A modern & private chat system (XMPP with Prosody and Conversations)

Here is a (still unfinished) recipe for a modern chat server using XMPP (which you may recall I like). It needs polishing, but I’m publishing it right now so that it can start being useful to anyone who needs it. I hope there are no glaring security mistakes; please let me know if you see any.

What do we get?

The users will use Conversations while on the server-side we use prosody.

We will be able to get our messages on all connected devices at the same time, share pictures, audio clips and files simply and instantly, retrieve more chat history from the server and, once we go down in the metro and lose connectivity, get our messages when we regain access to the Internet.

What do we need?

Since prosody will be running all the time (users may want to chat at any time; that’s how a server works), we need somewhere to run it: a server running Debian, a NAS, or possibly a VPS.

What do we do?

Server

  1. Create DNS entries (official documentation) pointing to our server’s IP address:
    1. for the xmpp server proper, xmpp.yourdomain.tld (can be an A record or a CNAME)
    2. as well as SRV records so the apps and other servers can easily find it (these must officially point to an A record, not to a CNAME record)
    3. and an entry for our file transfer proxy (more on this in a bit), proxy.yourdomain.tld (must be an A record, i.e. pointing directly to an IP address)
  2. Install prosody:
    sudo apt install prosody
  3. Get important extensions (XEPs) to enable the modern features such as on the fly file sharing. (Official documentation on modules)
    • to simplify, we’ll get a current copy of all of prosody’s community extensions and then only enable the ones we need
    • create a directory for the extensions:
      sudo mkdir /usr/lib/prosody/prosody-modules/
    • download the extensions with mercurial (sudo apt install mercurial if you don’t have it); hg clone takes the repository URL followed by the destination directory:
      sudo hg clone https://hg.prosody.im/prosody-modules/ /usr/lib/prosody/prosody-modules/
  4. Configure prosody to fit our needs.
    With your favourite text editor, open /etc/prosody/prosody.cfg.lua in order to:

    • tell prosody to look for the extensions in our directory of downloaded extensions before the usual place (the option is plugin_paths, and the quotes must be plain ASCII double quotes):
      plugin_paths = {"/usr/lib/prosody/prosody-modules"}
    • enable the needed extensions
      • smacks, carbons, mam, mam_archive, csi, http_upload, blocking
    • configure a vhost (virtual host) for yourdomain.tld. For me it’s:
      VirtualHost "axelsimon.net"
          ssl = {
              key = "/etc/letsencrypt/axelsimon.net/live/privkey.pem";
              certificate = "/etc/letsencrypt/axelsimon.net/live/fullchain.pem";
              options = {"no_sslv2", "no_sslv3", "no_ticket", "no_compression", "cipher_server_preference", "single_dh_use", "single_ecdh_use"};
          }
      Component "conference.axelsimon.net" "muc"
      Component "proxy.axelsimon.net" "proxy65"
    • The last Component line above is what configures the file transfer proxy
    • For easy account configuration from the app, set:
      allow_registration = true;
    • Also, ensure you have:
      c2s_require_encryption = true;
  5. Generate a TLS (SSL) certificate to secure the connection between the apps and the server:
    1. letsencrypt -d yourdomain.tld (and not xmpp.yourdomain.tld)
  6. Open the right ports on our router’s firewall (if there is one) so that apps and other servers can reach our lovingly configured prosody instance.
    1. This means ports 5222 and 5269, port 5000 for the proxy, and 5280 & 5281 for Jingle file transfers

Don’t forget to restart prosody so that it takes your changes to its configuration file into account:
sudo prosodyctl restart
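As an added example (not the post’s own configuration file), here are the server-side settings from the steps above gathered into one prosody.cfg.lua fragment; yourdomain.tld, the certbot certificate paths and the comments on each module are assumptions rather than values taken from the post.

```lua
-- /etc/prosody/prosody.cfg.lua (added example; yourdomain.tld is a placeholder)

-- Look for extensions in the community checkout before the stock module directory.
plugin_paths = { "/usr/lib/prosody/prosody-modules" }

modules_enabled = {
    "smacks";       -- XEP-0198 stream management: messages survive a dropped connection
    "carbons";      -- XEP-0280: deliver each message to all of a user's connected devices
    "mam";          -- XEP-0313: server-side message archive, so history can be fetched
    "mam_archive";  -- companion archive module listed in the recipe
    "csi";          -- XEP-0352: clients tell the server when they are in the background
    "http_upload";  -- XEP-0363: share pictures, audio clips and files over HTTPS
    "blocking";     -- XEP-0191: let users block contacts
}

-- Refuse unencrypted client connections.
c2s_require_encryption = true

-- Lets the app create accounts by itself. Anyone on the Internet can then
-- register on this server, so set it back to false once your users have
-- their accounts.
allow_registration = true

VirtualHost "yourdomain.tld"
    ssl = {
        -- Assumes the default certbot layout under /etc/letsencrypt/live/;
        -- the certificate is issued for yourdomain.tld, not xmpp.yourdomain.tld.
        key = "/etc/letsencrypt/live/yourdomain.tld/privkey.pem";
        certificate = "/etc/letsencrypt/live/yourdomain.tld/fullchain.pem";
        options = { "no_sslv2", "no_sslv3", "no_ticket", "no_compression",
                    "cipher_server_preference", "single_dh_use", "single_ecdh_use" };
    }

-- Group chats (multi-user chat) live on their own subdomain.
Component "conference.yourdomain.tld" "muc"

-- SOCKS5 bytestream proxy for file transfers between clients that cannot
-- reach each other directly; this is why proxy.yourdomain.tld needs its own A record.
Component "proxy.yourdomain.tld" "proxy65"
```

Settings placed before the first VirtualHost line apply globally, so c2s_require_encryption and allow_registration cover every host defined after them.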

For reference, here is La Quadrature du Net’s jabber (XMPP) service’s configuration file.

App

  1. Install Conversations (from F-Droid or Google Play, if you must)
  2. Add account:
    1. Jabber ID: whatyouwant@yourdomain.tld
    2. Password: something reasonably secure, for Ohrmazd’s sake
    3. Register new account on server: yes, tick this
  3. Add your friends, since this is a brand new account:
    1. Click + at the top of the screen to start a new conversation (right, get the name now?)
    2. Click on the little person silhouette with a + next to it, to add a contact
  4. Start a conversation with your friend 🙂

If both of you are using Conversations, you’ll also be able to secure the conversation using OMEMO, a nifty and promising end-to-end encryption mechanism. This means that even if you don’t trust whoever is running the server, or if the server is in some way compromised, your messages are safe from prying eyes.

You can also send pictures and sounds with the paper clip icon, at the top of the conversation window.

That’s it 🙂
