[OT] Installing ejabberd on debian / ubuntu

We wanted a Jabber server running on our own debian / ubuntu based machines and we wanted it to “Just Work”. Installation is easy with Apt, but then you need to deal with configuration, and this we found a little fiddly and confusing. We found the existing documentation did not suit our requirements, so we’re outlining what we did in the hope it might help someone else. Comments or feedback are most welcome - details at the end of this post.

Why ejabberd

Our requirements were:

  • Secure SSH based communication
  • Get all chats logged on the server. This is more about archiving than about audit trails.
  • Available through debian/ubuntu’s apt based package management system

Why not OpenFire?

OpenFire seems to be the more common solution. As far as we can tell it has some weird dependencies specific to the Sun Java VM implementation. At the very least, people have tried to build debian apt packages but I’ve not seen any success to date. Namely, you can’t (currently) get OpenFire installed solely via apt without having to start compiling things by hand. If you know differently, please let us know. Just to be clear - a very specific requirement for us was that everything was installable from stock debian/ubuntu deb packages. We chose to reject any solution that required compiling sources. Your mileage may vary on this point.

Okay, so how?

First up, ensure your system is up to date and then grab ejabberd

sudo apt-get update
sudo apt-get upgrade
sudo apt-get install ejabberd

Configuration

Installing is the easy bit. Figuring out how to configure ejabberd on debian / ubuntu was the tricky part. The documentation isn’t clear, and doesn’t seem to be very debian / ubuntu specific.

sudo vi /etc/ejabberd/ejabberd.cfg

The changes we made are outlined below.

%% Admin user
{acl, admin, {user, "nemo", "sysmonblog.co.uk"}}.
{acl, admin, {user, "coral", "sysmonblog.co.uk"}}.
{acl, admin, {user, "dory", "sysmonblog.co.uk"}}.
%% Hostname
{hosts, ["sysmonblog.co.uk"]}.
%% Notify this user whenever a new account is registered
{registration_watchers, ["nemo@sysmonblog.co.uk"]}.
%% This stops "in band" account registration 
%% by any existing user
{access, register, [{deny, all}]}.

We also changed starttls to starttls_required in the following stanza, to (hopefully) prevent non ssl/tls enabled connections:

% Ordinary client-2-server service
[{5222, ejabberd_c2s, [{access, c2s},
{max_stanza_size, 65536},
starttls_required, {certfile, "/etc/ejabberd/ejabberd.pem"},
{shaper, c2s_shaper}]},

Next, stop/start the ejabberd daemon

sudo /etc/init.d/ejabberd stop
# it should tell you it isn't running
sudo /etc/init.d/ejabberd start

Finally, create the accounts. The config above only says that these accounts will be admins; you still need to create (or register) them.

ejabberdctl register nemo sysmonblog.co.uk xx
ejabberdctl register coral  sysmonblog.co.uk xx
ejabberdctl register dory   sysmonblog.co.uk xx
...

Replace xx with a more suitable set of passwords.
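
The check below is an added example, not part of the original post: it audits an ejabberd.cfg for the two changes made above (in-band registration denied, starttls_required on the 5222 listener). The function name audit_cfg and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an old-style ejabberd.cfg for the settings changed above.
# Prints one line per finding; returns 0 when the file passes, 1 otherwise.
audit_cfg() {
    # Drop Erlang comments (% to end of line) so commented-out options are ignored.
    # Simplification: assumes no literal % inside quoted strings.
    active=$(sed 's/%.*$//' "$1")
    rc=0

    # In-band registration must be denied for everyone.
    if ! printf '%s\n' "$active" |
            grep -Eq '\{access, *register, *\[\{deny, *all\}\]\}'; then
        echo "register: in-band registration is not {deny, all}"
        rc=1
    fi

    # Collect the 5222 client listener, from its opening line to the closing "]}".
    c2s=$(printf '%s\n' "$active" |
        awk '/[{]5222, *ejabberd_c2s/ {on = 1} on {print} on && /\][}]/ {exit}')
    if [ -z "$c2s" ]; then
        echo "c2s: no ejabberd_c2s listener on port 5222"
        rc=1
    elif ! printf '%s\n' "$c2s" | grep -q 'starttls_required'; then
        echo "c2s: TLS is optional or absent on port 5222"
        rc=1
    fi
    return $rc
}

# Constructed samples: open registration with optional STARTTLS, then the edited form.
tmp=$(mktemp -d)
cat > "$tmp/weak.cfg" <<'EOF'
{access, register, [{allow, all}]}.
%% {access, register, [{deny, all}]}.
{listen, [{5222, ejabberd_c2s, [{access, c2s},
  starttls, {certfile, "/etc/ejabberd/ejabberd.pem"},
  {shaper, c2s_shaper}]}]}.
EOF
cat > "$tmp/hard.cfg" <<'EOF'
{access, register, [{deny, all}]}.
{listen, [{5222, ejabberd_c2s, [{access, c2s},
  {max_stanza_size, 65536},
  starttls_required, {certfile, "/etc/ejabberd/ejabberd.pem"},
  {shaper, c2s_shaper}]}]}.
EOF
audit_cfg "$tmp/weak.cfg" || echo "weak.cfg: needs changes"
audit_cfg "$tmp/hard.cfg" && echo "hard.cfg: ok"
rm -rf "$tmp"
```

Run it against the real file with audit_cfg /etc/ejabberd/ejabberd.cfg before restarting the daemon.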

SSL / TLS certificates

When installed via apt, an SSL certificate will be generated for you automatically. However, the “common name” will be set to “ejabberd”. It ought to match the domain/ip you use for your “server” setting, in this case “sysmonblog.co.uk”. Some clients won’t care. Adium does, and refuses to remember to trust the certificate if the domain is wrong, which means you can connect, but each time you restart you need to tell it the certificate is okay. To fix this:

sudo cp /etc/ejabberd/ejabberd.pem \
    /etc/ejabberd/orig.ejabberd.pem
openssl req -new -x509 -newkey rsa:1024 -days 3650 \
    -keyout privkey.pem -out server.pem
openssl rsa -in privkey.pem -out privkey.pem
cat privkey.pem >> server.pem
rm privkey.pem
sudo mv server.pem /etc/ejabberd/ejabberd.pem

It’ll ask you for a password in the first openssl step. It doesn’t seem to matter what you pick. Of the other questions, the one that matters is Common Name, which should be your domain name.

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []: sysmonblog.co.uk
Email Address []:
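
Added example, not from the original post: the same combined certificate-plus-key file built without prompts, followed by a check that the Common Name matches the domain. It assumes the openssl command-line tool is installed; the function names are made up here, and it uses a 2048-bit key where the commands above use 1024.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# make_pem DOMAIN OUT: self-signed cert with CN=DOMAIN, then the key appended,
# giving the same cert+key layout as the ejabberd.pem built above.
make_pem() {
    (
        umask 077   # the file holds the private key: owner-only access
        openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
            -subj "/CN=$1" -keyout "$2.key" -out "$2" 2>/dev/null &&
            cat "$2.key" >> "$2" && rm -f "$2.key"
    )
}

# pem_cn FILE: print the certificate's Common Name.
pem_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# pem_bits FILE: print the public key size in bits.
pem_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# check_pem FILE DOMAIN: succeed only if the CN equals DOMAIN, the key is at
# least 2048 bits, and the file also contains a private key block.
check_pem() {
    [ "$(pem_cn "$1")" = "$2" ] || { echo "CN mismatch: $(pem_cn "$1")"; return 1; }
    [ "$(pem_bits "$1")" -ge 2048 ] || { echo "weak key: $(pem_bits "$1") bits"; return 1; }
    grep -Eq 'BEGIN (RSA )?PRIVATE KEY' "$1" || { echo "no private key"; return 1; }
}

# Constructed demo in a scratch directory; nothing under /etc is touched.
dir=$(mktemp -d)
make_pem ejabberd "$dir/packaged.pem"          # CN the apt install uses
make_pem sysmonblog.co.uk "$dir/fixed.pem"
check_pem "$dir/packaged.pem" sysmonblog.co.uk || true
check_pem "$dir/fixed.pem" sysmonblog.co.uk && echo "fixed.pem: ok"
rm -rf "$dir"
```

When the result is installed as /etc/ejabberd/ejabberd.pem, the account the ejabberd daemon runs as must still be able to read it, so adjust ownership rather than making the file world-readable.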

Firewalls and ports

Ensure any firewalling you have will allow ports 5222 and 5223 through.

Connecting from your Client

Pidgin is a fabulous IM client available for both Windows and Linux. The Mac OS X port is called Adium. Both these tools allow you to consolidate MSN, Windows Live, Yahoo!, GTalk, AOL and many other accounts into a single place. You no longer need multiple IM clients, and you don’t get all the ads. Explore the plugins available for both and you will discover a rich world of features to improve your IM lifestyle. They both also support Jabber.

  • Account name would be nemo@sysmonblog.co.uk
  • Password would be as set above
  • Server should be the ip or domain name of the machine running your ejabberd server. It doesn’t need to be the same domain as you are using in your account names above.
  • Port should be 5222. If that fails, try 5223.

The last two might be tucked away under advanced/preferences/options, but they are specific to the account you are adding. They aren’t global Pidgin/Adium settings.

See Also

The manual has a section on configuration variables and what they do. You probably want to stop/start the ejabberd process (using the init.d lines shown above) if you make further changes to your ejabberd.cfg.

Ken covers specifics of running ejabberd on Amazon EC2 instances, and the SRV DNS records required for making federation work properly. Federation allows your jabber users to chat with other jabber users who’re registered on different jabber servers.

Feedback

If you have any better examples or feedback let us know in the comments, or drop us an email on sysmonblog@googlemail.com.

1 Comment

Thanks that was awesome! I had been banging my head, spinning in circles with openfire and jabberd2 on Debian and those endless unresolvable java issues...

G

About this Entry

This page contains a single entry by snork published on June 16, 2008 12:27 AM.