Table of contents ================= 1 Running ejabberd 1.1 Getting started 1.2 Using privileged TCP ports 1.2 Custom options for Erlang emulator 1.3 Backups 1.4 Using IPv6 1.5 Using captcha 2 Hostname issues 3 PAM authentication 4 Using DBMS for data storage 5 External modules 6 Upgrading from earlier versions 1 Running ejabberd ================== 1.1 Getting started ------------------- For a quick start, simply execute `dpkg-reconfigure ejabberd` and fill out the prompts according to your wishes. 1.2 Using privileged TCP ports ------------------------------ The ejabberd daemon is owned by user ejabberd, so it cannot bind to privileged ports (below 1024). The error message in /var/log/ejabberd/ejabberd.log looks similar to the following: E(<0.242.0>:ejabberd_listener:80): Failed to open socket for {443, ejabberd_c2s, [{access,c2s}, {max_stanza_size, 65536}, starttls, {certfile, "/etc/ejabberd/ejabberd.pem"}, {shaper, c2s_shaper}]}: eacces If you want ejabberd to listen for example port 443 you could redirect it to port 5222 (the default XMPP port) by a firewall rule. For example: iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 5222 1.3 Custom options for Erlang emulator -------------------------------------- You can add extra options to the erl command line like -pa /usr/local/lib/ejabberd/ebin by adding them to ERL_OPTIONS in /etc/default/ejabberd directly or through executing `dpkg-reconfigure ejabberd`. 1.4 Backups ----------- The package always makes a backup of the ejabberd database if it's running when it is upgraded or removed. The backup files are stored in the /var/backups/ejabberd-.* directory. To make a backup yourself, either run /var/lib/dpkg/info/ejabberd.prerm upgrade or something like mkdir /var/backups/ejabberd-backup-manual chown ejabberd:ejabberd /var/backups/ejabberd-backup-manual ejabberdctl backup \ /var/backups/ejabberd-backup-manual/ejabberd-database-"$(date +%Y-%m-%dT%H:%M:%S)" 1.5 Using IPv6 -------------- Since ejabberd 14.07-2, IPv6 is enabled by default, as it is for the Debian kernel. The IPv6 listeners also handle IPv4, so all is well. If you want to go back to IPv4 only, replace 'ip: "::"' with 'ip: "0.0.0.0"' for all listeners in ejabberd.yml. 1.6 Using captchas ------------------ The captcha generation script uses the "convert" program from the "imagemagick" package. As it depends on a lot of packages related to graphics and X Window System, it is listed as suggested. Therefore, if you intend to enable captcha support for your multi-user conferences be sure to install imagemagick besides enabling captcha in the ejabberd configuration file. Also the "graphicsmagick-imagemagick-compat" package can be installed instead of "imagemagick" -- it provides the "convert" program compatible with that of imagemagick. 2 Hostname issues ================= Since ejabberd 17.08-1, the default ERLANG_NODE name is ejabberd@localhost, which makes it easy to relocate ejabberd to a different host. In earlier versions the Mnesia database used by ejabberd was tightly bound to the hostname because the ERLANG_NODE name was ejabberd@. Here, special care is needed if for some reason the hostname changes. Further information can be found in /usr/share/doc/ejabberd/NEWS.Debian.gz. 3 PAM authentication ==================== ejabberd uses the "epam" binary from the erlang-p1-pam package as a helper program to perform PAM authentication. Depending on the PAM plugins used, the process accessing these plugins might have to be run with elevated privileges. The official ejabberd Installation and Operation Guide simplemindedly suggests to make epam setuid root which would make it work for any possible case. Debian's erlang-p1-pam package, on the other hand, ships the epam program with the setuid and setgid bits cleared, and here is why: * Setuid and setgid programs present a serious potential security risk and are a target for exploitation attempts (especially programs which are made setuid root). * Different PAM plugins have different requirements for the privileges of the user working with them, for instance, to use the shadow passwords database for authentication, it is sufficient for the accessing process to be in the group "shadow"; to use LDAP backend, no elevation of privileges is needed at all. Taking into account the fact that ejabberd uses internal authentication by default (using its own private database), the decision of what special access rights to set for the epam program is left to the system administrator. To maintain non-standard access rights for the epam binary, it is advised to use dpkg-statoverride, as suggested by the Debian policy (section 10.9 "Permissions and owners") -- ejabberd package configuration scripts honor this setting so it survives upgrades. As an example, to make epam setgid shadow, you can use: dpkg-statoverride --add root shadow 02755 /usr/lib/erlang/p1_pam/bin/epam and to make epam setuid root you can do: dpkg-statoverride --add root ejabberd 04754 /usr/lib/erlang/p1_pam/bin/epam (Note that we set o-x there so that only users in the ejabberd group are able to elevate their privileges by executing this program.) When ejabberd is started via systemd, you will have to edit the ejabberd.service file and set the following: [Service] PrivateDevices=false NoNewPrivileges=false Otherwise it will be impossible for the epam helper program to gain the configured setuid and/or setgid privileges. With systemd >= 218 you can simply create an override with `systemctl edit ejabberd.service` and put [Service] PrivateDevices= PrivateDevices=false NoNewPrivileges= NoNewPrivileges=false in there. With systemd < 218 the changes must be made manually. In order to not loose the changes upon upgrades, remove the symlink /etc/systemd/system/multi-user.target.wants/ejabberd.service and replace it with a copy of /lib/systemd/system/ejabberd.service before making the changes. Remember to do a `systemctl daemon-reload` afterwards. 4 Using DBMS for data storage ============================= The ejabberd Installation and Operation Guide mentions that ejabberd is able to use various DBMS engines to manage most of ejabberd's data, such as user accounts, rosters, offline messages, pubsub storage etc. Starting with ejabberd 14.07-1, all officially supported DBMS engines are supported through the Debian package, as ejabberd is now compiled and installed with support for ODBC, MySQL and PostgreSQL. You have to install the according erlang-* package listed in the "Suggests" section of ejabberd though. Note that it appears that currently the only way to use Microsoft SQL Server as a database backend is via ODBC (and the FreeTDS ODBC driver). 5 External modules ================== Several 3rd-party modules from https://github.com/processone/ejabberd-contrib are available through the ejabberd-contrib package or individually as ejabberd-mod-. Not all modules from the github repository are currently packaged, if you need more, please contact the package maintainer. If you want to develop your own module, the ejabberd-contrib repository is the best place to start. Please see the Readme.md or scroll downwards on https://github.com/processone/ejabberd-contrib All header files are available there as well as through the debian packages. To install a custom module, copy the resulting beam file(s) to a directory in which the Erlang emulator running ejabberd looks for compiled files. The best way to handle external modules is to maintain a special directory for them under "/usr/local", e.g. "/usr/local/lib/ejabberd/ebin". To make Erlang emulator know about this directory, see 1.3. See the erl(1) manual page for more info on the "-pa" Erlang emnulator command line option. 6 Upgrading from earlier versions ================================= See https://docs.ejabberd.im/admin/upgrade/. Authors ======= Torsten Werner Sergei Golovan Konstantin Khomoutov Philipp Huebner Sat, 15 Jan 2022 12:10:28 +0100