From efec28ada7c798986b8b5e9fe4bf7f4327f5c77b Mon Sep 17 00:00:00 2001
From: Badlop
Date: Fri, 21 Mar 2008 16:17:37 +0000
Subject: [PATCH] * doc/guide.tex: Document s2s_default_policy and s2s_host (EJAB-575) * doc/guide.html: Likewise SVN Revision: 1246
---
ChangeLog | 6 ++++++
doc/guide.html | 12 ++++++++++++
doc/guide.tex | 12 ++++++++++++
3 files changed, 30 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index b36e509b3..cc71b9891 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2008-03-21 Badlop
+
+ * doc/guide.tex: Document s2s_default_policy and
+ s2s_host (EJAB-575)
+ * doc/guide.html: Likewise
+
2008-03-21 Christophe Romain * src/pam/epam.erl: Seek epam binary into priv/bin (EJAB-573)
diff --git a/doc/guide.html b/doc/guide.html
index 5acec86be..8a26e710d 100644
--- a/doc/guide.html
+++ b/doc/guide.html
@@ -709,6 +709,13 @@ use STARTTLS for s2s connections. file containing a SSL certificate.
{domain_certfile, Domain, Path}
Full path to the file containing the SSL certificate for a specific domain. +
{s2s_default_policy, allow|deny}
+The default policy for incoming and outgoing s2s connections to other Jabber servers. +The default value is allow. +
{{s2s_host, Host}, allow|deny}
+Defines if incoming and outgoing s2s connections with a specific remote host are allowed or denied. +This allows to restrict ejabberd to only stablish s2s connections +with a small list of trusted servers, or to block some specific servers.

For example, the following simple configuration defines:

  • There are three domains. The default certificate file is server.pem.
@@ -757,6 +764,8 @@ c2s connections are listened for on port 5222 and 5223 (SSL) and denied for the user called ‘bad’.
  • s2s connections are listened for on port 5269 with STARTTLS for secured traffic enabled.
+Incoming and outgoing connections of remote Jabber servers are denied,
+only two servers can connect: "jabber.example.org" and "example.com".
  • Port 5280 is serving the Web Admin and the HTTP Polling service. Note that it is also possible to serve them on different ports. The second example in section ?? shows how exactly this can be done.
@@ -815,6 +824,9 @@ connected to port 5237 with password ‘ggsecret’. }. {s2s_use_starttls, true}. {s2s_certfile, "/path/to/ssl.pem"}.
+ {s2s_default_policy, deny}.
+ {{s2s_host,"jabber.example.org"}, allow}.
+ {{s2s_host,"example.com"}, allow}.

    Note, that for jabberd 1.4- or WPJabber-based services you have to make the transports log and do XDB by themselves:

      <!--
    diff --git a/doc/guide.tex b/doc/guide.tex
    index faf378daa..a9e3ba809 100644
    --- a/doc/guide.tex
    +++ b/doc/guide.tex
    @@ -774,6 +774,13 @@ There are some additional global options:
       file containing a SSL certificate.
       \titem{\{domain\_certfile, Domain, Path\}} \ind{options!domain\_certfile}
       Full path to the file containing the SSL certificate for a specific domain.
    +  \titem{\{s2s\_default\_policy, allow|deny\}}
    +  The default policy for incoming and outgoing s2s connections to other Jabber servers.
    +  The default value is \term{allow}.
    +  \titem{\{\{s2s\_host, Host\}, allow|deny\}}
    +  Defines if incoming and outgoing s2s connections with a specific remote host are allowed or denied.
    +  This allows to restrict ejabberd to only stablish s2s connections 
    +  with a small list of trusted servers, or to block some specific servers.
     \end{description}
     
     For example, the following simple configuration defines:
    @@ -828,6 +835,8 @@ In this example, the following configuration defines that:
       for the user called `\term{bad}'.
     \item s2s connections are listened for on port 5269 with STARTTLS for secured
       traffic enabled.
    +  Incoming and outgoing connections of remote Jabber servers are denied,
    +  only two servers can connect: "jabber.example.org" and "example.com".
     \item Port 5280 is serving the Web Admin and the HTTP Polling service. Note
       that it is also possible to serve them on different ports. The second
       example in section~\ref{webinterface} shows how exactly this can be done.
    @@ -888,6 +897,9 @@ In this example, the following configuration defines that:
       }.
       {s2s_use_starttls, true}.
       {s2s_certfile, "/path/to/ssl.pem"}.
    +  {s2s_default_policy, deny}.
    +  {{s2s_host,"jabber.example.org"}, allow}.
    +  {{s2s_host,"example.com"}, allow}.
     \end{verbatim}
     Note, that for \ind{jabberd 1.4}jabberd 1.4- or \ind{WPJabber}WPJabber-based
     services you have to make the transports log and do \ind{XDB}XDB by themselves: