A few notes on the selected configuration first:

  • The server is running Debian Lenny (current stable)
  • The chosen Jabber server is ejabberd. It is well-maintained, appears to be standards-compliant and is quite powerful. It is also the server powering jabber.org.
  • A full SSL certificate (private key + certificate in one PEM file, which is what ejabberd expects) is assumed to be available in /etc/ssl/certs/my-ssl-cert.pem. Since it holds the private key, the file is owned by root:ssl-cert with mode 0640 (-rw-r-----). Debian's conventional home for such a file is /etc/ssl/private, which is exactly what the ssl-cert group exists for; the path above is kept for consistency with the rest of this page. We will only use client-server encryption and authentication since we trust the server and the users (for the record, end-to-end encryption between clients is sometimes possible using GnuPG).
  • Since we know exactly who should connect to the server, we will disable client-based registration. Adding users will be done with the CLI on the server.
  • All installation commands listed below assume you have root privileges. Either log in as root or use sudo.

Now that we know what we need, let's install the server.

  1. Install the server
    aptitude install -R ejabberd
    Depending on your debconf priority, the package may not have asked you any questions. If so, use the following command to set the server's hostname and create the initial administration account.
    dpkg-reconfigure ejabberd
  2. Stop the server
    /etc/init.d/ejabberd stop
  3. Edit the configuration file at /etc/ejabberd/ejabberd.cfg.
    1. Change the various references to /etc/ejabberd/ejabberd.pem to your own certificate (/etc/ssl/certs/my-ssl-cert.pem). This covers the client listener on 5222, the s2s_certfile and, if you enable it below, the web admin listener.
    2. Disable mod_register (in-band registration, XEP-0077): comment all relevant lines with a %
    3. Disable mod_irc (you don't want everyone to use IRC, do you?): comment all relevant lines with a %
    4. optional: Set the webadmin to use SSL and only accept local connections. The listener entry, complete, looks like this (the tls atom switches the port to HTTPS, and binding to 127.0.0.1 keeps it off the network; use an SSH tunnel to reach it remotely):
      {5280, ejabberd_http, [
                             {ip, {127, 0, 0, 1}},
                             tls,
                             {certfile, "/etc/ssl/certs/my-ssl-cert.pem"},
                             web_admin
                            ]}
    5. optional: change the language
    6. optional: add your JID to watchdog_admins to be alerted when something goes wrong (the option name is plural: {watchdog_admins, ["you@jabber.localdomain"]}.).
  4. Remember how we restricted access on the SSL certificate? It's time to give ejabberd access to the file. The daemon runs as the ejabberd user, and the new group membership takes effect when it is next started, which is why the server is stopped at this point.
    adduser ejabberd ssl-cert
  5. Open ports 5222/tcp and 5269/tcp in your firewall. Both have names in /etc/services, respectively xmpp-client and xmpp-server, so iptables accepts those names in place of the numbers. Note that if you rely on a single isolated Jabber server, you don't need to open port 5269 since it's only used for server-to-server communication. Do not open 5280: the web admin should stay reachable from the host only (see step 3.4).
  6. Start the server
    /etc/init.d/ejabberd start
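For reference, here are the parts of /etc/ejabberd/ejabberd.cfg that steps 3.1 to 3.6 touch, written out as one coherent fragment. This is an added example in ejabberd 2.0 syntax, not a copy of the page's original snippet or of the file Debian ships; the hostname, the admin JID and the certificate path are assumptions, and the rest of the file (ACLs, shapers, other listeners) is left as debconf generated it. Compared with the defaults, the client listener requires STARTTLS instead of merely offering it, the register access rule is set to deny as a second line of defence behind the disabled module, and the web admin is bound to the loopback interface over HTTPS.

```erlang
%% Added example: the sections of /etc/ejabberd/ejabberd.cfg changed by steps 3.1 to 3.6.
%% Hostname, JIDs and the certificate path are assumptions for illustration.
{hosts, ["jabber.localdomain"]}.

{listen,
 [
  %% Clients: STARTTLS is mandatory, so no session can stay in plaintext.
  {5222, ejabberd_c2s, [
                        {access, c2s},
                        {shaper, c2s_shaper},
                        {max_stanza_size, 65536},
                        starttls_required,
                        {certfile, "/etc/ssl/certs/my-ssl-cert.pem"}
                       ]},
  %% Server-to-server: only useful if you federate and open 5269/tcp.
  {5269, ejabberd_s2s_in, [
                           {shaper, s2s_shaper},
                           {max_stanza_size, 131072}
                          ]},
  %% Web admin: HTTPS only, bound to the loopback interface (step 3.4).
  {5280, ejabberd_http, [
                         {ip, {127, 0, 0, 1}},
                         tls,
                         {certfile, "/etc/ssl/certs/my-ssl-cert.pem"},
                         web_admin
                        ]}
 ]}.

%% Encrypt s2s links and present the same certificate on them (step 3.1).
{s2s_use_starttls, true}.
{s2s_certfile, "/etc/ssl/certs/my-ssl-cert.pem"}.

%% Step 3.2: in-band registration is denied even if mod_register were re-enabled.
%% Accounts are created on the server with ejabberdctl only.
{access, register, [{deny, all}]}.

%% Step 3.6: these JIDs receive a message when a process crashes.
{watchdog_admins, ["admin@jabber.localdomain"]}.

{modules,
 [
  {mod_adhoc,    []},
  {mod_disco,    []},
  {mod_last,     []},
  {mod_offline,  []},
  {mod_privacy,  []},
  {mod_private,  []},
  {mod_roster,   []},
  {mod_vcard,    []},
  {mod_version,  []}
  %% Steps 3.2 and 3.3: mod_register and mod_irc are not loaded at all.
  %% {mod_register, [{access, register}]},
  %% {mod_irc,      []},
 ]}.
```

Erlang terms are picky about punctuation: every top-level term ends with a full stop, and the last element of a list must not be followed by a comma, so when you comment a module out make sure the element before it no longer carries a trailing comma. A syntax error here leaves the node refusing to start, with the reason in /var/log/ejabberd/ejabberd.log.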

That's it. To register an account, you can use ejabberdctl once the server is running (it talks to the live node). For example

ejabberdctl register xr jabber.localdomain my-secret-password

Be aware that the password given this way ends up in the shell history and is briefly visible to every local user in the process list, so prefer a throwaway initial password and have the user change it from their client.

Note that this is a simple setup. ejabberd can do much more, like authenticating against an LDAP server, or limiting the bandwidth used per connection... Refer to the documentation for more information.

Appendix: data transfers

Jabber supports data transfers. However, a direct transfer (SOCKS5 bytestreams, XEP-0065) relies on the sending client opening additional ports for the receiver to connect to, a bit like active FTP transfers, so it fails as soon as a NAT or a client firewall sits in between.

In Pidgin, you can configure the port range in the preferences. Be sure to open the ports on the client firewall (TCP only).

If you don't do this, you'll have to rely on a proxy server for data transfers. ejabberd includes such a proxy (mod_proxy65) but it also has to be configured. Relying on an existing third-party proxy is also possible, but this means that the proxy will see the transferred files in the clear (the transfer itself is not encrypted end-to-end) and it will slow down the transfers.
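Running ejabberd's own proxy keeps the files on a host you already trust. The following fragment, an added example in ejabberd 2.0 syntax rather than the page's or the project's own configuration, shows the module enabled with the two controls a practitioner wants: an access rule so that only local accounts can use it (a proxy open to everyone is an anonymous file relay), and a shaper to cap the rate per transfer. The virtual host name, the listening address, the port and the rate limit are assumptions.

```erlang
%% Added example: enabling ejabberd's SOCKS5 bytestreams proxy (XEP-0065).
%% The host name, IP address, port and rate limit are assumptions.

%% Only accounts on this server may use the proxy; everyone else is refused,
%% so the service cannot be used as an open relay by strangers.
{access, proxy65_access, [{allow, local}, {deny, all}]}.

%% Cap each transfer at 100 KB/s; administrators are not limited.
{shaper, proxyrate, {maxrate, 102400}}.
{shaper, proxy65_shaper, [{none, admin}, {proxyrate, all}]}.

{modules,
 [
  %% ... the modules from the main setup stay as they are ...
  {mod_proxy65, [
                 {host, "proxy.jabber.localdomain"},  % name clients find via service discovery
                 {name, "File transfer proxy"},
                 {ip, {192, 0, 2, 10}},               % address the proxy listens on (assumed)
                 {port, 7777},                        % open 7777/tcp in the firewall for it
                 {access, proxy65_access},
                 {shaper, proxy65_shaper}
                ]}
 ]}.
```

The proxy must be reachable from both clients on the chosen port, and if the server sits behind NAT the hostname option of mod_proxy65 lets you advertise the public name instead of the bound address. Remember that the proxy still sees the file contents; it only removes the need for ports on the clients, it does not add any confidentiality.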