Re: [Operators] Announce: Jabber Spam Fighting Manifesto (for public servers)

On 8 February 2018 at 08:31, Georg Lukas wrote: > If you run a public server and are committed to fighting outbound and > inbound spam, please review the text and let me know if you would agree > to sign it. Please do not sign it *yet*, in case there is feedback > requiring

Re: [Operators] xmpp is dead

+1. Also, bet on the one that can adapt stably. Matrix has already suffered interop breaks and forklift upgrades, XMPP is much better in that regard. One could even see it as the upside of the fragmentation that Matrix complains of. On 6 May 2017 08:54, "David Banes" wrote: >

Re: [Operators] spam

On 19 November 2016 at 12:52, David Banes wrote: > How about following the very large email providers lead and do something like > this; > > https://en.wikipedia.org/wiki/DMARC > https://dmarc.org/2016/02/how-can-i-tell-who-is-using-dmarc/ As other point out, DMARC is about

Re: [Operators] Obtaining XMPP-enabled certificate for server

On 20 July 2016 at 10:15, Dave Cridland <d...@cridland.net> wrote: > > > On 20 July 2016 at 10:07, Simon Josefsson <si...@josefsson.org> wrote: > >> Sam Whited <s...@samwhited.com> writes: >> >> > On Tue, Jul 19, 2016 at 4:53 AM, Simon Josef

Re: [Operators] Obtaining XMPP-enabled certificate for server

On 20 July 2016 at 10:07, Simon Josefsson wrote: > Sam Whited writes: > > > On Tue, Jul 19, 2016 at 4:53 AM, Simon Josefsson > wrote: > >> I wonder if people really care about this usage any more -- it does not > >> scale well (all

Re: [Operators] Obtaining XMPP-enabled certificate for server

On 20 July 2016 at 08:58, Florian Schmaus wrote: > For the near future, I hope that certificates using only srvNames will > become more common. But if you want to stay super "compatible" with all > sorts of XMPP software out there, then you probably want to put your > XMPP

Re: [Operators] Obtaining XMPP-enabled certificate for server

On 19 July 2016 at 17:36, Marvin Gülker wrote: > Am Tue, 19 Jul 2016 16:15:40 +0200 > schrieb Florian Schmaus : > > Isn't one problem that a cert with CN "example.org" will be valid for > > all services found on example.org (simply speaking), whereas

Re: [Operators] addressing the spam problem

On 13 January 2016 at 02:23, Kim Alvefur wrote: > On 01/12/2016 06:55 PM, Peter Saint-Andre wrote: > > Over the years we have discussed a number of potential methods for > > mitigating (I do not say solving) the spam problem. For example: > > > >

Re: [Operators] Diffie-Hellman: 2k or 4k keys?

On 24 Nov 2015 11:09 pm, "Arsimael Inshan" wrote: > > Hi there. > > When I created the DH Keys on my server, I generated 2k and 4k keys. I was told the 4k keys shouldn't be used (yet) because of incompartibillities and they wouldn't increase the security this much, but generate way

Re: [Operators] debian.org XMPP - using DANE / TLSA?

On 28 October 2015 at 21:32, Daniel Pocock wrote: > > > We are just reviewing the final configuration before announcing > debian.org XMPP > > That's great news. > Can anybody comment on DANE / TLSA? Should we only talk to servers > supporting this? > > Last time I looked,

Re: [Operators] XMPP federation over Tor : supported by Prosody, join us !

On 15 October 2015 at 21:07, Finn Herzfeld wrote: > That's pretty cool, but this whole mapping thing seems broken. Would > there be a way for a server to probe another server over the clearnet > for an onion address, then it can cache that and build it's own list? I > don't know a

Re: [Operators] Please enable Forward Secrecy for your servers!

On 5 October 2015 at 14:22, Matthew Wild wrote: > This is technically achievable using security labels > (http://xmpp.org/extensions/xep-0258.html ), though it hasn't really > been deployed that way on the public network, and not many clients > support it (though Swift and

Re: [Operators] Please enable Forward Secrecy for your servers!

On 21 July 2015 at 08:44, David Banes da...@banes.org wrote: On 20 Jul 2015, at 23:19, Jonathan Schleifer js-xmpp-operat...@webkeks.org wrote: Am 21.07.2015 um 00:10 schrieb David Banes da...@banes.org: On 20 Jul 2015, at 23:07, Peter Kieser pe...@kieser.ca wrote: On 2015-07-10 2:47

[Operators] Fwd: Openfire 3.10.0 Beta release

As sent to the jdev list: -- Forwarded message -- From: Dave Cridland d...@cridland.net Date: 21 January 2015 at 16:59 Subject: Openfire 3.10.0 Beta release To: Jabber/XMPP software development list j...@jabber.org Hey everyone, Since I took on the role of Openfire project

Re: [Operators] XMPP Security Talk to IAB

On 31 August 2014 22:28, Evgeny Khramtsov xramt...@gmail.com wrote: Sun, 31 Aug 2014 22:35:07 +0200 Jonas Wielicki xmpp-operat...@sotecware.net wrote: I left the c2s-encryption-required switch in place (there would have been out-of-band measures to reach me if that had been a problem) A

Re: [Operators] XMPP Security Talk to IAB

On 1 September 2014 12:19, Evgeny Khramtsov xramt...@gmail.com wrote: Mon, 1 Sep 2014 11:52:22 +0100 Dave Cridland d...@cridland.net wrote: On 31 August 2014 22:28, Evgeny Khramtsov xramt...@gmail.com wrote: Sun, 31 Aug 2014 22:35:07 +0200 Jonas Wielicki xmpp-operat...@sotecware.net

Re: [Operators] Google status?

On 12 August 2014 12:22, Daniel Pocock dan...@pocock.pro wrote: Can anybody comment on the current status of interop between Google (gmail.com) users and the rest of the world? The only people who can definitively comment are Google. Personally, I have a Prosody server and various clients

Re: [Operators] ECDSA certs score F

Without an RSA cert at all, can a remote server with only RSA negotiate TLS? On 5 August 2014 19:30, shm...@riseup.net shm...@riseup.net wrote: ? shm...@riseup.net wrote: hi, i was testing an xmpp server and i believe its wrong to reduce the score because of the cert which is

[Operators] Openfire (for operators)

Folks, I know quite a few of you are running Openfire - you may well have noticed, but development has been ramping up again for some time. In light of this, I've volunteered to act as Project Lead. While there's certainly plenty of work left to be done, I'm keen to get a sense of the most

Re: [Operators] dot xmpp

Taking this suggestion seriously for a moment: If there's genuine interest, the XSF (or some other body) could do this. It would mean a TLD that we controlled, allowing us to provide, and perhaps even enforce, DNSSEC and things. But it would also have significant operating costs beyond the

Re: [Operators] XMPP bashing

On 3 Feb 2014 16:44, Andreas Kuckartz a.kucka...@ping.de wrote: Claudiu Curcă: 1. Why is that comment classified as XMPP bashing? As far as I know Daniel is mostly an SIP guy and is trying to _help_ the XMPP community by pointing to that comment. But I also do not think that the comment is

Re: [Operators] XMPP forwarding and redirect?

This is possibly a better conversation to have on jdev@ or standards@ On Thu, Jan 23, 2014 at 10:27 AM, Daniel Pocock dan...@pocock.com.auwrote: For example, many free software projects (Debian, Fedora) offer their developers mail forwarding (poc...@debian.org-dan...@pocock.com.au) without

Re: [Operators] XMPP forwarding and redirect?

On Thu, Jan 23, 2014 at 10:55 AM, Cesar Alcalde lambda...@gmail.com wrote: Well, actually you could setup DNS SRV records pointing to a third party server (like the MX record for mail). So you can have a server example.org with a web server, a ftp server... And xmpp accounts @example.org

Re: [Operators] debian.org SIP and XMPP

On Sun, Jan 19, 2014 at 8:43 AM, Daniel Pocock dan...@pocock.com.au wrote: As mentioned in the other email, FOSDEM is coming up, maybe that will be an opportunity to discuss in person? (Please don't let my .au domain deceive you, I'm based in central Europe) Sadly, I don't think Matt is

Re: [Operators] debian.org SIP and XMPP

On Sat, Jan 18, 2014 at 10:37 PM, Matthew Wild mwi...@gmail.com wrote: Hi Daniel, On 18 January 2014 21:50, Daniel Pocock dan...@pocock.com.au wrote: Hi all, We have just enabled federated SIP for debian.org. It is very basic, just a SIP proxy and TURN server. People can register

Re: [Operators] Removing SSLv3 from ejabberd 2.1.x and 13.x

On Tue, Jan 7, 2014 at 2:43 AM, Peter Saint-Andre stpe...@stpeter.imwrote: And do please note that several weeks ago I updated both the manifesto and draft-saintandre-xmpp-tls to no longer say that software MUST NOT negotiate sslv3. Hopelessly wrong mailing list, but: Might be worth

Re: [Operators] Security Test Day - feedback needed!

On Mon, Jan 6, 2014 at 3:32 AM, Peter Saint-Andre stpe...@stpeter.imwrote: - - Office365 deployments Meaning the (irritatingly named) Lync? I believe that went through quite extensive S2S/TLS/Auth interop work. Certainly it's now been put on the DISA APL (as of September), and that mandates

Re: [Operators] Chatme.im to prosody

On Sun, Jan 5, 2014 at 7:52 PM, Waqas Hussain waqa...@gmail.com wrote: Prosody was the first server to allow multiple resources behind a single nick (AFAIK, I implemented it in Prosody). I think the ejabberd folks were looking into implementing that, but not sure what their progress is.

Re: [Operators] Security Test Day - feedback needed!

On Sun, Jan 5, 2014 at 8:21 PM, Peter Saint-Andre stpe...@stpeter.imwrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On my personal server, I too plan to keep the encryption-required setting in place. I'm turning it off again, for S2S. C2S I had enabled anyway, but seeing as it's just

Re: [Operators] Security Test Day reminder - 4 Jan 2014

Something to note; chatting with Jesse Thompson, we found that the errors we were getting back simply didn't match the likely cases. I saw DNS errors, he saw similar. I've not isolated the actual fault yet. On Sat, Jan 4, 2014 at 2:25 PM, Valérian Saliou valer...@valeriansaliou.name wrote:

Re: [Operators] Security Test Day reminder - 4 Jan 2014

I just switched my switch - requiring encryption everywhere for the next day or so. On Fri, Jan 3, 2014 at 8:56 PM, Mike Taylor b...@bear.im wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Just a friendly note that the Security Test Day is tomorrow! I'm cross posting this notice but

Re: [Operators] The Google issue

On Thu, Nov 21, 2013 at 7:26 PM, Matthew Wild mwi...@gmail.com wrote: With all the talk about the details of the manifesto, one thing we seem to mostly only mention in passing is federation with Google, and I'm curious to gauge the opinion of people on this list. We are going to affect a lot

Re: [Operators] The Google issue

On Fri, Nov 22, 2013 at 10:14 AM, Tim Schumacher t...@bandenkrieg.hacked.jpwrote: In the pastBjörn Kempén bu...@google.com wrote on this very list, that he is one of the responsible for the federation stuff at Google XMPP, btw at the beginning of this year, the TLS-issue was already a topic:

Re: [Operators] DNSSEC

On Wed, Nov 20, 2013 at 9:16 AM, Matthias Wimmer m...@tthias.eu wrote: Hi Dave, El 2013-11-19 17:04:44, Dave Cridland escribió: I dropped a mail to the Domicilium people who look after .im today asking about DNSSEC, too. Probably it's what you meant. I just want to point this out again

Re: [Operators] DNSSEC

I found: http://www.internetsociety.org/deploy360/resources/dnssec-registrars/ And also: http://www.icann.org/en/news/in-focus/dnssec/deployment On Wed, Nov 20, 2013 at 2:51 PM, Peter Saint-Andre stpe...@stpeter.imwrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 11/20/13 5:19 AM,

Re: [Operators] DNSSEC

I dropped a mail to the Domicilium people who look after .im today asking about DNSSEC, too. On Tue, Nov 19, 2013 at 4:20 PM, Peter Saint-Andre stpe...@stpeter.imwrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 It appears that more XMPP services are getting their DNS records signed

Re: [Operators] IM Observatory and Diffie-Hellman parameters

On Wed, Nov 13, 2013 at 3:31 PM, Fedor Brunner fedor.brun...@azet.skwrote: For example the server jabber.ccc.de uses 2048 bit RSA public key, but the length of the temporary key is only 1024 bit. The public key score is 90, cipher score is 90

Re: [Operators] IM Observatory and Diffie-Hellman parameters

On 13 Nov 2013 17:01, Fedor Brunner fedor.brun...@azet.sk wrote: There is good comparison website for key sizes recommendations: http://www.keylength.com/en/compare/ Enter the year until when your system should be protected and see the Discrete Logarithm Group column. Yes, that site is very

Re: [Operators] IM Observatory and Diffie-Hellman parameters

On Wed, Nov 13, 2013 at 9:44 PM, Fedor Brunner fedor.brun...@azet.skwrote: For detailed description of various attack scenarios with calculations please read ECRYPT II Yearly Report on Algorithms and Keysizes (2011-2012) http://www.ecrypt.eu.org/documents/D.SPA.20.pdf Good link; though I

Re: [Operators] IM Observatory and Diffie-Hellman parameters

On Wed, Nov 13, 2013 at 10:41 PM, Thijs Alkemade th...@xnyhps.nl wrote: On 13 nov. 2013, at 19:21, Dave Cridland d...@cridland.net wrote: To decrypt all communications using 1024-bit DH over a year is likely to be vastly bigger than for one conversation; the same isn't true for RSA

Re: [Operators] Fwd: [jdev] TLS Everywhere

On Tue, Oct 29, 2013 at 6:17 PM, Jonas Wielicki xmpp-operat...@sotecware.net wrote: Will there be a reminder for the action days? Because I don't trust myself to keep an electronic reminder actually functional until Jan 4th (yeah I know). I'm only operating a small service though (20 users),

Re: [Operators] Message delivery

On Tue, Oct 29, 2013 at 10:21 PM, Peter Saint-Andre stpe...@stpeter.imwrote: If the server you're using doesn't support XEP-0227 (Portable Import/Export Format for XMPP-IM Servers), then I agree you might have a problem. http://xmpp.org/extensions/xep-0227.html Kev knocked out a simple

Re: [Operators] [Members] [prosody-users] Re: [buddycloud-dev] Some thoughts on buddycloud security / enforcing SSL server to server in Prosody

On 23 Aug 2013 08:30, Evgeniy Khramtsov xramt...@gmail.com wrote: On 22.08.2013 09:03, Phil Pennock wrote: On 2013-08-21 at 12:52 -0600, Peter Saint-Andre wrote: 5. No server-to-server connections without TLS. 6. Require proper certificate checking (RFC 6120 / RFC 6125) for TLS

Re: [Operators] Some thoughts on xmpp security

The XSF did some interop some time back to help test TLS interop, using a custom CA. The CA software was from my previous employer, Isode. We could look into setting up servers with those certs again, I imagine, though the certs themselves would need recreating. The rest is, as you say, just a

Re: [Operators] Google Talk - enable or not?

On Sat, Jun 15, 2013 at 3:00 AM, Jesse Thompson jesse.thomp...@doit.wisc.edu wrote: I'm looking for guidance. Aren't we all? Now that Google is transitioning to Hangouts, they're no longer supporting XMPP federation. Well. In principle. But it seems there's *some* federation, but it's

Re: [Operators] spam resistance

On Fri, May 24, 2013 at 12:25 AM, Peter Saint-Andre stpe...@stpeter.imwrote: On 5/23/13 4:50 PM, Justin Uberti wrote: I just realized my statement could be parsed 2 different ways. To be clear: it is sad that spammers were more willing to adopt XMPP*than other IM networks were willing to*.

Re: [Operators] spam resistance (was: Re: google abandoning XMPP??)

On Thu, May 23, 2013 at 12:35 AM, Justin Uberti jube...@google.com wrote: That seems like an overly cynical assessment of the situation. Speaking as an individual, it is sad that spammers were more willing to adopt XMPP than other IM networks, but so it goes. I'm not sure sufficient

Re: [Operators] Spam Registrations

On Thu, May 23, 2013 at 4:36 PM, Kevin Smith ke...@kismith.co.uk wrote: There are also likely options along these lines that involve less privacy invasion than operators manually examining the accounts. A captcha for every subscription request? Only one outstanding (not reciprocated) roster

Re: [Operators] google abandoning XMPP??

On Wed, May 22, 2013 at 5:32 PM, Kim Alvefur z...@zash.se wrote: On 2013-05-22 18:22, Hannes Tschofenig wrote: PS: I am wondering whether the claimed chat spam problems mentioned in the press articles are actually true? It matches what was said before, search this list for spammy invites.

Re: [Operators] Update on spammy invites

On Wed, Mar 20, 2013 at 5:26 PM, Jesse Thompson jesse.thomp...@doit.wisc.edu wrote: Frankly, I wouldn't be aware if a public XMPP blacklist already exists, since our university doesn't have the problem of XMPP spam. It seems that the spammers are only targeting certain services, such as

Re: [Operators] Update on spammy invites

On 20 Mar 2013 23:09, Peter Viskup skupko...@gmail.com wrote: On 03/20/2013 07:03 PM, Dave Cridland wrote: Peter mentioned ensuring that open registration is blocked - I think that open registration has proved itself our equivalent of open relaying in SMTP, and we need to campaign strongly

Re: [Operators] Spammy servers

On 1 Mar 2013 17:03, Kevin Smith ke...@kismith.co.uk wrote: This sounds very thorough (and entirely reasonable). Is your setup for doing this generally available so other servers could take advantage of similar systems? I also wonder whether it'd be worthwhile restricting S2S traffic on new

Re: [Operators] Gmail federation

On Fri, Jan 11, 2013 at 1:05 PM, Marco Cirillo mara...@lightwitch.org wrote: I just pointed out that it's like this from 2006 which is when it was implemented, perhaps it can't be suprising also stated it's rather an inconveniency and that it's not compliant with the current RFC which requires

Re: [Operators] Investigation/help needed

If it's a JAR, it won't be human readable, but we might be able to look at the files (it's a ZIP of Java object code), and get a list of targetted servers. Then we just disable IBR on the affected servers, or block them. On Sep 16, 2012 12:33 AM, Peter Viskup skupko...@gmail.com wrote: Dear

Re: [Operators] Reporting DDoS attack, the idiot responsible of the attack and the server range which the drones come from.

If you have concrete suggestions for what the XSF should be doing, and/or how servers could defend themselves against spam and DDoS, I'd be interested in hearing them. My understanding is that they're both difficult problems to tackle without a lot of data processing and analysis, but that a key

Re: [Operators] Reporting DDoS attack, the idiot responsible of the attack and the server range which the drones come from.

While I agree with much of what you're saying, making a public service that's not the equivalent of an open relay is hard. Google has a lot of code assigned at detecting abuse, and a lot of this works because of the scale of their operation. I think public servers are possible, but not as they

Re: [Operators] Strange users

anything to do with it beyond a background as to when Daniel noticed. Dave. -- Dave Cridland - mailto:d...@cridland.net - xmpp:d...@dave.cridland.net - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/ - http://dave.cridland.net/ Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade

Re: [Operators] Strange users

, and then telling people about the conversations these people were having. On the other hand, by publishing the address, you've already breached data confidentiality laws in some jurisdictions... Dave. -- Dave Cridland - mailto:d...@cridland.net - xmpp:d...@dave.cridland.net - acap

Re: [Operators] about srv record

On Tue Aug 16 09:47:35 2011, Kevin Smith wrote: On Mon, Aug 15, 2011 at 8:44 AM, Dave Cridland d...@cridland.net wrote: On Sat Aug 13 23:34:56 2011, Josemar Müller Lohn wrote: Is it valid to so: _xmpp-client._tcp.alice.com. CNAME _xmpp-client.bob.com. You can only get a CNAME answer when

Re: [Operators] about srv record

. A CNAME merely states to restart the resolution using the new name. Specifically, the requirement that a name with a CNAME record MUST NOT have any other records (aside from certain DNSSEC ones) would appear to support that. Dave. -- Dave Cridland - mailto:d...@cridland.net - xmpp:d

Re: [Operators] about srv record

the client balance connections to the SRV targets, but say nothing about multihomed hosts. (If we're being pedantic, a single name can only have one A record, but that record may have more than one RR). Dave. -- Dave Cridland - mailto:d...@cridland.net - xmpp:d...@dave.cridland.net - acap

Re: [Operators] Openfire 3.6.4 (jabber.iitsp.com) vs. jabber.org

thankfully have quite a few options for serious XMPP hosting, which is good - I think - for the operator community. Us implementors actually have serious competition, and therefore incentive to push our products, for one thing. Dave. -- Dave Cridland - mailto:d...@cridland.net - xmpp:d

Re: [Operators] Openfire 3.6.4 (jabber.iitsp.com) vs. jabber.org

On Mon Jul 5 11:37:27 2010, Dave Cridland wrote: On Mon Jul 5 10:59:43 2010, Nigel Kukard wrote: If it was C, I would be hacking the code and adding debugging to see where the connection is terminating ... etc. I'd be (secretly, of course) delighted if this were a reason to move from

Re: [Operators] Openfire 3.6.4 (jabber.iitsp.com) vs. jabber.org

it for client-side (it doesn't help here), and work on a fix. Thanks for the help in tracking it down. The Openfire guys might want to work on a fix, though, since it's quite useful to have server-side. Dave. -- Dave Cridland - mailto:d...@cridland.net - xmpp:d...@dave.cridland.net - acap

Re: [Operators] Google S2S issues?

the priority 20 records listed at a non-zero weight. Dave. -- Dave Cridland - mailto:d...@cridland.net - xmpp:d...@dave.cridland.net - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/ - http://dave.cridland.net/ Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade

Re: [Operators] Server Software Choice

On Tue Apr 28 15:30:31 2009, Jonathan Schleifer wrote: Dave Cridland d...@cridland.net wrote: it's unlikely that even if you're reasonably proficient in, say, Java, you're unlikely to be able to dive into Openfire or Tigase and fix some bug you've just run into. I don't agree to that. Even

Re: [Operators] TLS, certificates, heartache, and pain.

On Wed Oct 15 15:10:01 2008, Pedro Melo wrote: Hi, On Oct 15, 2008, at 12:41 AM, Dave Cridland wrote: So today, out of probably hundreds of connections, one - aside from other Isode M-Link deployments - offered my server SASL EXTERNAL: 10/14 23:47:50 xmppd05979 (root) I-MBOX

Re: [Operators] TLS, certificates, heartache, and pain.

not sure that's actually working, as such. Ho hum. Dave. -- Dave Cridland - mailto:[EMAIL PROTECTED] - xmpp:[EMAIL PROTECTED] - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/ - http://dave.cridland.net/ Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade

Re: [Operators] TLS, certificates, heartache, and pain.

On Wed Oct 15 09:51:06 2008, Norman Rasmussen wrote: On Wed, Oct 15, 2008 at 1:41 AM, Dave Cridland [EMAIL PROTECTED] wrote: Anyone got any idea why this is behaving so weirdly? Does anyone have logging they could use? Any ideas, or even better logging data, gratefully received. BTW