I want to set up ejabberd in corporate environment, and I want to know if ejabberd can do following things:
1. I want that only 10.0.0.0/8 subnet can use c2s.
As I understood ejabberd can't provide this?
I can firewall 5222 port so it is not a big problem, just interesting If i missed smth.
2. By default I want my users talk ONLY with jabber servers defined by me.
But, some defined users (by jid) can talk to all other servers.
3. By default I want to prevent my users from using ICQ/MSN/IRC/etc transports.
But, some defined users (by jid) can use some transports.
I don't know if it is important, but DNS records for jabber (and services) are common for all users.
Thank for help!
not very helpful
It seems not possible on ejabberd, as you said.
There's a similar question on the mailing list: deny networks with ejabberd. I don't know yet if it will work at all.
This question seems related to 2, so let's see if 2 can be solved...
If all this works, then you'll want to allow some privileged JIDs full access. I don't know if ejabberd supports currently a filtering as specific as you want. I guess you can setup a test server, register some accounts and try yourself. And take a close look at the ejabberd Guide sections (acl, accessname and listen parts). If so, post your results and maybe we can provide new ideas.
some testing
{acl, jasmine, {server, "jasmine.lvchd1"}}.
{acl, iscbuh4, {server, "jabber.iscbuh4.sim.uz.gov.ua"}}.
{acl, jabber.dp.uz.gov.ua, {server, "jabber.dp.uz.gov.ua"}}.
{access, s2smy, [{allow, iscbuh4}, {allow, jasmine}, {deny, all}]}.
{listen,
.....
{5269, ejabberd_s2s_in, [{access, s2smy}, {shaper, s2s_shaper}]},
....
]}.
I try'ed to establish incoming contact adding frommalik@jabber.dp.uz.gov.ua and outgoing to malik@jabber.dp.uz.gov.ua . That worked without any restrictions :(.
Irrelative of above written: As I see from this name 'ejabberd_s2s_in' this corresponds only to incoming connections, but what about outgoing connections?
Not yet possible
Something like the above (or maybe something more general, being able to specify ACLs about whom users are able to contact regardless of the target being reached by S2S or locally) would be neat. There is afeature request in Bugzilla for that, so vote for it, or write the code if you can.