Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
yosamino 3 hours ago

I've run an XMPP server in various states of professionalism for around 20 years now. From mom's basement all the way to a colocated server with a similar setup that's described in the post.

The only caveat I have not been able to solve is hosting an xmpp server for a different domain, like it's possible with email.

A client connecting the account joe.doe@example.ORG will find the server it wants to connect to via SRV to be , e.g., xmpp14.example.COM and expect a TLS certificate for "example.ORG" which that server does not have (nor can/should easily get) - which makes sense in a lot of ways, but limits the ways one can offer hosting services.

If anyone has creative solutions I'm all ears.

nicoco 2 hours ago | parent | next [-]

I know at least two services that offer hosting with your own domain: https://my.snikket.org/ and https://account.conversations.im/domain/ so I suppose it is not that complex to setup.

yosamino 2 hours ago | parent [-]

Correct, but that means you cannot share that domain securely with, let's say, a website. No ?

singpolyma3 2 hours ago | parent | prev [-]

You need a certificate for the domain you are going to serve of course. You can get one with ACME DNS challenges pretty easily (I have my clients set up a CNAME for the _acme-challenge subdomain of their domain).

yosamino 2 hours ago | parent [-]

I worded that poorly.

Yes, that is of course correct. But that means that your clients have to trust you without technical safeguards, that you will not use this to get for certificates for purposes other than XMPP.

Which, in my mind, is a problem if the domain is not used just for XMPP, but lets say for a website as well.

Joe_Cool an hour ago | parent [-]

You should be able to do that via DNS SRV entries.

  _xmpp-client._tcp.domain.tld. TTL IN SRV priority weight port target
  _xmpps-client._tcp.domain.tld. TTL IN SRV priority weight port target

  example:
  _xmpp-client._tcp.not-my-domain.com. 3599 IN SRV 5 0 5222 jabber.my-domain.com.
You could also build a reverse proxy setup. Then you wouldn't need the keys to the SSL certs. But that is probably overkill to run at your client: https://wiki.xmpp.org/web/Tech_pages/XEP-0368

I don't think I have seen a client complain about the cert being for jabber.my-domain.com Which one is giving trouble there?

source: https://datatracker.ietf.org/doc/html/rfc6120

https://wiki.xmpp.org/web/SRV_Records