1. Jabber Daemon
We use ejabberd.
2. Erlang Cookie
All nodes must have the same Erlang cookie. When installing a new node, replace the default Debian cookie with one copied from ~ejabberd/.erlang.cookie on an existing node.
3. SSL Certificate
We require TLS for all connections to the jabber daemon so that Kerberos passwords are never sent in the clear.
When installing a new node make sure to copy /etc/ejabberd/ejabberd.pem from another node. The current certificate is valid until 2018 and signed by the HCoop CA.
The IANA service names xmpp-client (port 5222) and xmpp-server (port 5269) must be open to the world at large.
proto tcp dport (xmpp-client xmpp-server) ACCEPT;
Port 4369 (epmd, the Erlang port mapper) must be reachable from all other ejabberd nodes but must not be open to the world at large. Unfortunately this currently requires maintaining a list of node IPs by hand (we really should rewrite fwtool).
proto tcp saddr (...) dport 4369 ACCEPT;
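The checks an operator would run after building a node by the steps above, written here as an added example that is not part of the original page, of ejabberd or of fwtool: it verifies that the cookie file is owner-readable only and identical to a copy taken from an existing node, fails if the certificate has less than a month of validity left, and generates the two ferm rules from a list of peer node addresses so that epmd is never left open when the list is empty. The Debian cookie path, the `run_checks` entry point and the 192.0.2.x peer addresses are assumptions and placeholders; `stat -c` is the GNU form.

```shell
#!/bin/sh
# Added example, not from the original page: post-install checks for an
# ejabberd cluster node plus a generator for the ferm firewall fragment.
# The Debian cookie path is an assumption; the certificate path is the one
# named in the notes above.

COOKIE_FILE="${COOKIE_FILE:-/var/lib/ejabberd/.erlang.cookie}"
CERT_FILE="${CERT_FILE:-/etc/ejabberd/ejabberd.pem}"

# cookie_ok FILE: non-empty, a single line, and readable by its owner only.
# Erlang rejects a cookie file that has any group or other permission bits
# set, so 400 and 600 are the only acceptable modes. (GNU stat syntax.)
cookie_ok() {
    f="$1"
    [ -s "$f" ] || return 1
    [ "$(wc -l < "$f" | tr -d ' ')" -le 1 ] || return 1
    case "$(stat -c '%a' "$f")" in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

# cookies_match LOCAL REFERENCE: the cookie must be identical on every node;
# REFERENCE is a copy fetched from an existing node.
cookies_match() {
    [ "$(tr -d '[:space:]' < "$1")" = "$(tr -d '[:space:]' < "$2")" ]
}

# cert_valid_for_days FILE DAYS: fails once the certificate has fewer than
# DAYS days of validity left, so renewal is noticed before clients break.
cert_valid_for_days() {
    openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 ))
}

# ferm_rules PEER_IP...: the two rules from the notes above. XMPP c2s/s2s are
# reachable from anywhere; epmd on 4369 accepts only the listed peers (the
# chain is assumed to drop everything not explicitly accepted). With no peer
# list the second rule is omitted and the function fails, so a node with an
# empty list never ends up with epmd open to the world.
ferm_rules() {
    printf 'proto tcp dport (xmpp-client xmpp-server) ACCEPT;\n'
    [ $# -gt 0 ] || return 1
    printf 'proto tcp saddr (%s) dport 4369 ACCEPT;\n' "$*"
}

# run_checks REFERENCE_COOKIE PEER_IP...: the checks in order, stopping at the
# first failure; on success the ferm fragment is printed.
run_checks() {
    ref="$1"; shift
    cookie_ok "$COOKIE_FILE"            || { echo "cookie: missing, empty or too permissive" >&2; return 1; }
    cookies_match "$COOKIE_FILE" "$ref" || { echo "cookie: differs from $ref" >&2; return 1; }
    cert_valid_for_days "$CERT_FILE" 30 || { echo "cert: expires within 30 days" >&2; return 1; }
    ferm_rules "$@"
}

# Invoked as: sh ejabberd-node-check.sh check /tmp/cookie.ref 192.0.2.10 192.0.2.11
# (placeholder peer addresses). When sourced, only the functions are defined.
case "${1:-}" in
    check) shift; run_checks "$@" ;;
esac
```

Fetch the reference cookie over an authenticated channel (scp from an existing node), never by pasting it into a ticket or chat, and keep the peer list in one place that both this script and fwtool read so the two cannot drift apart.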
5. PAM Configuration