux and various other flavors of Unix (including AIX, Solaris, HP-UX, BSD, and Mac OS X). While the jabberd server has been ported to Windows, that port is not perfect and is not recommended for regular use. (This document does not address the Windows port.)
In addition, it is important to think about the breadth of service you want to offer. Do you need only simple one-to-one messaging and presence, or do you also want to offer multi-user chat? Do you want to run a directory of users on your server? Do you want the users of your Jabber server to communicate with users on legacy IM services like AIM, ICQ, MSN, Yahoo? These services are not part of the default jabberd installation and must be provided using add-on components. While this improves the user experience, it also makes your deployment more complicated and therefore more difficult to administer. (For details, refer to the Jabber Component Guide.)
Finally, think about how you need to integrate Jabber with existing network systems and information sources. For example, you may want to ensure that each person's Jabber username is consistent with their email address or network username. Or you may need to use an existing user database for authentication (e.g., your company's LDAP database) rather than the default filesystem storage method. Here again, meeting your needs may introduce additional complexity.
This section of the HOWTO defines the system requirements for running the jabberd server.
While the jabberd server was developed and is deployed mainly on GNU/Linux, it has been tested on a wide variety of Unix operating systems. The 1.4.x version of jabberd will run on the following:
Mac OS X
Solaris 2.6, 7, 8
The non-Linux operating systems listed above are not as widely deployed as Linux, so it is possible (though unlikely) that you will experience some problems with installing jabberd on those flavors of Unix. Where known, particular requirements and instructions specific to each operating system are noted throughout this document. In general, non-GNU Unix operating systems will require the use of GNU make instead of your operating system's native make program. Using GNU make should solve most of the problems you may encounter in running jabberd on a non-GNU operating system.
NOTE: this document does not address the Windows port of jabberd 1.4.x.
For systems that use the NetBSD pkgsrc system, there are
packages available for both the 1.4.2 and 2.0 Jabberd servers. This
simplifies much of the installation for the system.
Posted by Dave Burgess on 2004-05-21 11:22
Your hardware requirements will depend on the number of users you expect. In the author's experience, the majority of jabberd deployments are intended for use as pilot projects, intranet servers, development platforms, and the like, with perhaps 100 to 1,000 registered users. Since it is unlikely that even 50% of users will be online at any one time (e.g., the jabberd server running at jabber.org usually has only 2% of its registered users online), we can conservatively estimate that you will probably have a maximum of 500 simultaneous users. For a deployment of this kind, hardware requirements are minimal: perhaps a Pentium-class workstation with 512 megs of RAM.
If you are expecting to run a much larger deployment, you will need to make some adjustments. While the jabberd server has been tested up to 10,000 simultaneous users, it was designed as a proof of concept and not as an industrial-strength server for large Internet service providers. For example, depending on which operating system you are using, you may need to modify OS-level settings that limit the number of simultaneous TCP connections or file descriptors that the operating system can handle (in Linux, which by default is limited to 1024 file descriptors, this is done with proc settings). Because large deployments are outside the usual range of most Jabber server deployments, I will not discuss them directly in this document, although I hope to add more information about scaling the server in a future revision.
Posted by on 2004-08-27 23:14
The jabberd 1.4.x server requires the following software:
The GNU pth threading library. If you do not install it manually but retrieve it from your Unix distribution's package repository, do not forget to install the library's header files, too. Be aware that jabberd 1.4.2 is not compatible with GNU Pth >1.4.0 (server-to-server connections will fail)! Jabberd 1.4.3 is not affected and is known to work with GNU Pth 1.4.0, 1.4.1 and 2.0.
GNU make. GNU make is a standard part of all GNU/Linux operating systems, but must be installed separately on non-GNU systems such as FreeBSD and Solaris. Unlike GNU pth, you must install GNU make yourself (jabberd will not install it for you).
OpenSSL. This is optional. However, if you want to enable clients to connect to your server using SSL, you must install OpenSSL before installing jabberd 1.4.x.
There has been a report of jabberd server-to-server
communications failing when using GNU Pth compiled with the
"--enable-syscall-soft" option. Just build a default Pth and check
the pth.spec file if you're building a RPM from it.
Posted by Maqi (admin) on 2003-12-01 15:37
Under normal usage, a Jabber server will require approximately 15 bits per second for each connected user. This means that a server with 1,000 concurrent users would consume about 15 kbs of bandwidth, that 10,000 concurrent users would consume 150 kbs of bandwidth, etc. Note that this usage is for concurrent users, not registered users (the number of concurrent users depends on your deployment, but will typically average less than 5% of registered users for a service provider and less than 50% of registered users for an enterprise). Plan accordingly.
As described below, you will probably want to configure your jabberd server to run using a fully-qualified domain name (FQDN, for example jabber.mydomain.org - not localhost, jabber.mycompany.intranet or some IP). This is also true for subdomains for services associated with your jabberd server (e.g., a Jabber User Directory or conferencing service that you run on your Jabber server). Therefore you may want to ask your system administrator to add your hostname and all relevant subdomains to the DNS tables for your domain.
Why should it not be an IP? Clients can contact my stable IP directly
without the long-winded DNS!
Posted by angus on 2005-01-05 20:55
Nobody runs a mail server listening on its IP instead of the
hostname for good reasons. It's the same with Jabber. Before the
Admin Guide said very explicitly that you don't want to use IP
addresses people frequently asked what to do once their IP changed
(which DOES happen) - and of course this means "start from scratch"
if you didn't set up your server correctly from the beginning.
Posted by Maqi (admin) on 2005-01-06 03:22
Why should we use different hostnames (or even different
machines) for the different services? Can't I use the same hostname
for all services (plain-jabber, conference, ...)?
Posted by Zondeman on 2005-01-14 15:00
No, you can't run multiple services/transports under one
hostname. However, you can use "virtual" hostnames for services
(hostnames that do not resolve via DNS). These services can only be
used by people with accounts on your server then (they are not
Posted by Maqi (admin) on 2005-01-15 06:23
The IANA has approved two ports for use by Jabber services: one port for client-to-server communications (port 5222) and one for server-to-server communications (port 5269). If you want Jabber clients to be able to connect to your server, you will need to ensure that TCP port 5222 is open. If you want users of your Jabber server to be able to send messages to users on other Jabber servers, you will need to ensure that TCP port 5269 is open for incoming connections. In addition, if you will be installing gateways to other IM systems, you will need to open ports that are specific to those systems. Please refer to the README or other documentation for the gateway software you plan to install for specific information about the ports you will need to open (e.g., port 1863 for the MSN gateway).
Some Jabber servers are deployed on a company intranet or inside a firewall. If you do not want to open communications from your server to other Jabber servers outside your organization, you of course may not want to open any ports. In certain situations (e.g., if your organization has telecommuting employees), you may want to open the standard Jabber client port 5222 (or 5223 for SSL connections) so that users outside the firewall may make incoming connections to your server. In addition, if you would like users of your server to communicate with users of external servers, you will need to open the standard Jabber server port 5269 to enable server-to-server connections. A more complex configuration would have one server behind the firewall for internal users, one server in a DMZ for external users, and a trusted server-to-server channel between the two servers over port 5269 (with "whitelisting" at the firewall level to open server-to-server communications over port 5269 only between these two machines).
If you do have a firewall between your Jabber server and any of the users of your server, make sure that your firewall timeout settings are appropriate for use with Jabber. It is important to understand that Jabber users connect to the server using a persistent TCP socket on port 5222. Because the TCP socket is open as long as the user has a session on the server, firewall timeouts that are optimized for HTTP traffic may disconnect Jabber users prematurely.
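The port 5269 whitelisting described above can be written as host-level packet-filter rules on each of the two servers. This is an added example, not part of the original guide: it assumes Linux iptables, and the function names and the peer address 192.0.2.20 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the jabberd documentation).
# Prints iptables commands for ONE of the two servers in the DMZ layout:
# clients may reach 5222 (and 5223 with SSL), but server-to-server port
# 5269 is accepted only from the other, trusted server.

# Return 0 only for a dotted-quad IPv4 address, so that nothing else can
# end up inside a generated rule.
is_ipv4() {
  case $1 in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1            # split the address into its octets
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Usage: jabber_fw_rules PEER_IP [ssl]
jabber_fw_rules() {
  peer=$1
  with_ssl=${2:-}
  is_ipv4 "$peer" || { echo "invalid peer address: $peer" >&2; return 1; }
  echo "iptables -A INPUT -p tcp --dport 5222 -j ACCEPT"
  if [ "$with_ssl" = ssl ]; then
    echo "iptables -A INPUT -p tcp --dport 5223 -j ACCEPT"
  fi
  # Order matters: the whitelist entry must come before the drop rule.
  echo "iptables -A INPUT -p tcp -s $peer --dport 5269 -j ACCEPT"
  echo "iptables -A INPUT -p tcp --dport 5269 -j DROP"
}

# Constructed peer address from the RFC 5737 documentation range.
jabber_fw_rules 192.0.2.20 ssl
```

Review the printed commands before piping them to sh as root; on the second server, pass the first server's address as the peer.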
Our travelling staff use SSH tunnels to access internal servers.
This doesn't seem possible with jabber because of poor support in
the clients. You can tell the client to connect to port N on
localhost, which tunnels through to our intranet jabber server, but
then the client says "hello, localhost" (in the jabber protocol)
and the jabber server says "I'm not localhost, clear off!" Anyone
have a good workaround?
Posted by Nick Barnes on 2004-07-14 09:57
Use a client which allows you to specify the server to connect to
separately from the user's JID (for example Psi, Exodus, and Gaim
support this). Also, usage of the <alias> directive in
pthsock_client may be possible to alias localhost to the actual
server name. There's some documentation in jadc2s (which should be
compatible) concerning this.
Posted by Maqi (admin) on 2004-07-14 10:30
I had the same problem using an SSH tunnel, and I worked around
it by editing my /etc/hosts file to map the server name I was
trying to connect to to 127.0.0.1. Then, you can put the real
server name in the client, but instead of doing a dns lookup and
trying to connect to your server's ip, it goes to 127.0.0.1. Of
course, that won't work if you need the server name to map to a
real IP for other things.
Posted by James on 2004-09-28 11:33
On the ssh setup .. just create your ssh tunnel with port
forwarding. Then on connection info, fill out normally including
the server name. On most of the clients I have tested, there is a
"Connect via server" set this to localhost.
Works great. Haven't had any problems with time outs or other issues.
Posted by on 2004-09-30 08:02
Make sure you have GNU Pth installed
Get jabberd's source from its home page
Untar, ./configure, make
Launch jabberd: jabberd/jabberd -h
Normally, you have to enter the hostname in jabberd's configuration file, but for now the jabberd:cmdline magic in there sets the hostname from the command line parameters.
Start your favourite Jabber client and register with your server
If you encounter problems read on.
I installed pth1.4.0 in /usr/local/pth,
but when I configure jabberd-1.4.3, it tells me I have not installed pth1.4.0 or higher?
Posted by charles on 2003-11-28 01:59
ft,need add pass in configure file, if do it with configure
Posted by charles on 2003-11-28 02:08
For 1.4.3 on *BSD, edit
jabberd-1.4.3/jsm/modules/mod_auth_crypt.c, change '#include
"crypt.h"' to '#include "unistd.h"'. Otherwise, it won't
Posted by Joannou Ng on 2003-12-02 09:46
If you have the problem like charles below remember to edit your
/etc/ld.so.conf and add /usr/local/lib(or your pth library path)
then run /sbin/ldconfig to load them.
Posted by Tom Mulkins on 2003-12-03 17:31
I got past this by changing ./configure
if [ -n "$PTH_CFLAGS" ]; then
if [ -n "$PTH_LIBS" ]; then
In my case, `pth-config --cflags` returned an empty string, even though Pth built and installed successfully.
Posted by Russ in San Diego on 2004-05-04 13:47
I am a new guy to Linux... I installed the Jabber-.1.4.1 server on my Redhat Linux 9 machine; as a client I installed Gaim-1.0.2
I run the following command ....to send Jabber server as background process....
[jabber@redhat jabber-1.4.1]$ ./jabberd/jabberd -h
redhat 2>/dev/null &
then I got the command prompt with this message
What is this 3930 ..... is this port no. 3930 ... but in the jabber.xml file I am sure that the port no. is 5222...
if no need to worry with this message can I assume that Jabber Server has been started....
Next point: from telnet, when I type the following command, mysysname 5222, I get a message like invalid command....
What I did from telnet was ...
telnet> redhat 5222
telnet> telnet redhat 5222
I am totally confused about how to register the Gaim user with the Jabberd server .... My notes say to select options like tools>accounts> something like that.... Where can I find these options .... is there any GUI mode for gaim/jabber... if so please tell me how to get that GUI... I am stuck here for the rest of the process (registration)....
I would like to make a jabber server for intranet purposes ...
I would really appreciate it if somebody helps me regarding these issues...
Thanks in advance ...
Zameer Ahmed Syed
Posted by zameer ahmed syed on 2004-11-02 00:01
For info on telnet: man telnet. (of course, you have to enter
"telnet redhat 5222" on a *shell* prompt!)
For info on Linux: Google.
For info on Gaim: Gaim website.
Your comment will get deleted shortly.
Posted by Maqi (admin) on 2004-11-02 03:48
How do you add chatrooms
Posted by Lee Strawther on 2004-12-15 11:27
The 1.4.x version of the jabberd server may be downloaded at http://jabberd.jabberstudio.org/1.4/. This directory includes any builds that have been made for specialized platforms (Solaris builds, RPMs, .debs, etc.). Note again that this includes the core jabberd server only -- add-on components are located elsewhere (refer to the Component Admin Guide for details).
Because some server administrators have experienced problems with specialized builds and distributions of the jabberd server, we recommend that if possible you build the server from source. To do this, the only file you need to download is the tarball (.tar.gz) of jabberd 1.4.x. To install it, do the following:
Save the file to /tmp/ (or to a directory of your choice).
Open a console window and create the directory where you would like to install jabberd. We refer to this location generically as /path/to/jabber/ (one typical location is /usr/local/jabber/). Note: you may need to log in as root or use sudo to create this directory.
Type mv /tmp/jabberd-1.4.3.tar.gz /path/to/jabber/
Type cd /path/to/jabber/
Type gzip -d jabberd-1.4.3.tar.gz
Type tar -xvf jabberd-1.4.3.tar (this creates a jabberd-1.4.3/ directory containing various files and subdirectories)
Type cd jabberd-1.4.3/
If you want to enable clients to connect to your server using SSL, you must compile the server with the following command: ./configure --enable-ssl (also, note that you cannot run the server in SSL mode if you do not build the server from source).
If you are running Solaris or some other non-GNU system, be sure to use GNU make, not your native version of make. So instead of typing make you must type gmake.
The jabberd 1.4.3 software should now be installed on your machine. If you experience difficulty installing the software, please search the JADMIN mailing list (archive). If you write a mail, be sure to include complete information about your jabberd setup (including configuration files!), your operating system, relevant software versions, and so on.
Compile problems with BSD ("mod_auth_crypt.c:31: crypt.h: No
such file or directory") can be solved by changing "#include
<crypt.h>" in jsm/modules/mod_auth_crypt.h to "#include
Posted by Maqi (admin) on 2003-12-02 08:13
when I run jabberd, I get this message below
./jabberd: error while loading shared libraries: libpth.so.14: cannot open shared object file: No such file or directory
But I find libpth.so.14 file file in the /usr/local/lib directory in my machine.
Posted by jimmy on 2003-12-15 01:57
See for example
Posted by Maqi (admin) on 2003-12-15 03:06
This is what I did to fix this problem:
# export LD_LIBRARY_PATH
After that, no other problems. Hope this helps!
Posted by Brian Crittenden on 2003-12-31 08:10
You commit "ldconfig" to pick up the new library rather than
doing a manual LD_Library_path configuration. (That is if your
system supports ldconfig and ld.so.conf - make certain that
/usr/local/lib is your ld.so.conf for this to pickup)
Posted by Karyn Ulriksen on 2004-01-07 12:46
I was getting an error when I configured it with ssl.
"usr/include/openssl/kssl.h:72:18: krb5.h: No such file or
krb5 is included in kerberos, which is usually located in /usr/kerberos/include.
I had to edit the platform-settings, and add "-I/usr/kerberos/include" to the CCFLAGS variable.
Posted by Bruce on 2004-03-10 15:56
On OpenBSD, in addition to changing "#include <crypt.h>"
to "#include <unistd.h>" in jsm/modules/mod_auth_crypt.c you
also need to change "-lcrypt" to "-ldes" in jsm/Makefile.
You also need to use gmake on OpenBSD instead of make.
Posted by robin on 2004-05-01 11:44
Regarding the pth if you are dumb enough (like me) you will
never get it installed ;-). I made again the rookie mistake and
tried the ./configure without the "libpth-dev". So if it seems that
you just *cannot* compile make sure you had that lib
Posted by thorsten on 2004-06-08 03:36
If you're compiling on OpenBSD 3.4 or 3.5 you need this:
Posted by dood0303 on 2004-06-13 19:50
Jabber under gentoo 2004.2, before emerging jabberd (emerge
net-im/jabberd) you should disable ipv6 in your USE settings
otherwise it will not be able to listen to any port. The Error message
in my case was: io_select unable to listen on 5222 [(null)]:
jabberd already running or invalid interface?
Posted by Guido on 2004-09-12 17:11
Now is a good time to check if jabber is installed and will run on your machine. We are not testing full functionality at this point, only the success of the installation process. To test your installation, do the following:
Open a console and type cd /path/to/jabber/ (wherever you have installed jabberd)
Type ls -l jabberd/jabberd to view the permissions on the Jabber daemon. The output on your console should look something like this:
-rwxr-xr-x 1 user group 675892 Feb 25 2002 jabberd/jabberd
Type ./jabberd/jabberd to start the Jabber daemon. This will run the server using the default hostname of localhost. You should see one line of output in your console window:
20020923T02:50:26: [notice] (-internal): initializing server
If you get "unable to listen on (port)" errors, please make sure there is no other daemon already running on these ports. netstat -ltp gives you a list of network daemons.
When you try to start the server, you may see an error telling you that "Configuration parsing using jabber.xml failed". There are two reasons why you might experience this error. One is that the file you are pointing to does not exist; the solution is to type ./jabberd/jabberd -c /path/to/jabber.xml and thus specify the full path to your configuration file. The other reason is that the file exists but contains an XML error; the solution is to fix your XML (e.g., by pasting your entire jabber.xml file into the XML Syntax Checker at xml.com).
Open a separate console window on the same machine and type telnet localhost 5222 to connect to your server (yes, you can connect using simple old telnet!). You should see the following:
Trying 127.0.0.1... Connected to your-machine-name. Escape character is '^]'.
Now open an XML stream to your server by pasting the full text of the following XML snippet into your telnet window:
<stream:stream to='localhost' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'>
You should immediately receive a reply from your server:
<?xml version='1.0'?> <stream:stream xmlns:stream='http://etherx.jabber.org/streams' id='some-random-id' xmlns='jabber:client' from='localhost'>
Congratulations! Your Jabber server is working.
Close the stream properly by pasting the following XML snippet into your telnet window: </stream:stream>
Stop the server by killing the process or simply typing ^C in the window where you started the server daemon.
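The telnet checkpoint above can also be scripted. This is an added example, not part of the original guide: it sends the stream header shown above and checks that the from attribute of the reply equals the hostname that was addressed, taking the hostname as a parameter rather than assuming localhost. The function names, the sample reply and the use of nc are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the jabberd documentation): the telnet check
# as a script. Usage: sh check_stream.sh HOSTNAME [PORT]

# Build the opening stream header for the given hostname.
stream_header() {
  printf "<stream:stream to='%s' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'>" "$1"
}

# Print the from attribute of the <stream:stream> tag found in a reply.
stream_from() {
  flat=$(printf '%s' "$1" | tr '\n' ' ')
  printf '%s\n' "$flat" |
    sed -n "s/.*<stream:stream[^>]* from=['\"]\([^'\"]*\)['\"].*/\1/p"
}

# Classify a reply for the expected hostname. Prints one of:
#   ok | stream-error | no-stream-header | host-mismatch:<from>
# and returns 0 only for "ok".
check_stream_reply() {
  expected=$1
  reply=$2
  case $reply in
    *'<stream:error'*) echo "stream-error"; return 1 ;;
  esac
  from=$(stream_from "$reply")
  if [ -z "$from" ]; then echo "no-stream-header"; return 1; fi
  if [ "$from" != "$expected" ]; then echo "host-mismatch:$from"; return 1; fi
  echo "ok"
}

# Open a stream, wait briefly for the reply, then close it properly.
# Assumes an nc (netcat) binary that supports -w for a timeout.
probe_stream() {
  host=$1
  port=${2:-5222}
  { stream_header "$host"; sleep 2; printf '</stream:stream>'; } |
    nc -w 5 "$host" "$port"
}

# Constructed sample reply, modelled on the one shown in the guide.
SAMPLE_REPLY="<?xml version='1.0'?> <stream:stream xmlns:stream='http://etherx.jabber.org/streams' id='some-random-id' xmlns='jabber:client' from='jabber.mycompany.com'>"

if [ $# -ge 1 ]; then
  # Live check against a running server.
  check_stream_reply "$1" "$(probe_stream "$1" "${2:-5222}")"
else
  # Offline demonstration on the constructed reply.
  check_stream_reply jabber.mycompany.com "$SAMPLE_REPLY"
fi
```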
If you get "unable to listen on (port)" errors when compiling with
--enable-ipv6, remove ipv6 support in configure, or check your
system ipv6 config
Posted by on 2003-12-15 17:33
With ref to jabberd1.4.3 Administration guide:
how to open an XML stream to my server?
I am getting following error:
#telnet 127.0.0.1 5222
telnet: Unable to connect to remote host: Connection refused
Posted by Santosh on 2004-06-30 07:46
jabberd is not running or not configured to listen on 127.0.0.1.
Try "netstat -ltp" (see above). Check jabberd config.
Posted by Maqi (admin) on 2004-06-30 08:56
The jabberd program was running, but netstat -ltp did not show
it. Where would I configure it to listen on the ports? I got this
in the error.log:
[alert] (-internal): io_select unable to listen on 5222 [(null)]
[alert] (-internal): io_select unable to listen on 5269 [(null)]
but the program is still running. Tried the setup.sh, tried configuring through webmin module, and glanced over the code (which I just realized had the ports listed seemingly correctly but had to be configured to listen to ip address). Now, how do I set the range for any computer connection?
Posted by Thad on 2004-07-01 15:38
See checkpoint 2 below.
Posted by Maqi (admin) on 2004-07-02 03:15
xmlns='jabber:client' from='localhost'>Connection closed by
Any ideas ?
Posted by NuN on 2005-01-19 02:22
The jabberd server is now installed and you have verified that it is able to run on your system. Next, we will perform two more steps so that you can test the server's instant messaging functionality:
Configure the server's hostname.
Set up a spool directory for XML storage.
These two steps are discussed in detail below. Once you have completed these two steps, we will go through another testing "checkpoint" so you can verify that everything is working correctly.
You change the configuration of jabberd by editing a file named jabber.xml, which is located in your /path/to/jabber/ directory. The jabber.xml file contains a great deal of comments that help you understand what each configuration option does. However, right now all that we need to change is the hostname. So open jabber.xml in your favorite text editor (vi, emacs, etc.) and edit the line that reads as follows:
You now need to determine what your Jabber server's hostname is.
It is strongly recommended to use a fully-qualified domain name (FQDN) with an A record in the DNS tables of the open Internet. This ensures full functionality and flexibility. If you do not have access to a DNS server, you should use one of the many dynamic DNS services.
Note that once the hostname is chosen and people start to register with your server, changing the server's hostname cannot be done without major inconvenience for both users and the administrator. Choose the hostname wisely once and for all.
To configure your Jabber server's hostname, simply change 'localhost' in all places of the configuration file to 'jabber.mycompany.com' or whatever you would like. Then save your changes to the jabber.xml file.
See below for an in-depth DNS discussion (only needed for special setups).
The spool file can be as well at /var/lib/jabber/. This may be
the case if you used a package for e.g. Debian.
Posted by Thorsten on 2004-05-20 02:34
When installing jabber on WindowsXP I initially had a few
problems getting it going after editing the jabber.xml, like
changing the hostname for example, but it turned out to be the
editor. Jabber doesn't seem to like any windows based xml editors I
had. In the end I had to use gvim for windows and then it started
Posted by phantom on 2004-09-10 02:25
As mentioned above, one of the core functions performed by a Jabber server is the storage of user-related information. This information includes the user's authentication credentials (username and password) and contact list (in Jabber this is called a "roster"); sometimes this information also includes the user's vCard and various client preferences. By default, this information is stored on the filesystem in a subdirectory of /path/to/jabber/spool/ that must match the name of the hostname you configured above. So if you configured jabber.xml to think that jabberd is running as jabber.mycompany.com, you must create a /path/to/jabber/spool/jabber.mycompany.com/ directory. In addition, this directory must be writable by the process or user that runs the Jabber daemon. Once you have done this, the Jabber daemon can save one XML file (named 'username.xml') in this directory for each user who registers with your server.
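Because the spool holds each user's credentials, the directory should be usable by the account that runs jabberd and by no one else. The following is an added example, not part of the original guide, that creates the per-hostname directory and then audits it; the function names are constructed, and /path/to/jabber and jabber.mycompany.com are the guide's own placeholders.

```shell
#!/bin/sh
# Added example (not from the jabberd documentation).
# Run as the account that runs jabberd.
# Usage: sh spool.sh /path/to/jabber jabber.mycompany.com

# Create spool/<hostname>, usable by the owning user only.
make_spool() {
  base=$1
  host=$2
  # The directory name is the hostname: refuse anything that is empty
  # or that could point outside the spool.
  case $host in
    ''|.|..|*/*) echo "refusing hostname: $host" >&2; return 1 ;;
  esac
  mkdir -p "$base/spool/$host" && chmod 700 "$base/spool/$host"
}

# Print "ok", or the first problem found, for spool/<hostname>.
# Returns 0 only for "ok".
audit_spool() {
  dir=$1/spool/$2
  if [ ! -d "$dir" ]; then echo "missing"; return 1; fi
  if [ ! -w "$dir" ]; then echo "not-writable"; return 1; fi
  # Characters 5-10 of the ls mode string are the group and other bits.
  others=$(ls -ld "$dir" | cut -c5-10)
  if [ "$others" != "------" ]; then echo "too-open:$others"; return 1; fi
  echo "ok"
}

if [ $# -eq 2 ]; then
  make_spool "$1" "$2" && audit_spool "$1" "$2"
fi
```

A result of missing for the hostname you configured usually means the directory name and the hostname in jabber.xml do not match.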
OK, now it's time to test your basic configuration.
Because you have configured the server's hostname and have set up XML storage, you can now test several things that we couldn't test in Checkpoint #1: (1) connecting from another machine; (2) registering an account; (3) sending instant messages to another user.
To test, we will again use the "telnet client" so that you can understand the XML that is sent to the server.
In the /path/to/jabber/ directory, type ./jabberd/jabberd -D to start the Jabber daemon in debug mode. You will see dozens of lines of debug information fly by in your console window.
If you get "unable to listen on (port)" errors, please make sure there is no other daemon already running on these ports. netstat -ltp gives you a list of network daemons.
Now that you have configured your host name to be a fully qualified domain name, it is possible that you will receive an error telling you that "jabberd is unable to listen on ports 5222 and 5269". To fix this, you need to configure your server to bind to a specific IP address. First, in the <pthcsock/> section of your jabber.xml file, change <ip port="5222"/> to <ip port="5222">yourIPaddress</ip>. Second, in the dialback section of your jabber.xml file, change <ip port="5269"/> to <ip port="5269">yourIPaddress</ip>.
You will get the same error message compiling jabber with IPv6
support (1.4.3+) and no IPv6 support in the kernel (module or
Posted by PeterPramb on 2003-11-20 13:41
io_select unable to listen on 5222 [(null)]: jabberd already running or invalid interface?
io_select unable to listen on 5269 [(null)]: jabberd already running or invalid interface?
After running Jabber, Netstat shows:
[root@myth2 jabberd-1.4.3]# netstat -tlun
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:32768 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:32769 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
udp 0 0 0.0.0.0:32770 0.0.0.0:*
udp 0 0 0.0.0.0:10000 0.0.0.0:*
udp 0 0 0.0.0.0:861 0.0.0.0:*
udp 0 0 0.0.0.0:111 0.0.0.0:*
udp 0 0 0.0.0.0:631 0.0.0.0:*
udp 0 0 192.168.2.251:123 0.0.0.0:*
udp 0 0 127.0.0.1:123 0.0.0.0:*
udp 0 0 0.0.0.0:123 0.0.0.0:*
I have tried it both with and without IPv6 and SSL. What else could it be?
Posted by CHF on 2004-10-21 00:29
You added the interface's IP to the <ip/> section as
Posted by Maqi (admin) on 2004-10-21 08:09
Open a separate console window on the same machine and type telnet yourhostname 5222, where 'yourhostname' is the hostname (preferably a fully qualified domain name) you configured in your jabber.xml file. Once again you should see the following:
Trying 127.0.0.1...
Connected to your-machine-name.
Escape character is '^]'.
If you get "unknown host" it seems the host name can not be resolved. Check your DNS setup.
If you get "connection refused", check your Jabber configuration: the Jabber server is either not listening on the specified IP/interface or not running at all. Type netstat -ltp to list all running network daemons.
Open an XML stream to your server by pasting the full text of the following XML snippet into your telnet window. Replace 'yourhostname' with the hostname you configured jabberd to run with.
<stream:stream to='yourhostname' xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'>
You should immediately receive a reply from your server:
<?xml version='1.0'?> <stream:stream xmlns:stream='http://etherx.jabber.org/streams' id='some-random-id' xmlns='jabber:client' from='yourhostname'>
If you get disconnected here, check that the host name you are telneting to, the host name you configured in the jabberd configuration files, and the host name you entered in the "from" tag in the XML above all match exactly. The Jabber protocol is pretty pedantic when it comes to host names; it needs to be, because it supports virtual hosting.
Send the following XML to discover what information you need to provide in order to register an account on this server:
<iq id='reg1' type='get'> <query xmlns='jabber:iq:register'/> </iq>
You should receive the following reply, which tells you that name, email address, username, and password are required in order to register an account on this server:
<iq id='reg1' type='result'>
  <query xmlns='jabber:iq:register'>
    <instructions>
      Choose a username and password to register with this server.
    </instructions>
    <name/>
    <email/>
    <username/>
    <password/>
  </query>
</iq>
If you get disconnected here, make sure that you entered the XML
of Step 4 in the same telnet session as Step 3 (i.e., you may not
close and reopen telnet between steps 3 and 4).
Make sure the hostname you are telneting to matches the hostname configured in jabber.xml (every hostname must be supplied in lowercase!).
Note that Debian Woody's Jabber packages are broken. You must enable mod_auth_plain there.
I found I had to run the jabberd from where I compiled it, NOT
where I had placed the binary.
Posted by keith hutchison on 2003-11-15 01:56
As the paths to several modules are specified as relative paths
in the default configuration file, you not only need to move the
jabberd executable but also its modules (*.so).
Posted by Maqi (admin) on 2003-12-10 11:33
I always get disconnected with the xml query (after typing
<query xmlns='jabber:iq:register'/>), so I try this instead
and it works anyway :
<iq id='reg1' type='get'>
Posted by Chat--Noir on 2003-12-30 12:11
If you get a server response "<stream:error>Disconnected</stream:error></stream:stream>Connection closed by foreign host." and your jabber error.log says "bouncing a routed packet to ..." then you should have a mismatch between the -h parameter in the jabberd commandline and the jabber.xml file <host> section. Those hostnames MUST match.
Posted by Frank Matthieß on 2004-04-17 07:32
I'm using Mandrake 8.2 and found it necessary to add the
<host> tag explicitly in the .xml file, as I kept getting the
same error as Frank Matthieß. Apparently only having it in the
.cfg file is not enough.
Posted by Fred Keet on 2004-04-17 11:45
Standard jabberd does not use a .cfg file. Probably you are
referring to some specific script wrappers which might be buggy. As
seen in the standard configuration .xml file, the <host> tag
includes a <jabberd:cmdline> tag which instructs the
configuration loader to use command line parameters for
<host/>. If the <jabberd:cmdline> tag is deleted from
the .xml configuration, of course using -h on command line ceases
Posted by Maqi (admin) on 2004-04-17 17:58
Well, I stated in the xml file following
<nd start the server with
jabberd -h troval.diak
but I still get
20040428T08:25:45: [notice] (yourhostname): bouncing a routed packet to yourhostname from 13@c2s/81B1AC0: Internal Delivery Error
when I try to telnet some commands or connect with <insert jabber client>
What am I doing wrong?
Posted by stacato on 2004-04-28 04:26
Seems you forgot to replace "yourhostname" in the telnet session
by the actual Jabber host's name. Also, there's no need to both
change the .xml AND use the -h command line switch. Use
<host>whatever</host> in the .xml OR leave it as-is
(with the "cmdline" stuff) and use "-h name".
Posted by Maqi (admin) on 2004-04-28 04:47
So, why do we get
<error code='501'>Not Implemented</error></iq>
What is missing?
Is there something in the config xml file that is needed to allow for registration of users.
Posted by Kiran Mudiam on 2004-09-24 16:49
The default jabber.xml configuration file allows users to
register in-band. So, no, you don't need special configuration
(however, if you use other jabberd14 packages than provided by this
site, there's no guarantee "their" jabber.xml file matches the
official default one). The only part of jabber.xml dealing with
in-band registration is the
<mod_register>./jsm/jsm.so</mod_register> and the
<register notify ...> part, see
http://jabberd.jabberstudio.org/1.4/doc/conf . Check if these parts
are present in your jabber.xml.
Posted by Maqi (admin) on 2004-09-25 06:07
The part that allows you to register is commented out by default. To avoid "<error code='501'>Not Implemented</error></iq>" you need to edit /etc/jabberd/multiple.xml and uncomment the tags <mod_register> and <register>.
Posted by Erik Östlund on 2004-10-24 14:28
Next send your registration information to the server:
<iq id='reg2' type='set'>
  <query xmlns='jabber:iq:register'>
    <username>jabberuser</username>
    <password>secret</password>
    <name>myName</name>
    <email>firstname.lastname@example.org</email>
  </query>
</iq>
If everything worked correctly, you will receive the following XML indicating that your registration was successful:
<iq id='reg2' type='result'/>
Note that one "xdb_file failed to open file ...: No such file or directory" warning at this point in jabberd's debug output is perfectly normal (as the user's spool file does not exist yet and is about to be created) and can be safely ignored.
If your spool directory is not set up properly, you will receive the following XML:
<error code='500'>Password Storage Failed</error></iq>
Similarly, if your username is already taken, you will receive the following XML:
<error code='409'>Username Not Available</error></iq>
Here I get the following error:
20041028T17:05:36: [alert] (18.104.22.168): xdb request failed, error accessing spool loaction /22.214.171.124: No such file or directory
There is such directory under spool location.
Platform: Windows XP
Posted by Igor on 2004-10-28 12:07
Check the spool directory setting in the config file (default:
"./spool", perhaps try to change to an absolute path). BTW you
really DON'T want to run with an IP as hostname. See the discussion
concerning this above.
Posted by Maqi (admin) on 2004-10-29 03:16
Now that you have registered an account, you need to log on. First, ask the server what information is required to log on:
<iq id='auth1' type='get'>
  <query xmlns='jabber:iq:auth'>
    <username>jabberuser</username>
  </query>
</iq>
The server will then tell you what authentication information is required:
<iq id='auth1' type='result'>
  <query xmlns='jabber:iq:auth'>
    <username>jabberuser</username>
    <password/>
    <digest/>
    <resource/>
  </query>
</iq>
If you do not see the <password/> tag in the server's reply, make sure mod_auth_plain or mod_auth_crypt is enabled in jabberd's configuration.
I am fine up to this step then I do this step and I am
<iq id='auth1' type='error'>
if I skip this step then I can do step 7 but not step 8, there is no response from my server when I send
Posted by mike e. on 2004-04-19 17:17
You probably have "mod_auth_plain" commented out in your
jabber.xml file. Debian does this by default and it causes this
Posted by Ryan on 2004-05-06 22:02
This is true for the (buggy) packages of jabberd 1.4.2 in Debian
Woody only. You should use jabberd 1.4.3 anyways.
Posted by Maqi (admin) on 2004-05-07 06:33
20040514T14:00:36: [warn] (myhost.com): xdb_file failed to open file D:\Archivos de programa\JabberD\spool/myhost.com/grupo15.xml: No such file or directory
I am working under WinXP and the "/" is invalid for a directory, I think. Is that the problem? In that directory I have the 'grupo15.xml' file... I think that is the reason I couldn't log in to the server with my account. Thanks!
Posted by Demian on 2004-05-14 09:38
Nupp, XP and winX are normally able to translate the / to \. So
it seems that you have a different problem.
Posted by thorsten on 2004-05-20 02:58
You may choose either "password" (plaintext) or "digest" (encrypted) for your password; for simplicity, we will use plaintext. You must also specify a "resource" for this connection. So we will send the following XML:
<iq id='auth2' type='set'>
  <query xmlns='jabber:iq:auth'>
    <username>jabberuser</username>
    <password>secret</password>
    <resource>telnet</resource>
  </query>
</iq>
And the server will send us the following indicating that authentication was successful:
<iq id='auth2' type='result'/>
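The "digest" option from the step above, as an added example (not part of the original guide and not jabberd code): in jabber:iq:auth the digest is the lowercase hex SHA-1 of the stream id from the server's stream header immediately followed by the password, so the password itself is not sent. The stream id value, the function names and the refusal to fall back to plaintext unless asked are assumptions of this sketch.

```python
import hashlib
import xml.etree.ElementTree as ET

AUTH_NS = "jabber:iq:auth"

# Constructed sample of the two server replies from the telnet session.
# The stream id "3C0FB738" is made up; a real server sends a fresh one.
STREAM_HEADER = (
    "<?xml version='1.0'?><stream:stream "
    "xmlns:stream='http://etherx.jabber.org/streams' id='3C0FB738' "
    "xmlns='jabber:client' from='yourhostname'>"
)
AUTH_FIELDS = (
    "<iq id='auth1' type='result'><query xmlns='jabber:iq:auth'>"
    "<username>jabberuser</username><password/><digest/><resource/>"
    "</query></iq>"
)


def stream_id(header):
    """Return the id attribute of the server's opening <stream:stream> tag."""
    # The header is an unclosed start tag; closing it makes it parseable.
    return ET.fromstring(header + "</stream:stream>").attrib["id"]


def offered_mechanisms(iq_result):
    """Return which of 'password' and 'digest' the auth1 reply offers."""
    iq = ET.fromstring(iq_result)
    query = iq.find("{%s}query" % AUTH_NS)
    if iq.get("type") != "result" or query is None:
        raise ValueError("not a jabber:iq:auth result")
    names = {child.tag.rsplit("}", 1)[-1] for child in query}
    return names & {"password", "digest"}


def digest_for(sid, password):
    """Lowercase hex SHA-1 over stream id immediately followed by password."""
    return hashlib.sha1((sid + password).encode("utf-8")).hexdigest()


def build_auth_set(header, iq_result, username, password, resource,
                   allow_plaintext=False):
    """Build the auth2 stanza, preferring <digest/> over <password/>."""
    offered = offered_mechanisms(iq_result)
    iq = ET.Element("iq", {"id": "auth2", "type": "set"})
    # xmlns is written as a plain attribute so no namespace prefix is
    # generated; the stanza then looks like the one in the guide.
    query = ET.SubElement(iq, "query", {"xmlns": AUTH_NS})
    ET.SubElement(query, "username").text = username
    if "digest" in offered:
        secret = ET.SubElement(query, "digest")
        secret.text = digest_for(stream_id(header), password)
    elif "password" in offered and allow_plaintext:
        ET.SubElement(query, "password").text = password
    else:
        raise RuntimeError("no acceptable authentication mechanism offered")
    ET.SubElement(query, "resource").text = resource
    return ET.tostring(iq, encoding="unicode")


if __name__ == "__main__":
    print(build_auth_set(STREAM_HEADER, AUTH_FIELDS,
                         "jabberuser", "secret", "telnet"))
```

Because the stream id changes with every connection, a digest captured from one session does not authenticate another.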
Fine until here ... Right after this step
<iq id='auth2' type='error'>
<error code='500'>Internal Server Error</error></iq>
Posted by samuelgoto on 2004-10-16 11:42
Why do I need allow telnet in my resource???
Isn't Telnet unsecurity????
Posted by Angela on 2004-11-10 11:15
Running telnetd (the telnet *server* that allows shell access on
the remote host) is considered insecure as it's unencrypted.
However, telnet (the telnet *client*) is more or less an
all-purpose tool. For example, do "telnet www.jabber.org 80" and
try to speak to the web server running on www.jabber.org (if you
are not fluent in HTTP you won't be able to do much though
Posted by Maqi (admin) on 2004-11-10 15:46
Finally, send presence to the server so that it knows you are online and available for messaging:
The server will immediately send you a welcome message something like the following:
<message from='yourhostname' to='jabberuser@yourhostname'>
  <subject>Welcome!</subject>
  <body>
    Welcome to the Jabber server at localhost -- we hope you enjoy this service! For information about how to use Jabber, visit the Jabber User's Guide at http://docs.jabber.org/
  </body>
</message>
If desired, you may change the welcome message by modifying the text contained in the <welcome/> element of the jabber.xml file.
Next, repeat steps 3 through 8 from another machine (make sure to use a username other than "jabberuser"!). If you have your hostname and DNS tables configured correctly, everything should work from another machine just as it does on your server's machine.
When you have finished, send the following XML from your second telnet window:
<message to='jabberuser@yourhostname'> <body>hi!</body> </message>
You will see that same XML show up in your first telnet window, with the addition of a "from" address indicating the Jabber ID of the sender.
Congratulations! Your Jabber server is working fine!
It is possible that when you try to send messages, you will see an error telling you that "sending name is invalid". This is a DNS error. Make sure that you can ping your Jabber server's hostname from other locations on the network, and talk to your network administrator to ensure that your server's hostname has a valid DNS entry. In addition, you may need to add an entry for that hostname to your machine's /etc/hosts file.
Now that you have passed Checkpoint #2, close the streams properly by pasting </stream:stream> into both telnet windows, then stop the server by killing the process or simply typing ^C in the window where you started the server daemon.
There are several scripts in the Script Repository which can be used for starting/stopping the jabberd daemon. These scripts should be put in /etc/init.d/ typically and linked to from the /etc/rcX.d directories. You probably want to Google on "System-V init scripts" or do a "man chkconfig" (Red Hat) or "man update-rc.d" (Debian) if you are unfamiliar with this.
Another option to start and monitor jabberd is by using the daemontools.
Never run daemons as root. Run jabberd with "jabberd -U
jabberd", "jabberd" being a user only used for running jabberd. Be
sure to check file permissions. Config files, executables and SSL
keys should be owned by root, group jabberd, mode 640 (preventing
jabberd to mess with executables and config in any case). Spool
directories/files should be owned by jabberd, group jabberd, mode
Posted by Maqi (admin) on 2004-04-15 18:58
Gentoo users, if you didn't know already:
rc-update add jabber default
Posted by on 2004-12-18 17:16
Jabberd's log files should be rotated (compressed and stored, then starting with an empty log file); otherwise they grow large and eventually prevent jabberd from starting once they exceed your file system's maximum file size or take up all available drive space. So, you should use logrotate or some similar tool. Unfortunately, jabberd 1.4 needs to be stopped before rotating its log files, then restarted again.
The jabberd server enables you to grant certain administrative privileges to specific users of the server by defining appropriate entries in the <admin> section of the jabber.xml configuration file. There are three main administrative privileges at this time:
The ability to read Jabber messages that are sent to the special administrative address of admin@yourjabberhostname.
The ability to view all users who are online.
The ability to send a broadcast message to all online users (e.g., informing users that the server needs to be rebooted) or to send out a "message of the day" to anyone who logs in.
The first two privileges are granted to any user who is listed in the <read> element within the <admin> section of the jabber.xml configuration file, and the right to send messages is granted to any user who is listed in a <write> element. Here is an example, using the mythical shakespeare.com Jabber server:
<admin>
  <read>email@example.com</read>
  <read>firstname.lastname@example.org</read>
  <write>email@example.com</write>
</admin>
In this example, Hamlet, Macbeth, and King Lear all can read messages sent to the admin address and view the online users, but only King Lear can send broadcast messages and messages of the day (the "write" privilege includes the ability to read).
If you want to be able to use any of these administrative functions, make sure to add your full Jabber ID to the <admin/> section of your jabber.xml file.
To view all the online users of your server, log in as an admin user (as defined in your jabber.xml configuration file), then send either of the following bits of XML, for example by connecting over telnet or by using a Jabber client that enables you to send raw XML:
To send a broadcast message to all online users of your server, log in as an admin user (as defined in your jabber.xml configuration file), then send the following XML:
<message to="yourserver.com/announce/online"> <body>This is a broadcast message!</body> </message>
Alternatively, you can log in as an admin user using a Jabber client and send a message to "yourserver.com/announce/online". However, some clients complain about the missing username part of the JID; in that case, use another client or the XML shown above.
The jabberd server is a perfect solution to concerns about sending sensitive conversations over a public network such as those offered by the legacy IM services. Because of this, many organizations run Jabber servers behind firewalls or NATs and wish to restrict access to the server.
To close your server off from the public Internet, you may want to disable communications between your server and any other servers. There are several ways to make this happen:
Close port 5269 on your firewall, since that is the port for server-to-server communications in Jabber. (You may also want to close port 5222 for client-to-server connections.)
Comment out the following lines in your jabber.xml file (these sections handle external DNS resolution and server-to-server connections):
<service id="dnsrv">
  <host/>
  <load><dnsrv>dnsrv/dnsrv.so</dnsrv></load>
  <dnsrv xmlns="jabber:config:dnsrv">
    <resend service="_jabber._tcp">s2s</resend>
    <resend>s2s</resend>
  </dnsrv>
</service>

and:

<service id="s2s">
  <load><dialback>dialback/dialback.so</dialback></load>
  <dialback xmlns='jabber:config:dialback'>
    <ip port="5269"/>
  </dialback>
</service>
Now your Jabber server cannot communicate with other servers.
In this kind of set up you can also leave many of the server
identification values as "localhost". Then with the machine in the
DNS and in conjunction with a DNS that maps internal and outside
addresses to the same interface, users can connect to the machine
from outside (using SSL) or inside the firewall using the same
Posted by Robert on 2004-11-27 14:06
By default, anyone may register an account on your Jabber server (account registration is handled within the Jabber protocol, which is unlike the SMTP protocol for email). Many Jabber server administrators want to prevent this by disabling registration. To do so, comment out the following lines in your jabber.xml file as shown below:
<!--
<register notify="yes">
  <instructions>
    Choose a username and password to register with this server.
  </instructions>
  <name/>
  <email/>
</register>
-->

and:

<!--
<mod_register>./jsm/jsm.so</mod_register>
-->
Obviously if you disable registration over Jabber you will need to generate accounts in some other way, for example by using scripts from the Script Repository to generate the user's account spool file. The user's XML spool file is typically stored in ./spool/ (see jabberd's configuration file, xdb_file module). Keep in mind the user jabberd runs as must be able to read and write the spool files.
I'd *really* like to have moderated registration, where only
Admin can create new accounts.
Posted by Topher on 2004-02-03 18:59
I don't know about the source versions of jabberd but I
downloaded jabber-quickstart which came with a setup.sh. using
setup.sh it is possible to create new users and delete users, as
well as disabling new user registration
Posted by DA on 2004-02-05 06:37
When I initially installed Jabber 1.4 on Gentoo its default is
to not permit users to register. Using the Quick start would allow
you to admin the users externally. I think this should solve your
Posted by BuddaTigger on 2004-10-03 11:56
Is there a way to disable public registration, but still allow
users to change their password?
Posted by Peter Van on 2004-10-27 16:04
If you build from sources, as a quick and dirty solution change
the function mod_register_new in jsm/modules/mod_register.c
mreturn mod_register_new(mapi m, void *arg)
Posted by Maqi (admin) on 2004-11-24 03:29
It is possible to set this up in the jabber.xml file as well.
Simply comment out the registration section and leave the password
change section enabled.
Posted by Robert on 2004-11-27 14:09
It is possible to let jabberd 1.4.x authenticate users via RADIUS, PAM, LDAP, IMAP, POP3, SAMBA or MySQL. The user's data (roster...) will still be stored by XDB (typically xdb_file which uses the filesystem), only authentication will be handled externally.
For information about external authentication, see the external authentication page.
Some of the more advanced applications of a Jabber server are covered here.
If you want to have several different FQDNs handled by one instance of the jabberd server (e.g., you own jabber.myserver1.net and jabber.myserver2.net and want to run a Jabber server on both these domains without setting up two separate jabberd installations), you can configure jabberd to respond to more than one FQDN. This is similar to virtual hosting as done by WWW servers (where typically one httpd instance serves quite a lot of different domains).
Add both hostnames to your jabber.xml file, and make sure that both hostnames are on the same line:
<service id="sessions">
  ...
  <host>jabber.myserver1.net</host><host>jabber.myserver2.net</host>
  ...
</service>
Normally, a Jabber server will listen on its IP on port 5222/5223 for client connections and on port 5269 for server connections. With DNS SRV records (RFC 2782), compliant clients and servers can use other ports and other IP addresses. What does this mean? Instead of looking up the Jabber server's A record in DNS, DNS is first queried for SRV records: "I want to connect to server jabber.mydomain.org using the xmpp-client service, what IP and port should I use for that?". Servers which are XMPP compliant MUST query DNS for SRV entries before connecting to the server's A entry on port 5269. Clients SHOULD query DNS for SRV entries. For more information, see draft-ietf-xmpp-core-19.
Use the following configuration for bind/named:
jabberserverhostname. 86400 A jabberserverip
_xmpp-server._tcp.jabberserverhostname. 86400 IN SRV 5 0 5269 jabberserverhostname.
_xmpp-client._tcp.jabberserverhostname. 86400 IN SRV 5 0 5222 jabberserverhostname.
_jabber._tcp.jabberserverhostname. 86400 IN SRV 5 0 5269 jabberserverhostname.
Don't forget the "." behind the hostnames (or bind will treat the specified hostnames as "relative" names, not FQDNs).
The answer should be the IP of your Jabber server.
dig +short _xmpp-server._tcp.jabberserverhostname SRV
The answers to this query should include the hostname of the machine running the s2s service (typically the hostname of the main Jabber server which has the A record).
The answer to this query should include the hostname of the machine running the c2s service (typically the hostname of the main Jabber server which has the A record).
There is an empty list of clients, that support RFC 2782 and I
cannot even test this feature? Can anybody help me?.. In any case
at least one client should be included in this doc...
Posted by Stepan Koltsov on 2004-03-02 13:21
While this is not the right place to host a list of clients that
support certain features. However, the client list on jabber.org
will be extended shortly and should cover this topic then.
Posted by Maqi (admin) on 2004-03-02 14:32
Please add the SRV records whenever possible! It speeds up
resolving of your host by other servers as they do not have to fall
back through multiple levels of resolving.
Please do not add pure A or AAAA records for domains that are just used for transports. A/AAAA resolving is only needed to support old clients (so you still need it for the domains where user accounts are on) but all servers support SRV resolving. Not having A/AAAA records for these domains helps preventing e-mail spam (!). Spammers are harvesting mail addresses from the web and consider JabberIDs as mail addresses as well. E.g. on my mail server I get multiple mails with a faked origin address of firstname.lastname@example.org or email@example.com. My mail server could already reject these messages if there wouldn't be A or AAAA records for these domains as invalid senders.
Posted by Matthias Wimmer on 2004-06-30 06:38
Typically, the part of a Jabber server that needs the most processing power is the module that handles c2s (client-to-server) connections. With a standard jabberd 1.4.3, this module is named pthsock_client. pthsock_client should perform well up to some hundred concurrent c2s connections.
There are a few ways to improve c2s performance:
Replace pthsock_client by the more efficient jadc2s module. This should perform well up to
some thousand c2s connections.
This is quite simple.
Run multiple c2s modules on separate machines, let them all
connect to the main jabberd server by using the connect/accept
mechanism (see the example jabber.xml configuration file, running
pthsock_client externally is just the same as running JUD and other
components externally). Use round-robin DNS to let the Jabber
server's IP resolve to not one but several IPs. A problem is that
now other Jabber servers of course try to connect via s2s to not
only the main server's IP but also the other IPs. One solution is
to use port forwarding, another is to setup a SRV DNS record for
s2s (see above).
You need a lot of experience with DNS and Jabber for this solution. Also, obviously you need more hardware.
Use a faster server software, for example WPJabber. WPJabber has been
tested with 50.000 concurrent c2s connections.
This is not very difficult as WPJabber is very similar to jabberd 1.4.x. One problem may be that for WPJabber's c2s module (WPJ) you need /dev/epoll support by your operating system meaning with Linux you have to patch your kernel (note that /dev/epoll is the incompatible predecessor of sys_epoll included in Linux 2.6).
xdb_file performance can be another issue as with large setups
accessing the spool directory can be slow. Using a modern file
system or extensions such as htree on ext2/ext3 should solve this.
It is also possible to use a modified xdb_file component (WPJabber
Note that for large setups on Linux you should take a look at the 2.6 kernels as many of its enhancements target heavy server usage.
Posted by Maqi (admin) on 2003-11-25 08:29
A note on computing power requirements: Jabberd 1.4.x runs fine
on a 200MHz P1 machine with 100 concurrent users. WPJabberd is
reported to support 50.000 concurrent users on a dual processor
500MHz P3 machine. Of course, this is only valid for the server
alone. Additional components such as transports or MUC are a
Posted by Maqi (admin) on 2004-09-30 07:10
Security is a high priority for the Jabber community and for the jabberd development team in particular. Jabberd 1.4.x can be optimized for security in several ways.
For each securing technique there are drawbacks:
Depending on your needs, there are some typical solutions.
jabberd 1.4.x enables you to secure client-server connections using SSL (server-to-server connections do not yet support SSL encryption but should do so in the 2.0 series). To do this, you must first have OpenSSL installed and then compile jabberd from source using ./configure --enable-ssl. (If after running jabberd for a while you decide that you want to run it with SSL, you can always type make clean and then recompile the software with the --enable-ssl flag.)
The next step is to generate your certificate and key. You can do so without a password by running the following as a shell script (you can also use jabberd 1.4.3's generateSSLkey script):
OPENSSL=/usr/bin/openssl

## This generates the cert and key
## The key will be valid for 3650 days.
## Be sure to enter the FQDN (hostname) of your Jabber server as
## the "Common Name" or the certificate check of the clients will fail.
## rsa:1024 is the key size this guide was written with; on current
## systems use rsa:2048 or larger.
$OPENSSL req -new -x509 -newkey rsa:1024 -days 3650 -keyout privkey.pem -out key.pem

## This will remove the passphrase
$OPENSSL rsa -in privkey.pem -out privkey.pem

## Put it all together
cat privkey.pem >> key.pem

## Cleanup
rm privkey.pem
Finally, change your jabber.xml to include configuration information for SSL, as shown below:
<pthcsock>
  ...
  <ip port="5222"/>
  <ssl port="5223">your-ip-address</ssl>
  ...
</pthcsock>

and:

<io>
  ...
  <ssl>
    <key ip="your-ip-address">/path/to/cert_and_key.pem</key>
  </ssl>
  ...
</io>
Notice that you have to enter the server's IP address in place of your-ip-address; hostnames are not allowed.
Check the key file's permissions. It must not be world-readable for obvious security reasons. Its owner should be root, its group the group jabberd runs as, and its permissions should be rw-r----- (640).
/usr/include/openssl/kssl.h:134: parse error before
Then remember to add the path to your Kerberos header files; i.e. -I /usr/kerberos/include
Posted by jmerritt on 2003-11-14 05:54
/usr/include/openssl/kssl.h:134: parse error before
For this error, you can also add -DOPENSSL_NO_KRB5 after -DHAVE_SSL in the 'platform-settings' file CC flags.
Posted by Roger Venable on 2003-11-17 11:44
For those like me that have virtually no idea what I'm doing,
use the command
before the ./configure
Posted by allan marcus on 2004-01-22 11:25
The 2.0 series of jabberd will support additional authentication mechanisms using SASL. Until jabberd 2.0 is released and more Jabber clients support SASL authentication, servers will continue to support both digest authentication (mod_auth_digest) and plaintext authentication (mod_auth_plain/mod_auth_crypt).
For standard setups, enable both mod_auth_digest and - if needed - mod_auth_plain (be aware that jabberd <1.4.3 due to a bug needs mod_auth_plain enabled or account registration will fail). Providing SSL secured connections at least additionally to the standard unencrypted connections is a nice security feature in any case.
For added security, disable registration over Jabber. This will give you more control on who is allowed to register with the server. See the Intranet Setup section of this document for instructions.
Note: The so-called "zero-knowledge" authentication has been deprecated as it is vulnerable to certain attacks, and use of mod_auth_0k is NOT RECOMMENDED.
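The settings discussed in the Intranet Setup section (dnsrv, s2s, registration) and in the authentication notes above can be checked mechanically. The following is an added example, not part of the original guide or of jabberd: it parses a jabber.xml the way an XML parser sees it, so sections that were commented out count as disabled even though a text search would still find them. Both sample files are constructed and heavily shortened, and the function name and finding codes are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed, heavily shortened jabber.xml in a default-like state.
WEAK = """<jabber>
  <service id="sessions">
    <host>jabber.example.lan</host>
    <load>
      <mod_register>./jsm/jsm.so</mod_register>
      <mod_auth_plain>./jsm/jsm.so</mod_auth_plain>
      <mod_auth_0k>./jsm/jsm.so</mod_auth_0k>
    </load>
    <jsm>
      <register notify="yes"><instructions>Choose a username.</instructions></register>
    </jsm>
  </service>
  <service id="c2s">
    <pthcsock><ip port="5222"/></pthcsock>
  </service>
  <service id="dnsrv"><host/></service>
  <service id="s2s">
    <dialback xmlns="jabber:config:dialback"><ip port="5269"/></dialback>
  </service>
</jabber>"""

# The same constructed file after the changes this guide describes.
HARDENED = """<jabber>
  <service id="sessions">
    <host>jabber.example.lan</host>
    <load>
      <!-- <mod_register>./jsm/jsm.so</mod_register> -->
      <mod_auth_plain>./jsm/jsm.so</mod_auth_plain>
      <mod_auth_digest>./jsm/jsm.so</mod_auth_digest>
    </load>
    <jsm>
      <!-- <register notify="yes"><instructions>Choose a username.</instructions></register> -->
    </jsm>
  </service>
  <service id="c2s">
    <pthcsock><ip port="5222"/><ssl port="5223">192.0.2.10</ssl></pthcsock>
  </service>
  <!-- <service id="dnsrv"><host/></service> -->
  <!-- <service id="s2s"><dialback xmlns="jabber:config:dialback"><ip port="5269"/></dialback></service> -->
</jabber>"""


def _local(tag):
    """Element name without any {namespace} prefix."""
    return tag.rsplit("}", 1)[-1]


def audit(config_xml):
    """Return {code: explanation} for settings the guide advises changing."""
    root = ET.fromstring(config_xml)  # XML comments are dropped by the parser
    elems = list(root.iter())
    services = {e.get("id") for e in elems if _local(e.tag) == "service"}
    # Modules are the children of every <load> element.
    loaded = {_local(m.tag) for e in elems if _local(e.tag) == "load" for m in e}
    has_register = any(_local(e.tag) == "register" for e in elems)
    # <ssl port="..."> marks an SSL listener; <ssl> inside <io> has no port.
    ssl_ports = [e.get("port") for e in elems
                 if _local(e.tag) == "ssl" and e.get("port")]

    findings = {}
    for sid in ("s2s", "dnsrv"):
        if sid in services:
            findings[sid] = "service '%s' is active (server-to-server path)" % sid
    if "mod_register" in loaded or has_register:
        findings["registration"] = "in-band registration is not fully commented out"
    if "mod_auth_0k" in loaded:
        findings["auth_0k"] = "mod_auth_0k is loaded (deprecated, not recommended)"
    if "mod_auth_digest" not in loaded:
        findings["no_digest"] = "mod_auth_digest is not loaded"
    if "mod_auth_plain" in loaded and not ssl_ports:
        findings["plain_no_ssl"] = "plaintext auth offered but no SSL port configured"
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, sorted(audit(text)))
```

Run it against a copy of the real configuration file by passing the file's contents to audit(); an empty result means none of the listed settings is active.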
If you want to change your configuration to use mod_auth_crypt
exclusively (see the discussion above, you probably don't want to
do this unless you need to comply with certain company policies),
take a look at http://www.lucas-nussbaum.net/jabauthcrypt.php which
converts mod_auth_plain's data in spool files to data that can be
used by mod_auth_crypt.
Posted by Maqi (admin) on 2003-11-17 04:33
There are several ways to get help with installation and configuration issues:
Keep in mind you can get additional debug output from jabberd by specifying the -D command line option.
For real-time assistance, start your favorite Jabber client, connect to your own Jabber server or one of the public servers, and join the ongoing discussion in the firstname.lastname@example.org chatroom (i.e., the room is named "jdev" and the conferencing service is named "conference.jabber.org").
Take a look at the comments of this Guide. Read the Administrator FAQ and its comments.
Subscribe to the jadmin mailing list (archive). If you seek assistance on the jadmin mailing list, be sure to include all necessary information (your server's configuration [files], "jabberd -D" debug output, XML exchanged with your client). Describe your problem as well as possible.
It doesn't work on my Mac OS X because I have no ld.conf. How could
I correct things to work? (When I build the solution it gives me some
errors that he can find pthXX many times, but I've correctly
installed these things and done "make test". But it doesn't want to
work when I compile.)
Posted by Mr Pomme on 2004-03-17 02:50
MacOS X seems not to use ldconfig but dyld. See "man dyld". Google should also help. And please: Copy&Paste full error messages and BE EXACT. Otherwise people won't bother to help.
Posted by Maqi (admin) on 2004-03-17 08:44
If you are sure you have found a bug in the jabberd 1.4.x server, please report it by posting a comment here. Make sure to include detailed information about your platform and the behavior of the server (-D debug output, client XML).
However, note that with jabberd2's release development has more or less stopped on the 1.4.x server, so it is possible the issue will not get addressed.
"It seems there may be a bug in jabberd 1.4.x
regarding x:delay in presence stanzas. Specifically, if you are
connected with one resource and log on and off with another resource,
the server will add one <x/> delay child for each logoff. This can add
up to a lot of <x/> children if someone is testing a client or something
while remaining connected with the other resource (recently, I received
a presence stanza with 115 <x/> children!!!)."
Posted by Maqi (admin) on 2004-02-25 10:54
"Set user" (jabberd runs as) command line feature sets the user
BEFORE binding to TCP ports. Should bind BEFORE setting the user
for this enables jabberd to run on privileged ports non-root. Keep
in mind the pid file (which jabberd must be able to delete when
Posted by Maqi (admin) on 2004-07-01 08:59