###
###'  ejabberd configuration file
###
###

### The parameters used in this configuration file are explained in more detail
### in the ejabberd Installation and Operation Guide.
### Please consult the Guide in case of doubts, it is included with
### your copy of ejabberd, and is also available online at
### http://www.process-one.net/en/ejabberd/docs/

### The configuration file is written in YAML.
### Refer to http://en.wikipedia.org/wiki/YAML for the brief description.
### However, ejabberd treats different literals as different types:
###
###   - unquoted or single-quoted strings. They are called "atoms".
###     Example: dog, 'Jupiter', '3.14159', YELLOW
###
###   - numeric literals. Example: 3, -45.0, .0
###
###   - quoted or folded strings.
###     Examples of quoted string: "Lizzard", "orange".
###     Example of folded string:
###     > Art thou not Romeo,
###       and a Montague?
---
###.  =======
###'  LOGGING

##
## loglevel: Verbosity of log files generated by ejabberd.
## 0: No ejabberd log at all (not recommended)
## 1: Critical
## 2: Error
## 3: Warning
## 4: Info
## 5: Debug
##
loglevel: 4

##
## rotation: Disable ejabberd's internal log rotation, as the Debian package
## uses logrotate(8).
log_rotate_size: 0
log_rotate_date: ""

##
## overload protection: If you want to limit the number of messages per second
## allowed from error_logger, which is a good idea if you want to avoid a flood
## of messages when the system is overloaded, you can set a limit.
## 100 is ejabberd's default.
log_rate_limit: 100

##
## watchdog_admins: Only useful for developers: if an ejabberd process
## consumes a lot of memory, send live notifications to these XMPP
## accounts.
##
## watchdog_admins:
##   - "bob@example.com"

###.  ===============
###'  NODE PARAMETERS

##
## net_ticktime: Specifies net_kernel tick time in seconds. This option must have
## an identical value on all nodes, and in most cases shouldn't be changed at all
## from the default value.
##
## net_ticktime: 60

###.  ================
###'  SERVED HOSTNAMES

##
## hosts: Domains served by ejabberd.
## You can define one or several, for example:
## hosts:
##   - "example.net"
##   - "example.com"
##   - "example.org"
##
hosts:
  - "localhost"

##
## route_subdomains: Delegate subdomains to other XMPP servers.
## For example, if this ejabberd serves example.org and you want
## to allow communication with an XMPP server called im.example.org.
##
## route_subdomains: s2s

###.  ============
###'  Certificates

## List all available PEM files containing certificates for your domains,
## chains of certificates or certificate keys. Full chains will be built
## automatically by ejabberd.
##
certfiles:
  - "/etc/ejabberd/ejabberd.pem"

## If your system provides only a single CA file (CentOS/FreeBSD):
## ca_file: "/etc/ssl/certs/ca-bundle.pem"

###.  =================
###'  TLS configuration

## Note that the following configuration is the default
## configuration of the TLS driver, so you don't need to
## uncomment it.
##
define_macro:
  'TLS_CIPHERS': "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH"
  'TLS_OPTIONS':
    - "no_sslv2"
    - "no_sslv3"
    - "no_tlsv1"
    - "cipher_server_preference"
    - "no_compression"
  ## 'DH_FILE': "/path/to/dhparams.pem" # generated with: openssl dhparam -out dhparams.pem 2048

## c2s_dhfile: 'DH_FILE'
## s2s_dhfile: 'DH_FILE'
c2s_ciphers: 'TLS_CIPHERS'
s2s_ciphers: 'TLS_CIPHERS'
c2s_protocol_options: 'TLS_OPTIONS'
s2s_protocol_options: 'TLS_OPTIONS'

###.  ===============
###'  LISTENING PORTS

##
## listen: The ports ejabberd will listen on, which service each is handled
## by and what options to start it with.
##
listen:
  -
    port: 5222
    ip: "0.0.0.0"
    module: ejabberd_c2s
    starttls: true
    starttls_required: false
    protocol_options: 'TLS_OPTIONS'
    max_stanza_size: 1048576
    shaper: c2s_shaper
    access: c2s

  ##  port: 5269
  ##  ip: "::"
  ##  module: ejabberd_s2s_in

  -
    port: 5280
    ip: "127.0.0.1"
    module: ejabberd_http
    request_handlers:
      "/ws": ejabberd_http_ws
      "/bosh": mod_bosh
      "/api": mod_http_api
      ## "/pub/archive": mod_http_fileserver
    web_admin: true
    ## register: true
    ## captcha: true
    tls: true
    protocol_options: 'TLS_OPTIONS'

  ##
  ## ejabberd_service: Interact with external components (transports, ...)
  ##
  ## -
  ##   port: 8888
  ##   ip: "::"
  ##   module: ejabberd_service
  ##   access: all
  ##   shaper_rule: fast
  ##   ip: "127.0.0.1"
  ##   privilege_access:
  ##      roster: "both"
  ##      message: "outgoing"
  ##      presence: "roster"
  ##   delegations:
  ##      "urn:xmpp:mam:1":
  ##        filtering: ["node"]
  ##      "http://jabber.org/protocol/pubsub":
  ##        filtering: []
  ##   hosts:
  ##     "icq.example.org":
  ##       password: "secret"
  ##     "sms.example.org":
  ##       password: "secret"

  ##
  ## ejabberd_stun: Handles STUN Binding requests
  ##
  -
    port: 3478
    transport: udp
    module: ejabberd_stun

  ##
  ## To handle XML-RPC requests that provide admin credentials:
  ##
  ## -
  ##   port: 4560
  ##   ip: "::"
  ##   module: ejabberd_xmlrpc
  ##   maxsessions: 10
  ##   timeout: 5000
  ##   access_commands:
  ##     admin:
  ##       commands: all
  ##       options: []

  ##
  ## To enable secure http upload
  ##
  ## -
  ##   port: 5444
  ##   ip: "::"
  ##   module: ejabberd_http
  ##   request_handlers:
  ##     "": mod_http_upload
  ##   tls: true
  ##   protocol_options: 'TLS_OPTIONS'
  ##   dhfile: 'DH_FILE'
  ##   ciphers: 'TLS_CIPHERS'

## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text
## password storage (see auth_password_format option).
disable_sasl_mechanisms: "digest-md5"

###.  ==================
###'  S2S GLOBAL OPTIONS

##
## s2s_use_starttls: Enable STARTTLS for S2S connections.
## Allowed values are: false, optional or required
## You must specify the 'certfiles' option
##
s2s_use_starttls: required

##
## S2S whitelist or blacklist
##
## Default s2s policy for undefined hosts.
##
## s2s_access: s2s

##
## Outgoing S2S options
##
## Preferred address families (which to try first) and connect timeout
## in seconds.
##
## outgoing_s2s_families:
##   - ipv4
##   - ipv6
## outgoing_s2s_timeout: 190

###.  ==============
###'  AUTHENTICATION

##
## auth_method: Method used to authenticate the users.
## The default method is the internal one.
## If you want to use a different method,
## comment this line and enable the correct ones.
##
auth_method: internal

##
## Store the passwords in plain text, or hashed for SCRAM:
## auth_password_format: plain
auth_password_format: scram
##
## Define the FQDN if ejabberd doesn't detect it:
## fqdn: "server3.example.com"

##
## Authentication using external script
## Make sure the script is executable by ejabberd.
##
## auth_method: external
## extauth_program: "/path/to/authentication/script"

##
## Authentication using SQL
## Remember to set up a database in the next section.
##
## auth_method: sql

##
## Authentication using PAM
##
## auth_method: pam
## pam_service: "pamservicename"

##
## Authentication using LDAP
##
## auth_method: ldap
##
## List of LDAP servers:
## ldap_servers:
##   - "lw"
##
## Encryption of connection to LDAP servers:
## ldap_encrypt: none
## ldap_encrypt: tls
##
## Port to connect to on LDAP servers:
## ldap_port: 389
## ldap_port: 636
##
## LDAP manager:
## ldap_rootdn: "dc=example,dc=com"
##
## Password of LDAP manager:
## ldap_password: "******"
##
## Search base of LDAP directory:
## ldap_base: "dc=example,dc=com"
##
## LDAP attribute that holds user ID:
## ldap_uids:
##   - "mail": "%u@mail.example.org"
##
## LDAP filter:
## ldap_filter: "(objectClass=shadowAccount)"

##
## Anonymous login support:
##   auth_method: anonymous
##   anonymous_protocol: sasl_anon | login_anon | both
##   allow_multiple_connections: true | false
##
## host_config:
##   "public.example.org":
##     auth_method: anonymous
##     allow_multiple_connections: false
##     anonymous_protocol: sasl_anon
##
## To use both anonymous and internal authentication:
##
## host_config:
##   "public.example.org":
##     auth_method:
##       - internal
##       - anonymous

###.  ==============
###'  DATABASE SETUP

## ejabberd by default uses the internal Mnesia database,
## so you do not necessarily need this section.
## This section provides configuration examples in case
## you want to use other database backends.
## Please consult the ejabberd Guide for details on database creation.

##
## MySQL server:
##
## sql_type: mysql
## sql_server: "server"
## sql_database: "database"
## sql_username: "username"
## sql_password: "password"
##
## If you want to specify the port:
## sql_port: 1234

##
## PostgreSQL server:
##
## sql_type: pgsql
## sql_server: "server"
## sql_database: "database"
## sql_username: "username"
## sql_password: "password"
##
## If you want to specify the port:
## sql_port: 1234
##
## If you use PostgreSQL, have a large database, and need a
## faster but inexact replacement for "select count(*) from users"
##
## pgsql_users_number_estimate: true

##
## SQLite:
##
## sql_type: sqlite
## sql_database: "/path/to/database.db"

##
## ODBC compatible or MSSQL server:
##
## sql_type: odbc
## sql_server: "DSN=ejabberd;UID=ejabberd;PWD=ejabberd"

##
## Number of connections to open to the database for each virtual host
##
## sql_pool_size: 10

##
## Interval to make a dummy SQL request to keep the connections to the
## database alive. Specify in seconds: for example 28800 means 8 hours
##
## sql_keepalive_interval: undefined

###.  ===============
###'  TRAFFIC SHAPERS

shaper:
  ##
  ## The "normal" shaper limits traffic speed to 1000 B/s
  ##
  normal: 1000

  ##
  ## The "fast" shaper limits traffic speed to 50000 B/s
  ##
  fast: 50000

##
## This option specifies the maximum number of elements in the queue
## of the FSM. Refer to the documentation for details.
##
max_fsm_queue: 10000

###.  ====================
###'  ACCESS CONTROL LISTS
acl:
  ##
  ## The 'admin' ACL grants administrative privileges to XMPP accounts.
  ## You can put here as many accounts as you want.
  ##
  admin:
    user:
      - "admin@localhost"

  ## Don't use a regex, to prevent others from obtaining permissions after registering such an account.
  bots:
    - user: "echelon23@localhost"
    - user: "wfgbot23@localhost"

  # Keep playernames short and easily typeable for everyone
  validname:
    user_regexp: "^[0-9A-Za-z._-]{1,20}$"

  ##
  ## Blocked users
  ##
  ## blocked:
  ##   user:
  ##     - "baduser@example.org"
  ##     - "test"

  ## Local users: don't modify this.
  ##
  local:
    user_regexp: ""

  ##
  ## More examples of ACLs
  ##
  ## jabberorg:
  ##   server:
  ##     - "jabber.org"
  ## aleksey:
  ##   user:
  ##     - "aleksey@jabber.ru"
  ## test:
  ##   user_regexp: "^test"
  ##   user_glob: "test*"

  ##
  ## Loopback network
  ##
  loopback:
    ip:
      - "127.0.0.0/8"
      - "::1/128"
      - "::FFFF:127.0.0.1/128"

  ##
  ## Bad XMPP servers
  ##
  ## bad_servers:
  ##   server:
  ##     - "xmpp.zombie.org"
  ##     - "xmpp.spam.com"

##
## Define specific ACLs in a virtual host.
##
## host_config:
##   "localhost":
##     acl:
##       admin:
##         user:
##           - "bob-local@localhost"

###.  ============
###'  SHAPER RULES

shaper_rules:
  ## Maximum number of simultaneous sessions allowed for a single user:
  max_user_sessions: 10
  ## Maximum number of offline messages that users can have:
  max_user_offline_messages:
    - 5000: admin
    - 100
  ## For C2S connections, all users except admins and bots use the "normal" shaper
  c2s_shaper:
    - none: admin
    - none: bots
    - normal
  ## All S2S connections use the "fast" shaper
  s2s_shaper: fast

###.  ============
###'  ACCESS RULES
access_rules:
  ## This rule allows access only for local users:
  local:
    - allow: local
  ## Only non-blocked users can use c2s connections:
  c2s:
    - deny: blocked
    - allow
  ## Only admins can send announcement messages:
  announce:
    - allow: admin
  ## Only admins can use the configuration interface:
  configure:
    - allow: admin
  ## Expected by the ipstamp module for XpartaMuPP
  ipbots:
    - allow: bots
  muc_admin:
    - allow: admin
  ## Bots must be able to create nodes for games, ratings and boards lists
  pubsub_createnode:
    - allow: admin
    - allow: bots
  ## In-band registration allows registration of any possible username.
  ## To disable in-band registration, replace 'allow' with 'deny'.
  register:
    - deny: blocked
    - allow: validname
  ## Only allow registration from localhost
  trusted_network:
    - allow: loopback
  ## Do not establish S2S connections with bad servers
  ## If you enable this you also have to uncomment "s2s_access: s2s"
  ## s2s:
  ##   - deny:
  ##     - ip: "XXX.XXX.XXX.XXX/32"
  ##   - deny:
  ##     - ip: "XXX.XXX.XXX.XXX/32"
  ##   - allow

## ===============
## API PERMISSIONS
## ===============
##
## This section allows you to define who, and using what method,
## can execute commands offered by ejabberd.
##
## By default the "console commands" section allows executing all commands
## issued using the ejabberdctl command, and the "admin access" section allows
## users in the admin acl that connect from 127.0.0.1 to execute all
## commands except start and stop with any available access method
## (ejabberdctl, http-api, xmlrpc depending on what is enabled on the server).
##
## If you remove "console commands" there will be one added by
## default allowing executing all commands, but if you just change
## permissions in it, the version from the config file will be used instead
## of the default one.
##
api_permissions:
  "console commands":
    from:
      - ejabberd_ctl
    who: all
    what: "*"
  "admin access":
    who:
      - access:
          - allow:
            - acl: loopback
            - acl: admin
      - oauth:
        - scope: "ejabberd:admin"
        - access:
          - allow:
            - acl: loopback
            - acl: admin
    what:
      - "*"
      - "!stop"
      - "!start"
  "public commands":
    who:
      - ip: "127.0.0.1/8"
    what:
      - "status"
      - "connected_users_number"

## By default the frequency of account registrations from the same IP
## is limited to 1 account every 10 minutes. To disable, specify: infinity
registration_timeout: 3600

##
## Define specific Access Rules in a virtual host.
##
## host_config:
##   "localhost":
##     access:
##       c2s:
##         - allow: admin
##         - deny
##       register:
##         - deny

###.  ================
###'  DEFAULT LANGUAGE

##
## language: Default language used for server messages.
##
language: "en"

##
## Set a different default language in a virtual host.
##
## host_config:
##   "localhost":
##     language: "ru"

###.  =======
###'  CAPTCHA

##
## Full path to a script that generates the image.
##
## captcha_cmd: "/usr/share/ejabberd/captcha.sh"

##
## Host for the URL and port where ejabberd listens for CAPTCHA requests.
##
## captcha_host: "example.org:5280"

##
## Limit CAPTCHA calls per minute for JID/IP to avoid DoS.
##
## captcha_limit: 5

###.  ====
###'  ACME
##
## In order to use ACME certificate acquisition through "Let's Encrypt",
## an http listener has to be configured to listen on port 80 so that
## the authorization challenges posed by "Let's Encrypt" can be solved.
##
## A simple way of doing this would be to add the following in the listening
## section and to configure port forwarding from 80 to 5281 either via NAT
## (for ipv4 only) or using frontends such as haproxy/nginx/sslh/etc.
##   -
##     port: 5281
##     ip: "::"
##     module: ejabberd_http

acme:

   ## A contact mail that the ACME Certificate Authority can contact in case of
   ## an authorization issue, such as a server-initiated certificate revocation.
   ## It is not mandatory to provide an email address but it is highly suggested.
   contact: "mailto:example-admin@example.com"


   ## The ACME Certificate Authority URL.
   ## This could either be:
   ##   - https://acme-v01.api.letsencrypt.org - (Default) for the production CA
   ##   - https://acme-staging.api.letsencrypt.org - for the staging CA
   ##   - http://localhost:4000 - for a local version of the CA
   ca_url: "https://acme-v01.api.letsencrypt.org"

###.  =======
###'  MODULES

##
## Modules enabled in all ejabberd virtual hosts.
##
modules:
  mod_adhoc: {}
  mod_admin_extra: {}
  mod_announce: # recommends mod_adhoc
    access: announce
  mod_blocking: {} # requires mod_privacy
  mod_caps: {}
  mod_carboncopy: {}
  mod_client_state: {}
  mod_configure: {} # requires mod_adhoc
  ## mod_delegation: {} # for xep0356
  mod_disco: {}
  ## mod_echo: {}
  ## ipstamp module used by XpartaMuPP to insert IP addresses into the gamelist
  mod_ipstamp: {}
  ## mod_irc: {}
  mod_bosh: {}
  ## mod_http_fileserver:
  ##   docroot: "/var/www"
  ##   accesslog: "/var/log/ejabberd/access.log"
  ## mod_http_upload:
  ##   # docroot: "@HOME@/upload"
  ##   put_url: "https://@HOST@:5444"
  ##   thumbnail: false # otherwise needs the identify command from ImageMagick installed
  ## mod_http_upload_quota:
  ##   max_days: 30
  mod_last: {}
  ## XEP-0313: Message Archive Management
  ## You might want to set up an SQL backend for MAM because the mnesia database is
  ## limited to 2GB which might be exceeded on large servers
  ## mod_mam: {} # for xep0313, mnesia is limited to 2GB, better use an SQL backend
  mod_muc:
    ## host: "conference.@HOST@"
    access:
      - allow
    access_admin: muc_admin
    access_create: muc_admin
    access_persistent: muc_admin
    max_users: 5000
    default_room_options:
      allow_change_subj: false
      logging: true
      max_users: 1000
      persistent: true
  mod_muc_admin: {}
  mod_muc_log:
    outdir: "/lobby/logs"
    dirtype: plain
    file_format: plaintext
    timezone: universal
  ## mod_multicast: {}
  mod_offline:
    access_max_user_messages: max_user_offline_messages
  mod_ping:
    send_pings: true
  ## mod_pres_counter:
  ##   count: 5
  ##   interval: 60
  mod_privacy: {}
  mod_private: {}
  ## mod_proxy65: {}
  mod_pubsub:
    access_createnode: pubsub_createnode
    ## reduces resource consumption, but XEP incompliant
    ignore_pep_from_offline: true
    ## XEP compliant, but increases resource consumption
    ## ignore_pep_from_offline: false
    last_item_cache: false
    plugins:
      - "flat"
      - "hometree"
      - "pep" # pep requires mod_caps
  mod_push: {}
  mod_push_keepalive: {}
  mod_register:
    ##
    ## Protect In-Band account registrations with CAPTCHA.
    ##
    ## captcha_protected: true
    ##
    ## Set the minimum informational entropy for passwords.
    ##
    ## password_strength: 32
    ##
    ## After successful registration, the user receives
    ## a message with this subject and body.
    ##
    ## welcome_message:
    ##   subject: "Welcome!"
    ##   body: |-
    ##     Hi.
    ##     Welcome to this XMPP server.
    ##
    ## When a user registers, send a notification to
    ## these XMPP accounts.
    ##
    ## registration_watchers:
    ##   - "admin1@example.org"
    ##
    ## Only clients on the server machine can register accounts
    ##
    ## ip_access: trusted_network
    ##
    ## Local c2s or remote s2s users cannot register accounts
    ##
    ## access_from: deny
    access: register
  mod_roster:
    versioning: true
  ## mod_shared_roster: {}
  mod_stats: {}
  mod_time: {}
  ## mod_vcard:
  ##   search: false
  ## mod_vcard_xupdate: {}
  ## Convert all avatars posted by Android clients from WebP to JPEG
  ## mod_avatar: # this module needs compile option --enable-graphics
  ##   convert:
  ##     webp: jpeg
  mod_version: {}
  mod_stream_mgmt:
    resend_on_timeout: if_offline
  ## Non-SASL Authentication (XEP-0078) is now disabled by default
  ## because it is obsolete and is used mostly by abandoned
  ## client software
  ## mod_legacy_auth: {}
  ## The module for S2S dialback (XEP-0220). Please note that you cannot
  ## rely solely on dialback if you want to federate with other servers,
  ## because a lot of servers have dialback disabled and instead rely on
  ## PKIX authentication. Make sure you have proper certificates installed
  ## and check your accessibility at https://check.messaging.one/
  mod_s2s_dialback: {}
  mod_http_api: {}

##
## Enable modules with custom options in a specific virtual host
##
## host_config:
##   "localhost":
##     modules:
##       mod_echo:
##         host: "mirror.localhost"

##
## Enable modules management via ejabberdctl for installation and
## uninstallation of public/private contributed modules
## (enabled by default)
##

allow_contrib_modules: true

###.
###'
### Local Variables:
### mode: yaml
### End:
### vim: set filetype=yaml tabstop=8 foldmarker=###',###. foldmethod=marker:
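The listener, TLS, authentication, S2S, registration and API-permission settings above are the places a reviewer checks first. The following script is an added example, not ejabberd's own code and not part of the configuration file: it transcribes those keys into a Python dict (`PAGE_CONFIG`, so no YAML library is needed) and audits them the way a configuration review would, flagging legacy TLS versions, anonymous/null cipher suites, admin or API handlers served without TLS or bound to non-loopback addresses, plaintext password storage, a digest-md5 mechanism that contradicts SCRAM storage, non-required S2S STARTTLS, a disabled registration rate limit, and API permissions that trust non-loopback networks. `WEAK_CONFIG` is a constructed variant with several protections removed, for comparison.

```python
"""Static audit of security-relevant ejabberd settings (added example)."""
import copy
import ipaddress

# Transcription of the security-relevant keys from the configuration on this page.
PAGE_CONFIG = {
    "define_macro": {
        "TLS_CIPHERS": "HIGH:!aNULL:!eNULL:!3DES:@STRENGTH",
        "TLS_OPTIONS": ["no_sslv2", "no_sslv3", "no_tlsv1",
                        "cipher_server_preference", "no_compression"],
    },
    "listen": [
        {"port": 5222, "ip": "0.0.0.0", "module": "ejabberd_c2s",
         "starttls": True, "starttls_required": False},
        {"port": 5280, "ip": "127.0.0.1", "module": "ejabberd_http",
         "request_handlers": {"/ws": "ejabberd_http_ws", "/bosh": "mod_bosh",
                              "/api": "mod_http_api"},
         "web_admin": True, "tls": True},
        {"port": 3478, "transport": "udp", "module": "ejabberd_stun"},
    ],
    "disable_sasl_mechanisms": "digest-md5",
    "s2s_use_starttls": "required",
    "auth_password_format": "scram",
    "registration_timeout": 3600,
    "api_permissions": {"public commands": {"who": [{"ip": "127.0.0.1/8"}]}},
}

# Constructed weaker variant: no c2s STARTTLS, admin UI on all interfaces without
# TLS, plaintext password storage and no registration rate limit.
WEAK_CONFIG = copy.deepcopy(PAGE_CONFIG)
WEAK_CONFIG["listen"][0]["starttls"] = False
WEAK_CONFIG["listen"][1].update({"ip": "0.0.0.0", "tls": False})
WEAK_CONFIG["auth_password_format"] = "plain"
WEAK_CONFIG["registration_timeout"] = "infinity"


def _as_list(value):
    """ejabberd accepts a scalar or a list for several options; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_loopback(ip_or_net):
    """True for 127.0.0.0/8 and ::1 (a bare address is treated as a /32 or /128)."""
    if ip_or_net is None:
        return False
    return ipaddress.ip_network(ip_or_net, strict=False).is_loopback


def audit(cfg):
    """Return a list of 'severity: message' findings; an empty list means none."""
    findings = []
    macros = cfg.get("define_macro", {})
    options = set(_as_list(macros.get("TLS_OPTIONS")))
    for legacy in ("no_sslv2", "no_sslv3", "no_tlsv1"):
        if legacy not in options:
            findings.append(f"high: TLS_OPTIONS does not set {legacy}")
    ciphers = macros.get("TLS_CIPHERS", "").split(":")
    for excl in ("!aNULL", "!eNULL"):
        if excl not in ciphers:
            findings.append(f"high: TLS_CIPHERS does not exclude {excl[1:]} suites")
    for lst in cfg.get("listen", []):
        where = f"{lst['module']} on port {lst['port']}"
        if lst["module"] == "ejabberd_c2s":
            if not lst.get("starttls") and not lst.get("tls"):
                findings.append(f"high: {where}: no STARTTLS or TLS, sessions are unencrypted")
            elif not lst.get("starttls_required") and not lst.get("tls"):
                findings.append(f"medium: {where}: starttls_required is false, "
                                "clients may keep the session unencrypted")
        elif lst["module"] == "ejabberd_http":
            handlers = lst.get("request_handlers", {}).values()
            sensitive = lst.get("web_admin") or "mod_http_api" in handlers
            if sensitive and not lst.get("tls"):
                findings.append(f"high: {where}: web_admin/mod_http_api served without tls")
            if sensitive and not _is_loopback(lst.get("ip")):
                findings.append(f"medium: {where}: web_admin/mod_http_api bound to "
                                f"non-loopback address {lst.get('ip', '(all)')}")
    fmt = cfg.get("auth_password_format", "plain")   # ejabberd's default is plain
    if fmt == "plain":
        findings.append("high: auth_password_format is plain, passwords are stored unhashed")
    elif fmt == "scram" and "digest-md5" not in _as_list(cfg.get("disable_sasl_mechanisms")):
        findings.append("low: scram storage but digest-md5 is still offered; it needs plain storage")
    if cfg.get("s2s_use_starttls") != "required":
        findings.append("medium: s2s_use_starttls is not 'required'")
    if cfg.get("registration_timeout") == "infinity":
        findings.append("medium: registration_timeout is infinity, no per-IP registration rate limit")
    for name, perm in cfg.get("api_permissions", {}).items():
        for who in perm.get("who", []):
            for net in _as_list(who.get("ip")):
                if not _is_loopback(net):
                    findings.append(f"medium: api_permissions '{name}' trusts non-loopback network {net}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("page config", PAGE_CONFIG), ("weak config", WEAK_CONFIG)):
        print(label + ":", *audit(cfg), sep="\n  ")
```

Run against the page's own settings the only finding is `starttls_required: false` on port 5222: SCRAM keeps the password itself off the wire, but a client that never upgrades the stream sends everything else in the clear. To parse a real `ejabberd.yml` instead of the transcribed dict, load it with PyYAML and pass the resulting mapping to `audit()`; the macro names `TLS_OPTIONS` and `TLS_CIPHERS` are read from `define_macro` exactly as the file defines them.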
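The `acl`, `shaper_rules`, `access_rules` and `api_permissions` sections above form one rule system: a rule list is walked top-down, the first ACL that matches decides, and an exhausted list falls back to a default (`deny` for access rules, `none` for shapers). The following model is an added example, not ejabberd's own code: it transcribes the page's ACLs and rules into Python tables and evaluates them, which makes visible, for instance, that the `validname` regexp is what bounds in-band registration, that `"admin access"` requires both the `loopback` and the `admin` ACL to match while still excluding `stop` and `start`, and that `"public commands"` covers only IPv4 loopback, so a caller arriving over `::1` is refused. The `oauth` branch of `"admin access"` is left out of the model; the JIDs and addresses fed to the checks are constructed test input.

```python
"""Model of ejabberd ACL / access-rule / API-permission evaluation (added example)."""
import ipaddress
import re

HOSTS = ["localhost"]                       # 'hosts' from the configuration

ACL = {                                     # transcribed from the 'acl' section
    "admin": {"user": ["admin@localhost"]},
    "bots": {"user": ["echelon23@localhost", "wfgbot23@localhost"]},
    "validname": {"user_regexp": r"^[0-9A-Za-z._-]{1,20}$"},
    "local": {"user_regexp": ""},           # empty regexp: any user on a served host
    "loopback": {"ip": ["127.0.0.0/8", "::1/128", "::FFFF:127.0.0.1/128"]},
    # 'blocked' is commented out in the configuration, so it stays undefined here
}

ACCESS_RULES = {                            # (verdict, acl) pairs, first match wins
    "local": [("allow", "local")],
    "c2s": [("deny", "blocked"), ("allow", "all")],
    "announce": [("allow", "admin")],
    "pubsub_createnode": [("allow", "admin"), ("allow", "bots")],
    "register": [("deny", "blocked"), ("allow", "validname")],
    "trusted_network": [("allow", "loopback")],
}

SHAPER_RULES = {"c2s_shaper": [("none", "admin"), ("none", "bots"), ("normal", "all")]}

API_PERMISSIONS = {
    # every ACL listed under 'acl' must match (AND); any 'who' entry suffices (OR)
    "admin access": {"who": [{"acl": ["loopback", "admin"]}],
                     "what": ["*", "!stop", "!start"]},
    "public commands": {"who": [{"ip": ["127.0.0.1/8"]}],
                        "what": ["status", "connected_users_number"]},
}


def _ip_in(ip, networks):
    if ip is None:
        return False
    addr = ipaddress.ip_address(ip)
    # an IPv4 address never falls inside an IPv6 network, and vice versa
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def acl_matches(name, jid, ip=None):
    """True if the subject (JID and/or source address) is covered by the named ACL."""
    if name == "all":
        return True
    spec = ACL.get(name)
    if spec is None:                        # 'none' or an undefined ACL matches nothing
        return False
    user, _, server = (jid or "").partition("@")
    if jid in spec.get("user", []):
        return True
    if "user_regexp" in spec and server in HOSTS and re.search(spec["user_regexp"], user):
        return True
    return _ip_in(ip, spec.get("ip", []))


def resolve(rules, jid, ip=None, default="deny"):
    """Walk a rule list top-down and return the verdict of the first matching ACL."""
    for verdict, acl_name in rules:
        if acl_matches(acl_name, jid, ip):
            return verdict
    return default


def check_access(rule, jid, ip=None):
    return resolve(ACCESS_RULES[rule], jid, ip) == "allow"


def c2s_shaper(jid, ip=None):
    return resolve(SHAPER_RULES["c2s_shaper"], jid, ip, default="none")


def _who_matches(who, jid, ip):
    return any(all(acl_matches(a, jid, ip) for a in entry.get("acl", []))
               and (not entry.get("ip") or _ip_in(ip, entry["ip"]))
               for entry in who)


def _what_matches(what, command):
    # "*" grants every command except those listed with a leading "!"
    return command in what or ("*" in what and ("!" + command) not in what)


def api_allowed(command, jid, ip):
    """An API call succeeds if any permission block matches both 'who' and 'what'."""
    return any(_who_matches(p["who"], jid, ip) and _what_matches(p["what"], command)
               for p in API_PERMISSIONS.values())


if __name__ == "__main__":
    print("alice may register:", check_access("register", "alice@localhost"))
    print("25-char name may register:", check_access("register", "a" * 25 + "@localhost"))
    print("admin 'stop' via API from 127.0.0.1:", api_allowed("stop", "admin@localhost", "127.0.0.1"))
    print("anonymous 'status' from ::1:", api_allowed("status", None, "::1"))
```

Two details worth noticing in the output: an undefined ACL such as the commented-out `blocked` simply never matches, so `deny: blocked` is inert until the ACL is defined, and the `register` rule's `allow: validname` combined with the `deny` default is what keeps over-long or oddly spelled account names out, which is the property the `validname` comment in the file is relying on.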