I have tested ejabberd 20.03 on my Arch Linux box for a few weeks now as a possible WhatsApp replacement within the family. I use a PostgreSQL backend for my user database. All went very well until today: I created a third account for my sister. Login is OK and we can chat with each other. Here comes the problem: she can see the chat history of me and her son, who was/is the first non-admin user! And his chat history is cleartext while mine is not readable.

I did not create a chat room and almost everything (besides the user authentication thing) is the default. We all use the current Conversations on Android. I have no idea what's going on here...

The modules section:

modules:
  mod_adhoc: {}
  mod_admin_extra: {}
  mod_announce:
    access: announce
  mod_avatar: {}
  mod_blocking: {}
  mod_bosh: {}
  mod_caps: {}
  mod_carboncopy: {}
  mod_client_state: {}
  mod_configure: {}
  mod_disco: {}
  mod_fail2ban: {}
  mod_http_api: {}
  mod_http_upload:
    put_url: https://@HOST@:5443/upload
  mod_last: {}
  mod_mam:
    ## Mnesia is limited to 2GB, better to use an SQL backend
    ## For small servers SQLite is a good fit and is very easy
    ## to configure. Uncomment this when you have SQL configured:
    db_type: sql
    assume_mam_usage: true
    default: always
  mod_mqtt: {}
  mod_muc:
    access:
      - allow
    access_admin:
      - allow: admin
    access_create: muc_create
    access_persistent: muc_create
    access_mam:
      - allow
    default_room_options:
      mam: true
  mod_muc_admin: {}
  mod_offline:
    access_max_user_messages: max_user_offline_messages
  mod_ping: {}
  mod_privacy: {}
  mod_private: {}
  mod_proxy65:
    access: local
    max_connections: 5
  mod_pubsub:
    access_createnode: pubsub_createnode
    plugins:
      - flat
      - pep
    force_node_config:
      ## Avoid buggy clients to make their bookmarks public
      storage:bookmarks:
        access_model: whitelist
  mod_push: {}
  mod_push_keepalive: {}
  mod_register:
    ## Only accept registration requests from the "trusted"
    ## network (see access_rules section above).
    ## Think twice before enabling registration from any
    ## address. See the Jabber SPAM Manifesto for details:
    ## https://github.com/ge0rg/jabber-spam-fighting-manifesto
    ip_access: trusted_network
  mod_roster:
    versioning: true
#  mod_s2s_dialback: {}
  mod_shared_roster: {}
  mod_stream_mgmt:
    resend_on_timeout: if_offline
  mod_vcard: {}
  mod_vcard_xupdate: {}
  mod_version:
    show_os: false

Torsten

1 Answer

Obviously there's something else going on here that you didn't notice and have not mentioned.

Maybe the fact that mod_mam is enabled, and configured to archive by default all conversations. But there's necessarily something else going on, maybe your clients are reusing accounts, so different people have access to the same accounts...

Badlop
  • SOLVED: You are right: My nephew didn't tell me that he created his account (for testing purposes) and the account of his mother on the phone! And he left his account active on the device ;( How was I supposed to know! They are 150km away... ;) – Torsten Apr 30 '20 at 10:12
  • Then mark this as solved – Badlop Apr 30 '20 at 16:01
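The answer's hypothesis (an account logged in on more than one device, with mod_mam then serving that device the whole archive) is something the server admin can check from the command line. The following is an added example, not code from the question, the answer or the ejabberd project: it flags accounts with more than one live session in the output of `ejabberdctl connected_users_info`. The line format (tab-separated, full JID in the first field and client IP in the third) and the sample sessions are assumed and constructed here.

```shell
#!/bin/sh
# Added example: list accounts that currently have more than one c2s session,
# i.e. the situation that let a second phone read the nephew's MAM archive.
# Assumed output format of `ejabberdctl connected_users_info` (tab-separated):
#   user@host/resource  c2s  client-ip  port  ...   (only fields 1 and 3 are used)

# Constructed stand-in for: ejabberdctl connected_users_info
SAMPLE=$(printf '%s\t%s\t%s\t%s\n' \
  'sister@example.org/Conversations.abcd' c2s 203.0.113.10 54321 \
  'nephew@example.org/Conversations.ef01' c2s 203.0.113.10 54322 \
  'nephew@example.org/Conversations.2233' c2s 198.51.100.7 41000 \
  'admin@example.org/laptop'              c2s 192.0.2.5    5222)

# Prints "bare_jid sessions distinct_ips" for every account with >1 session.
# Two sessions from two different IPs is the pattern worth a follow-up with
# the user (or `ejabberdctl kick_session` if the device is not theirs).
multi_session_accounts() {
  printf '%s\n' "$1" | awk -F '\t' '
    NF >= 3 {
      jid = $1; sub(/\/.*/, "", jid)          # strip resource -> bare JID
      n[jid]++
      key = jid SUBSEP $3                     # count distinct client IPs
      if (!(key in seen)) { seen[key] = 1; ips[jid]++ }
    }
    END { for (j in n) if (n[j] > 1) print j, n[j], ips[j] }' | sort
}

# Live use would be: multi_session_accounts "$(ejabberdctl connected_users_info)"
multi_session_accounts "$SAMPLE"
```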