Is Yunohost XMPP server fully OMEMO capable?

Hello.

Has anyone ever managed to make Yunohost’s XMPP server work smoothly with OMEMO in every scenario?

For me, it often works ok, but when using multiple devices, problems begin to arise.

Here is a common example:

I made an XMPP room where some friends and I communicate using OMEMO.
I configured my account in several devices to talk in that room (with Conversations and Gajim). My friends did the same.
In one of my devices (using Gajim), I get the following message from a friend:
I sent you an OMEMO encrypted message but your client doesn’t seem to support that. Find more information on https://conversations.im/omemo
Besides that, on that same device, instead of seeing the contents of the synced messages I sent from another device, I get the following:
You received a message encrypted with OMEMO but your client doesn't support OMEMO.
One friend of mine told me zhe is getting similar errors.

Does anyone know how to fix it?

I wonder if it is possible. I am saying so because according to Conversations/README.md at master - iNPUTmice/Conversations - Codeberg.org
“The server of all participants need to pass the OMEMO Compliance Test. In other words they either need to run ejabberd 18.01+ or Prosody 0.11+.”

Should I forget Yunohost’s Metronome and install Yunohost’s Prosody?

Please find below my server’s compliance report.

Thank you!


Result  Test
PASSED  RFC 6121: Roster Versioning
FAILED  XEP-0215: External Service Discovery (STUN)
FAILED  XEP-0215: External Service Discovery (TURN)
PASSED  XEP-0153: vCard-Based Avatar (MUC)
PASSED  XEP-0045: Multi-User Chat
FAILED  XEP-0065: SOCKS5 Bytestreams (Proxy)
PASSED  XEP-0115: Entity Capabilities
PASSED  XEP-0160: Best Practices for Handling Offline Messages
PASSED  XEP-0163: Personal Eventing Protocol
PASSED  XEP-0191: Blocking Command
PASSED  XEP-0198: Stream Management
PASSED  XEP-0280: Message Carbons
PASSED  XEP-0313: Message Archive Management
PASSED  XEP-0313: Message Archive Management (Multi-User Chat)
PASSED  XEP-0352: Client State Indication
PASSED  XEP-0357: Push Notifications
PASSED  XEP-0363: HTTP File Upload
FAILED  XEP-0368: SRV records for XMPP over TLS
PASSED  XEP-0384: OMEMO Encryption
PASSED  XEP-0398: User Avatar to vCard-Based Avatars Conversion
FAILED  XEP-0157: Contact Addresses for XMPP Services (Abuse)
FAILED  XEP-0077: In-Band Registration
FAILED  XEP-0156: Discovering Alternative XMPP Connection Methods (HTTP)
FAILED  XEP-0280: Message Carbons - Recommended Rules
FAILED  XEP-0313: Message Archive Management (extended usage)
PASSED  XEP-0363: HTTP File Upload (CORS Headers)
FAILED  XEP-0402: PEP Native Bookmarks

Somebody earlier was mentioning in Feature request: Documentation on configuring Metronome (XMPP server) · Issue #2323 · YunoHost/issues · GitHub

Upstream Metronome has at least one serious XEP missing regarding OMEMO implementation: maranda/metronome#549


I am able to use OMEMO, voice, and video chat.

Install coturn.

Then use my config below, replace with your server address and key when indicated.

This should do it.

The only problem is that, following a reboot, coturn does not automatically work, needs to be restarted manually with ssh. No idea why.

I’m no expert, and this did take a long time with trial and error, so if it works for me, it should work for everyone else.

I would welcome any improvements/suggestions of course, but this is a really great service when configured and working. I get no dropped video or phone calls, working attachments, and the chat response is instantaneous.

Best regards and enjoy.


-- ** Metronome's config file example **
-- 
-- The format is exactly equal to Prosody's:
--
-- Lists are written { "like", "this", "one" } 
-- Lists can also be of { 1, 2, 3 } numbers, etc. 
-- Either commas, or semi-colons; may be used as separators.
--
-- A table is a list of values, except each value has a name. An 
-- example would be:
--
-- ssl = { key = "keyfile.key", certificate = "certificate.cert" }
--
-- Tip: You can check that the syntax of this file is correct when you have finished
-- by running: luac -p metronome.cfg.lua
-- If there are any errors, it will let you know what and where they are, otherwise it 
-- will keep quiet.

-- Global settings go in this section
 
-- This is the list of modules Metronome will load on startup.
-- It looks for mod_modulename.lua in the plugins folder, so make sure that exists too.

modules_enabled = {
	-- Generally required
		"roster"; -- Allow users to have a roster. Recommended.
		"saslauth"; -- Authentication for clients. Recommended if you want to log in.
		"tls"; -- Add support for secure TLS on c2s/s2s connections
		"disco"; -- Service discovery
 
	-- Not essential, but recommended
		"private"; -- Private XML storage (for room bookmarks, etc.)
		"vcard"; -- Allow users to set vCards
		"pep"; -- Allows setting of mood, tune, etc.
		"pubsub";  -- Publish-subscribe XEP-0060
		"posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
		"bidi"; -- Enables Bidirectional Server-to-Server Streams.
 
	-- Nice to have
		"version"; -- Replies to server version requests
		"uptime"; -- Report how long server has been running
		"time"; -- Let others know the time here on this server
		"ping"; -- Replies to XMPP pings with pongs
		"register"; -- Allow users to register on this server using a client and change passwords
		"stream_management"; -- Allows clients and servers to use Stream Management
		"stanza_optimizations"; -- Allows clients to use Client State Indication and SIFT
		"message_carbons"; -- Allows clients to enable carbon copies of messages
		"mam"; -- Enable server-side message archives using Message Archive Management
		"push"; -- Enable Push Notifications via PubSub using XEP-0357
		"lastactivity"; -- Enables clients to know the last presence status of a user
		"adhoc_cm"; -- Allow to set client certificates to login through SASL External via adhoc
		"admin_adhoc"; -- administration adhoc commands
		"bookmarks"; -- XEP-0048 Bookmarks synchronization between PEP and Private Storage
		"sec_labels"; -- Allows to use a simplified version XEP-0258 Security Labels and related ACDFs.
		"privacy"; -- Add privacy lists and simple blocking command support

		-- Other specific functionality
		--"admin_telnet"; -- administration console, telnet to port 5582
		"admin_web"; -- administration web interface
		"bosh"; -- Enable support for BOSH clients, aka "XMPP over Bidirectional Streams over Synchronous HTTP"
		"compression"; -- Allow clients to enable Stream Compression
		--"spim_block"; -- Require authorization via OOB form for messages from non-contacts and block unsolicited messages
		--"gate_guard"; -- Enable config-based blacklisting and hit-based auto-banning features
		--"incidents_handling"; -- Enable Incidents Handling support (can be administered via adhoc commands)
		--"server_presence"; -- Enables Server Buddies extension support
		--"service_directory"; -- Enables Service Directories extension support
		--"public_service"; -- Enables Server vCard support for public services in directories and advertises in features
		"register_api"; -- Provides secure API for both Out-Of-Band and In-Band registration for E-Mail verification
		"websocket"; -- Enable support for WebSocket clients, aka "XMPP over WebSockets"
		"extdisco"; -- XEP 215
		"jingle_nodes";
};

-- Server PID
pidfile = "/var/run/metronome/metronome.pid"

-- HTTP server
http_ports = { 5290 }
http_interfaces = { "127.0.0.1", "::1" }

--https_ports = { 5291 }
--https_interfaces = { "127.0.0.1", "::1" }

-- Enable IPv6
use_ipv6 = true

-- extdisco configuration (XEP-0215 External Service Discovery)

external_services = {
    ["YourServer"] = {
        [1] = {
            port = "3478",
            transport = "udp",
            type = "stun"
        },

        [2] = {
            port = "3478",
            transport = "tcp",
            type = "stun"
        },

        [3] = {
            port = "5349",
            transport = "tcp",
            type = "stuns"
        },
        [4] = {
            port = "3478",
            transport = "tcp",
            type = "turn",
            turn_secret = "YourKey",
            turn_ttl = 300
        },

        [5] = {
            port = "3478",
            transport = "udp",
            type = "turn",
            turn_secret = "YourKey",
            turn_ttl = 7200
        },

        [6] = {
            port = "5349",
            transport = "tcp",
            type = "turns",
            turn_secret = "YourKey",
            turn_ttl = 7200
        }
    }
};

-- jingle_nodes configuration

jingle_nodes_turn_credentials = true;
jingle_nodes_turn_secret = "YourKey";
jingle_nodes_turn_credentials_ttl = 86400;
jingle_nodes_restricted = false;

-- BOSH configuration (mod_bosh)
consider_bosh_secure = true
cross_domain_bosh = true

-- WebSocket configuration (mod_websocket)
consider_websocket_secure = true
cross_domain_websocket = true

-- Disable account creation by default, for security
allow_registration = false

-- Use LDAP storage backend for all stores
storage = "ldap"

-- stanza optimization
csi_config_queue_all_muc_messages_but_mentions = false;


-- Logging configuration
log = {
	info = "/var/log/metronome/metronome.log"; -- Change 'info' to 'debug' for verbose logging
	error = "/var/log/metronome/metronome.err";
	-- "*syslog"; -- Uncomment this for logging to syslog
	-- "*console"; -- Log to the console, useful for debugging with daemonize=false
}

------ Components ------
-- You can specify components to add hosts that provide special services,
-- like multi-user conferences, and transports.

---Set up a local BOSH service
Component "localhost" "http"
	modules_enabled = { "bosh" }

----------- Virtual hosts -----------
-- You need to add a VirtualHost entry for each domain you wish Metronome to serve.
-- Settings under each VirtualHost entry apply *only* to that host.

Include "conf.d/*.cfg.lua"
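The `turn_secret` and `turn_ttl` values in the config above are what the XMPP server uses to hand clients short-lived TURN credentials through XEP-0215; this added Python example (not the poster's, Metronome's or coturn's code) shows that derivation and the matching check the TURN server performs. It assumes the TURN REST API scheme (draft-uberti-behave-turn-rest-00: HMAC-SHA1 over "expiry:user", base64-encoded), which is what coturn's `use-auth-secret` / `static-auth-secret` expects, and reuses the config's `YourKey` / `YourServer` placeholders as constructed values.

```python
import base64
import hashlib
import hmac
import time
from datetime import datetime, timezone
from typing import Optional

# Constructed stand-ins for the "YourKey" / "YourServer" placeholders in the
# posted Metronome config; they are not real credentials or hosts.
TURN_SECRET = "YourKey"
TURN_HOST = "YourServer"
TURN_TTL = 300  # matches turn_ttl of the first "turn" entry in the config


def issue_turn_credentials(user: str, secret: str = TURN_SECRET,
                           ttl: int = TURN_TTL, now: Optional[int] = None) -> dict:
    """XMPP-server side: build time-limited TURN credentials per the TURN REST
    API scheme (assumed). Only an HMAC over "expiry:user" leaves the server;
    the shared secret itself is never sent to clients."""
    if now is None:
        now = int(time.time())
    expiry = now + ttl
    username = f"{expiry}:{user}"
    digest = hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()
    return {"username": username,
            "password": base64.b64encode(digest).decode(),
            "expires": expiry}


def verify_turn_credentials(username: str, password: str, secret: str = TURN_SECRET,
                            now: Optional[int] = None) -> bool:
    """TURN-server side (what coturn does on ALLOCATE): recompute the HMAC with
    the same shared secret, compare in constant time, reject expired usernames."""
    if now is None:
        now = int(time.time())
    expiry_str, _, _ = username.partition(":")
    if not expiry_str.isdigit() or int(expiry_str) <= now:
        return False  # malformed, or past its turn_ttl window
    expected = base64.b64encode(
        hmac.new(secret.encode(), username.encode(), hashlib.sha1).digest()).decode()
    return hmac.compare_digest(expected, password)


def xep0215_service(cred: dict, transport: str = "udp", port: int = 3478) -> str:
    """Render one <service/> element as an XEP-0215 services response carries it
    (expires is an ISO 8601 UTC dateTime, not the raw epoch value)."""
    expires = datetime.fromtimestamp(cred["expires"], timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f'<service host="{TURN_HOST}" port="{port}" transport="{transport}" '
            f'type="turn" username="{cred["username"]}" '
            f'password="{cred["password"]}" expires="{expires}"/>')
```

Because the credential is bound to an expiry and to the secret, a leaked username/password pair stops working after `turn_ttl` seconds and rotating `turn_secret` on both Metronome and coturn invalidates everything issued so far.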

What ports should I open for this coturn thing to work?

What do you mean by “server address”?
Do you mean “mydomain.tld”?
What is that “key”?
Where do I get it from? Should I use it somewhere else?

Thank you!

OMEMO basically works with Metronome on Yunohost.
You need to have each of you in the contact list (roster).
With each client, at once, exchange a not-encrypted message, to be sure you get the OMEMO key. On Gajim you may have to trust manually the OMEMO key of your contact; on Conversations it is automatically accepted. For the following message you should be able to enable OMEMO.