Block users not on roster

I’ve looked all through the various filter plug-ins & I cannot find anywhere a way to make it so that external users (i.e. Google Talk users) cannot send messages or add-user requests to our users without our users first adding them to their list.

This is a huge security issue if you wish to run an environment where users can chat with external users from other jabber services but have it so that other jabber services can’t be used to send spam to your users.

Any help here?

Hi Hez,

XMPP allows the use of privacy lists. If you are using Spark you must enable the XMPP Debugger before you log in, then you can create a privacy list. So it may be a pain for every user to manage a privacy list using the XMPP Debugger if you are using Spark.

If you have only a few experienced users you may take a look at http://www.igniterealtime.org/community/docs/DOC-1036 - creating and maintaining lists is not very hard. Something like this should work:

    • order 1: allow your domain my_company.com
    • order 2…99: allow friendly users
    • order 100: deny everything else

    <iq type='set' id='privacy1'>
      <query xmlns='jabber:iq:privacy'>
        <list name='foo'>
          <item type='jid' value='my_company.com' action='allow' order='1'/>
          <item type='jid' value='external@other_company.com' action='allow' order='2'/>
          <item action='deny' order='100'/>
        </list>
      </query>
    </iq>

http://www.igniterealtime.org/projects/openfire/plugins/packetfilter/readme.html could be an option. Anyhow you must manage the lists.

LG
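To see how a server evaluates such a list, here is an added example (not from the thread or from Openfire): it parses the privacy list above and applies XEP-0016 ordering and `jid` matching to sample sender JIDs. The stanza and JIDs are constructed placeholders; only `jid`-type items are evaluated.

```python
"""Evaluate an XMPP privacy list (XEP-0016) against sender JIDs."""
import xml.etree.ElementTree as ET

NS = "jabber:iq:privacy"

# Constructed stanza mirroring the thread's list: allow own domain, allow
# one external contact, deny everything else. Domains are placeholders.
PRIVACY_LIST_XML = f"""
<iq type='set' id='privacy1'>
  <query xmlns='{NS}'>
    <list name='foo'>
      <item type='jid' value='my_company.com' action='allow' order='1'/>
      <item type='jid' value='external@other_company.com' action='allow' order='2'/>
      <item action='deny' order='100'/>
    </list>
  </query>
</iq>"""


def parse_items(stanza_xml):
    """Return the list's items as attribute dicts, sorted by 'order'."""
    root = ET.fromstring(stanza_xml.strip())
    items = root.findall(f"{{{NS}}}query/{{{NS}}}list/{{{NS}}}item")
    return sorted((dict(i.attrib) for i in items), key=lambda a: int(a["order"]))


def split_jid(jid):
    """Split 'node@domain/resource' into its parts; node/resource may be empty."""
    node, sep, rest = jid.partition("@")
    if not sep:
        node, rest = "", jid
    domain, _, resource = rest.partition("/")
    return node, domain, resource


def jid_matches(pattern, jid):
    """XEP-0016 'jid' matching: a bare domain covers every user on it,
    a bare JID covers every resource, a full JID matches only itself."""
    pnode, pdomain, pres = split_jid(pattern)
    node, domain, res = split_jid(jid)
    if pdomain != domain or (pnode and pnode != node):
        return False
    return not pres or pres == res


def decide(items, sender_jid):
    """First matching item wins; an item with no 'type' matches everyone.
    If nothing matches, XEP-0016 says the stanza is allowed. Items of
    type 'subscription' or 'group' are not evaluated in this example."""
    for it in items:
        if "type" not in it or (it["type"] == "jid" and jid_matches(it["value"], sender_jid)):
            return it["action"]
    return "allow"
```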

Hez,

A couple of things you can do: one is to only allow traffic from your local domain to your local domain. The rules would be something like:

allow any from *@mydomain to *@mydomain

drop to any from any

Then you can do any special case rules (the external users you want in) between those two rules.

Hope that helps,

Nate

Yeah, I’m aware of solutions to block all & what can be done client side but I need something server side. I’m just looking for some sort of filter that prevents messages being sent to people by an account not on their roster (& I need it server side).

We have 1 or 2 bigwigs who don’t want people to be able to send them direct messages without first being on their list, especially from a Google account.

I played around with the subscription plug-in but it isn’t quite flexible enough because it basically auto accepts or completely rejects subscription requests (& this still doesn’t block direct messages).

I can set up ACLs to strictly manage their traffic, but then any time they want to add someone I have to do it for them.

They are all using iChat by the way.