= Jabber Admin =

== Jabber Daemon ==

We use [[http://www.ejabberd.im/|ejabberd]].

== Erlang Cookie ==

All nodes must have the same Erlang cookie. When installing a new node, replace the default Debian cookie with one copied from `~ejabberd/.erlang_cookie`.

== SSL Certificate ==

We require TLS communication with the jabber daemon to avoid exposing Kerberos passwords. When installing a new node, make sure to copy `/etc/ejabberd/ejabberd.pem` from another node. The current certificate is valid until 2018 and signed by the HCoop CA.

== Firewall ==

The IANA service names `xmpp-client` (port 5222) and `xmpp-server` (port 5269) must be open to the world at large. For ferm:

{{{
proto tcp dport (xmpp-client xmpp-server) ACCEPT;
}}}

Port `4369` (epmd) must be open to all other `ejabberd` nodes, but should '''not''' be open to the world at large. Unfortunately this requires maintaining a list of IPs at present (we really should rewrite fwtool).

{{{
proto tcp daddr (...) dport 4369 ACCEPT;
}}}

== PAM Configuration ==

{{{#!wiki caution
TODO
}}}

----
CategorySystemAdministration