checker-xmpp

XMPP server checker for happyDomain.

Probes a domain's XMPP deployment the same way xmpp.net does: SRV discovery, stream negotiation, STARTTLS, SASL mechanisms, federation auth (dialback / SASL EXTERNAL), and XEP-0368 direct-TLS. Produces an actionable HTML report with a remediation panel surfacing the most common real-world failures.

TLS certificate chain / SAN / expiry / cipher posture is out of scope — a dedicated TLS checker handles that. This checker only confirms that STARTTLS completes and records the negotiated TLS version/cipher for context.

When a TLS checker runs against the endpoints we publish via EndpointDiscoverer, its observations are automatically folded into our rule aggregation and HTML report via the SDK's GetRelated / CheckerHTMLReporterCtx composition path — so a bad cert on an XMPP endpoint shows up on the XMPP service page, not only in a separate TLS view. The expected observation key is tls_probes.

What it checks

For each of _xmpp-client._tcp, _xmpp-server._tcp, _xmpps-client._tcp, _xmpps-server._tcp (and legacy _jabber._tcp):

  1. SRV and A/AAAA resolution.
  2. TCP reachability.
  3. <stream:stream> open, stream features parsing.
  4. STARTTLS advertised (and <required/>).
  5. STARTTLS handshake success.
  6. Post-TLS SASL mechanism list (flags PLAIN-only, missing SCRAM).
  7. Server-to-server dialback / SASL EXTERNAL availability.
  8. XEP-0368 direct TLS (_xmpps-*) when published.
  9. IPv4 / IPv6 coverage.
  10. Fallback probe on <domain>:5222/:5269 when no SRV is published.
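
An added sketch of checks 3, 4 and 6 above, not code from this repository: it parses captured <stream:features> stanzas and derives the STARTTLS and SASL findings. The names features, assess and hdr, the finding labels, and the sample stanzas are assumptions constructed for illustration.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"strings"
)

// features holds the parts of <stream:features> that checks 3, 4 and 6 read.
type features struct {
	XMLName  xml.Name `xml:"http://etherx.jabber.org/streams features"`
	StartTLS *struct {
		Required *struct{} `xml:"required"`
	} `xml:"urn:ietf:params:xml:ns:xmpp-tls starttls"`
	SASL struct {
		Mechs []string `xml:"mechanism"`
	} `xml:"urn:ietf:params:xml:ns:xmpp-sasl mechanisms"`
}

// Constructed samples: features as seen before and after the STARTTLS upgrade.
const hdr = `<stream:features xmlns:stream="http://etherx.jabber.org/streams">`
const preTLS = hdr + `<starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/></stream:features>`
const postTLS = hdr + `<mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl"><mechanism>PLAIN</mechanism></mechanisms></stream:features>`

// assess returns finding labels (hypothetical names) for one endpoint.
func assess(pre, post string) (out []string, err error) {
	var a, b features
	if err = xml.Unmarshal([]byte(pre), &a); err != nil {
		return nil, err
	}
	if err = xml.Unmarshal([]byte(post), &b); err != nil {
		return nil, err
	}
	// Pre-TLS: STARTTLS must be offered, and <required/> rules out plaintext.
	if a.StartTLS == nil {
		out = append(out, "starttls-not-advertised")
	} else if a.StartTLS.Required == nil {
		out = append(out, "starttls-not-required")
	}
	// Post-TLS: flag a PLAIN-only list and the absence of any SCRAM-* mechanism.
	mechs := strings.Join(b.SASL.Mechs, " ")
	if mechs == "PLAIN" {
		out = append(out, "sasl-plain-only")
	}
	if !strings.Contains(mechs, "SCRAM-") {
		out = append(out, "sasl-missing-scram")
	}
	return out, nil
}

func main() { fmt.Println(assess(preTLS, postTLS)) }
```
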

Usage

Standalone HTTP server

make
./checker-xmpp -listen :8080

Docker

make docker
docker run -p 8080:8080 happydomain/checker-xmpp

happyDomain plugin

make plugin

Options

| Scope | Id | Description |
|-------|----|-------------|
| Run | domain | Domain to test (auto-filled from the service) |
| Run | mode | c2s, s2s, or both (default) |
| Run | timeout | Per-endpoint timeout in seconds (default 10) |

Applies to services of type abstract.XMPP.

License

MIT (see LICENSE). Third-party attributions in NOTICE.