How to disable server-to-server (s2s)?

Michael Hackett

Feb 28, 2010, 2:58:27 PM
to Prosody IM Users
Hello, kind Prosody developers and users! I have what I hope is a
simple question, but one to which I haven't yet found an answer.

I have set up a Prosody server for our organization that I want to be
isolated and protected. I don't want the content passing through other
networks and I don't want others outside the company to be able to
read the message traffic from our server. I think this is a reasonable
goal (and the main reason I decided to set up our own server rather
than just use Google Talk), but please correct me if I'm wrong.

Assuming this is all good, my question is: How do I stop Prosody from
trying to connect to other servers? It won't get a response, since the
s2s port is blocked, but I'd like to just turn it off. I disabled the
'dialback' module, but I'm still seeing the following in the log after
a user connects:

Feb 28 15:37:20 s2sout82a1488 info Beginning new connection attempt to proxy.eu.jabber.org (208.68.163.220:5269)
Feb 28 15:38:20 s2sout82a1488 warn Destroying incomplete session mysite.com->proxy.eu.jabber.org due to inactivity
Feb 28 15:38:20 s2sout82a1488 info Disconnecting mysite.com[s2sout_unauthed], <stream:error> is: connection-timeout
Feb 28 15:38:20 s2sout82a1488 info Out of connection options, can't connect to proxy.eu.jabber.org
Feb 28 15:38:20 s2sout82a1488 info s2s disconnected: mysite.com->proxy.eu.jabber.org (stream error)
Feb 28 15:38:20 s2sout82a1488 info Destroying outgoing session mysite.com->proxy.eu.jabber.org
Feb 28 15:38:20 s2sout82a1488 info sending error replies for 1 queued stanzas because of failed outgoing connection to proxy.eu.jabber.org


Any assistance would be much appreciated. Setting up Prosody has been
a really good experience so far -- great work! If I can just close off
this hole, and answer one other question (in a separate message),
we'll be all set to go!

Cheers,
-- Michael

Matthew Wild

Feb 28, 2010, 3:14:32 PM
to prosod...@googlegroups.com
Hi Michael,

On 28 February 2010 19:58, Michael Hackett <mhac...@kanayo.com> wrote:
> Hello, kind Prosody developers and users! I have what I hope is a
> simple question, but one to which I haven't yet found an answer.
>
> I have set up a Prosody server for our organization that I want to be
> isolated and protected. I don't want the content passing through other
> networks and I don't want others outside the company to be able to
> read the message traffic from our server. I think this is a reasonable
> goal (and the main reason I decided to set up our own server rather
> than just use Google Talk), but please correct me if I'm wrong.
>

Nope, this is an excellent plan. It really irks me when I see
organisations using 3rd-party instant messaging. Having full control
of it (and being able to use shared-rosters, logging and other
policies etc.) is a much better plan.

> Assuming this is all good, my question is: How do I stop Prosody from
> trying to connect to other servers?


Hopefully the solution is simple, put into your config file (under
Host "*" if you want it to apply to all hosts):

disallow_s2s = true

Hope this helps and you enjoy using Prosody :)
Matthew

Michael Hackett

Feb 28, 2010, 7:00:13 PM
to prosod...@googlegroups.com
On 28 February 2010 16:14, Matthew Wild <mwi...@gmail.com> wrote:
> On 28 February 2010 19:58, Michael Hackett <mhac...@kanayo.com> wrote:
>> [...] How do I stop Prosody from
>> trying to connect to other servers?
>
> Hopefully the solution is simple, put into your config file (under
> Host "*" if you want it to apply to all hosts):
>
>   disallow_s2s = true
>
> Hope this helps and you enjoy using Prosody :)
> Matthew

Perfect! Very simple, indeed. Thanks, Matthew!

Matthew Wild

Apr 25, 2013, 12:35:46 PM
to Prosody IM Users Group
Hi,

On 25 April 2013 17:03, David Hjelle <dahj...@gmail.com> wrote:
> Hi!
>
> I'm running prosody 0.8.2. I tried putting
>
> disallow_s2s = true
>
> in the config file, both in the general section and under the appropriate
> virtual host, but it seems to still be registering a connection listener for
> s2s communications.

Yes, this is expected. disallow_s2s is a high-level option, and works
per-host. It doesn't have any control over the lower levels, such as
networking.

If you want to disable s2s for the whole server, set disallow_s2s in
the global section, and separately disable binding the port with:

s2s_ports = {} -- i.e. an empty list

For the next version we have made s2s itself a plugin, which means if
no virtual host is using it then it won't get loaded and thus no port
will be opened :)

Regards,
Matthew
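
An added example, not part of the thread and not Prosody's own code: a small Python audit that checks a config file for both settings described in the reply above (disallow_s2s in effect for every host, and s2s_ports set to an empty list). The sample config and host names are constructed, the parser is a line-based approximation of the Lua config format, and it assumes a per-host disallow_s2s value overrides the global one.

```python
import re

# Constructed sample config (not from the thread): s2s is disallowed globally,
# but one host re-enables it and the s2s port is still bound.
SAMPLE_CONFIG = '''
disallow_s2s = true
-- s2s_ports = {}   (commented out, so the port is still bound)

VirtualHost "im.example.com"

VirtualHost "partners.example.com"
    disallow_s2s = false
'''

SECTION = re.compile(r'^(?:VirtualHost|Host|Component)\s+"([^"]+)"')
OPTION = re.compile(r'^(disallow_s2s|s2s_ports)\s*=\s*(.+?)\s*;?$')

def audit_s2s(config_text):
    """Return a list of findings; an empty list means both settings are in place."""
    section = "*"                 # options before the first host are global
    opts = {"*": {}}              # Host "*" also maps to the global section
    for raw in config_text.splitlines():
        line = raw.split("--", 1)[0].strip()   # drop Lua line comments
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            opts.setdefault(section, {})
            continue
        m = OPTION.match(line)
        if m:
            opts[section][m.group(1)] = m.group(2).replace(" ", "")
    global_off = opts["*"].get("disallow_s2s") == "true"
    findings = []
    for host, o in opts.items():
        if host == "*":
            continue
        value = o.get("disallow_s2s")
        # Assumption: a per-host value overrides the inherited global one.
        effective = global_off if value is None else value == "true"
        if not effective:
            findings.append(f"{host}: s2s still allowed")
    if opts["*"].get("s2s_ports") != "{}":
        findings.append("global: s2s_ports is not {}, port still bound")
    return findings

if __name__ == "__main__":
    for finding in audit_s2s(SAMPLE_CONFIG):
        print(finding)
```
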

David Hjelle

Apr 25, 2013, 12:40:37 PM
to prosod...@googlegroups.com
Awesome—thank you!