Build Your Own IM Server with Jabber
More enterprise users are discovering instant messaging every day. With Jabber, you can build your own private IM server for the cost of hardware. Here's how with Linux.
Instant messaging is a great business communications tool. For example, here at Enterprise Networking Planet the staff and writers all work in their pajamas at home, at far-flung points all over the globe. ENP's crusty editor-with-a-heart-of-gold Perry White lives in a villa in the South of France. I send in my columns from a sailboat currently anchored at Raratonga. Sure, we can exchange emails, but there are times when a live exchange is better. *
Jabberd 2, the Open Source IM Server
Don't confuse Jabberd 2 with Jabber. Jabber is a set of streaming XML protocols and technologies; it is the codebase from which all manner of IM servers and clients are built.
Jabberd 2 is fairly easy to set up and maintain, but Jabberd 2 binary distributions aren't common, so this article will run through a source install on a Linux server. First install the following programs. If you install them from packages, be sure to also fetch their associated dev or devel packages:
- OpenSSL version 0.9.6b or higher
- Berkeley DB version 4.1.24 or higher
- Libidn version 0.3.0 or higher
You may also elect to use MySQL or PostgreSQL for your data store. This article shows how to use the Berkeley DB for the data store because it is the simplest, and it works fine for small private servers with a few users. For larger numbers of users and better security you'll want MySQL or PostgreSQL.
Setting Up The Jabberd 2 Server
Task number one is creating a "jabber" user and group:
# groupadd jabber
# useradd -g jabber jabber
Jabberd 2 needs its own logfile and file to store PIDs (process identifiers.) If you don't create a separate logfile, it will dump everything into the syslog.
# mkdir -p /usr/local/var/jabberd/pid/
# chown -R jabber:jabber /usr/local/var/jabberd/pid/
# mkdir -p /usr/local/var/jabberd/log/
# chown -R jabber:jabber /usr/local/var/jabberd/log
Unpack, Configure, And Install
The default installation directory is /usr/local. This can be changed with the usual ./configure options; run ./configure --help to see them. Then do the usual download, unpack, configure, make, and make install procedure. In this example the configuration options put Jabberd's configuration files in /etc/jabberd, enable Libidn, OpenSSL, Berkeley DB, and disable MySQL support:
$ tar zxvf jabberd-2.0s6.tar.gz
$ cd jabberd-2.0s6
$ ./configure --sysconfdir=/etc/jabberd --enable-idn --enable-ssl enable-db --disable-mysql
# make install
Now you should change ownership and permissions on /etc/jabberd/. These files contain passwords, so they need to be writable only by root, and readable only by members of the jabber group:
# chown root:jabber /etc/jabberd/
# chmod -R 640 /etc/jabberd/
The server hostname must be set in both /etc/jabberd/c2s.xml and /etc/jabberd/sm.xml. (You do have name resolution working, don't you?) You can get away with using the just the hostname for LAN use only; for remote access the fully-qualified domain name is necessary. A plain old static, routable IP will work as well. In c2s.xml look for
<!-- Local network configuration -->
In sm.xml, look for the ID line under <!-- Session manager configuration -->.
Next, create the /usr/local/var/jabberd/db directory to hold your Berkeley DB data store, and chown it to the jabber user and group. Then edit two entries in c2s.xml. The first one is
<!-- Authentication/registration database configuration -->
<!-- Backend module to use -->
For the second, verify that the filepath to your database store is correct:
<!-- Berkeley DB module configuration -->
<!-- Directory to store database files under -->
Test The Server
And now, the moment of truth. Fire it up and connect with the Jabber-capable IM client of your choice:
Your account name is firstname.lastname@example.org; or, hopefully you are using more sensible names. What clients are supported? Literally hundreds for Linux, Windows, MacOS, and other platforms. See Jabber :: Software :: Clients for a list.
Public registration is enabled by default, so anyone who knows your server address can register an account. For LAN use, or for a few selected remote users, you can set up simple network access controls in c2s.xml. For example, this restricts access to a single local subnet only, plus a single remote IP:
<allow ip='127.0.0.0' mask='255.0.0.0'/>
<allow ip='192.168.1.0' mask='255.255.255.0'/>
There are no tools for adding or removing users from the Berkeley DB data store. If you wish to disable public registration, control user access, and have the ability to add and delete users, use MySQL or PostgreSQL. There are no Jabberd 2 tools for removing or adding users, you'll use the standard MySQL/Postgre tools. See the Jabberd 2 Installation and Administration Guide for instructions on using these.
Starting And Stopping
Be sure to run Jabberd 2 only as the jabber user -- never as root. Running any service as root is a big security risk. And it will initialize the Berkeley DB as root, so the jabber user will be unable to write to it. Which means nothing will work.
Stopping jabberd means stopping these five processes: router, resolver, sm, c2s, and s2s. Manually stopping and starting becomes tedious; look in Appendix A.8 for instructions on downloading and customizing an RC startup file. Appendix A.9 describes how to use daemontools in place of an RC file. Daemontools is the better choice for keeping it running and recovering from interruptions.
Because this is a simple private Linux text messaging server, you will avoid most of the usual nasties found in Windows instant messaging. However, wise admins are always cautious- pay careful attention to file permissions and user access, and watch your logs for signs of malicious activity.
Don't forget these IM ports when you're configuring your firewall:
- port 5222, non-SSL client
- port 5223, SSL client
- port 5269, server-to-server
Jabberd 2 supports encrypted transport via OpenSSL. See chapter 5.2. "Configuring Jabberd 2 for SSL Connections" of the Administration Guide for instructions. You may configure your server to accept both cleartext and SSL connections, or you may require SSL.
You can throttle bandwidth, limit the number of concurrent users, host multiple virtual domains, and send inspirational broadcast messages to all users. To sum up, it's a pretty nice package.
* The first sentence is true.