docker-ejabberd

Open relay

Open hasufell opened this issue 5 years ago • 5 comments

Is this docker image by default an open relay, in that it allows in-band registration?

https://github.com/rroemhild/docker-ejabberd/blob/40f2b5b1d4a40f24a690e98722d983d27f0c0096/conf/ejabberd.yml.tpl#L291-L298

hasufell avatar Jan 08 '19 17:01 hasufell

It seems so... I just had the pleasure to remove almost 4000 unwanted users from my server. :wink:

The EJABBERD_REGISTER_ADMIN_ONLY option is missing in the README.md, so I wasn't aware of it. Maybe its logic should also be reversed, so in-band registration is disabled by default, and only enabled if an env is explicitly set to true.

shred avatar Jan 28 '19 10:01 shred

Awful. I wonder how many more users of this image are affected.

hasufell avatar Jan 28 '19 13:01 hasufell

Also, EJABBERD_REGISTER_TRUSTED_NETWORK_ONLY is supposed to be true by default, according to the README. However, this default value does not seem to be set anywhere.

shred avatar Jan 28 '19 17:01 shred

> I just had the pleasure to remove almost 4000 unwanted users from my server.

@shred I guess that those users were registered by a spammer. Setting EJABBERD_CAPTCHA env var to true can help save you from such situations.

youmad avatar Jan 30 '19 07:01 youmad
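The three controls the thread circles around (registration denied by default, a trusted-network restriction, and a captcha) map onto a handful of native ejabberd.yml options. The fragments below are an added example, not the image's ejabberd.yml.tpl; the admin JID, IP ranges, captcha paths and URL are placeholders, and each document is meant to be merged into a full config, not used stand-alone.

```yaml
# --- Weak (what the thread describes): anyone who can reach the c2s port
#     may create an account via XEP-0077 in-band registration ---
access_rules:
  register:
    - allow

modules:
  mod_register:
    access: register
---
# --- Hardened: deny by default, opt in only for trusted source networks,
#     and require a captcha even then ---
acl:
  admin:
    user:
      - "admin@example.org"        # placeholder admin JID
  loopback:
    ip:
      - 127.0.0.0/8               # placeholder trusted ranges
      - ::1/128

access_rules:
  register:
    - deny                        # in-band registration refused for everyone
  trusted_network:
    - allow: loopback             # only these source IPs may even attempt it
    - deny

modules:
  mod_register:
    access: register              # rule that decides who may register
    ip_access: trusted_network    # rule that decides from where
    captcha_protected: true       # needs captcha_cmd/captcha_url below
    registration_watchers:
      - "admin@example.org"       # one message per new account: cheap detection
                                  # of the mass sign-ups shred ran into

# Captcha backend used by captcha_protected (placeholder paths)
captcha_cmd: /opt/ejabberd/lib/captcha.sh
captcha_url: https://xmpp.example.org:5280/captcha
```

With `register` set to deny, accounts are still created out of band with `ejabberdctl register <user> <host> <password>`, which does not go through mod_register's access check, so an admin-only deployment needs no allow rule at all.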

A default configuration should never be an open relay.

hasufell avatar Jan 30 '19 08:01 hasufell