Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
xmpp - how to open ejabberd server to public

I recently installed ejabberd on Ubuntu 12.04 LTS. I made the necessary configuration and am able to connect using an XMPP client (PSI) on a different computer using the LAN IP. Now I want to allow my ejabberd server to be accessible from the public URL, but have been unsuccessful. I have done the following:

  1. Assuming my public domain is example.domain.com and the public IP is 123.123.10.210

  2. Opened ports 5222, 5269 and 5280:

    iptables -A INPUT -p tcp --dport 5222 -j ACCEPT
    iptables -A INPUT -p tcp --dport 5269 -j ACCEPT
    iptables -A INPUT -p tcp --dport 5280 -j ACCEPT

  3. Added the following to my hosts file:

    123.123.10.210 example.domain.com

  4. Allowed the ports in the Ubuntu firewall:

    sudo ufw allow 5222
    sudo ufw allow 5269
    sudo ufw allow 5280

  5. Here is my ejabberd.cfg:


%%%
%%%     Debian ejabberd configuration file
%%%     This config must be in UTF-8 encoding
%%%
%%% The parameters used in this configuration file are explained in more detail
%%% in the ejabberd Installation and Operation Guide.
%%% Please consult the Guide in case of doubts, it is available at
%%% /usr/share/doc/ejabberd/guide.html

%%% This configuration file contains Erlang terms.
%%% In case you want to understand the syntax, here are the concepts:
%%%
%%%  - The character to comment a line is %
%%%
%%%  - Each term ends in a dot, for example:
%%%      override_global.
%%%
%%%  - A tuple has a fixed definition, its elements are
%%%    enclosed in {}, and separated with commas:
%%%      {loglevel, 4}.
%%%
%%%  - A list can have as many elements as you want,
%%%    and is enclosed in [], for example:
%%%      [http_poll, web_admin, tls]
%%%
%%%  - A keyword of ejabberd is a word in lowercase.
%%%    The strings are enclosed in "" and can have spaces, dots...
%%%      {language, "en"}.
%%%      {ldap_rootdn, "dc=example,dc=com"}.
%%%
%%%  - This term includes a tuple, a keyword, a list and two strings:
%%%      {hosts, ["jabber.example.net", "im.example.com"]}.
%%%

%%%   ===================================
%%%   OVERRIDE OPTIONS STORED IN DATABASE

%%
%% Override global options (shared by all ejabberd nodes in a cluster).
%%
%%override_global.

%%
%% Override local options (specific for this particular ejabberd node).
%%
%%override_local.

%%
%% Remove the Access Control Lists before new ones are added.
%%
%%override_acls.


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% Options which are set by Debconf and managed by ucf

%% Admin user
{acl, admin, {user, "admin", "localhost"}}.

%% Hostname
{hosts, ["localhost", "example.domain.com"]}.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%


%%%   =========
%%%   DEBUGGING

%%
%% loglevel: Verbosity of log files generated by ejabberd.
%% 0: No ejabberd log at all (not recommended)
%% 1: Critical
%% 2: Error
%% 3: Warning
%% 4: Info
%% 5: Debug
%%
{loglevel, 4}.

%%
%% watchdog_admins: If an ejabberd process consumes too much memory,
%% send live notifications to those Jabber accounts.
%%
%%{watchdog_admins, ["[email protected]"]}.


%%%   ================
%%%   SERVED HOSTNAMES

%%
%% hosts: Domains served by ejabberd.
%% You can define one or several, for example:
%% {hosts, ["example.net", "example.com", "example.org"]}.
%%
%% (This option is defined by debconf earlier)
%% {hosts, ["localhost"]}.

%%
%% route_subdomains: Delegate subdomains to other Jabber server.
%% For example, if this ejabberd serves example.org and you want
%% to allow communication with a Jabber server called im.example.org.
%%
%%{route_subdomains, s2s}.


%%%   ===============
%%%   LISTENING PORTS

%%
%% listen: Which ports ejabberd will listen on, which service handles each
%% of them, and what options to start it with.
%%
%5222
{listen,
 [
  {5222, ejabberd_c2s, [
            {access, c2s},
            {access, register},
            {shaper, c2s_shaper},
            {max_stanza_size, 65536},
                        %%zlib,
            starttls, {certfile, "/etc/ejabberd/ejabberd.pem"}
               ]},

  %%
  %% To enable the old SSL connection method (deprecated) in port 5223:
  %%
  %%{5223, ejabberd_c2s, [
  %%            {access, c2s},
  %%            {shaper, c2s_shaper},
  %%            {max_stanza_size, 65536},
  %%                    zlib,
  %%            tls, {certfile, "/etc/ejabberd/ejabberd.pem"}
  %%               ]},
%5269
  {5269, ejabberd_s2s_in, [
               {shaper, s2s_shaper},
               {max_stanza_size, 131072}
              ]},

  %% External MUC jabber-muc
  %%{5554, ejabberd_service, [
  %%                {ip, {127, 0, 0, 1}},
  %%                {access, all},
  %%                {shaper_rule, fast},
  %%                {host, "muc.localhost", [{password, "secret"}]}
  %%                ]},

  %% Jabber ICQ Transport
  %%{5555, ejabberd_service, [
  %%                {ip, {127, 0, 0, 1}},
  %%                {access, all},
  %%                {shaper_rule, fast},
  %%                {hosts, ["icq.localhost", "sms.localhost"],
  %%                       [{password, "secret"}]}
  %%                ]},

  %% AIM Transport
  %%{5556, ejabberd_service, [
  %%                {ip, {127, 0, 0, 1}},
  %%                {access, all},
  %%                {shaper_rule, fast},
  %%                {host, "aim.localhost", [{password, "secret"}]}
  %%                ]},

  %% MSN Transport
  %%{5557, ejabberd_service, [
  %%                {ip, {127, 0, 0, 1}},
  %%                {access, all},
  %%                {shaper_rule, fast},
  %%                {host, "msn.localhost", [{password, "secret"}]}
  %%                ]},

  %% Yahoo! Transport
  %%{5558, ejabberd_service, [
  %%                {ip, {127, 0, 0, 1}},
  %%                {access, all},
  %%                {shaper_rule, fast},
  %%                {host, "yahoo.localhost", [{password, "secret"}]}
  %%                ]},

  %% External JUD (internal is more powerful,
  %% but doesn't allow registering users from other servers)
  %%{5559, ejabberd_service, [
  %%                {ip, {127, 0, 0, 1}},
  %%                {access, all},
  %%                {shaper_rule, fast},
  %%                {host, "jud.localhost", [{password, "secret"}]}
  %%                ]},
%5280
  {5280, ejabberd_http, [
             %%{request_handlers,
             %% [
             %%  {["pub", "archive"], mod_http_fileserver}
             %% ]},
             %%captcha,
             http_bind,
             http_poll,
             web_admin
            ]}

 ]}.

%%
%% max_fsm_queue: Enable limiting of lengths of "message queues"
%% for outgoing connections. Roughly speaking, each message in such
%% queues represents one XML stanza queued to be sent into
%% an output stream it is serving.
%% The default value is an atom 'undefined' which specifies no limiting.
%%
%% When specified globally, this option limits the message queue lengths
%% for all ejabberd_c2s_in and ejabberd_service listeners,
%% as well as for outgoing s2s connections.
%%
%% This option can also be specified as an option for ejabberd_c2s_in
%% and ejabberd_service listeners, in which case it will override
%% the value of the global option.
%%
{max_fsm_queue, 1000}.

%%
%% s2s_use_starttls: Enable STARTTLS + Dialback for S2S connections.
%% Allowed values are: true or false.
%% You must specify a certificate file.
%%
{s2s_use_starttls, true}.

%%
%% s2s_certfile: Specify a certificate file.
%%
{s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.

%%
%% domain_certfile: Specify a different certificate for each served hostname.
%%
%%{domain_certfile, "example.org", "/path/to/example_org.pem"}.
%%{domain_certfile, "example.com", "/path/to/example_com.pem"}.

%%
%% S2S whitelist or blacklist
%%
%% Default s2s policy for undefined hosts.
%%
%%{s2s_default_policy, allow}.

%%
%% Allow or deny communication with specific servers.
%%
%%{{s2s_host, "goodhost.org"}, allow}.
%%{{s2s_host, "badhost.org"}, deny}.

%%
%% The maximum allowed delay for retrying to connect
%% after a failed connection attempt to a remote server, in seconds.
%% The default value is 300 seconds (5 minutes).
%%
%% The reconnection algorithm works like this: if the connection fails,
%% ejabberd makes an initial random delay between 1 and 15 seconds,
%% then retries, and if this attempt fails, makes another delay,
%% twice as long as the previous one. These attempts are performed either
%% until a successful connection is made or until the next calculated
%% delay is greater than or equal to the value of s2s_max_retry_delay.
%%
%%{s2s_max_retry_delay, 300}.

%%
%% Outgoing S2S options
%%
%% Preferred address families (which to try first) and connect timeout
%% in milliseconds.
%%
%%{outgoing_s2s_options, [ipv4, ipv6], 10000}.


%%%   ==============
%%%   AUTHENTICATION

%%
%% auth_method: Method used to authenticate the users.
%% The default method is the internal.
%% If you want to use a different method,
%% comment this line and enable the correct ones.
%%
{auth_method, internal}.

%%
%% Authentication using external script
%% Make sure the script is executable by ejabberd.
%%
%%{auth_method, external}.
%%{extauth_program, "/path/to/authentication/script"}.

%%
%% Authentication using ODBC
%% Remember to setup a database in the next section.
%%
%%{auth_method, odbc}.

%%
%% Authentication using PAM
%%
%%{auth_method, pam}.
%%{pam_service, "pamservicename"}.

%%
%% Authentication using LDAP
%%
%%{auth_method, ldap}.
%%
%% List of LDAP servers:
%%{ldap_servers, ["localhost"]}.
%%
%% Encryption of connection to LDAP servers (LDAPS):
%%{ldap_encrypt, none}.
%%{ldap_encrypt, tls}.
%%
%% Port connect to LDAP server:
%%{ldap_port, 389}.
%%{ldap_port, 636}.
%%
%% LDAP manager:
%%{ldap_rootdn, "dc=example,dc=com"}.
%%
%% Password to LDAP manager:
%%{ldap_password, "******"}.
%%
%% Search base of LDAP directory:
%%{ldap_base, "dc=example,dc=com"}.
%%
%% LDAP attribute that holds user ID:
%%{ldap_uids, [{"mail", "%[email protected]"}]}.
%%
%% LDAP filter:
%%{ldap_filter, "(objectClass=shadowAccount)"}.

%%
%% Anonymous login support:
%%   auth_method: anonymous
%%   anonymous_protocol: sasl_anon | login_anon | both
%%   allow_multiple_connections: true | false
%%
%%{host_config, "public.example.org", [{auth_method, anonymous},
%%                                     {allow_multiple_connections, false},
%%                                     {anonymous_protocol, sasl_anon}]}.
%%
%% To use both anonymous and internal authentication:
%%
%%{host_config, "public.example.org", [{auth_method, [internal, anonymous]}]}.


%%%   ==============
%%%   DATABASE SETUP

%% ejabberd uses by default the internal Mnesia database,
%% so you can avoid this section.
%% This section provides configuration examples in case
%% you want to use other database backends.
%% Please consult the ejabberd Guide for details about database creation.

%% NOTE that ejabberd in Debian supports "out of the box"
%% only mnesia (default) and ODBC storage backends.
%% Working with MySQL and PostgreSQL DB backends requires
%% building and installation of the corresponding Erlang modules,
%% not distributed as a part of ejabberd.
%% Refer to /usr/share/doc/ejabberd/README.Debian for details.

%%
%% MySQL server:
%%
%%{odbc_server, {mysql, "server", "database", "username", "password"}}.
%%
%% If you want to specify the port:
%%{odbc_server, {mysql, "server", 1234, "database", "username", "password"}}.

%%
%% PostgreSQL server:
%%
%%{odbc_server, {pgsql, "server", "database", "username", "password"}}.


1 Answer

  1. Verify that connections really go through to the server.

    On an Internet-connected box use telnet, nc or a similar command to verify connecting to well-known ports of your server works. Do

    $ telnet 123.123.10.210 5222
    

    and then type in some gibberish and press Enter to send it; you should receive an XML stanza from your server telling you that you've sent a malformed stream and indicating a stream closure (to exit the telnet session, press Ctrl-], then enter q and hit Enter).

    If this command hangs and then times out or outright fails, you have a network connectivity problem.

    When you're checking, it's really handy to have an instance of tcpdump running to see if the client's packets come in and replies go out:

    # tcpdump -n -i eth0 'tcp and (port 5222 or port 5269)'
    

    (substitute the name of your Internet-connected interface instead of eth0).

  2. You must have a proper DNS setup for your XMPP domain.

    That is, if your users have JIDs in example.domain.com, everyone on the Internet should be able to ask their DNS servers how to contact users with JIDs in that domain using XMPP. This is done using SRV records. The DNS server(s) maintaining example.domain.com must have two DNS records:

    • _xmpp-client._tcp.example.domain.com pointing to the host and port of the server accepting client connections (so they should be 123.123.10.210 and 5222).
    • _xmpp-server._tcp.example.domain.com pointing to the host and port of the server accepting server connections (so they should be 123.123.10.210 and 5269).

    More info here.

    Run

    $ host -t srv _xmpp-client._tcp.gmail.com
    $ host -t srv _xmpp-server._tcp.gmail.com
    

    to get some idea of what it should look like.

One more thing to be aware of here is that if your server is in a DMZ (not directly connected to the Internet but mediated by a NAT device), the firewall setup should be more involved. But before delving into this, please check the connectivity as explained above.
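The connectivity check from step 1 of the answer, done from a script instead of typing gibberish into telnet, as an added example that is not part of the original post: it sends a well-formed XMPP stream header and classifies the server's first reply, so you also learn whether the c2s listener offers STARTTLS (the posted config enables it with `starttls` and a `certfile`). The host, port and domain are the question's placeholder values; the sample replies are constructed, not captured from a real server.

```python
import re
import socket

def build_stream_header(domain):
    """Initial stream header a client sends (RFC 6120, section 4.7.1)."""
    return ("<?xml version='1.0'?><stream:stream to='%s' version='1.0' "
            "xmlns='jabber:client' xmlns:stream='http://etherx.jabber.org/streams'>"
            % domain).encode()

def classify_reply(reply):
    """Summarise the server's opening reply: did a stream open, did it send a
    stream error, and does it offer (or require) STARTTLS before authentication."""
    text = reply.decode("utf-8", "replace")
    return {
        "stream_opened": "<stream:stream" in text,
        "stream_error": "<stream:error" in text,
        "offers_starttls": "<starttls" in text,
        "starttls_required": bool(re.search(r"<starttls[^>]*>\s*<required\s*/>", text)),
        "sasl_mechanisms": re.findall(r"<mechanism>([^<]+)</mechanism>", text),
    }

def probe(host, port, domain, timeout=5.0):
    """Connect, send the header and classify the reply. A failed TCP connection
    (refused or timed out) is the answer's 'network connectivity problem' case."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_stream_header(domain))
            buf = b""
            while b"</stream:features>" not in buf and b"</stream:stream>" not in buf:
                try:
                    chunk = sock.recv(4096)
                except socket.timeout:
                    break  # connected, but the server stopped talking
                if not chunk:
                    break
                buf += chunk
            return classify_reply(buf)
    except OSError as exc:
        return {"network_error": str(exc)}

# Constructed sample replies (not from a real server) so the classifier runs offline.
SAMPLE_FEATURES = (b"<?xml version='1.0'?><stream:stream xmlns='jabber:client' "
                   b"xmlns:stream='http://etherx.jabber.org/streams' id='1' "
                   b"from='example.domain.com' version='1.0'><stream:features>"
                   b"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>"
                   b"<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
                   b"<mechanism>PLAIN</mechanism></mechanisms></stream:features>")
SAMPLE_ERROR = (b"<?xml version='1.0'?><stream:stream xmlns='jabber:client' "
                b"xmlns:stream='http://etherx.jabber.org/streams' version='1.0'>"
                b"<stream:error><not-well-formed xmlns='urn:ietf:params:xml:ns:xmpp-streams'/>"
                b"</stream:error></stream:stream>")

if __name__ == "__main__":
    print(probe("123.123.10.210", 5222, "example.domain.com"))  # assumed values
```

A reply with `stream_opened` set but `offers_starttls` unset means the listener accepts clients without any TLS option, so passwords would cross the public Internet in the clear; the posted config avoids that by listing `starttls` on port 5222.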

