processone / ejabberd

Robust, Ubiquitous and Massively Scalable Messaging Platform (XMPP, MQTT, SIP Server)
https://www.process-one.net/en/ejabberd/

ejabberd cannot connect to some specific servers #4163

Closed jabberdquestions closed 4 months ago

jabberdquestions commented 4 months ago

Hello!

It is my first time using ejabberd and I am enjoying it! But I am facing an issue whose root I could not find.

After following tutorials I have configured ejabberd and made the proper modifications to get 100% in the XMPP compliance test, and everything is working fine with one exception.

Clients can connect within my domain without any issue, and the same goes for external XMPP servers, but with some servers the connection is not working and I do not understand the reason. I am going to paste here some of the logs I found:

    [info] <0.2208.1>@ejabberd_listener:accept/7:273 (<0.4383.1>) Accepted connection [::ffff:external_ip]:59580 -> [::ffff:my_server_ip]:5269
    [info] <0.4383.1>@ejabberd_s2s_in:process_closed/2:132 Closing inbound s2s connection yax.im -> my_domain: TLS failed: starttls_unsupported
    [warning] <0.4383.1>@ejabberd_s2s_in:terminate/2:288 (tcp|<0.4383.1>) Failed to secure inbound s2s connection: TLS failed: starttls_unsupported
    [info] <0.2208.1>@ejabberd_listener:accept/7:273 (<0.4383.1>) Accepted connection [::ffff:external_ip]:59580 -> [::ffff:my_server_ip]:5269
    [info] <0.4383.1>@ejabberd_s2s_in:process_closed/2:132 Closing inbound s2s connection yax.im -> my_domain: TLS failed: starttls_unsupported
    [warning] <0.4383.1>@ejabberd_s2s_in:terminate/2:288 (tcp|<0.4383.1>) Failed to secure inbound s2s connection: TLS failed: starttls_unsupported
    [info] <0.4387.1>@ejabberd_s2s_in:process_closed/2:132 Closing inbound s2s connection jabber.today -> my_domain: Stream closed by peer: invalid-namespace

I am running ejabberd 23.01-1 and I really want anyone to be able to connect to my server. I am sure that I am missing something but I cannot find the mistake. Any help would be appreciated! @licaon-kter

licaon-kter commented 4 months ago

Put your sanitized config on https://gist.github.com and attach the link here

Ain't 23.10 in backports?

jabberdquestions commented 4 months ago

Thank you for the reply!

> Put your sanitized config on https://gist.github.com and attach the link here
>
> Ain't 23.10 in backports?

Here you have my config file: https://gist.github.com/jabberdquestions/78d39fc368c1284b455327d5db215658

About the version, I am using ejabberd on Debian bookworm. I installed it from the Debian repo and I just checked it, and it seems to be the latest version available. If it is not the latest version I will update it manually then.

licaon-kter commented 4 months ago

I'd upgrade to 23.10: https://packages.debian.org/bookworm-backports/ejabberd

(Read the upgrade instructions for mysql: https://docs.ejabberd.im/admin/upgrade/from_23.01_to_23.04/)

Set s2s_use_starttls: required and remove mod_s2s_dialback, then restart.

I can connect just fine to those domains, fyi

jabberdquestions commented 4 months ago

> I'd upgrade to 23.10: https://packages.debian.org/bookworm-backports/ejabberd
>
> (Read the upgrade instructions for mysql: https://docs.ejabberd.im/admin/upgrade/from_23.01_to_23.04/)

Sure! I will do it, thanks for the hints!

> Set s2s_use_starttls: required and remove mod_s2s_dialback, then restart.
>
> I can connect just fine to those domains, fyi

Those errors are gone and they are working fine now, thanks a lot!

Just two more questions:

  1. After reviewing the logs, I am seeing the following log. Does it mean an issue with jabber.calyxinstitute.org?

    [info] <0.15809.108>@ejabberd_s2s_in:process_closed/2:132 Closing inbound s2s connection jabber.calyxinstitute.org -> my_domain: TLS failed: SSL_do_handshake failed: error:0A0000C1:SSL routines::no shared cipher
    [warning] <0.15809.108>@ejabberd_s2s_in:terminate/2:288 (tls|<0.15809.108>) Failed to secure inbound s2s connection: TLS failed: SSL_do_handshake failed: error:0A0000C1:SSL routines::no shared cipher

  2. Like others, I do not like spam and I do not want someone to use my server to spam others. I have enabled the default captcha script and modified it a bit, but I am not an expert with ImageMagick (convert) and I would like to use a more custom solution. The first approach that comes to mind is to call an external script (for example in Python, returning the binary image), but it needs some extra step (modifying the AppArmor profile?) that I am not aware of. Is it possible to execute an external script from captcha.sh in another programming language that returns the binary captcha image? If it is possible, I think that explaining how to do it would help server operators fight spam easily.
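The inbound s2s failures quoted in this thread can be grouped by remote domain and failure reason to see which peers are affected by which problem. The following Python triage script is an added example, not part of the thread or of ejabberd; the function names `triage` and `report` and the `NOTES` table are hypothetical, and the sample input is taken from the log lines posted above.

```python
import re
from collections import defaultdict

# Sample input: log lines quoted in this thread (already redacted by the poster).
SAMPLE_LOG = """\
[info] <0.2208.1>@ejabberd_listener:accept/7:273 (<0.4383.1>) Accepted connection [::ffff:external_ip]:59580 -> [::ffff:my_server_ip]:5269
[info] <0.4383.1>@ejabberd_s2s_in:process_closed/2:132 Closing inbound s2s connection yax.im -> my_domain: TLS failed: starttls_unsupported
[warning] <0.4383.1>@ejabberd_s2s_in:terminate/2:288 (tcp|<0.4383.1>) Failed to secure inbound s2s connection: TLS failed: starttls_unsupported
[info] <0.4383.1>@ejabberd_s2s_in:process_closed/2:132 Closing inbound s2s connection yax.im -> my_domain: TLS failed: starttls_unsupported
[info] <0.4387.1>@ejabberd_s2s_in:process_closed/2:132 Closing inbound s2s connection jabber.today -> my_domain: Stream closed by peer: invalid-namespace
[info] <0.15809.108>@ejabberd_s2s_in:process_closed/2:132 Closing inbound s2s connection jabber.calyxinstitute.org -> my_domain: TLS failed: SSL_do_handshake failed: error:0A0000C1:SSL routines::no shared cipher
[warning] <0.15809.108>@ejabberd_s2s_in:terminate/2:288 (tls|<0.15809.108>) Failed to secure inbound s2s connection: TLS failed: SSL_do_handshake failed: error:0A0000C1:SSL routines::no shared cipher
"""

# Only process_closed lines name the remote domain; the paired terminate/2
# warning repeats the reason without it, so counting both would double-count.
CLOSE_RE = re.compile(
    r"@ejabberd_s2s_in:process_closed/\d+:\d+ Closing inbound s2s connection "
    r"(?P<peer>\S+) -> (?P<local>\S+): (?P<reason>.+)$"
)

# Reason tokens seen in the thread, with what the thread reports about each.
NOTES = {
    "starttls_unsupported": "poster reports it gone after s2s_use_starttls: required and removing mod_s2s_dialback",
    "invalid-namespace": "poster reports it gone after the same change",
    "no shared cipher": "OpenSSL found no cipher suite common to both ends; unresolved in the thread",
}


def triage(log_text):
    """Return {reason_token: {peer_domain: count}} for closed inbound s2s streams."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = CLOSE_RE.search(line)
        if not m:
            continue
        token = next((t for t in NOTES if t in m["reason"]), "other")
        counts[token][m["peer"]] += 1
    return {token: dict(peers) for token, peers in counts.items()}


def report(log_text):
    """One line per (reason, peer), most frequent first."""
    rows = [(n, peer, tok) for tok, peers in triage(log_text).items() for peer, n in peers.items()]
    return [f"{n}x {peer}: {tok} ({NOTES.get(tok, 'not seen in the thread')})"
            for n, peer, tok in sorted(rows, key=lambda r: (-r[0], r[1]))]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Running it against the full ejabberd log before and after a configuration change shows whether a reason such as `starttls_unsupported` disappears for every peer or only for some.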

licaon-kter commented 4 months ago

Not sure what's up with Calyx :neutral_face:

Yes, you can put any script for captcha, do look at the provided https://github.com/processone/ejabberd/blob/master/tools/captcha-ng.sh too

/close this if fixed

jabberdquestions commented 4 months ago

Okay thank you

Just to confirm before closing it: I tried to call my Python script from captcha-ng.sh but it did not work (I guess because of permissions with ejabberd, because when I executed it locally it worked). Is it possible to replace captcha-ng.sh with captcha.py, for example?

licaon-kter commented 4 months ago

Should be ok, maybe python3 scriptname... or whatever

jabberdquestions commented 4 months ago

Okay thank you, I will try. Thanks for the help