One you have installed Tigase XMPP Server on a machine, you’re going to want to use it. If you are just using for local communications on a network behind a router, you’re all set. Enjoy and use!
However, if you want to have people from other computers outside your network connect to your server, you’re going to have to go through a few more steps to show your server out to the public.
This guide is merely a recommendation of how to get a local server to be open to incoming communications. Any time you open ports, or take other security measures you risk compromising your network security. These are only recommendations, and may not be appropriate for all installations. Please consult your IT Security expert for securing your own installation.
XMPP, being a decentralized communication method, relies on proper DNS records to figure out where and how an XMPP server is setup. Operating an XMPP Server will require you to properly setup DNS routing so not only can clients connect to you, but if you decide to run a federated server and enable server to server communication, you will need to do the same. If you already have a DNS server already, you should have little issue adding these records. If you do not have a DNS setup pointing to your server, you may use a free dynamic name service such as dynu.com.
You will not be able to use an IP Address or a CNAME record to setup an XMPP Server. While it’s not required, an A record can provide some other benefits such serving as a backup in case the SRV record is not configured right.
You will need to set SRV records both for client-to-server (c2s) communication and, if you plan to use it, server to server (s2s) communication. We recommend both records are entered for every server as some resources or clients will check for both records. For this example we will use tigase.org is our domain, and xmpp as the xmpp server subdomain.
SRV records have the following form:
_service._protocol.name. TTL class SRV Priority weight port target.
The key is as follows:
For our example server, the SRV records will then look like this:
_xmpp-client._TCP.tigase.org 86400 IN SRV 0 5 5222 xmpp.tigase.org
_xmpp-server._TCP.tigase.org 86400 IN SRV 0 5 5269 xmpp.tigase.org
If you have a cell phone on a separate network with an XMPP client, you can now try to login to test the server. If that is not handy, you can use an online tool to check proper DNS records such as kingant’s: https://kingant.net/check_xmpp_dns/ and it will tell you if anything is missing.
Once your server is setup, you may need to open at least two ports. By default XMPP communication happens on ports 5222/5269, to which point SRV records. Other ports used by the server are:
3478
(TURN or STUN, plain socket, TCP and UDP)5349
(TURN or STUN, over TLS, TCP and UDP)5222
(default XMPP socket port)5223
(legacy XMPP socket port)5269
(default s2s port, i.e.: federation support)5277
(component protocol port, e.g.: for external components)5280
(default BOSH port)5290
(default WebSocket port)8080
(HTTP API component port)9050
(JMX Monitoring)If for any reason you can’t use default ports and have to change them it’s possible to point SRV records those ports. Please keep in mind, that you have to open those ports for incoming connections in your firewall. In case you are using iptables
you can use following command to include those ports in your rules:
iptables -A INPUT -p tcp -m tcp --dport 5222 -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 5223 -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 5269 -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 5277 -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 5280 -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 5290 -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT iptables -A INPUT -p tcp -m tcp --dport 9050 -j ACCEPT
Both ports should be setup to use TCP only. If for any reason you want to make service available for different ports you can:
forward those ports to default Tigase ports (this is especially useful under *nix operating system if you want to utilize ports lower than 1024
while running, as recommended, Tigase service from user account - there is a limitation and user accounts can bind to ports lower than 1024
), for example using iptables
rules (in following example we are making available Tigase SSL websocket port available under port 443
, which is usually opened in corporate firewalls):
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 5291