

<!-- s2s configuration -->
<s2s>
  <!-- Our ID on the network (default: s2s) -->
  <id>s2s</id>

  <!-- The process ID file. Comment this out if you don't need to know
       the process ID from outside the process (eg for control scripts) -->
  <pidfile>/var/run/jabberd/s2s.pid</pidfile>

  <!-- Router connection configuration -->
  <router>
    <!-- IP/port the router is waiting for connections on -->
    <ip>127.0.0.1</ip>            <!-- default: 127.0.0.1 -->
    <port>5347</port>             <!-- default: 5347 -->

    <!-- Username/password to authenticate as -->
    <user>jabberd</user>          <!-- default: jabberd -->
    <pass>@ROUTERPASSWORD@</pass>           <!-- default: secret -->

    <!-- The router will only allow one component to be the default
         route (ie the component that receives packets destined for
         unknown hosts). If you want to run more than one s2s instance,
         you need to uncomment this so that s2s does not try to become
         the default route. Note that all outgoing s2s communication
         will go to the component that is the default route. -->
    <!--
    <non-default/>
    -->

    <!-- File containing an SSL certificate and private key to use when
         setting up an encrypted channel with the router. From
         SSL_CTX_use_certificate_chain_file(3): "The certificates must be
         in PEM format and must be sorted starting with the subject's
         certificate (actual client or server certificate), followed
         by intermediate CA certificates if applicable, and ending
         at the highest level (root) CA" (the latter one being optional).
         If this is commented out, or the file can't be read, no attempt
         will be made to establish an encrypted channel with the router,
         i.e. the router connection will be made in plaintext. -->
    <!--<pemfile/>-->

    <!-- Password for private key if key in router pemfile is encrypted -->
    <!--<private_key_password/>-->

    <!-- Router connection retry -->
    <retry>
      <!-- If the connection to the router can't be established at
           startup, we should try again this many times before exiting.
           Use -1 to retry indefinitely. [default: 3] -->
      <init>3</init>

      <!-- If we lost the connection to the router during normal
           operation (ie we've successfully connected to the router in
           the past), we should try to reconnect this many times before
           exiting. Use -1 to retry indefinitely. [default: 3] -->
      <lost>3</lost>

      <!-- Sleep for this many seconds before attempting a
           reconnect. [default: 2] -->
      <sleep>2</sleep>
    </retry>
  </router>

  <!-- Log configuration - type is "syslog", "file" or "stdout" -->
  <log type='syslog'>
    <!-- If logging to syslog, this is the log ident -->
    <ident>jabberd/s2s</ident>

    <!-- If logging to syslog, this is the log facility
         (local0 - local7, log_user)                        [default: local3] -->
    <facility>log_user</facility>

    <!-- if logging to file, this is the filename of the logfile -->
    <!--
    <file>/var/jabberd/log/s2s.log</file>
    -->
  </log>

  <!-- Local network configuration -->
  <local>
    <!-- IP and port to listen for incoming s2s connections on
         (default: 0.0.0.0, 5269) -->
    <ip>::</ip>
    <port>5269</port>

    <!-- Helper DNS resolver component - if this component is not
         connected, dialback connections will fail
         (default: resolver) -->
    <resolver>resolver</resolver>

    <!-- Secret used to generate dialback keys. If you have more than
         one s2s instance configured, make sure that this is the same on
         all of them. If this is commented out, a random one will be
         generated. -->
    <!--
    <secret>secret</secret>
    -->

    <!-- File containing an SSL certificate and private key to use when setting
         up encrypted s2s connections with other servers (STARTTLS + Dialback).
         From SSL_CTX_use_certificate_chain_file(3): "The certificates must be
         in PEM format and must be sorted starting with the subject's
         certificate (actual client or server certificate), followed
         by intermediate CA certificates if applicable, and ending
         at the highest level (root) CA" (the latter one being optional).
         If this is commented out, or the file can't be read, no attempt will be
         made to establish encrypted connections with other servers, i.e. any
         s2s connection that is established will be unencrypted. -->
    <!--<pemfile/>-->

    <!-- Password for private key if key in pemfile is encrypted -->
    <!--<private_key_password/>-->

    <!-- SSL peer verification mode, given as the numeric value of the mode
         parameter described in SSL_CTX_set_verify(3) -->
    <!--
    <verify-mode>7</verify-mode>
    -->

    <!-- Optional file containing the CA certificate chain to use for SSL
         connections. -->
    <!--
    <cachain>/etc/certificates/cachain.pem</cachain>
    -->

  </local>

  <!-- Apple security settings -->
  <security>
    <!-- If enabled, only TLS-encrypted connections will be accepted (dialback
         will not be attempted unless TLS has been established).
         0 = disabled, 1 = enabled.  -->
    <require_tls>0</require_tls>

    <!-- If enabled, only allow s2s connections with servers listed in the
         <whitelist_domain> entries below. -->
    <enable_whitelist>0</enable_whitelist>

    <!-- If enable_whitelist is enabled, only s2s connections with the domains listed
         will be accepted. Multiple listings are possible (use separate <whitelist_domain> tags). -->
        <!-- ex. <whitelist_domain>talk.google.com</whitelist_domain>
                <whitelist_domain>jabber.org</whitelist_domain> -->
  </security>

  <!-- input/output settings -->
  <io>
    <!-- Maximum number of file descriptors. Note that the number of
         possible connections will be slightly less than this, because
         s2s itself can use some on its own. If the supply of file
         descriptors is exhausted, new incoming connections will be
         denied (default: 1024) -->
<!-- Apple Only: This max_fds configuration option is ignored because
     launchd is responsible for configuring the RLIMIT_NOFILE resource
     limit
    <max_fds>11000</max_fds>
-->

    <!-- Rate limiting -->
    <limits>
      <!-- Maximum stanza size - if more than the given number of bytes
           are read in one incoming stanza, the stream is closed
           with a policy-violation error.

           Set to 0 to disable.
           Values less than 16384 might not work. -->
      <stanzasize>65535</stanzasize>
    </limits>

  </io>

  <!-- Timed checks -->
  <check>
    <!-- Interval between checks.

         Checks will be run every n seconds.

         0 disables all checks.                       (default: 60) -->
    <interval>60</interval>

    <!-- Queue expiry and connection timeout.

         While a connection is being established and dialback is in
         progress, packets are queued. If a valid connection has not
         been established within this many seconds, the connection
         process will be aborted and the queued packets will be
         bounced. Timeout checks are made for three phases of
         setting up a route authenticated through dialback:
         1. Connection establishment to exchange of stream headers
         2. Initiating dialback (incoming connections)
         3. Completing dialback (incoming and outgoing)

         0 disables queue expiry.                     (default: 60) -->
    <queue>60</queue>

    <!-- Idle connection checks.

           Connections that have not sent data for longer than this many
           seconds will be dropped.

           0 disables idle timeouts.              (default: 86400) -->
    <idle>86400</idle>

    <!-- Keepalives.

         Outgoing connections that have not been used for longer than
         this many seconds will have a single whitespace character sent
         to them. This forces the TCP connection to be closed if the
         peer has disconnected without us noticing.

         0 disables keepalives.                       (default: 0) -->
    <keepalive>0</keepalive>

  </check>

  <!-- Statistics -->
  <stats>
    <!-- file containing count of packets that went through -->
    <!--
    <packet>/var/jabberd/log/s2s.packets</packet>
    -->
  </stats>

</s2s>