/etc/jabberd2/s2s.xml is in jabberd2 2.6.1-3build1.
This file is owned by root:root, with mode 0o644.
<!-- s2s configuration: the jabberd2 server-to-server component.
     Elements wrapped in comment blocks are disabled; uncomment them to enable.
     Several security-relevant settings (router TLS, s2s TLS, require_tls,
     domain whitelisting) are disabled in this packaged default, and
     out-conn-reuse is enabled; see the NOTE(review) comments below. -->
<s2s>
  <!-- Our ID on the network (default: s2s) -->
  <id>s2s</id>

  <!-- The process ID file. Comment this out if you don't need to know
       the process ID from outside the process (eg for control scripts) -->
  <pidfile>/var/run/jabberd2/s2s.pid</pidfile>

  <!-- Router connection configuration -->
  <router>
    <!-- IP/port the router is waiting for connections on -->
    <ip>127.0.0.1</ip>    <!-- default: 127.0.0.1 -->
    <port>5347</port>     <!-- default: 5347 -->

    <!-- Username/password to authenticate as -->
    <user>jabberd</user>  <!-- default: jabberd -->
    <!-- NOTE(review): "secret" is the packaged default and presumably has to
         match the credentials the router side is configured with. Change it
         before the router port is reachable by anything other than local
         components. This file is installed world-readable (mode 0644), so a
         real password placed here should come with a tighter file mode. -->
    <pass>secret</pass>   <!-- default: secret -->

    <!-- The router will only allow one component to be the default
         route (ie the component that receives packets destined for
         unknown hosts). If you want to run more than one s2s instance,
         you need to uncomment this so that s2s does not try to become
         the default route. Note that all outgoing s2s communication
         will go to the component that is the default route. -->
    <!--
    <non-default/>
    -->

    <!-- File containing an SSL certificate and private key to use when
         setting up an encrypted channel with the router. From
         SSL_CTX_use_certificate_chain_file(3): "The certificates must be
         in PEM format and must be sorted starting with the subject's
         certificate (actual client or server certificate), followed
         by intermediate CA certificates if applicable, and ending
         at the highest level (root) CA" (the latter one being optional).
         If this is commented out, or the file can't be read, no attempt
         will be made to establish an encrypted channel with the router.
         NOTE(review): left commented out here, so the s2s-to-router link,
         including the <pass> above, is sent in the clear. With the router
         on 127.0.0.1 that is loopback-only exposure; enable this if the
         router is ever reached over a real network interface. -->
    <!--
    <pemfile>/etc/jabberd2/server.pem</pemfile>
    -->

    <!-- Router connection retry -->
    <retry>
      <!-- If the connection to the router can't be established at
           startup, we should try again this many times before exiting.
           Use -1 to retry indefinitely. [default: 3] -->
      <init>3</init>

      <!-- If we lost the connection to the router during normal
           operation (ie we've successfully connected to the router in
           the past), we should try to reconnect this many times before
           exiting. Use -1 to retry indefinitely. [default: 3] -->
      <lost>3</lost>

      <!-- Sleep for this many seconds before attempting a
           reconnect. [default: 2] -->
      <sleep>2</sleep>
    </retry>
  </router>

  <!-- Log configuration - type is "syslog", "file" or "stdout" -->
  <log type='file'>
    <!-- If logging to syslog, this is the log ident -->
    <ident>jabberd/s2s</ident>

    <!-- If logging to syslog, this is the log facility
         (local0 - local7) [default: local3] -->
    <facility>local3</facility>

    <!-- if logging to file, this is the filename of the logfile -->
    <file>/var/log/jabberd2/s2s.log</file>

    <!-- Filename of the debug logfile.
         NOTE(review): the example below uses /var/jabberd2/log/ whereas the
         active logfile above lives under /var/log/jabberd2/; adjust the
         path to the layout actually used on this host before enabling. -->
    <!--
    <debug>/var/jabberd2/log/debug-${id}.log</debug>
    -->
  </log>

  <!-- Local network configuration -->
  <local>
    <!-- IP and port to listen for incoming s2s connections on
         (default: 0.0.0.0, 5269). 0.0.0.0 binds every interface;
         5269 is the standard XMPP server-to-server port. -->
    <ip>0.0.0.0</ip>
    <port>5269</port>

    <!-- Multihomed machines (with more than one interface and IP address)
         need to specify outgoing S2S connections interface/address.
         If not set, the <ip> section address above is used. -->
    <!--
    <origins>
      <ip>1.2.3.4</ip>
      <ip>fe80::202:b3ff:fe1e:8329</ip>
    </origins>
    -->

    <!-- Secret used to generate dialback keys. If you have more than
         one s2s instance configured, make sure that this is the same on
         all of them. If this is commented out, a random one will be
         generated.
         NOTE(review): if a fixed value is set, treat it like the router
         <pass>: it is a shared secret and this file is installed with
         mode 0644. -->
    <!--
    <secret>secret</secret>
    -->

    <!-- File containing an SSL certificate and private key to use when setting
         up encrypted s2s connections with other servers (STARTTLS + Dialback).
         From SSL_CTX_use_certificate_chain_file(3): "The certificates must be
         in PEM format and must be sorted starting with the subject's
         certificate (actual client or server certificate), followed
         by intermediate CA certificates if applicable, and ending
         at the highest level (root) CA" (the latter one being optional).
         If this is commented out, or the file can't be read, no attempt will be
         made to establish encrypted connections with other servers.
         NOTE(review): commented out by default, so s2s traffic with other
         servers stays plaintext. <require_tls/> under <security> below
         presumably cannot be satisfied without a pemfile here; set this
         first when moving to TLS-only federation - confirm. -->
    <!--
    <pemfile>/etc/jabberd2/server.pem</pemfile>
    -->

    <!-- SSL verify mode - see SSL_CTX_set_verify(3), mode parameter.
         The example value 7 is SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT
         | SSL_VERIFY_CLIENT_ONCE. Peer verification only means something when
         a trust store is available (see <cachain> below); how jabberd2 wires
         the two together is not visible from this file - confirm. -->
    <!--
    <verify-mode>7</verify-mode>
    -->

    <!-- List of available TLS ciphers. "DEFAULT" is OpenSSL's built-in
         list; the value uses the cipher-list syntax of ciphers(1), so a
         stricter selection can be configured here. -->
    <!--
    <ciphers>DEFAULT</ciphers>
    -->

    <!-- File containing an optional SSL certificate chain file for SSL
         connections. NOTE(review): presumably the CA bundle used to verify
         remote servers' certificates when <verify-mode> is set; the path
         below is an example to adjust. -->
    <!--
    <cachain>/etc/jabberd2/cachain.pem</cachain>
    -->
  </local>

  <!-- input/output settings -->
  <io>
    <!-- Maximum number of file descriptors. Note that the number of
         possible connections will be slightly less than this, because
         s2s itself can use some on its own. If the supply of file
         descriptors is exhausted, new incoming connections will be
         denied.

         These connections are mainly consumed when we make a
         connection to an external jabber server, or an external jabber
         server connects to us. If you don't have a lot of users then
         there's probably no need for s2s to establish connections to
         external jabber servers and the default value here is probably
         fine. On the other hand, if you have lots of users with lots
         of remote buddies in their buddylist then s2s will need to have
         lots of open connections with other jabber servers and you may
         need to increase this value.

         Note that this value only affects how many file descriptors
         jabberd is able to handle internally. You may also need to
         tell your operating system to allow jabberd to use more file
         descriptors. On Linux this can be done using ulimit -n or by
         changing the value of /proc/sys/fs/file-max.
         (default: 1024) -->
    <max_fds>1024</max_fds>

    <!-- Rate limiting -->
    <limits>
      <!-- Maximum stanza size - if more than given number of bytes
           are read in one incoming stanza, the stream is closed
           with policy-violation error.
           Set to 0 to disable.
           Values less than 16384 might not work.
           NOTE(review): this is the per-stream bound on how much input a
           remote server can make s2s buffer for a single stanza; keep it
           non-zero on hosts reachable from the Internet. -->
      <stanzasize>65535</stanzasize>
    </limits>

    <!-- Enable XEP-0138: Stream Compression.
         NOTE(review): disabled here. Compressing a stream that is also
         TLS-protected has known side-channel weaknesses, so leave it off
         unless there is a concrete need for it. -->
    <!--
    <compression/>
    -->
  </io>

  <!-- Timed checks -->
  <check>
    <!-- Interval between checks.
         Checks will be run every n seconds.
         0 disables all checks except DNS expiry. (default: 60) -->
    <interval>60</interval>

    <!-- Queue expiry and connection timeout.
         While a connection is being established and dialback is in
         progress, packets are queued. If a valid connection has not
         been established within this many seconds, the connection
         process will be aborted and the queued packets will be
         bounced. Timeout checks are made for three phases of
         setting up a route authenticated through dialback:
           1. Connection establishment to exchange of stream headers
           2. Initiating dialback (incoming connections)
           3. Completing dialback (incoming and outgoing)
         If stage 1 connection establishment fails and there are
         alternative hosts for this route that have not failed
         recently, they will be tried too before finally giving up.
         0 disables queue expiry. (default: 60) -->
    <queue>60</queue>

    <!-- Queue retry timeout.
         If the queue is older than this timeout, the connection
         will not be retried even if there are alternative hosts
         that have not failed recently.
         0 disables retry expiry. (default: 300) -->
    <retry>300</retry>

    <!-- Idle connection checks.
         Connections that have not sent data for longer than this many
         seconds will be dropped.
         0 disables idle timeouts. (default: 86400) -->
    <idle>86400</idle>

    <!-- Keepalives.
         Outgoing connections that have not been used for longer than
         this many seconds will have a single whitespace character sent
         to them. This will force the TCP connection to be closed if
         they have disconnected without us knowing about it.
         0 disables keepalives. (default: 0) -->
    <keepalive>0</keepalive>

    <!-- Interval between DNS result/bad host expiry.
         0 disables expiry checks. (default: 300) -->
    <dnscache>300</dnscache>
  </check>

  <!-- Statistics -->
  <stats>
    <!-- file containing count of packets that went through.
         NOTE(review): the example path uses /var/jabberd2/, unlike the
         /var/run/jabberd2 and /var/log/jabberd2 paths active elsewhere in
         this file; adjust before enabling. -->
    <!--
    <packet>/var/jabberd2/stats/s2s.packets</packet>
    -->
  </stats>

  <lookup>
    <!-- SRV TCP services will be resolved in the following order. The first
         one that returns something will be used (ie dereferenced via an
         A/AAAA lookup). If no SRV records are found, resolver will
         fallback to a straight A/AAAA lookup. -->
    <!-- xmpp-server is mandated by the XMPP spec -->
    <srv>xmpp-server</srv>
    <!-- traditionally, jabber has been used -->
    <srv>jabber</srv>

    <!-- If this is enabled, the resolver will look up AAAA records as well
         as A records. This is needed if you want s2s to use IPv6.
         Connection attempts will be made to all IPv6 hosts before trying
         IPv4 (see bad host timeout below). -->
    <!--
    <resolve-ipv6/>
    -->

    <!-- Minimum time that DNS lookup results are cached (overrides max below). -->
    <min-ttl>30</min-ttl>

    <!-- Maximum time that DNS lookup results are cached. -->
    <max-ttl>86400</max-ttl>

    <!-- Time /etc/hosts lookup results are cached for (default: 86400). -->
    <etc-hosts-ttl>86400</etc-hosts-ttl>

    <!-- Minimum time to wait before using hosts that we have failed to
         establish a connection to (unless there are no alternatives).
         Do not set this too low - it is required to detect permanent
         problems like broken IPv6 connectivity in order to attempt IPv4.
         0 disables bad host caching. (default: 3600) -->
    <bad-host-timeout>3600</bad-host-timeout>

    <!-- Disable the DNS cache (negative caching will still be done).
         This is likely to negatively impact performance while saving
         a small amount of memory since multiple DNS requests must
         then be made for every re-connection. -->
    <!--
    <no-cache/>
    -->
  </lookup>

  <!-- If this is enabled, domains which share the same host will re-use
       existing outgoing connections. This is a potential security risk
       as the SSL connection from the first domain will be re-used too.
       NOTE(review): this is active (not commented out) in the packaged
       configuration despite the warning above, so whatever TLS checks
       were done for the first domain are presumably taken as covering the
       others sharing that host. Comment it out unless cross-domain
       connection reuse is actually needed. -->
  <out-conn-reuse/>

  <security>
    <!-- Require TLS secured S2S connections.
         NOTE(review): disabled here. A <pemfile> under <local> above is
         presumably a prerequisite for this to be usable - confirm. -->
    <!--
    <require_tls/>
    -->

    <!--
    Domain whitelisting: master switch. The <whitelist_domain> entries
    below presumably have no effect until this element is enabled.
    -->
    <!--
    <enable_whitelist/>
    -->

    <!-- Domain whitelisting
         When defined, only whitelisted domains are allowed to connect -->
    <!--
    <whitelist_domain>domain1.tld</whitelist_domain>
    <whitelist_domain>domain2.tld</whitelist_domain>
    <whitelist_domain>other.tld</whitelist_domain>
    -->
  </security>
</s2s>
<!--
vim: syntax=xml
-->