[Operators] requiring channel encryption

Jonathan Schleifer js-xog at webkeks.org
Wed Apr 30 07:54:04 CDT 2008

"Maissel, Joe" <joe.maissel at credit-suisse.com> wrote:

> For better or worse, we have a requirement to run both TLS required
> and non-TLS S2S services.  To connect to gmail.com we need non-TLS.
> My organization requires that non-TLS services be locked down by IP
> at the firewall level.  I also want to have open XMPP federation
> (from a firewall point of view) so for that I have must run TLS
> ONLY.  I don't have the flexibility to run it as you outline below
> (would be much easier if I did!).  This is why we require separate
> SRV records for TLS and non-TLS S2S services.  We are using the SRV
> record _xmpp-server._tls for this (as opposed to _xmpp-server._tcp),
> but I don't think ._tls is standard.

I tested it and it won't work with ejabberd. It will connect to the SRV
record _xmpp-server._tcp and wait for hours as you just filter traffic
instead of sending rejecting the connection. Thus s2s with your
server won't work with ejabberd servers.
What about this as a solution: At the firewall level, route those
servers that don't support TLS to the other s2s and let traffic from
all other IPs be routed to the s2s that requires TLS. That way you
won't even need SRV records!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: not available
Url : http://mail.jabber.org/pipermail/operators/attachments/20080430/6de8630a/attachment.pgp 

More information about the Operators mailing list