We are proud to introduce our new ejabberd release, ejabberd 16.06. As usual it includes many bug fixes, but also several improvements.
The big improvement in this release is a new Access Control List (ACL) infrastructure. ACL rules are used in ejabberd config file to define fine-grained access to ejabberd features.
In ejabberd 16.06, the ACL configuration has been much improved to make it both simpler to use and easier to read. Moreover, ACL and access rules are not mandatory anymore when configuring access restrictions for a feature or a module: You can just inline the user, for example, making small configuration much easier to setup properly.
To make you even more comfortable, our new code is still supporting the old syntax and you can mix old and new syntax. It means that you can still use your existing configuration file and that you can migrate incrementally, as needed.
The new ACL syntax
New access rule will look like this:
access_rules: my_access: - allow: admins - deny: blocked - allow: - user: "email@example.com" - ip: "184.108.40.206/32" - allow: moderators
This is an example definition for
my_access rule. It is composed of four groups. They are evaluated from top to bottom order. the first with all listed acl rules evaluated as true is used as result. If none of them matches, evaluation fallback to default value
deny. Above definition can be parsed as: if user belongs to ACL definition
allow, if not, and user belongs to ACL definition
deny. otherwise for user “firstname.lastname@example.org” when connected from ip: “220.127.116.11” return
allow, and for users in ACL definition
allow as well, in all other cases return
We can see in this example two new additions that were introduced in this rewrite:
- you can now directly specify ACL definitions inside access rules (you no longer will be required to define ACL rules for each case)
- you now have the ability to require a match on several ACL rules types at this same time (in the example: ip and user).
You can use any rule that is allowed inside acl: sections (like user, server, resource, user_glob, etc.) and one additional rule that is allowed only inside access_rules: section,
acl: NameOfACL that will look for definition of NameOfAcl inside
acl: section and use it for matching. If you have only one ACL rule name to use you can use short form
- allow: acl_rule, additionally
- allow: all or
- deny: all can be shorted still to
- allow and ‘- deny`.
Shapers can also be specified using new syntax, but they now go into
shaper_rules: section and they look like that:
shaper_rules: my_shaper: - 100: admin - 10: all
Rules defined in
access: section will use old syntax, and work as before, so you don’t need to update your old config, to adapt it to that change.
At last, one can define module specific access rules directly in modules configuration section, this is simpler to understand when reading configuration.
Let’s get a simple example of the changes. With previous ACL implementation, one could have this:
acl: bad_servers: ip: - "XXX.XXX.XXX.XXX/32" admin: user: - "aleksey": "localhost" access: muc_admin: admin: allow muc_create: local: allow muc: all: allow s2s: bad_servers: deny all: allow c2s_shaper: admin: none all: normal modules: mod_muc: access: muc access_create: muc_create access_persistent: muc_create access_admin: muc_admin
Which can be translated to this since ejabberd 16.06 with new ACL implementation:
acl: admin: user: "aleksey@localhost" access_rules: s2s: - deny: - ip: "XXX.XXX.XXX.XXX/32" - allow c2s_shaper: - none: admin - normal modules: mod_muc: access: - allow access_create: - allow: local access_persistent: - allow: local access_admin: - allow: admin
Shorter and clearer. Please also note that you can use the JID literally as a string. The previous awkward
username: domain syntax can go away.
This is a selection of the most relevant changes:
- New ACL infrastructure
- Add shorter version of some common access rules definitions
@inside acl rules
user_regexpto pass both user and server
in single string
- Add acl rule
shaper_rules_validatorfor use in
- Allow using shapers defined by name like in s2s_shaper: fast
- Allow mod_opt_type and opt_type to transform values passed to it, and support
better error reporting
- Do not call
transform_termsmultiple times in configuration processing when merging them
- Don’t halt program when
include_config_fileis missing/can’t be read
- Allow again multiple fqdn values in configuration
- Allow passing username and ip to
ejabberd_commands, and use it in
- Fix path to epmd in ejabberdctl
- push_roster: must convert read strings to binaries
set_presence: Fix command API
- Fix for
- Add ejabberdctl commands to manage oauth tokens.
- Bounce messages sent to server JID
- Fix C2S session leak in rare cases
- Fix handling of queued stanzas on session timeout
- Give more time to stop and kill epmd
- When stopping ejabberd, stop modules after broadcasting c2s shutdown
- XEP-0198: Use different error message for bounces
- XEP-0198: Add ‘h’ attribute to element
- XEP-0198: Also count stanzas when socket is closed
- Fix pgsql compatibility on
- Handle Redis connection in a separate module
- Report in SQL when scram is enabled but the stored password isn’t
- Update SQL escaping
- Use MEDIUMTEXT type for muc_room.opts in MySQL schema
- Send unique stanza id and archived tag also in the message carbons
- Fix “assume_mam_usage: if_enabled”
- Fix typo in
- Updated support of XEP-0313 from version 0.4 to 0.5.1
- Mnesia: Avoid cleanup on bag when disc_only, switch in memory
- Mnesia: Don’t exceed table size limit
- Mnesia: Use transactions when writing
Client State Indication
- Fix handling of chat states
- Simplify check for carbon-copied chat states
- Simplify handling of PEP stanzas
- Pass chat states of other resources
- Unwrap carbon copies when checking for chat states
- Queue chat state notifications
- Move CSI queue handling code from
- When stopping, delete only the configured hooks
- ext_mod: Set HTTP/1.0 so Github accepts the request
- gen_mod: Compile early to remove undefined behaviour warning
- mod_http_upload: Let client retry HTTP upload on file size mismatch
- mod_last: Produce mod_last entry on account creation
- mod_muc_room: Notify on affiliation changes
- mod_register: Check password with jid:resourceprep when registering account
- mod_roster: respect roster item changes introduced with
roster_process_itemhooks upon pushing
- PubSub: Fix PubSub RSM on
- PubSub: Add support for PubSub publishing options
- PEP: Fix sender in case of explicit pep subscriptions
- ejabberd_xmlrpc: Report error when conversion of argument type fails
As usual, the release is tagged in the Git source code repository on Github.
The source package and binary installers are available at ProcessOne.
If you suspect that you’ve found a bug, please search or fill a bug report on Github.