Using Jabberd as a Private Instant Messaging Service

Introduction

Have you ever thought about using a private Instant Messaging (IM) service for your own organization, family, or friends? A service with no ads, no fees, no intrusive messages from strangers; a service that does not require you to use a proprietary operating system? In short, an IM system that puts YOU in charge?

Well, such a service/protocol exists...it is called Jabber. You can use it as a completely private system, with encrypted client connections. You can also set it up so that your IM service can talk to any other Jabber system in the world, much like SMTP e-mail. Here are the features that attracted me to Jabber:

• Open source code with published protocol specifications
• Thousands of Jabber servers/domains in use today
• No licensing fees or cost...just your time and some hardware
• Jabber servers can run on GNU/Linux and other operating systems
• May very well become THE standard IM protocol for the Internet via the IETF's XMPP Working Group
• Uses XML streams...can be debugged with a TELNET client
• Commercial solutions are available for those who want them
• Active developer community
• Multiuser chat rooms
• Uses client/server model with TCP connections (works fine through NAT boxes)
• Simple addressing scheme([email protected])
• SSL/TLS encryption is supported for client connections
• End-to-end encryption of messages is possible with some clients using PGP or GnuPG
• Simple directory service
• Jabber clients are light-weight and available for multiple operating systems (including Linux and *BSD)
• There are many Jabber clients to choose from

Another advantage of the Jabber system is that it is easily extensible for custom applications. For example, it can allow messaging between applications or devices, not just people!

In this HOWTO, I will go step-by-step through the process of building a private/organizational Jabber server on Red Hat Linux. Most of the instructions should work on other distributions, but I have not tested any others.

Why did I write this? Although the Jabber.Org web site has excellent documentation, it does not give you a step-by-step guide to setting up a private Jabber server that runs as a service and has reasonable security defaults. I wrote this primarily as a reference manual for myself. If you have any suggestions or corrections, please e-mail me here:  [email protected]

Getting the Code

Most of the software is available at www.jabber.org, but I have placed it here for your convenience. All of the files are source code except for the daemontools package, which is a Linux RPM for the x86 architecture. If you are running a non-x86 architecture or you are using an OS other than GNU/Linux, you may want to download the code elsewhere.

Prerequisites

• Read all documentation from jabber.org and all documentation files that come packed in the software!
• The most current version of OpenSSL should already be installed (check with rpm -q openssl)
• You should have a separate /usr or /usr/local partition. (I have a 7.7GB /usr partition)
• If you want to connect to the server from the Internet, You MUST have DNS setup properly! This means that the hostname of your Jabber server needs to be a Fully Qualified Domain Name (FQDN), DNS resolution must be setup properly on your Jabber server, and the appropriate "A" record must exist in the zonefile for your domain. If possible, it would not hurt to have the pointer ("PTR") record for your IP address map to the same FQDN so that DNS reverse-lookups match the "A" record. If you are not sure what your hostname is, use the hostname command.

Environment

My testing and production environment:

• Red Hat 8.0 x86 and Red Hat 7.2 x86
• Private LAN with static RFC-1918 IP address for server
• Static IP address on separate NAT firewall for Internet access to Jabber server
• Fully Qualified Domain Name (FQDN) for the Jabber server

Assumptions

• You want to install jabberd at /usr/local/jabber
• You will run this as a private IM service behind a firewall for a small organization
• There will be < 100 users
• Connections from outside the firewall are only allowed via SSL/TLS
• Clients are not allowed to register themselves
• There is a directory /home/someuser/Downloads where all the scripts, tarballs, and other software are located
• You have configured any external firewalls or firewall software on the Jabber server to allow the appropriate TCP connections
• In this HOWTO, I will use the fictitious FQDN of im.jabs.org for the Jabber server. I will also assume that the server's IP address is 172.17.77.2.

Step-by-Step Installation Instructions

1. Unpack and compile jabber-1.4.2.tar

   [root@im Downloads]# cp jabber-1.4.2.tar.gz /usr/local
   [root@im Downloads]# cd /usr/local
   [root@im local]# gunzip jabber-1.4.2.tar.gz
   [root@im local]# tar xvf jabber-1.4.2.tar
   [root@im local]# mv jabber-1.4.2 jabber
   [root@im local]# rm jabber-1.4.2.tar
   [root@im local]# cd jabber
   

   Read the README file!

   [root@im jabber]# ./configure --enable-ssl
   Running Jabber Configure
   ========================
   
   Searching for SSL...            Found.
   Getting pth settings..../configure: line 1: pth-config: command not found
   ./configure: line 1: pth-config: command not found
   ./configure: line 1: pth-config: command not found
   
   .....
   ...
   ..
   ...
   .....
   
   creating pth_acmac.h
   creating pth_acdef.h
   
   Now please type `make' to compile. Good luck.
   
   Setting Build Parameters...     Done.
   Generating Settings Script...   Done.
   
   You may now type 'make' to build your new Jabber system.
   
   [root@im jabber]# make
   

2. Now, let us create a user named "jabber" and some directories with the proper permissions. You will note that we first make sure that UID 400 is not in use. Since the user "jabber" only exists for running jabberd, we are giving it a UID < 500.

   [root@im jabber]# grep :400: /etc/passwd
   [root@im jabber]# useradd -u 400 -M -d /usr/local/jabber jabber
   [root@im jabber]# mkdir --mode 0770 /etc/jabberd
   [root@im jabber]# mkdir --mode 0770 /var/run/jabberd
   [root@im jabber]# mkdir --mode 0770 /var/log/jabberd
   [root@im jabber]# chown jabber.jabber /etc/jabberd
   [root@im jabber]# chown jabber.jabber /var/run/jabberd
   [root@im jabber]# chown jabber.jabber /var/log/jabberd
   

3. Now, let us unpack, compile, and install the multiuser conference component...

   	
   [root@im Downloads]# cp mu-conference-0.5.2.tar.gz /usr/local/jabber
   [root@im Downloads]# cd /usr/local/jabber
   [root@im jabber]# gunzip mu-conference-0.5.2.tar.gz
   [root@im jabber]# tar -xvf mu-conference-0.5.2.tar
   [root@im jabber]# rm mu-conference-0.5.2.tar
   [root@im jabber]# cd mu-conf*
   

   Read the README file!

   
   [root@im mu-conference-0.5.2]# make
   	
   

4. Now, let us unpack, compile, and install the JUD component...

   	
   [root@im Downloads]# cp jud-0.5.tar.gz /usr/local/jabber
   [root@im Downloads]# cd /usr/local/jabber
   [root@im jabber]# gunzip jud-0.5.tar.gz
   [root@im jabber]# tar -xvf jud-0.5.tar
   [root@im jabber]# mv jud-ansi-c jud-0.5
   [root@im jabber]# rm jud-0.5.tar
   [root@im jabber]# cd jud-0.5
   

   Read the README file!

   
   [root@im jud-0.5]# make
   
   

5. Now, let us take care of some permissions and some file/directory tasks (don't forget to use your FQDN instead of "im.jabs.org")...

   	
   [root@im jabber]# mkdir /usr/local/jabber/spool/im.jabs.org
   [root@im jabber]# cd /usr/local/
   [root@im local]# chown -R jabber.jabber /usr/local/jabber
   [root@im local]# chmod 0770 /usr/local/jabber
   

6. Now, let us install the daemontools package...

   [root@im Downloads]# rpm -ivh daemontools-0.70-5.i686.rpm
   warning: daemontools-0.70-5.i686.rpm: V3 DSA signature: NOKEY, key ID f9651d5a
   Preparing...                ########################################### [100%]
      1:daemontools            ########################################### [100%]
   Execute "/etc/rc.d/init.d/svscan" to start svscan daemon.
   [root@im Downloads]# rpm -q daemontools
   daemontools-0.70-5
   

7. Let us add the jabber TCP ports to /etc/services. Open up your favorite text editor and add the following lines to the bottom of the file:

   # Jabber Ports
   jabc            5222/tcp                        # Unencrypted jabber client-to-server
   jabc-ssl        5223/tcp                        # SSL encrypted jabber client-to-server
   jabs2s          5269/tcp                        # Jabber server-to-server
   

8. In the box below, we will rename the highly-annotated jabber.xml config file into a file called jabber.xml.org, and make a copy in /etc/jabberd for reference. We will also copy jabber.xml.c2s and jabber.xml.s2s to /etc/jabberd. We will copy jabber.xml.c2s to jabber.xml. This will be your working config file. We will also make sure that the config files have the appropriate ownership and permissions.
   
   (If you want to enable server-to-server Jabber links so that users in your Jabber domain can communicate with users in any other Jabber domain, simply copy jabber.xml.s2s to jabber.xml instead.)
   
   Here are the config files:
   
   jabber.xml.org - Original config file included in the jabber-1.4.2 tarball
   jabber.xml.c2s - My config for a private IM server
   jabber.xml.s2s - My config for an organizational IM server WITH connectivity to the Jabber network
   
   You will need to right-click and save, specifying the proper file name, because your browser may try to interpret the XML and append .xml to the filename. If you already downloaded the vanjabfiles.tar.gz tarball and gunzipped/untarred it, then you will not need to download them here.
   
   

   [root@im Downloads]# cp -v jabber.xml.* /etc/jabberd/
   `jabber.xml.c2s' -> `/etc/jabberd/jabber.xml.c2s'
   `jabber.xml.s2s' -> `/etc/jabberd/jabber.xml.s2s'
   [root@im Downloads]# cd /usr/local/jabber
   [root@im jabber]# mv jabber.xml jabber.xml.org
   [root@im jabber]# cp -v jabber.xml.org /etc/jabberd
   `jabber.xml.org' -> `/etc/jabberd/jabber.xml.org'
   [root@im jabber]# cd /etc/jabberd
   [root@im jabberd]# cp -v jabber.xml.c2s jabber.xml
   `jabber.xml.c2s' -> `jabber.xml'
   [root@im jabberd]# chown jabber.jabber *
   [root@im jabberd]# chmod 0660 *
   [root@im jabberd]# ls -l
   total 60
   -rw-rw----    1 jabber   jabber       8380 Jul 27 01:48 jabber.xml
   -rw-rw----    1 jabber   jabber       8380 Jul 22 07:27 jabber.xml.c2s
   -rw-rw----    1 jabber   jabber      20667 Jul 19 18:49 jabber.xml.org
   -rw-rw----    1 jabber   jabber       9620 Jul 27 01:48 jabber.xml.s2s
   

   Note:  My config files are considerably stripped down from the original, which comes with the tarball. The original contains many useful comments that you may need to reference while customizing your configuration. My config files contain only what is needed for a private IM server. One allows server-to-server links (.s2s), and one does not (.c2s)
   
   
   
9. Now, let's setup the Linux run scripts so that jabberd can be started and stopped automatically, as well as managed like any other server daemon.
   
   First, grab this script (unless you already grabbed my tarball) and save it in your Download directory:  jabberd.run
   
   Now do the following as root:

   [root@im Downloads]# cp jabberd.run /etc/init.d/jabberd
   [root@im Downloads]# cd /etc/init.d
   [root@im init.d]# chown root.root /etc/init.d/jabberd
   [root@im init.d]# chmod 0750 /etc/init.d/jabberd
   [root@im init.d]# ls -l jabberd
   -rwxr-x---    1 root     root         2983 Jul 17 23:22 jabberd
   [root@im init.d]# chkconfig --add jabberd
   [root@im init.d]# chkconfig --list jabberd
   jabberd         0:off   1:off   2:off    3:on    4:on    5:on    6:off
   

   
   
10. Now, let's setup automatic log rotation using this config file (also already in my tarball):   jabberd.logrotate
    
    Global defaults are configured in /etc/logrotate.conf
    
    Do the following as root:

    [root@im Downloads]# cp jabberd.logrotate /etc/logrotate.d/jabberd
    [root@im Downloads]# cd /etc/logrotate.d
    [root@im logrotate.d]# chown root.root jabberd
    [root@im logrotate.d]# chmod 0660 jabberd
    [root@im logrotate.d]# ls -l jabberd
    -rw-rw----    1 root     root          217 Jul 17 23:35 jabberd
    

    
    

Step-by-Step Configuration Instructions

1. Edit the /etc/jabberd/jabber.xml file to reflect your particular setup, especially the hostname and IP addresses. There are multiple places where you will have to substitute your own FQDN and IP address for "im.jabs.org" and "172.17.77.2". Also remember to use your own administrative JIDs instead of "[email protected]".
2. Make a TLS/SSL certificate (self-signed) and place it in the /usr/local/jabber directory. MAKE SURE that you use your hostname/FQDN in the Common Name field of the X.509 certificate dialog.

   # cd /usr/local/jabber
   [root@im jabber]# /usr/bin/openssl req -new -x509 -newkey rsa:1024 -days 3650 -keyout privkey.pem -out key.pem
   Using configuration from /usr/share/ssl/openssl.cnf
   Generating a 1024 bit RSA private key
   .................++++++
   ........++++++
   writing new private key to 'privkey.pem'
   Enter PEM pass phrase:
   Verifying password - Enter PEM pass phrase:
   -----
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   -----
   Country Name (2 letter code) [GB]:TW
   State or Province Name (full name) [Berkshire]:Taipei County
   Locality Name (eg, city) [Newbury]:Nankang
   Organization Name (eg, company) [My Company Ltd]:Jabs, Ltd.
   Organizational Unit Name (eg, section) []:IT Department
   Common Name (eg, your name or your server's hostname) []:im.jabs.org
   Email Address []:[email protected]
   
   [root@im jabber]# /usr/bin/openssl rsa -in privkey.pem -out privkey.pem
   read RSA key
   Enter PEM pass phrase:
   writing RSA key
   
   [root@im jabber]# cat privkey.pem >> key.pem
   [root@im jabber]# rm privkey.pem
   [root@im jabber]# chown jabber.jabber key.pem
   [root@im jabber]# chmod 0400 key.pem
   [root@im jabber]# ls -l key.pem
   -r--------    1 jabber   jabber       2274 Jul 17 16:53 key.pem
   

3. Make sure you are logged in as user root (or su - root), then start the server to test...

   [root@im root]# /etc/init.d/jabberd start
   Starting jabberd: jabberd.
   [root@im root]# 20030717T15:45:40: [notice] (-internal): initializing server
   
   [root@im root]# /etc/init.d/jabberd status
   
    Status for Jabberd ...
   
   jabber   26536     1  0 23:45 pts/4    00:00:00 /usr/local/jabber/jabberd/jabber
   

   Note: There may be a warning about a directory or file that doesn't exist. This is O.K. as long as the server starts up (which can be tested with pgrep -l jabberd or /etc/init.d/jabberd status). The directory or file will be automatically created.
4. Check to see that the proper TCP ports are listening:

   [jabber@im jabber]$ netstat -ta
   Active Internet connections (servers and established)
   Proto Recv-Q Send-Q Local Address           Foreign Address         State
   tcp        0      0 *:jabc                  *:*                     LISTEN
   tcp        0      0 im.jabs.org:jabc-ssl    *:*                     LISTEN
   tcp        0      0 *:5353                  *:*                     LISTEN
   tcp        0      0 *:x11                   *:*                     LISTEN
   tcp        0      0 *:http                  *:*                     LISTEN
   tcp        0      0 mysql:smtp          *:*                     LISTEN
   

5. Add three test users, one of which is listed as the server admin in your config file. Three test users will allow you to test login & authentication, presence notifications, instant messaging, JUD, and multi-user conferencing. In order to create test users, follow the instructions in the Administration section below.
6. Now test the following to make sure your server is running correctly:
   
   
   • client logins from private LAN
   • client logins from Internet
   • messages or chat sessions between users
   • make sure logfiles are being written to in /var/log/jabberd
   • make sure PID file exists in /var/run/jabberd
   • use run script to stop, start, restart, and check the status of jabberd
   • create a multiuser conference room (as detailed in the Administration section) and make sure that all three of your test users can chat

Getting Started with Administration

Since user auto-registration is disabled in this configuration, you will need to create user accounts yourself. This could be automated in various ways, such as e-mail request forms, web registration forms, your favorite scripting language, etc. The simple bash scripts below will get you started (they are also included in the vanjabfiles tarball). You can simply modify them to suit your own needs.

Note:  The jabadd and jabdel scripts assume that you are using my configuration templates. The <timeout>0</timeout> directive must be in the <xdb> section of the jabber.xml config file.

If you use the scripts, place them in /usr/local/sbin, change the ownership to root.root, and change the permissions to 0770 on all of the jab* scripts. This way, only root can invoke them. Don't forget to change the $FQDN variable in the script, or it will not work.

To check out some statistics for your Jabber server, use this script:   jabstats

For a quick listing of all user accounts on the server, use this script:   jablist

To backup your config files, user account, and other spool files, use this script:   jabbackup

To add a new user, and optionally add vCard info for that user, use this script:   jabadd

In case you are wondering what the minimum user.xml file is for a new account, I have listed a "skeleton" file below, which would be named myuser.xml:

<xdb>
<password xmlns='jabber:iq:auth' xdbns='jabber:iq:auth'>mypass</password>
<query xmlns='jabber:iq:register' xdbns='jabber:iq:register'>
<username>myuser</username>
<password xmlns='jabber:iq:auth'>mypass</password>
<x xmlns='jabber:x:delay' stamp='20030805T15:45:10'>registered</x>
</query>
</xdb>

To delete a user, you may simply remove their user.xml file from the proper spool directory, or you can use this script:   jabdel

Note:  If the user is still logged in when you delete them, when they logout, an imcomplete user.xml file will be written in the spool directory. They will not be able to login, but the file will remain. Also, this method of removing a user from your Jabber server does not remove any entries that the user may have had in the JUD. You have been warned...

To change passwords, you can edit the user's user.xml file directly.

Adding permanent conference rooms:

This is best done by logging into the Jabber server with a Jabber client as the configured MUC administrator. Then you can create the conference room and set the topic. With my configuration, regular users cannot create their own multiuser conference rooms. Conference rooms can be destroyed by removing their entry in the rooms.xml file and the associated .xml file in the same directory. Jabberd must then be restarted.

Other administrative tasks:

After reading the Jabberd Administration Guides at Jabber.Org, make sure that the jabberd admin user can set the MOTD and send a message to all users. You should also test publishing user info to the JUD, and searching the JUD.

Here is a link to Ken Wermann's good advice for Jabberd administrators:    Admin Advice

Security Notes

• SSL/TLS protects the contents from being snooped during transit, but it does NOT prevent a cracker from connecting with his/her own SSL/TLS Jabber client and guessing passwords. When you create an account, use a good password. This should not be a big hardship on your users, as they can select a "remember password" checkbox on most clients.
• My jabberd server is configured to run as user "jabber", not "root", so that buffer overflows will not result in root access. It is up to you whether or not to allow shell logins for user "jabber". You may wish to perform all Jabber admin chores while logged in as user "jabber". I chose to disable those logins with this command:

  [root@im root]# usermod -s /bin/false jabber

  I currently login as root to add users and administer the server.
• You will note that in my jabber config files, I only allow non-SSL/TLS Jabber client connections to the loopback address. I do this for several reasons:
  
  
  1. Prevent internal or external clients from attaching without encryption
  2. Allow diagnostics to occur from a non-encrypted client session or TELNET session from the server itself
  3. Allow a non-encrypted client connection to the Jabber server through an SSH tunnel (this works fine)
• Another way to improve security for an Internet-connected private Jabber server is to change the default TCP port for SSL/TLS client connections to something else. This may keep your Jabber services from being discovered by an automated port/network scanner. Try a port between 60,000 and 65,535. The only downside to this is that your users will have to be instructed to configure their clients with the alternate port.
• The default TCP ports for jabberd are:
  
  5222 - Jabber client
  5223 - Jabber client with SSL/TLS encryption
  5269 - Jabber server-to-server link (not encrypted)
  
• My configuration files do not have a section for the Jabber.Org Jabber User Directory (JUD). When your users publish their info in the JUD, it will not be entered into the global (and public) directory, just the local directory on your server.

Unresolved Issues

Here is a short list of problems I ran into:

• Log rotation does not work correctly. Sending a SIGHUP during log rotation does NOT have the desired effect with jabberd. Jabberd will keep writing to the original file (e.g. record.log.1) instead of to the new file. I have seen postings on this issue. My not-so-good workaround is to setup a cron job that runs /etc/init.d/jabberd restart right after the weekly logrotation occurs. This happens during non-working hours. If anyone has a better solution, I would love to hear it!
• Sending a SIGHUP to jabberd prints a status message on the screen that leads one to believe that the configuration file has been re-read, but in actuality the changes do not seem to be applied. Only a restart seems to activate the changes. If anyone has a better solution, I would love to hear it!
• Deleting users seems to be problematic when auto-register is disabled, since a user who is on-line while the account is deleted will still have a user.xml file written to the spool directory. The user will be unable to login again after a minute or so has gone by, but the file still exists.
• Some Jabber clients seem to have a hard time "browsing" for chat rooms. This seems to be an issue with the client's support of the feature, and not with the server software itself.
• There seems to be some confusion and interoperability problems concerning vCard (personal information) formats within the Jabber community. The vCard-XML format is discussed in JEP-0054. I based my jabadd script vCard format on the Psi 0.9 client's XML output, while also consulting JEP-0054. I think there is room for improvement in this area.

All of these issues may be addressed by the upcoming Jabberd 2 server software.

A Note on Jabber Clients

I have tried a number of Jabber clients for Linux and for Win32. The selection (and ease of installation) of clients is currently better for Windows than for Linux. I have tried a number of clients for Linux, including Gaim, and the only one that I really like is Psi. It has a clean interface, is easy to setup, and works on Linux, Windows, and Mac OS X. There are binary packages available for several popular Linux distros, including Psi v0.9 for Red Hat 9. The Red Hat 9 RPMs include the QSSL libraries for SSL/TLS encryption, which can be a "bear" to find and install properly otherwise. For convenience, I have placed the Red Hat 9 RPMs and the Win32 installer for Psi v0.9 on this server. The Psi web site should be checked for newer software and documentation.

The Psi web site:    psi.affinix.com

The Jabber client page at Jabber.Org has a complete listing of clients for each OS.

Links to other jabber resources

• Jabber System Administrator News Group (NNTP)
• Jabberstudio Script Repository
• Jabberd Home (jabber 1.4.x and 2.x)
• Peter Saint-Andre's Jabber page
• Good linux-mag.com article on Jabber
• O'Reilly Jabber programming book
• Jabber Australia
• IM News Site:  InstantMessagingPlanet.Com
• All about the vCard standard

Conclusion

Setting up your own IM server with jabberd is not difficult, and it allows your organization to control its own instant messaging. In this way, security can be maintained. Hopefully, IM protocols will soon be standardized by the IETF so that IM will become a ubiquitous, distributed service similar to e-mail, but much more immediate and flexible.

Have fun with your Jabber server!