Monday, August 06, 2007

Build Your Own IM Server with Jabber

Instant messaging is a great business communications tool. For example, here at Enterprise Networking Planet the staff and writers all work in their pajamas at home, at far-flung points all over the globe. ENP's crusty editor-with-a-heart-of-gold Perry White lives in a villa in the South of France. I send in my columns from a sailboat currently anchored at Raratonga. Sure, we can exchange emails, but there are times when a live exchange is better. *

Jabberd 2, the Open Source IM Server

You can throttle bandwidth, limit the number of concurrent users, host multiple virtual domains, and send inspirational broadcast messages to all users. To sum up, it's a pretty nice package.
If you drop in to Instant Messaging Planet you'll see dozens of IM servers listed, with all kinds of features and price tags. And you'll find all kinds of great information about the industry and how IM is used. Some products even transmit streaming video and sound. Jabberd 2 is not concerned with features like that. All it does is transmit live text messages between two people. It runs on many Unix variants and Windows (though Windows support is still experimental), and it serves clients on any platform. It is licensed under the GPL, and it is free of cost.
Don't confuse Jabberd 2 with Jabber. Jabber is a set of streaming XML protocols and technologies; it is the codebase from which all manner of IM servers and clients are built.
Jabberd 2 is fairly easy to set up and maintain, but Jabberd 2 binary distributions aren't common, so this article will run through a source install on a Linux server. First install the following programs. If you install them from packages, be sure to also fetch their associated dev or devel packages:
  • OpenSSL version 0.9.6b or higher
  • Berkeley DB version 4.1.24 or higher
  • Libidn version 0.3.0 or higher
You may also elect to use MySQL or PostgreSQL for your data store. This article shows how to use the Berkeley DB for the data store because it is the simplest, and it works fine for small private servers with a few users. For larger numbers of users and better security you'll want MySQL or PostgreSQL.

Setting Up The Jabberd 2 Server

Task number one is creating a "jabber" user and group:
# groupadd jabber
# useradd -g jabber jabber
Jabberd 2 needs its own logfile and file to store PIDs (process identifiers.) If you don't create a separate logfile, it will dump everything into the syslog.
# mkdir -p /usr/local/var/jabberd/pid/
# chown -R jabber:jabber /usr/local/var/jabberd/pid/
# mkdir -p /usr/local/var/jabberd/log/
# chown -R jabber:jabber /usr/local/var/jabberd/log

Unpack, Configure, And Install

The default installation directory is /usr/local. This can be changed with the usual ./configure options; run ./configure --help to see them. Then do the usual download, unpack, configure, make, and make install procedure. In this example the configuration options put Jabberd's configuration files in /etc/jabberd, enable Libidn, OpenSSL, Berkeley DB, and disable MySQL support:
$ tar zxvf jabberd-2.0s6.tar.gz
$ cd jabberd-2.0s6
$ ./configure --sysconfdir=/etc/jabberd --enable-idn --enable-ssl enable-db --disable-mysql
$ make
# make install
Now you should change ownership and permissions on /etc/jabberd/. These files contain passwords, so they need to be writable only by root, and readable only by members of the jabber group:
# chown root:jabber /etc/jabberd/
# chmod -R 640 /etc/jabberd/


The server hostname must be set in both /etc/jabberd/c2s.xml and /etc/jabberd/sm.xml. (You do have name resolution working, don't you?) You can get away with using the just the hostname for LAN use only; for remote access the fully-qualified domain name is necessary. A plain old static, routable IP will work as well. In c2s.xml look for
<!-- Local network configuration -->
In sm.xml, look for the ID line under <!-- Session manager configuration -->.
Next, create the /usr/local/var/jabberd/db directory to hold your Berkeley DB data store, and chown it to the jabber user and group. Then edit two entries in c2s.xml. The first one is
<!-- Authentication/registration database configuration -->
<!-- Backend module to use -->
For the second, verify that the filepath to your database store is correct:
<!-- Berkeley DB module configuration -->
<!-- Directory to store database files under -->

Test The Server

And now, the moment of truth. Fire it up and connect with the Jabber-capable IM client of your choice:
jabber@windbag:~# /usr/local/bin/jabberd
Your account name is; or, hopefully you are using more sensible names. What clients are supported? Literally hundreds for Linux, Windows, MacOS, and other platforms. See Jabber :: Software :: Clients for a list.
Public registration is enabled by default, so anyone who knows your server address can register an account. For LAN use, or for a few selected remote users, you can set up simple network access controls in c2s.xml. For example, this restricts access to a single local subnet only, plus a single remote IP:
<allow ip='' mask=''/>
<allow ip='' mask=''/>
<allow ip=''/>

Managing Users

There are no tools for adding or removing users from the Berkeley DB data store. If you wish to disable public registration, control user access, and have the ability to add and delete users, use MySQL or PostgreSQL. There are no Jabberd 2 tools for removing or adding users, you'll use the standard MySQL/Postgre tools. See the Jabberd 2 Installation and Administration Guide for instructions on using these.

Starting And Stopping

Be sure to run Jabberd 2 only as the jabber user -- never as root. Running any service as root is a big security risk. And it will initialize the Berkeley DB as root, so the jabber user will be unable to write to it. Which means nothing will work.
Stopping jabberd means stopping these five processes: router, resolver, sm, c2s, and s2s. Manually stopping and starting becomes tedious; look in Appendix A.8 for instructions on downloading and customizing an RC startup file. Appendix A.9 describes how to use daemontools in place of an RC file. Daemontools is the better choice for keeping it running and recovering from interruptions.
Because this is a simple private Linux text messaging server, you will avoid most of the usual nasties found in Windows instant messaging. However, wise admins are always cautious- pay careful attention to file permissions and user access, and watch your logs for signs of malicious activity.
Don't forget these IM ports when you're configuring your firewall:
  • port 5222, non-SSL client
  • port 5223, SSL client
  • port 5269, server-to-server

More Features

Jabberd 2 supports encrypted transport via OpenSSL. See chapter 5.2. "Configuring Jabberd 2 for SSL Connections" of the Administration Guide for instructions. You may configure your server to accept both cleartext and SSL connections, or you may require SSL.
You can throttle bandwidth, limit the number of concurrent users, host multiple virtual domains, and send inspirational broadcast messages to all users. To sum up, it's a pretty nice package.


  • Jabberd Project
  • Instant Messaging Planet Security page

  • Got a little couch potato?
    Check out fun summer activities for kids.


    Randal L. Schwartz said...

    What’s “postgre”? If you mean PostgreSQL, that’s pronounced “post gres cue ell”, which is usually shortened to “post gres” and hence “postgres”, not “postgre”.

    FERRYE said...