Ejabberd Issue - Anonymous user can send presence stanza to roster member

I was under the assumption that an anonymous user cannot send a presence stanza to a registered user without a roster subscription. But using Ejabberd 2.1.2 this is happening.

How do I stop anonymous users from sending presence stanzas to registered users?

Help Please

Can somebody take a look at this question please.

adil wrote:

I was under the assumption that an anonymous user cannot send a presence stanza to a registered user without a roster subscription. But using Ejabberd 2.1.2 this is happening.

First a user logs in to an account in the XMPP server, for example testuser1@myserver. Then he can send stanzas (presence, message, iq).

The server usually requires the user to provide a password to verify he owns the account testuser1. Alternatively, the server can be configured to relax this requirement: do not require any password at all, or accept any password as valid. In any case, once the user is authenticated in the server, why shouldn't he be able to use all the possibilities already offered by the server to password-verified accounts?

In other words: where did you read/infer that anonymous-authenticated accounts must not be able to send presence to other password-authenticated users?

adil wrote:

How do I stop anonymous users from sending presence stanzas to registered users?

I think such restriction isn't configurable.

There is a workaround. I assume you have now one vhost that uses mixed auth: internal+anonymous. You could split it in two vhosts: one for internal auth users, and the other for anonymous users. And then, configure somehow that presence stanzas from vhost2 to vhost1 are dropped. Maybe mod_filter or another small module can be configured or modified to do this.

Anonymous Vhost and Member Vhost is different

badlop wrote:

In other words: where did you read/infer that anonymous-authenticated accounts must not be able to send presence to other password-authenticated users?

http://stackoverflow.com/questions/1958763/how-can-anonymous-users-excha....

and

http://xmpp.org/rfcs/rfc3921.html#sub (Section 6)

What I meant to emphasize is that users outside the roster of a member cannot send them a presence. That seems correct and isn't that the point of the roster anyway?

Now, my site is set up to use two separate vhosts for chat. Their setup is as follows:

{hosts, ["socialnetwork.com","public.socialnetwork.com"]}.

{host_config, "public.socialnetwork.com", [{auth_method, anonymous},
                                     {allow_multiple_connections, false},
                                     {anonymous_protocol, sasl_anon}]}.

It used to be in 2.0.0 that a logged-in anon user (user1234@public.socialnetwork.com/webchat) cannot send presence stanzas to the social network user (member1234@socialnetwork.com/webchat). We allow anon guys to chat, and exchange presence, with social network users using MUC. Once the SN user has left the MUC, the anon chat user should not be able to send a presence stanza. This used to work as expected in v2.0.0 without any mods. Is this possible now?

Are you sure the restriction was implemented in 2.0.0?

The first is a forum link. It can be indicative, but not authoritative.

The second link is the authoritative RFC, that ejabberd must obey. As it has hundreds of pages, can you mark in what paragraph you read that "an anonymous user can't send a presence stanza to an internally-registered user"? In the whole RFC, the word 'anonymous' is never mentioned.

adil wrote:

What I meant to emphasize is that users outside the roster of a member cannot send them a presence.

False. The RFC 3921 says: "a client MAY send directed presence information to another entity by including a 'to' address".

I've verified this works both in ejabberd 2.1.3 and 2.0.1. That's the oldest version I can get to run, and I don't see any relevant change between 2.0.0 and 2.0.1.

I configured it similarly to you. someone@anon.localhost/work logs in, has an empty roster, and sends:

<presence xml:lang='es' to='badlop@localhost/work'>
  <show>away</show>
  <priority>8</priority>
  <status>asdasd</status>
</presence>

badlop@localhost/work receives the stanza, as described in RFC:

<presence from='someone@anon.localhost/work'
	to='badlop@localhost/work'
	xml:lang='es'>
  <show>away</show>
  <priority>8</priority>
  <status>asdasd</status>
</presence>

adil wrote:

That seems correct and isn't that the point of the roster anyway?

Each concept has a purpose: a presence stanza carries presence information. A presence subscription indicates that a contact wants to get the user presence information and the user granted permission to do so. A roster is a list of roster items, which can have different presence subscriptions each.

adil wrote:

It used to be in 2.0.0 that a logged-in anon user (user1234@public.socialnetwork.com/webchat) cannot send presence stanzas to the social network user (member1234@socialnetwork.com/webchat).

Are you sure it was ejabberd 2.0.0 code that was blocking delivery of such stanzas? Maybe it was the client itself that implemented that restriction: Don't accept incoming presence stanzas from users that aren't in my roster.

adil wrote:

We allow anon guys to chat, and exchange presence, with social network users using MUC. Once the SN user has left the MUC, the anon chat user should not be able to send a presence stanza. This used to work as expected in v2.0.0 without any mods. Is this possible now?

As I said, maybe mod_filter can be configured or customized to implement such restriction.

I see

Quote:

The second link is the authoritative RFC, that ejabberd must obey. As it has hundreds of pages, can you mark in what paragraph you read that "an anonymous user can't send a presence stanza to an internally-registered user"? In the whole RFC, the word 'anonymous' is never mentioned.

Actually it's the first para that got me confused: "In order to protect the privacy of instant messaging users and any other entities, presence and availability information is disclosed only to other entities that the user has approved."

You're right, it doesn't mean anon cannot send a presence to another user.

Ok, can you give me an idea of how to make this mod_filter. My criteria is to exchange presence on MUC but not outside. How can I enforce that?

Check mod_filter example 4

adil wrote:

Ok, can you give me an idea of how to make this mod_filter. My criteria is to exchange presence on MUC but not outside. How can I enforce that?

Check the mod_filter page, especially the example 4 which I wrote specifically for your case. Download the module, install, configure.
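
Added example, not part of the thread and not mod_filter's own configuration or code: a standalone Python model of the rule discussed above (drop presence routed from the anonymous vhost straight to the member vhost, while presence relayed by the MUC service still passes), useful for checking a filter policy against sample stanzas. The two vhost names come from the thread; the MUC service name conference.socialnetwork.com and the sample stanzas are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANON_HOST = "public.socialnetwork.com"     # anonymous vhost, from the thread
MEMBER_HOST = "socialnetwork.com"          # member vhost, from the thread
MUC_HOST = "conference.socialnetwork.com"  # assumption: not named in the thread

def jid_domain(jid):
    """Return the lowercased domain of a JID (user@domain/resource)."""
    bare = jid.split("/", 1)[0]            # the resource may itself contain '@' or '/'
    return bare.split("@", 1)[-1].lower()

def should_drop(stanza_xml):
    """True if the stanza is presence sent directly from anon vhost to member vhost.

    'from' must be the address stamped by the server, never a client-supplied one.
    """
    el = ET.fromstring(stanza_xml)
    if el.tag.rsplit("}", 1)[-1] != "presence":   # tolerate a namespaced tag
        return False
    src = jid_domain(el.get("from", ""))
    dst = jid_domain(el.get("to", ""))
    # Exact comparison: a suffix match on "socialnetwork.com" would also
    # catch the anonymous vhost and the MUC service.
    return src == ANON_HOST and dst == MEMBER_HOST

# Constructed sample stanzas, as the router would see them.
SAMPLES = [
    # directed presence, anon -> member: the case the thread wants blocked
    "<presence from='user1234@public.socialnetwork.com/webchat' "
    "to='member1234@socialnetwork.com/webchat'><show>away</show></presence>",
    # anon joins a room: addressed to the MUC service, so it passes
    "<presence from='user1234@public.socialnetwork.com/webchat' "
    "to='lobby@conference.socialnetwork.com/user1234'/>",
    # the room reflects that presence to a member: 'from' is the room JID
    "<presence from='lobby@conference.socialnetwork.com/user1234' "
    "to='member1234@socialnetwork.com/webchat'/>",
    # only presence is filtered; a message is left alone
    "<message from='user1234@public.socialnetwork.com/webchat' "
    "to='member1234@socialnetwork.com/webchat'><body>hi</body></message>",
]

def evaluate(stanzas):
    """Return the drop decision for each stanza, in order."""
    return [should_drop(s) for s in stanzas]

if __name__ == "__main__":
    for stanza, drop in zip(SAMPLES, evaluate(SAMPLES)):
        print("DROP" if drop else "PASS", stanza[:70])
```

Once the member leaves the room, the MUC service stops reflecting the anonymous user's presence to them, and any directed presence falls under the first case and is dropped.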
