Copied Original from (and translated to English). Translations links to the original page[s]


This page describes the installation and configuration of the XMPP server prosody (a Jabber server) on Debian.

The XMPP service will be offered on the host with TLS encryption.

Before starting make sure actually points to the public IP of the host (cf. DNS records)

In addition, make sure ports 5222 and 5269 are open on the public IP.


Installation of prosody

Installation is done with aptitude or apt, for example:

aptitude install prosody


The files

The configuration files are in /etc/prosody.


By default, two example host configuration files are found in that directory: « localhost.cfg.lua » and « ». However, only localhost is activated upon installation.

A configuration file must have the extension lua.

Keep the extension if you rename or create files.

The configuration files which are actually read by prosody are in « /etc/prosody/conf.d/ ».

Typically the files in « conf.d » are symbolic links to a file in « conf.avail ».

SSL Encryption

The key / certificate pair for encryption between client / server and server / server is in « /etc/prosody/certs/ ». During installation the files localhost.cert and localhost.key are created, which are valid only for localhost, since you do not have a specific configuration for openssl yet ("/etc/ssl/openssl.cnf").

If you already have the files for just point the configuration to them. Otherwise you will have to create them.

Creating a key / certificate pair is not the subject of this page; for that, refer to the openssl documentation (TODO add link).

For example for a self-signed certificate:

openssl genrsa -out /etc/prosody/certs/ 2048
openssl req -new -x509 -key /etc/prosody/certs/ -out /etc/prosody/certs/ -days 1095

The MD5/SHA1 fingerprint (to distribute to your users so that they can verify the identity of the server during the first connection):

openssl x509 -fingerprint -md5 -in /etc/prosody/certs/
openssl x509 -fingerprint -sha1 -in /etc/prosody/certs/
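The self-signed certificate steps above as an added example (not part of the original page), extended to publish a SHA-256 fingerprint, which is a stronger digest than MD5 or SHA-1, and to check that an existing key / certificate pair belongs together and covers the host name. The function names, the `HOST.key` / `HOST.cert` file naming and the host `xmpp.example.org` in the usage comment are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example. Directory and host name are passed in by the caller;
# the HOST.key / HOST.cert naming is an assumption, not the page's file names.
# Usage: make_selfsigned /etc/prosody/certs xmpp.example.org

# make_selfsigned DIR HOST: create DIR/HOST.key and DIR/HOST.cert
make_selfsigned() {
    dir=$1; host=$2
    (
        umask 077    # the private key is created readable by its owner only
        openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    ) || return 1
    # -addext needs OpenSSL 1.1.1 or later; it records HOST as subjectAltName
    openssl req -new -x509 -key "$dir/$host.key" -out "$dir/$host.cert" \
        -days 1095 -subj "/CN=$host" -addext "subjectAltName=DNS:$host"
}

# cert_fingerprint CERT: SHA-256 fingerprint as colon-separated hex
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^[^=]*=//'
}

# pair_matches KEY CERT: succeeds if CERT carries the public key of KEY
pair_matches() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_covers_host CERT HOST: succeeds if HOST matches the certificate
cert_covers_host() {
    openssl x509 -noout -checkhost "$2" -in "$1" | grep -q 'does match'
}
```

After creating the key, give the account prosody runs as read access to it (for example through group ownership) and keep it unreadable for other users.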

Declaring host

The configuration of the host will be done in the file « /etc/prosody/conf.avail/ », the file may serve as a model:

cp -a /etc/prosody/conf.avail/ /etc/prosody/conf.avail/.cfg.lua

With your favorite editor change the settings for VirtualHost and enabled so you have:

VirtualHost ""
          --enabled = false -- Remove this line to enable this host

The line "enabled = [...]" can also be removed, instead of commenting it out as above.

Also declare the key and the SSL certificate:

          ssl = {
                  key = "/etc/prosody/certs/";
                  certificate = "/etc/prosody/certs/";
          }

If you already have a key / cert pair for the same domain name (Common Name), for example for apache, point to it instead of the files listed above.

Now create the symbolic link in « /etc/prosody/conf.d/ » with:

ln -sf /etc/prosody/conf.avail/ /etc/prosody/conf.d/
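An added check for the layout described above (not part of the original page or of prosody): it walks the enabled host files in `conf.d`, flags dangling links and files without the `.lua` extension, and verifies that the private key named in each `ssl` block exists and is not world-readable. The function name `audit_prosody_conf` is hypothetical, and the script assumes the `key = "...";` line format shown above.

```sh
#!/bin/sh
# Added example: audit enabled Prosody host configs.
# Usage: audit_prosody_conf /etc/prosody
audit_prosody_conf() {
    root=$1; rc=0
    for f in "$root"/conf.d/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue      # conf.d is empty
        case $f in
            *.lua) ;;
            *) echo "WARN $f: extension is not .lua"; rc=1 ;;
        esac
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            echo "FAIL $f: dangling symlink"; rc=1; continue
        fi
        [ -L "$f" ] || echo "NOTE $f: regular file, not a link into conf.avail"
        # Extract the path from a line such as:  key = "/path/to/file.key";
        key=$(sed -n 's/^[[:space:]]*key[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$f" | head -n 1)
        if [ -z "$key" ]; then
            echo "NOTE $f: no ssl key configured"
        elif [ ! -f "$key" ]; then
            echo "FAIL $f: key $key is missing"; rc=1
        elif [ -n "$(find -L "$key" -perm -004)" ]; then
            echo "FAIL $f: key $key is world-readable"; rc=1
        else
            echo "OK   $f: key $key"
        fi
    done
    return $rc
}
```

The function returns non-zero when any FAIL or WARN line is printed, so it can be run before restarting prosody.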

Several hosts in one configuration

Here is an example to declare a single configuration for multiple hosts (thank you MattJ):

for _, host in ipairs { "", "" } do
   VirtualHost (host)
      option1 = "foo"
      option2 = "bar"
end

Create users (single)

Creating user accounts is done with the command « prosodyctl »:

prosodyctl adduser

Other authentication methods (Advanced)

Cyrus SASL with LDAP

The advantage of this method is that it allows the use of user accounts declared/managed independently of prosody, namely via LDAP. The official documentation is available on the prosody site.

First install the packages required for SASL authentication with prosody.

aptitude install sasl2-bin liblua5.1-cyrussasl0 libsasl2-modules-ldap

Declare the use of Cyrus SASL as authentication method in « /etc/prosody/prosody.cfg.lua »:

sasl_backend = "cyrus" -- 0.7 (different in 0.8)
cyrus_application_name = "xmpp"

In « /etc/default/saslauthd » change START=no to START=yes and make sure MECHANISMS="ldap" is set. Also MECH_OPTIONS must point to a file, probably « /etc/default/saslauthd ».

Then the options for the authentication mechanism must be configured. This is done in the file indicated by MECH_OPTIONS (generally « /etc/default/saslauthd »). To do this, edit the file and insert the following:

ldap_servers: ldap://
ldap_search_base: ou=user,dc=example,dc=org

Restart the service:

invoke-rc.d saslauthd restart

Test that it works correctly:

$ testsaslauthd -u utilisateur -p mot_de_passe
0: OK "Success."

Then declare the SASL service xmpp used by prosody in the file « /usr/lib/sasl2/xmpp.conf ». The name of the file depends on the value you entered for "cyrus_application_name" in the configuration of prosody.

pwcheck_method: saslauthd
mech_list: PLAIN


Restart prosody:

invoke-rc.d prosody restart

And check the log files « /var/log/prosody/prosody.err » and « /var/log/prosody/prosody.log ».



The extension munin is available at munin exchange.

The use of this extension requires the prosody module console. So, uncomment console in the modules_enabled list in the file « /etc/prosody/prosody.cfg.lua ».

DNS records

The XMPP protocol uses records of type SRV; for example, for the domain, you might want to create the following records:

SRV  10 100 5222
SRV  10 100 5269
A

In this example is the IP of the public server.


A tutorial from 2017:




This page is copyright its contributors and is licensed under the Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.