The purpose is two-fold:
- To simplify the example config.
- To avoid old TLS configuration to be persistent across
server updates: this might bring security problems, because
what's considered "modern" now might be insecure in the future.
Specify a larger 'max_stanza_size' limit for c2s connections in the
default configuration in order to reduce the risk of this limit being
hit by legitimate traffic (such as avatar uploads).
Specify a 'max_stanza_size' limit for incoming s2s connections in the
example configuration, but use a relatively large value in order to
minimize the risk of this limit being hit by legitimate traffic.
After some discussion with the community it was decided to
clean the configuration file from excessive comments and
explicitly configured default values. Also, mod_mam and
mod_http_upload have been added.
The rationale for this is to have a clean and not bloated
configuration file which doesn't scare away newcomers and
which has all features from the Compliance Suite 2018 (XEP-0387)
enabled by default.
For further configuration an admin is encouraged to read the
documentation at https://docs.ejabberd.im/admin/configuration
Even if no suitable C graphics libraries are detected
at compile time, the package is still usable because it
provides `eimp:get_type/1` which is used by mod_avatar.
1. Add a request handler in ejabberd_http and explain how to configure the http listener so that the challenges can be solved.
2. Make acme configuration optional by providing defaults in ejabberd_acme.
3. Save the CA that the account has been created in so that it creates a new account when connecting to a new CA.
4. Small spec change in acme configuration.
The option is supposed to replace existing options 'c2s_certfile',
's2s_certfile' and 'domain_certfile'. The option accepts a list
of file paths (optionally with wildcards "*") containing either
PEM certificates or PEM private keys. At startup, ejabberd sorts
the certificates, finds matching private keys and rebuilds full
certificates chains which can be used by fast_tls. Example:
certfiles:
- "/etc/letsencrypt/live/example.org/*.pem"
- "/etc/letsencrypt/live/example.com/*.pem"