Professional Secure Installation

There is no such document or list that we can share. In general I would suggest enabling and enforcing TLS encryption for all connections (client and web admin). And maybe also using a firewall to limit access (especially to the web admin part).

As we said, OMEMO is a client-side feature. You should ask the developers of the clients you are using. As far as I remember, OMEMO can work in group chat only when all participants support it.

Is it safer in some way to install OpenFire not as root user? Thank you!

If you mean installation on Linux, then you can run the install via the sudo command. Openfire will create a user openfire:openfire to run its daemon, so it won’t be running as root. In the Windows case the service runs as the System user.

I use CentOS. I understand that I can do it with another user, but does that add security, or is there no difference really? Cheers.

I think there won’t be much difference. The openfire user is created only to run Openfire and should only have access to Openfire files.

A post was split to a new topic: OMEMO issues with various clients

Hi guys. The new question is: what do you guys use for the FQDN and for the main domain on your servers? What is the best setup DNS-wise?
I currently have the domain parked on another server, and pointed an A record to the XMPP server and also added the SRV records that Openfire requested. Is that the best way to do this? How do you set it up?

Also I was looking for some simple explanation of how to install SSL certificates via the admin panel, but could not find any. Could someone guide me through this process? Where do I get a signing key, which I need to provide to a CA to get a signed certificate? Please assist.
I read a bit about certbot, but I’m still confused about how certbot gets the info it needs to retrieve a certificate. Do I need to provide Let’s Encrypt with any info, or does certbot do all the work, finding domains that need certificates?
Also, which certbot do I need for my Openfire server? Standalone?

Thanks!

Nothing?

I like to set things up like you would email. So my XMPP domain would be mydomain.com. This would make the JID (user) look like speedy@mydomain.com

Then you’d make an A record like xmpp.mydomain.com.

Next, create your SRV record that points to the newly created A record.

If you want to use a public CA, then get it for xmpp.mydomain.com, as the root domain should also be covered.

I don’t recall how to create the CSR or if Openfire does that… it might have to be done via Java tooling… I can check tomorrow when I’m at work.

I don’t have experience with Let’s Encrypt… so I can’t help you there.

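The three steps speedy lists (XMPP domain at the apex, an A record for the host clients connect to, SRV records pointing at that A record) can be checked mechanically. The script below is an added example, not from this thread or from Openfire: it parses a constructed zone file (the names and the 203.0.113.x addresses are placeholders) and verifies that each XMPP SRV record exists, advertises the expected port (5222 for clients, 5269 for server-to-server) and targets a name that has an address record rather than a CNAME, which RFC 2782 forbids as an SRV target. The second zone shows the failure case.

```shell
#!/bin/sh
# Added example (not from the thread or from Openfire): check that a zone
# implements the layout described above. Zone text, names and addresses are
# constructed placeholders; 5222/5269 are the standard XMPP client/server ports.

ZONE=$(cat <<'EOF'
; XMPP domain is mydomain.com (JIDs look like user@mydomain.com). The apex A
; record can point at the web host; clients connect to xmpp.mydomain.com.
mydomain.com.                    IN A     203.0.113.10
www.mydomain.com.                IN A     203.0.113.10
xmpp.mydomain.com.               IN A     203.0.113.20
_xmpp-client._tcp.mydomain.com.  IN SRV   0 5 5222 xmpp.mydomain.com.
_xmpp-server._tcp.mydomain.com.  IN SRV   0 5 5269 xmpp.mydomain.com.
EOF
)

# Same domain, but the SRV target is an alias. RFC 2782 requires the target
# to be a name with address records, so this must be flagged.
BAD_ZONE=$(cat <<'EOF'
mydomain.com.                    IN A     203.0.113.10
xmpp.mydomain.com.               IN A     203.0.113.20
chat.mydomain.com.               IN CNAME xmpp.mydomain.com.
_xmpp-client._tcp.mydomain.com.  IN SRV   0 5 5222 chat.mydomain.com.
EOF
)

# Print "priority weight port target" of the SRV record for _<service>._tcp.<domain>.
srv_record() {   # $1 zone text, $2 domain, $3 service (xmpp-client or xmpp-server)
    printf '%s\n' "$1" | awk -v name="_$3._tcp.$2." \
        '$1 == name && $3 == "SRV" { print $4, $5, $6, $7; exit }'
}

# Succeed if <name> (with trailing dot) has a record of the given type.
has_record() {   # $1 zone text, $2 fqdn, $3 type (A, AAAA, CNAME, ...)
    printf '%s\n' "$1" | awk -v name="$2" -v type="$3" \
        '$1 == name && $3 == type { found = 1 } END { exit found ? 0 : 1 }'
}

# Verify the SRV record exists, advertises the expected port, and points at a
# host name that resolves directly (A or AAAA, not CNAME). Non-zero on failure.
check_xmpp_srv() {   # $1 zone text, $2 domain, $3 service, $4 expected port
    zone=$1; domain=$2; service=$3; port=$4
    rec=$(srv_record "$zone" "$domain" "$service")
    if [ -z "$rec" ]; then
        echo "FAIL: no SRV record for _$service._tcp.$domain"; return 1
    fi
    set -- $rec                       # $1 prio, $2 weight, $3 port, $4 target
    if [ "$3" != "$port" ]; then
        echo "FAIL: _$service._tcp.$domain advertises port $3, expected $port"; return 1
    fi
    if has_record "$zone" "$4" CNAME; then
        echo "FAIL: SRV target $4 is a CNAME; point the SRV at the A record's name"; return 1
    fi
    if ! has_record "$zone" "$4" A && ! has_record "$zone" "$4" AAAA; then
        echo "FAIL: SRV target $4 has no A/AAAA record"; return 1
    fi
    echo "ok: _$service._tcp.$domain -> $4:$3"
}

check_xmpp_srv "$ZONE" mydomain.com xmpp-client 5222
check_xmpp_srv "$ZONE" mydomain.com xmpp-server 5269
check_xmpp_srv "$BAD_ZONE" mydomain.com xmpp-client 5222 || true
```

Against a live zone you would feed the output of `dig +noall +answer` for the same names into the functions instead of the heredoc; the checks are the same.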

Thanks speedy. I guess this is the exact DNS setup I have now, and it seems to work OK.
I will try to investigate that Let’s Encrypt business a bit more myself when I find a bit more time too. Sad that there is no clear documentation on how to do everything. :) Cheers!

There is some documentation here: Openfire: TLS Guide, although it is a bit outdated. When there are so few developers and they don’t have much time to code, documentation is usually the thing that lags behind the most. I will try to add a few newer bits to that document later. In my job I work with a system which costs a pile of money, and in their documentation they don’t cover how to generate private keys, CSRs, etc. Their support told me it’s your job to know how to do such things :)

I think you can also use OpenSSL to generate a private key and CSR. It doesn’t have to be keytool. There is also a new plugin, Certificate Manager, which allows you to set up a hotplug folder to add new certificates dynamically (say from the Let’s Encrypt bot).

This is hard to cover in a single document (all the possible options).

Hi wroot. I was doing some work manually trying to install an SSL certificate. I came to the point where I had to do a chown command to change ownership of the certificates for Openfire to be able to read and use them, but when I did this chown openfire … I got this:
chown: invalid user: ‘openfire’

Then I checked the user list:

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
mysql:x:997:995:MySQL server:/var/lib/mysql:/sbin/nologin

I don’t see any openfire user. You mentioned that it gets created automatically. What do I do at this point? Thanks!

I’ve also been trying to install SSL. I have got certbot, which installed a certificate into the server for the FQDN of the server (my.domain.com). I was not able to install one for the XMPP server name (domain.com), because it is pointing to a different IP address (as discussed before). Then I copied those files to the hotdeploy directory, and changed their names to the full domain name of the certificate, e.g. my.domain.com.cert and my.domain.com.key

changed the owner to daemon (I assume this is the user in charge of Openfire, since there is no other user created for Openfire to run as), and chmod’ed them to 400. I got this now:

total 8
-r-------- 1 daemon root 3554 Aug 26 13:10 my.domain.com.cert
-r-------- 1 daemon root 1708 Aug 26 13:09 my.domain.com.key

Nothing got deployed or installed…

I was thinking that maybe the hotdeploy option does not work? Then I copied the .key and .cert contents into the manual “Import Private Key and Certificate” form on the Openfire administration page, and tried to import that way, and I got:
“There was an error while trying to import the private key and signed certificate. Internal server error: The supplied certificate chain does not cover the domain of this XMPP service.”

What’s my next move? I guess this SRV record thing is not really working if you want a certificate that covers the subdomain and the domain name.
Any suggestions?

It is possible that this openfire user doesn’t have a password. I haven’t tried to log in with it. When doing the chown command use openfire:openfire, as you must also specify a group, as far as I remember.

Can’t help with certificates. I have only used self-signed ones and never hosted Openfire on the internet. I think the SRV record is only meant to solve networking/DNS issues, not to make a certificate issued for a different domain work. Unless I misunderstood and you actually have a cert issued for domain.com, which is also your XMPP domain. If so, then maybe someone with more experience can comment on that.

I tried with openfire:openfire, and got this:
chown: invalid user: ‘openfire:openfire’

Even on my admin panel it says:
“OS Process Owner: daemon”. Can anyone else confirm that Openfire automatically creates the user “openfire” to run the Openfire service?

At this point I have a subdomain my.domain.com pointed to the XMPP server IP, but the main domain itself (domain.com) is parked on another server. The SRV records worked fine up to this point. There must be some way to solve this? Or is the only way to point the domain A record to the XMPP server too? In that case I won’t be able to set up a website on the same domain name…

I found something else. It seems that there is no user created to run Openfire after installation. The default user seems to be daemon. I found these lines in /etc/sysconfig/openfire:

#If there is a different user you would like to run openfire as,
#change the following line.
#OPENFIRE_USER="daemon"

Did we miss something somewhere?

Also, I tried changing this entry in this file, but I could not start Openfire after that. I assume it’s because of all the permissions etc. Would you confirm that for me, please?

Thanks

I haven’t played with the rpm version a lot, maybe it uses a different mechanism, but when I install the deb version on Ubuntu and run sudo ls -l /usr/share/openfire it shows openfire openfire as the owner of all files and folders.

Your users log in as user@domain.com, not as user@my.domain.com, so the certificate must cover domain.com. You can have different services on one domain name, like website and email. XMPP uses 5222, the website will use 8080 or 443. I think it should work. Or change your XMPP domain to my.domain.com.

On my CentOS 7 server all Openfire files are daemon daemon.

The problem with the SRV-record way of running an XMPP server is that I cannot get a certificate with certbot from Let’s Encrypt, since the main domain is pointed to another server (where the website would be). I had SRV records, and it worked fine, but only with a self-signed certificate.
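Two things in this thread fit one worked example: wroot's remark that OpenSSL (not just keytool) can produce the private key and CSR, and the "certificate chain does not cover the domain of this XMPP service" error, which comes from installing a certificate for the connect host (my.domain.com) while users log in at the XMPP domain (domain.com). The script below is an added example, not code from the thread or from Openfire. It generates a key and a CSR whose subjectAltName lists both names, then checks a certificate against the XMPP domain. Assumptions: the openssl command-line tool is installed (1.1.1 or later, for -addext), the domain names are placeholders, the self-signed step exists only so the check has a certificate to read (a real deployment sends the CSR to the CA and installs what comes back, plus its chain), and the coverage check is a simplified stand-in for Openfire's own logic: exact SAN match or a one-label wildcard, nothing else.

```shell
#!/bin/sh
# Added example (not from the thread or from Openfire). Key + CSR with a SAN
# covering both the XMPP domain and the connect host, then a check of which
# names a certificate actually covers. Names are placeholders; openssl CLI
# (1.1.1+) is assumed; the coverage check is a simplified stand-in for
# Openfire's internal check.

# Private key (left 0400) plus CSR listing both names in the SAN. Send the
# CSR to your CA; the key never leaves the server.
make_key_and_csr() {   # $1 outdir, $2 xmpp domain, $3 connect host name
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.csr" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2,DNS:$3" 2>/dev/null \
    && chmod 400 "$1/$2.key"
}

# Demo only: self-sign with the same key so the check below has something to
# read. In production the CA-issued certificate (plus its chain) replaces this.
self_signed_cert() {   # $1 outdir, $2 xmpp domain, $3 connect host name
    openssl req -x509 -key "$1/$2.key" -days 30 -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2,DNS:$3" -out "$1/$2.crt" 2>/dev/null
}

# List the DNS names in a certificate's subjectAltName, one per line.
cert_dns_names() {   # $1 certificate file (PEM)
    openssl x509 -in "$1" -noout -text \
        | awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# Succeed if the certificate names <name> exactly or via a one-label wildcard
# (*.example.com matches xmpp.example.com but not example.com itself).
cert_covers_name() {   # $1 certificate file, $2 name to check
    parent=${2#*.}
    cert_dns_names "$1" | grep -qxF -e "$2" -e "*.$parent"
}

# Walk through it once with placeholder names in a scratch directory.
WORK=$(mktemp -d)
make_key_and_csr "$WORK" mydomain.com xmpp.mydomain.com
self_signed_cert "$WORK" mydomain.com xmpp.mydomain.com
echo "SAN entries:"; cert_dns_names "$WORK/mydomain.com.crt"
for n in mydomain.com xmpp.mydomain.com www.mydomain.com; do
    if cert_covers_name "$WORK/mydomain.com.crt" "$n"; then
        echo "covers $n"
    else
        echo "does NOT cover $n"
    fi
done
rm -rf "$WORK"
```

Run cert_covers_name against the certificate certbot produced for the host name alone and it fails for the XMPP domain, which is the same conclusion the admin console reached. For Let's Encrypt the practical consequence is that the challenge has to be satisfied for the XMPP domain itself (for instance a DNS-01 challenge, which does not care where the apex A record points), or the XMPP domain has to be changed to the host name as wroot suggests.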

Could someone tell me what the feature “File Transfer Proxy Settings” actually does?
It says port 7777, which is blocked on my server, so is this feature important? As far as I noticed it only enables “XEP-0065: SOCKS5 Bytestreams (Proxy)” for compliance, but I have no idea what it actually does.
The only file transfer I have now is HTTP File Upload, which just gives a URL to download the file from the server. Is there another file transfer method available? Maybe there is a way to transfer files directly peer to peer?

Also I noticed that enabling HTTP BIND Settings allows HTTP File Upload to work, although it does not say anything about upload in the description (“HTTP binding allows clients using the HTTP protocol to connect to the server.”). The ports are quite strange too: 7070 and 7443 (which is the one listed in the URL when sending a file with HTTP File Upload). Is that all normal?

The Media Proxy feature. Does anyone use this one? Could someone please tell me a few things about this one too?
Thanks!

XMPP clients can generally transfer files between each other. Usually this is done via p2p, but if p2p is unavailable (due to NAT, different subnets, etc.), the server can proxy the file through itself using port 7777 if configured and allowed.