Professional Secure Installation

I tried with openfire:openfire, got this:
chown: invalid user: ‘openfire:openfire’.

Even on my admin panel it says:
“OS Process Owner: daemon”. Can anyone else confirm that Openfire automatically creates a user “openfire” to run the Openfire service?

At this point I have a subdomain my.domain.com pointed to the XMPP server IP, but the main domain itself (domain.com) is parked on another server. The SRV records worked fine up to this point. There must be some way to solve this? Or is the only way to point the domain A record to the XMPP server too? In that case I won't be able to set up a website on the same domain name…

I found something else. It seems that there is no user created to run openfire after installation. The default user seems to be daemon. I found these lines in /etc/sysconfig/openfire:

#If there is a different user you would like to run openfire as,
#change the following line.
#OPENFIRE_USER="daemon"

Did we miss something somewhere?

Also I tried changing this entry in this file, but I could not start openfire after that; I assume it's because of all the permissions etc. Would you confirm that for me, please?

Thanks

I haven't played with the rpm version a lot, maybe it uses a different mechanism, but when I install the deb version on Ubuntu and run sudo ls -l /usr/share/openfire it shows openfire openfire as the owner of all files and folders.

Your users log in as user@domain.com, not as user@my.domain.com, so the certificate must cover domain.com. You can have different services on one domain name, like a website and email. XMPP uses 5222, the website will use 8080 or 443. I think it should work. Or change your XMPP domain to my.domain.com.

On my Centos 7 server all openfire files are daemon daemon.
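The permission problem in the posts above (chown failing on a non-existent user, and Openfire not starting after OPENFIRE_USER was changed without re-owning the files) comes down to doing three things in the right order: create the account, re-own the install tree, then point the sysconfig file at it. The script below is an added example, not from this thread or from the Openfire project. It assumes the CentOS 7 RPM layout (/opt/openfire and /etc/sysconfig/openfire), the keystore at resources/security/keystore, and a nologin shell at /sbin/nologin; the helper names (ensure_service_user, reown_tree, set_sysconfig_user, migrate_service_user) are mine. Running Openfire under its own locked account rather than the shared daemon user means a compromise of the XMPP process does not also reach everything else that runs as daemon.

```shell
#!/bin/sh
# Added example (not Openfire's own scripts): move Openfire from the shared
# "daemon" account to a dedicated, locked system user.
# Assumed CentOS 7 RPM paths; override via the environment for other layouts.
OPENFIRE_HOME=${OPENFIRE_HOME:-/opt/openfire}
OPENFIRE_SYSCONFIG=${OPENFIRE_SYSCONFIG:-/etc/sysconfig/openfire}

# ensure_service_user NAME: create NAME as a system account that cannot log in.
ensure_service_user() {
    name=$1
    id -u "$name" >/dev/null 2>&1 && return 0
    # -r system account, -M no home directory, nologin shell blocks interactive use
    # (assumed path; Debian-based systems use /usr/sbin/nologin)
    useradd -r -M -s /sbin/nologin "$name"
}

# reown_tree NAME DIR: make NAME own the install tree. Refuses to run for a
# user that does not resolve, which is what produced "chown: invalid user"
# earlier in the thread when no such account existed yet.
reown_tree() {
    name=$1; dir=$2
    if ! id -u "$name" >/dev/null 2>&1; then
        echo "reown_tree: user '$name' does not exist; create it first" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "reown_tree: no such directory: $dir" >&2
        return 1
    fi
    # "NAME:" (empty group part) means NAME's login group, so this also works
    # where no group is named after the user
    chown -R "$name:" "$dir"
    # the keystore holds the server's TLS private key: owner read/write only
    # (assumed default keystore location)
    ks="$dir/resources/security/keystore"
    if [ -f "$ks" ]; then chmod 600 "$ks"; fi
}

# set_sysconfig_user NAME FILE: set OPENFIRE_USER=NAME in the sysconfig file,
# replacing the commented default line (#OPENFIRE_USER="daemon") if present,
# appending the setting otherwise. Written via a temp file so it is POSIX sed.
set_sysconfig_user() {
    name=$1; file=$2
    if [ ! -f "$file" ]; then
        echo "set_sysconfig_user: no such file: $file" >&2
        return 1
    fi
    if grep -q '^#*OPENFIRE_USER=' "$file"; then
        sed "s|^#*OPENFIRE_USER=.*|OPENFIRE_USER=\"$name\"|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf 'OPENFIRE_USER="%s"\n' "$name" >> "$file"
    fi
}

# migrate_service_user [NAME]: the whole procedure; needs root. Stop the
# service first so the running process does not keep creating files as daemon.
migrate_service_user() {
    name=${1:-openfire}
    ensure_service_user "$name"
    reown_tree "$name" "$OPENFIRE_HOME"
    set_sysconfig_user "$name" "$OPENFIRE_SYSCONFIG"
    echo "restart openfire; the admin console should now show OS Process Owner: $name"
}
```

After the restart, the admin console's "OS Process Owner" is the quick check that the setting took effect; if the service fails to start instead, the usual cause is a file under the install tree (logs, embedded database, plugins) that was created by the old user after the chown ran.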

The problem with the SRV record way of running an XMPP server is that I cannot get a certificate with certbot from Let's Encrypt, since the main domain is pointed to another server (where the website would be). I had SRV records, it worked fine, but only with a self-signed certificate.
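The SRV question, the reply about which name the certificate must cover, and the certbot problem above all turn on one distinction: the SRV record decides which host clients connect to, while the certificate is checked against the XMPP domain in the JID (user@domain.com), so a certificate for my.domain.com alone is rejected however the SRV record points. The script below is an added example, not from this thread; it works on constructed inputs so it runs offline, with example.com and my.example.com as placeholders and srv_target, san_covers and check_xmpp_identity as my own helper names. The comments give the dig and openssl commands that produce the real inputs.

```shell
#!/bin/sh
# Added example: which host does a client connect to, and is the certificate
# valid for the XMPP domain? Inputs below are constructed; real ones come from
#   dig +short _xmpp-client._tcp.example.com SRV        (SRV records)
#   openssl s_client -connect my.example.com:5222 -starttls xmpp \
#       -xmpphost example.com </dev/null 2>/dev/null \
#     | openssl x509 -noout -ext subjectAltName \
#     | tr ',' '\n' | sed -n 's/.*DNS://p'             (SAN list, OpenSSL 1.1.1+ assumed)

# srv_target: read SRV records in `dig +short` form ("prio weight port target.")
# on stdin, print "host port" for the record a client tries first: lowest
# priority, then highest weight. (RFC 2782's weighted random choice among
# equal priorities is simplified to a deterministic sort.)
srv_target() {
    sort -k1,1n -k2,2nr | head -n 1 | awk '{ sub(/\.$/, "", $4); print $4, $3 }'
}

# san_covers DOMAIN SAN...: succeed if one DNS subjectAltName entry matches
# DOMAIN under the rules clients apply (RFC 6125): exact match, or a wildcard
# "*.suffix" standing for exactly one leftmost label. "*.example.com" therefore
# covers chat.example.com but neither example.com nor a.b.example.com.
san_covers() {
    domain=$1; shift
    for san in "$@"; do
        [ "$san" = "$domain" ] && return 0
        case $san in
            '*.'*)
                suffix=${san#\*.}
                rest=${domain%".$suffix"}
                # rest is the leftmost label only if the strip changed something
                # and what remains contains no dot
                if [ "$rest" != "$domain" ] && [ -n "$rest" ]; then
                    case $rest in *.*) ;; *) return 0 ;; esac
                fi ;;
        esac
    done
    return 1
}

# check_xmpp_identity DOMAIN SAN... with SRV records on stdin: report the
# connection target and whether the certificate is usable for DOMAIN.
# Exit status 1 when the certificate does not cover the XMPP domain.
check_xmpp_identity() {
    domain=$1; shift
    target=$(srv_target)
    # no SRV record: clients fall back to DOMAIN itself on 5222 (RFC 6120)
    [ -n "$target" ] || target="$domain 5222"
    if san_covers "$domain" "$@"; then
        echo "connect to $target; certificate covers $domain: OK"
        return 0
    fi
    echo "connect to $target; certificate does NOT cover $domain (SANs: $*)"
    return 1
}
```

For the certbot problem specifically: the HTTP-01 challenge needs the A record of domain.com to reach the machine running certbot, but Let's Encrypt's DNS-01 challenge (certbot --preferred-challenges dns, with a DNS plugin or --manual) only needs you to publish a TXT record, so the XMPP host can obtain a certificate for domain.com while the A record keeps pointing at the web server.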

Could someone tell me what the feature “File Transfer Proxy Settings” actually does?
It says port 7777, which is blocked on my server, so is this feature important? As far as I noticed it only enables “XEP-0065: SOCKS5 Bytestreams (Proxy)” for Compliance, but I have no idea what it actually does.
The only file transfer I have now is HTTP File Upload, which just gives a URL to download the file from the server. Is there another file transfer method available? Maybe there is a way to transfer files directly peer to peer?

Also I noticed that enabling HTTP BIND Settings allows HTTP File Upload to work, although it does not say anything about upload in the description (“HTTP binding allows clients using the HTTP protocol to connect to the server.”). The ports are quite strange too: 7070 and 7443 (which is the one that is listed in the URL when sending a file with HTTP File Upload). Is that all normal?

Media Proxy feature. Does anyone use this one? Could someone please tell me a few things about this one too?
Thanks!

XMPP clients can generally transfer files between each other. Usually this is done via p2p, but if p2p is unavailable (due to NAT, different subnets, etc.), the server can proxy the file through it using port 7777 if configured and allowed.
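Since the two posts above are about which of Openfire's ports matter and which of them carry unprotected traffic, a quick listener audit is the check worth having before opening anything in the firewall. The function below is an added example, not from this thread or from Openfire: it reads `ss -ltn` output, maps the default Openfire ports to their services, and flags the plaintext ones (7070 BOSH over HTTP, 7777 SOCKS5 proxy, 9090 admin console over HTTP) when they are bound to something other than loopback. The port-to-service table assumes a stock install; the sample `ss` lines used in the usage are constructed, and the function name is mine.

```shell
#!/bin/sh
# Added example: audit which Openfire listeners are reachable from outside and
# which of those speak plaintext. Usage:  ss -ltn | audit_openfire_listeners
# Prints one line per Openfire port; exit status 1 if any plaintext service is
# bound to a non-loopback address.
audit_openfire_listeners() {
    awk '
    BEGIN {
        # default Openfire ports (assumed stock install; adjust if changed)
        svc[5222]="c2s, STARTTLS (set TLS to required in the admin console)"; plain[5222]=0
        svc[5223]="c2s, direct TLS";                                        plain[5223]=0
        svc[5269]="s2s, STARTTLS";                                          plain[5269]=0
        svc[7070]="BOSH / HTTP-bind over plain HTTP";                       plain[7070]=1
        svc[7443]="BOSH / HTTP-bind over HTTPS (HTTP File Upload URLs)";    plain[7443]=0
        svc[7777]="XEP-0065 file transfer proxy, SOCKS5, no TLS";           plain[7777]=1
        svc[9090]="admin console over plain HTTP";                          plain[9090]=1
        svc[9091]="admin console over HTTPS";                               plain[9091]=0
        bad = 0
    }
    # ss -ltn columns: State Recv-Q Send-Q Local:Port Peer:Port [Process]
    $1 == "LISTEN" {
        n = split($4, a, ":"); port = a[n] + 0
        if (!(port in svc)) next
        # everything before the last ":" is the address, IPv6 brackets included
        addr = substr($4, 1, length($4) - length(a[n]) - 1)
        local = (addr == "127.0.0.1" || addr == "[::1]")
        if (plain[port] && !local) { printf "EXPOSED  %s  %s\n", $4, svc[port]; bad = 1 }
        else if (plain[port])      { printf "local    %s  %s\n", $4, svc[port] }
        else                       { printf "ok       %s  %s\n", $4, svc[port] }
    }
    END { exit bad }'
}
```

For the setup discussed here that means: 7443 is the one HTTP File Upload actually needs from outside, 7070 and 9090 can stay on loopback (put a TLS-terminating reverse proxy or an SSH tunnel in front if they must be reached), and 7777 only gets opened if you want server-proxied XEP-0065 transfers, knowing the proxy stream itself is not encrypted.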

Hey speedy! I will try to enable port 7777 and that feature, but do I need a special client/feature in the client to send files p2p, or should it work with the same send file button which is in Gajim and other clients?
The general idea is to get files sent securely via the public internet p2p. Is that all I need to make it work?
Thank You.

P2p file transfer is happening directly between clients, so it is most probably not encrypted, if this is what you mean by secure. As far as I remember Gajim shows two different selections for regular file transfer and HTTP file upload, so you need to pick the one that fits your need each time.

I have enabled File Transfer Proxy and opened port 7777. Found the file sending option in Gajim, but it still doesn't work. Doesn't send. Any ideas? Sending to the Conversations app, in which it says: Receiving application/msword Unencrypted … Or Receiving Image…

Also it seems like Conversations doesn't have the same feature. Here I can definitely see only the HTTP File Upload feature. Or am I wrong?
Thanks

I haven't tried with Conversations for a while, but I remember it preferring HTTP File Upload when possible. Maybe it only works with it. Try sending from Gajim to Gajim, it worked for me in the past. I was sending from an IR.org account to a jabber.at account.

After all the testing and installations I can tell that this software combo has many, many bugs. Maybe it's the clients, maybe it's OMEMO, but messages sometimes don't come through, sometimes don't get decrypted because the user was offline; in group chat, users appear and disappear, there is no persistency. Really weird stuff. All I can say is that this software XMPP/Openfire is useless if it doesn't fully, clearly and easily support OMEMO. Anyone could use Signal, or any other messenger for that reason, if security is not a priority.
For those who have security as a priority, there is so much more work to do from the server and from the client side to fully implement OMEMO…