checker-xmpp

XMPP server checker for happyDomain.

Probes a domain's XMPP deployment the same way xmpp.net does: SRV discovery, stream negotiation, STARTTLS, SASL mechanisms, federation auth (dialback / SASL EXTERNAL), and XEP-0368 direct-TLS. Produces an actionable HTML report with a remediation panel surfacing the most common real-world failures.

TLS certificate chain / SAN / expiry / cipher posture is out of scope: a dedicated TLS checker handles that. This checker only confirms that STARTTLS completes and records the negotiated TLS version/cipher for context.

We publish each probed endpoint as a DiscoveryEntry of type tls.endpoint.v1 so that checker-tls (or any other consumer of that contract) can run TLS posture checks against them without redoing the SRV lookup. The entries are produced through git.happydns.org/checker-tls/contract, with SNI set to the bare JID domain; XMPP certificates must be valid for the source domain (RFC 6120 §13.7.2.1), which is typically different from the SRV target hostname. RequireSTARTTLS is carried over from the STARTTLS-required posture we actually observed during probing, so an operator who requires STARTTLS will see a CRIT on the TLS side, not a WARN, if the server later drops it.

The TLS checker's resulting observations (under the tls_probes key) are folded back into our rule aggregation and HTML report via the SDK's ObservationGetter.GetRelated / ReportContext.Related path: a bad certificate on an XMPP endpoint shows up on the XMPP service page, not only in a separate TLS view. The matching between a probe and its XMPP endpoint is done on RelatedObservation.Ref, which carries the same value as DiscoveryEntry.Ref we emitted (computed deterministically by contract.Ref).

What it checks

For each of _xmpp-client._tcp, _xmpp-server._tcp, _xmpps-client._tcp, _xmpps-server._tcp (and legacy _jabber._tcp):

  1. SRV and A/AAAA resolution.
  2. TCP reachability.
  3. <stream:stream> open, stream features parsing.
  4. STARTTLS advertised (and <required/>).
  5. STARTTLS handshake success.
  6. Post-TLS SASL mechanism list (flags PLAIN-only, missing SCRAM).
  7. Server-to-server dialback / SASL EXTERNAL availability.
  8. XEP-0368 direct TLS (_xmpps-*) when published.
  9. IPv4 / IPv6 coverage.
  10. Fallback probe on <domain>:5222/:5269 when no SRV is published.
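The SRV discovery and fallback logic behind steps 1 and 10, written here as an added illustration rather than code taken from checker-xmpp. It assumes the same service names and modes the README lists, takes the resolver as a parameter (so `net.LookupSRV` can be swapped for a fake offline), orders records by priority then weight, honours the RFC 2782 lone `"."` target as "service explicitly not offered", and only falls back to `<domain>:5222` / `<domain>:5269` when no SRV record at all is published for that direction:

```go
package main

import (
	"fmt"
	"net"
	"os"
	"sort"
	"strings"
)

// Endpoint is one host:port candidate to probe. Fallback marks the
// <domain>:5222 / <domain>:5269 guess used when no SRV record is published.
type Endpoint struct {
	Service  string // e.g. "_xmpp-client._tcp"; empty for the fallback
	Host     string
	Port     uint16
	Fallback bool
}

// LookupSRV has the signature of net.LookupSRV so a fake resolver can be
// injected in tests; production callers pass net.LookupSRV itself.
type LookupSRV func(service, proto, name string) (string, []*net.SRV, error)

// serviceGroup lists the SRV services probed for one direction and the port
// tried on the bare domain when none of them is published.
type serviceGroup struct {
	Services     []string
	FallbackPort uint16
}

var (
	c2sGroup = serviceGroup{[]string{"xmpp-client", "xmpps-client", "jabber"}, 5222}
	s2sGroup = serviceGroup{[]string{"xmpp-server", "xmpps-server"}, 5269}
)

// DiscoverEndpoints returns the ordered endpoints to probe for domain in the
// given mode ("c2s", "s2s" or "both"). Records are ordered by priority
// (lowest first), then weight (highest first; a deterministic stand-in for
// RFC 2782 weighted random selection). A lone record whose target is "."
// means the service is explicitly not offered, so it counts as published and
// suppresses the fallback for that direction.
func DiscoverEndpoints(domain, mode string, lookup LookupSRV) ([]Endpoint, error) {
	var groups []serviceGroup
	switch mode {
	case "c2s":
		groups = []serviceGroup{c2sGroup}
	case "s2s":
		groups = []serviceGroup{s2sGroup}
	case "both":
		groups = []serviceGroup{c2sGroup, s2sGroup}
	default:
		return nil, fmt.Errorf("unknown mode %q (want c2s, s2s or both)", mode)
	}

	var out []Endpoint
	for _, g := range groups {
		published := false
		for _, svc := range g.Services {
			_, recs, err := lookup(svc, "tcp", domain)
			if err != nil || len(recs) == 0 {
				// NXDOMAIN / NODATA: this service is simply not published.
				continue
			}
			published = true
			if len(recs) == 1 && recs[0].Target == "." {
				continue // explicit "not offered" marker, nothing to probe
			}
			sort.SliceStable(recs, func(i, j int) bool {
				if recs[i].Priority != recs[j].Priority {
					return recs[i].Priority < recs[j].Priority
				}
				return recs[i].Weight > recs[j].Weight
			})
			for _, r := range recs {
				out = append(out, Endpoint{
					Service: "_" + svc + "._tcp",
					Host:    strings.TrimSuffix(r.Target, "."),
					Port:    r.Port,
				})
			}
		}
		if !published {
			out = append(out, Endpoint{Host: domain, Port: g.FallbackPort, Fallback: true})
		}
	}
	return out, nil
}

func main() {
	domain := "example.org" // placeholder; pass a real domain as the first argument
	if len(os.Args) > 1 {
		domain = os.Args[1]
	}
	eps, err := DiscoverEndpoints(domain, "both", net.LookupSRV)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	for _, e := range eps {
		tag := e.Service
		if e.Fallback {
			tag = "fallback"
		}
		fmt.Printf("%-20s %s:%d\n", tag, e.Host, e.Port)
	}
}
```

Weight ordering is deterministic here so that a report is reproducible between runs; a probe that wants to mimic client selection behaviour would instead pick randomly among equal-priority records in proportion to weight.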

Usage

Standalone HTTP server

```sh
make
./checker-xmpp -listen :8080
```

Docker

```sh
make docker
docker run -p 8080:8080 happydomain/checker-xmpp
```

happyDomain plugin

```sh
make plugin
```

Options

| Scope | Id | Description |
|---|---|---|
| Run | domain | Domain to test (auto-filled from the service) |
| Run | mode | `c2s`, `s2s`, or `both` (default) |
| Run | timeout | Per-endpoint timeout in seconds (default 10) |

Applies to services of type abstract.XMPP.

Rules

| Code | Description | Severity |
|---|---|---|
| xmpp.srv_c2s | Verifies that client-to-server SRV records (_xmpp-client / _xmpps-client / _jabber) are published and resolvable. | CRITICAL |
| xmpp.srv_s2s | Verifies that server-to-server SRV records (_xmpp-server / _xmpps-server) are published and resolvable. | CRITICAL |
| xmpp.c2s_reachable | Verifies that at least one client-to-server endpoint accepts TCP and completes TLS. | CRITICAL |
| xmpp.s2s_reachable | Verifies that at least one server-to-server endpoint accepts TCP and completes TLS. | CRITICAL |
| xmpp.starttls_required | Verifies that STARTTLS is advertised and required on every reachable c2s/s2s endpoint. | CRITICAL |
| xmpp.sasl_mechanisms | Reviews the c2s SASL mechanism offer (presence of SCRAM, absence of a password-equivalent PLAIN-only offer). | CRITICAL |
| xmpp.s2s_dialback | Verifies that s2s endpoints advertise dialback or SASL EXTERNAL after TLS (federation auth). | CRITICAL |
| xmpp.ipv6_reachable | Flags deployments that are only reachable over IPv4. | INFO |
| xmpp.direct_tls | Flags c2s deployments that do not publish XEP-0368 direct-TLS SRV records. | INFO |
| xmpp.tls_quality | Folds the downstream TLS checker findings (certificate chain, hostname match, expiry) onto the XMPP service. | CRITICAL |
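How the `xmpp.starttls_required` and `xmpp.sasl_mechanisms` rules can be derived from a parsed `<stream:features>` element (steps 3, 4 and 6 of the check list), as an added example that is not checker-xmpp's own code and does not use the checker SDK. The rule codes are the ones from the table above; the `StreamFeatures` / `RuleResult` types, the function names and the sample features are constructed for this illustration. The STARTTLS rule is evaluated on the features received before TLS, the SASL rule on the features re-sent after the TLS handshake:

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// StreamFeatures models the parts of <stream:features> inspected here.
// The XMLName tag carries no namespace, so it matches the stream-prefixed
// element regardless of how the prefix was declared on <stream:stream>.
type StreamFeatures struct {
	XMLName    xml.Name    `xml:"features"`
	StartTLS   *StartTLS   `xml:"urn:ietf:params:xml:ns:xmpp-tls starttls"`
	Mechanisms *Mechanisms `xml:"urn:ietf:params:xml:ns:xmpp-sasl mechanisms"`
}

// StartTLS is non-nil when STARTTLS is advertised; Required is non-nil when
// the server also sent <required/>.
type StartTLS struct {
	Required *struct{} `xml:"required"`
}

// Mechanisms is the SASL mechanism list, meaningful only after STARTTLS.
type Mechanisms struct {
	List []string `xml:"mechanism"`
}

// RuleResult is one verdict keyed by the rule code from the README table.
type RuleResult struct {
	Code    string
	Pass    bool
	Message string
}

// ParseStreamFeatures decodes one <stream:features> element.
func ParseStreamFeatures(raw string) (*StreamFeatures, error) {
	var f StreamFeatures
	if err := xml.Unmarshal([]byte(raw), &f); err != nil {
		return nil, fmt.Errorf("parse stream:features: %w", err)
	}
	return &f, nil
}

// CheckStartTLSRequired evaluates the pre-TLS features: STARTTLS must be
// both advertised and marked <required/>.
func CheckStartTLSRequired(f *StreamFeatures) RuleResult {
	const code = "xmpp.starttls_required"
	switch {
	case f.StartTLS == nil:
		return RuleResult{code, false, "STARTTLS not advertised; plaintext sessions would be accepted"}
	case f.StartTLS.Required == nil:
		return RuleResult{code, false, "STARTTLS advertised but optional (<required/> missing)"}
	default:
		return RuleResult{code, true, "STARTTLS advertised and required"}
	}
}

// CheckSASLMechanisms evaluates the post-TLS features: at least one SCRAM
// mechanism must be offered, and a PLAIN-only offer is called out explicitly.
func CheckSASLMechanisms(f *StreamFeatures) RuleResult {
	const code = "xmpp.sasl_mechanisms"
	if f.Mechanisms == nil || len(f.Mechanisms.List) == 0 {
		return RuleResult{code, false, "no SASL mechanisms offered after TLS"}
	}
	hasSCRAM, onlyPlain := false, true
	for _, m := range f.Mechanisms.List {
		m = strings.ToUpper(strings.TrimSpace(m))
		if strings.HasPrefix(m, "SCRAM-") {
			hasSCRAM = true
		}
		if m != "PLAIN" {
			onlyPlain = false
		}
	}
	offer := strings.Join(f.Mechanisms.List, ", ")
	switch {
	case onlyPlain:
		return RuleResult{code, false, "PLAIN is the only SASL mechanism offered (password-equivalent)"}
	case !hasSCRAM:
		return RuleResult{code, false, "no SCRAM mechanism offered: " + offer}
	default:
		return RuleResult{code, true, "SCRAM offered: " + offer}
	}
}

// Constructed sample features, not captured from any real server.
const (
	SamplePreTLS = `<stream:features xmlns:stream='http://etherx.jabber.org/streams'>
  <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'><required/></starttls>
</stream:features>`
	SamplePostTLS = `<stream:features xmlns:stream='http://etherx.jabber.org/streams'>
  <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
    <mechanism>SCRAM-SHA-256</mechanism><mechanism>SCRAM-SHA-1</mechanism><mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>`
	SamplePlainOnly = `<stream:features xmlns:stream='http://etherx.jabber.org/streams'>
  <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'><mechanism>PLAIN</mechanism></mechanisms>
</stream:features>`
)

func main() {
	for _, s := range []struct {
		raw   string
		check func(*StreamFeatures) RuleResult
	}{{SamplePreTLS, CheckStartTLSRequired}, {SamplePostTLS, CheckSASLMechanisms}, {SamplePlainOnly, CheckSASLMechanisms}} {
		f, err := ParseStreamFeatures(s.raw)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		r := s.check(f)
		fmt.Printf("%-24s pass=%-5t %s\n", r.Code, r.Pass, r.Message)
	}
}
```

Feeding the pre-TLS features to the SASL check would wrongly report "no SASL mechanisms offered", since servers normally withhold the mechanism list until TLS is up; keep the two feature snapshots separate as the probe sequence in "What it checks" does.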

License

MIT (see LICENSE). Third-party attributions in NOTICE.