Hi, Am 19.02.2017 um 08:30 schrieb Johannes Schauer: > Source: ejabberd > Severity: wishlist > > Hi, > > I recently configured my ejabberd server for compliance with the > ComplianceTester by Daniel Gultsch [1] and with the IM Observatory [2]. > I would like to propose adding more example documentation to > ejabberd.yml such that it becomes easier for the user to achieve the > same. > > Here is a list of possible improvements:
while I completely agree with you, most of this should be done upstream. We try to stick as close to the upstream ejabberd.yml.template as possible. Do you want to report this at [1] or shall I forward it? You could even create a Pull Request if you like. > Admin User > ========== > > There is a small typo in the comment for admin user. It currently says: > > ## admin: > ## user: > ## - "aleksey@localhost" > ## - "erm...@example.org" > > But this now became a key/value pair and would better be written as: > > ## admin: > ## user: > ## - "aleksey": "localhost" > ## - "ermine": "example.org" It's not a typo. Both work, and the upper one is the upstream default. > TLS for s2s Communication > ========================= > > The default for this setting is currently: > > -s2s_use_starttls: optional > > which surprised me a lot. Should the default not be to always encrypt > and then the admin should make the concious choice when they want to > allow plain-text communication between servers? > > I suppose this is set to optional because the google servers do not > support this? I still would argue that the default Debian configuration > should be secure end encrypted by default. I'd suggest changing this > setting to "required" and mention that the gmail server doesn't support > it in a comment next to it. AFAIK the upstream default is no encryption at all and we change it to optional. While the google servers are one of the reasons, another one is the self-signed certificate that is used by default. Other servers might reject an encrypted connection because of that (or indirectly when dialback also fails). That said, should upstream configure that to required by default, I would not reduce it to optional. [1] https://github.com/processone/ejabberd/issues Kind regards, -- .''`. Philipp Huebner <debala...@debian.org> : :' : pgp fp: 6719 25C5 B8CD E74A 5225 3DF9 E5CA 8C49 25E4 205F `. `'` `-
signature.asc
Description: OpenPGP digital signature
