Hello. I am looking for someone to install openfire on my server, with all needed features, set up SSL, OMEMO support, configure Firewall, make everything as secure as possible using OpenFire and also make an installation tutorial with all steps done for my personal use, so I could do all that myself, when needed. If you are able to do all that, then please contact me and we will discuss a remuneration for this work. Thank You.
Luksias, OMEMO is client side, so you’ll need a client that supports it. The rest is easy enough. Some things to keep in mind in your scope…
Is this for internal use, or will it be accessible from the internet?
Will you be using LDAP/AD?
Will you want to use an external database like MySQL or MS SQL?
Since you mentioned SSL… Openfire creates a self-signed cert. If you'd like a trusted cert from a public CA, then you'll need to have an external domain.
Where do you want Openfire placed on the network? DMZ, LAN? Do you want to run a reverse proxy?
Hello. So Openfire should support OMEMO out of the box? If I use clients with OMEMO support it should just work?
The setup is for external use, to secure communication for an organisation, desktops and mobile.
Not sure if I need that LDAP/AD. Would you recommend implementing that for the setup that I need? Does that add more security? I'm not familiar with that.
I am using MariaDB - that seems to be set up all good.
SSL: Is there an actual difference for a simple user if you use a CA-approved certificate or not? Is the security level still the same, or not? I do have an external domain. The main domain is parked at a different server, but I have A records and SRV records done to point to the Openfire server, with the FQDN set as, for example, my.server.com. It seems to work.
Would you recommend reverse proxy?
Correct… OMEMO is E2E encryption, so it's client driven. It should work out of the box with Openfire.
ldap/ad might be considered if you already have it in your environment, and if you want to use a single login. If you don’t already have AD or LDAP, then there is no need to add it.
A cert from a 3rd party trusted CA is helpful if you want to federate your server with others. It will also (usually) prevent the certificate pop-ups on clients (similar to how web browsers do with self-signed certs).
Since your server will be internet facing, and there is no need to connect back to your LAN, putting it on the DMZ would be OK… no real need to run it through a reverse proxy.
Could you please list the things that need to be sorted/configured to have the most secure Openfire installation possible?
Also, I managed to test OMEMO messages from a mobile device to a browser, but I can't figure out how to encrypt group chat messages. Maybe you could help me here, please?
There is no such document or list that we can share. In general I would suggest enabling and enforcing TLS encryption for all connections (client and web admin). And maybe also using a firewall to limit the access (especially to the web admin part).
As we said, OMEMO is a client side feature. You should ask the developers of the clients you are using. As far as I remember, OMEMO can work in group chat only when all participants support it.
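As an added example (not from any poster in this thread, and not Openfire's own tooling), here is one way to apply the firewall advice above on a firewalld-based host: the XMPP ports stay reachable from the internet, while the admin console is only reachable from a named admin network. Port numbers are Openfire's defaults (5222 client-to-server, 5269 server-to-server, 9090/9091 admin console over HTTP/HTTPS); `ADMIN_NET` is a constructed placeholder, and the `openfire-admin` zone name and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example: a firewalld plan for an internet-facing Openfire host.
# ADMIN_NET is a constructed placeholder; replace it with the real source
# range your administrators connect from.
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"

# Print the firewall-cmd commands, one per line, without running them.
# Public zone: only the XMPP ports. A separate source-bound zone carries the
# HTTPS admin console; the plain-HTTP console port (9090) is never opened.
openfire_firewall_plan() {
    cat <<EOF
firewall-cmd --permanent --zone=public --add-port=5222/tcp
firewall-cmd --permanent --zone=public --add-port=5269/tcp
firewall-cmd --permanent --new-zone=openfire-admin
firewall-cmd --permanent --zone=openfire-admin --add-source=$ADMIN_NET
firewall-cmd --permanent --zone=openfire-admin --add-port=9091/tcp
firewall-cmd --reload
EOF
}

# Sanity check on the plan: neither admin console port may appear in the
# public zone. Returns 0 if the plan is clean, 1 otherwise.
plan_keeps_admin_private() {
    if openfire_firewall_plan | grep -E 'zone=public.*(9090|9091)/tcp' >/dev/null; then
        return 1
    fi
    return 0
}

# Execute the plan (needs root and a running firewalld).
# With --dry-run it only prints the commands it would run.
apply_openfire_firewall() {
    if [ "$1" = "--dry-run" ]; then
        openfire_firewall_plan
        return 0
    fi
    # The while loop runs in a subshell, so 'exit 1' only aborts the pipeline
    # and the function returns that failure status.
    openfire_firewall_plan | while IFS= read -r cmd; do
        sh -c "$cmd" || exit 1
    done
}
```

Run `apply_openfire_firewall --dry-run` first to review the commands; 5269 is only needed if the server federates with other XMPP domains, and if clients connect over BOSH or WebSocket the HTTPS HTTP-bind port (7443 by default) would have to be added to the public zone as well. Leaving the reject-by-default behaviour of the source-bound zone in place is what keeps 9091 off the public internet.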
Is it safer in some way to install OpenFire not as root user? Thank you!
If you mean installation on Linux, then you can run the install via the sudo command. Openfire will create a user openfire:openfire to run its daemon, so it won't be running as root. In the Windows case a service is running as the System user.
I use CentOS. I understand that I can do it with another user, but does that add security, or is there no difference really? Cheers.
I think there won't be much difference. The Openfire user is created only to run Openfire and should only have access to Openfire files.