rroemhild / docker-ejabberd

Dockerfile for Ejabberd server
MIT License

Open relay #192

Open hasufell opened 5 years ago

hasufell commented 5 years ago

Is this docker image by default an open relay, in that it allows in-band registration?

https://github.com/rroemhild/docker-ejabberd/blob/40f2b5b1d4a40f24a690e98722d983d27f0c0096/conf/ejabberd.yml.tpl#L291-L298

shred commented 5 years ago

It seems so... I just had the pleasure to remove almost 4000 unwanted users from my server. :wink:

The EJABBERD_REGISTER_ADMIN_ONLY option is missing in the README.md, so I wasn't aware of it. Maybe its logic should also be reversed, so in-band registration is disabled by default, and only enabled if an env is explicitly set to true.
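An added ejabberd.yml fragment, not taken from this image's template, placing the open in-band registration setting next to a restricted one. It assumes ejabberd's current `access_rules` syntax (older releases spelled the section `access:`) and uses a constructed admin JID:

```yaml
# Added illustration, not the template shipped in this image.
# Assumes ejabberd 17.x+ `access_rules` syntax; older releases used `access:`.

acl:
  admin:
    user:
      - "admin@example.org"   # constructed example JID
  loopback:
    ip:
      - "127.0.0.0/8"
      - "::1/128"

# --- Open (the state described in this issue): any client that can reach
# the server may create an account in-band via XEP-0077.
#
# access_rules:
#   register:
#     - allow
# modules:
#   mod_register:
#     access: register

# --- Restricted: in-band registration is denied for everyone; accounts are
# created out of band by an administrator (e.g. `ejabberdctl register`).
# Registration traffic is additionally only accepted from the loopback network.
access_rules:
  register:
    - deny
  trusted_network:
    - allow: loopback

# Throttle repeated registration attempts from one IP (seconds).
registration_timeout: 600

modules:
  mod_register:
    access: register            # who may register (deny = nobody in-band)
    ip_access: trusted_network  # from which networks registration is accepted
    captcha_protected: true     # only effective once captcha_cmd/captcha_url are set
```

The `deny` rule is the equivalent of the reversed default proposed above; if self-registration is genuinely wanted, keep `ip_access` and the CAPTCHA rather than re-opening `register` unconditionally.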

hasufell commented 5 years ago

Awful. I wonder how many more users of this image are affected.

shred commented 5 years ago

Also, EJABBERD_REGISTER_TRUSTED_NETWORK_ONLY is supposed to be true by default, according to the README. However, this default value does not seem to be set anywhere.

youmad commented 5 years ago

> I just had the pleasure to remove almost 4000 unwanted users from my server.

@shred I guess that those users were registered by a spammer. Setting EJABBERD_CAPTCHA env var to true can help save you from such situations.

hasufell commented 5 years ago

A default configuration should never be an open relay.