Security and conformance updates

- Publish abbuse addresse using mod_disco

Allow users to change password with client

- ...

seqs/ejabberd.sh

@@ -2,6 +2,7 @@
 
 toolName=ejabberd
 toolConfLoc="/etc/ejabberd/ejabberd.yml"
+toolAdminConf="/etc/ejabberd/ejabberdctl.cfg"
 # for http upload
 toolStorageLoc="/var/ejabberd"
 certRoot="/etc/letsencrypt"
@@ -14,9 +15,9 @@ myPass=
 step_1_info() { echo "Install $toolName via apt"; }
 step_1_alias() { ALIAS="install"; }
 step_1() {
- exe apt update
+  exe apt update
- exe apt install -y $toolName
+  exe apt install -y $toolName
- exe systemctl stop $toolName
+  exe systemctl stop $toolName
 }
 
 step_2_info() { echo "Use certificate from local letsencrypt"; }
@@ -57,12 +58,13 @@ step_3() {
     # create storage for http upload
     exe mkdir -p "$toolStorageLoc"
     exe chown root:$toolName "$toolStorageLoc"
-  	exe chmod 770 "$toolStorageLoc"
+    exe chmod 770 "$toolStorageLoc"
   fi
+  # Erlang-VM to listen only on local interface
+  exe sed -i "s/#\(INET_DIST_INTERFACE=127\.0\.0\.1\)/\1/" "$toolAdminConf"
 }
 
-MissingConfEntry="\
+MissingConfEntry="Seq's basic configuration file \"$SEQDIR/ejabberd.yml\" missing.
-Seq's basic configuration file \"$SEQDIR/ejabberd.yml\" missing.
 Backup $toolConfLoc and create a configuration manually.
 
 Some essential settings needed:

seqs/ejabberd.yml

@@ -1,4 +1,5 @@
 loglevel: 3
+hide_sensitive_log_data: true
 
 log_rotate_size: 0
 log_rotate_date: ""
@@ -18,18 +19,19 @@ listen:
     ## file and uncomment these lines:
     ##
     certfile: "/etc/ejabberd/ejabberd.pem"
-    starttls: true
+    ## starttls: true
     ##
     ## To enforce TLS encryption for client connections,
     ## use this instead of the "starttls" option:
     ##
-    ## starttls_required: true
+    starttls_required: true
     ##
     ## Custom OpenSSL options
     ##
     protocol_options:
       - "no_sslv3"
-    ##   - "no_tlsv1"
+      - "no_tlsv1"
+      - "no_tlsv1_1"
     max_stanza_size: 65536
     shaper: c2s_shaper
     access: c2s
@@ -67,14 +69,16 @@ listen:
 
 ## Disabling digest-md5 SASL authentication. digest-md5 requires plain-text
 ## password storage (see auth_password_format option).
-disable_sasl_mechanisms: "digest-md5"
+disable_sasl_mechanisms:
-
+  - "digest-md5"
-s2s_use_starttls: optional
+  - "x-oauth2"
 
+s2s_use_starttls: required
 s2s_certfile: "/etc/ejabberd/ejabberd.pem"
-
 s2s_protocol_options:
   - "no_sslv3"
+  - "no_tlsv1"
+  - "no_tlsv1_1"
 
 outgoing_s2s_families:
    - ipv4
@@ -84,6 +88,22 @@ outgoing_s2s_timeout: 10000
 auth_method: internal
 auth_password_format: scram
 
+###.  ===============
+###'  DATABASE _SETUP
+
+### MySQL server:
+###
+#sql_type: mysql
+#sql_server: "localhost"
+#sql_database: "db_name"
+#sql_username: "db_user"
+#sql_password: "db_pass"
+## Keepalive in seconds
+#sql_keepalive_interval: 28800
+#sql_pool_size: 5
+
+###.  ===============
+###'  TRAFFIC SHAPERS
 shaper:
   ##
   ## The "normal" shaper limits traffic speed to 1000 B/s
@@ -176,7 +196,13 @@ modules:
   mod_client_state: {}
   mod_configure: {} # requires mod_adhoc
   ##mod_delegation: {} # for xep0356
-  mod_disco: {}
+  mod_disco:
+    server_info:
+      -
+        modules: all
+        name: "abuse-addresses"
+        urls:
+          - "mailto:jabberadmin@mydomain.eu"
   mod_echo: {}
   mod_irc: {}
   mod_http_bind: {}
@@ -224,7 +250,7 @@ modules:
       - "flat"
       - "hometree"
       - "pep" # pep requires mod_caps
-  ## mod_register:
+  mod_register:
     ##
     ## Protect In-Band account registrations with CAPTCHA.
     ##
@@ -257,6 +283,9 @@ modules:
     ##
     ##   access_from: deny
     ##   access: register
+    
+    # No registration, but allow existing accounts to change password
+    access: none
   mod_roster:
     versioning: true
   mod_shared_roster: {}
@@ -264,7 +293,8 @@ modules:
   mod_time: {}
   mod_vcard:
     search: false
-  mod_version: {}
+  mod_version:
+    show_os: false
 
 ##
 ## Enable modules with custom options in a specific virtual host