ejabberd

ejabberd 25.07

We are pleased to announce a new ejabberd release: ejabberd 25.07, with three months of work and more than 110 commits to bring new modules, new features, improvements and bugfixes.

Jérôme Sautret
· 9 min read
Send by email

Release Highlights:

This release focus on integration in a wider federated network, with support for spam fighting features, better compliance with Matrix network and native support for PubSub Server Information to have your server count as part of the wider XMPP network (for example, you can register your server on XMPP Network Graph).

If you are upgrading from a previous version, there are no changes in SQL schemas, configuration, API commands or hooks.

List of Contents:

Below is a detailed breakdown of the improvements and enhancements:

Workaround for zip module in unpatched Erlang

A vulnerability was published three weeks ago that affects the zip library included in Erlang/OTP: CVE-2025-4748: Absolute path in zip module.

The ejabberd installers and the ejabberd container image already use a patched version Erlang/OTP 27.3.4.1, but the ecs container image uses Erlang/OTP 26.2.

ejabberd 25.07 includes a specific protection that workarounds that vulnerability regardless of what Erlang/OTP version you are using.

Erlang/OTP 28 supported

Updating ejabberd to support Erlang/OTP 28 has required quite some work due to the replacement of ancient ASN.1 modules from Erlang/OTP public_key library.

Improvements were done on ejabberd, fast_xml, p1_acme, xmpp libraries, and also rebar/rebar3 binaries were recompiled.

However, there is still one last problem not yet solved which implies that ACME support is broken when using Erlang/OTP 28.0.1. The fix will probably be included in the next Erlang/OTP 28 release.

Erlang/OTP 25 required

The minimum Erlang/OTP version supported since now is 25.0.

However, we are aware there are still a few specific cases where older Erlang/OTP versions are being used. For that reason, the source code support for those versions is still available, and static source code analysis tools like xref and dialyzer are still run with Erlang/OTP 20 in runtime.yml.

If you really need to use ejabberd with Erlang/OTP 20 - 24, you can bypass the version check during compilation with this ./configure option: ./configure --with-min-erlang=9.0.5

New mod_antispam with RTBL support

mod_antispam is a new module that filters spam messages and subscription requests received from remote servers based on Real-Time Block Lists (RTBL), text lists of known spammer JIDs and/or URLs mentioned in spam messages.

This module is based in mod_spam_filter which was originally published in ejabberd-contrib. If you were using that module, you can update your configuration and start using mod_antispam instead.

New mod_pubsub_serverinfo

mod_pubsub_serverinfo adds support for XEP-0485: PubSub Server Information to expose S2S information over the Pub/Sub service.

This module was originally published in ejabberd-contrib. If you were using that module, you can remove it, as now it's included in ejabberd.

Improvements in Matrix gateway

While we are preparing another big update for the Matrix gateway. The most important change is that we added support to a larger number of room versions. It allows users to let them join a lot of rooms that were already created a while back and running an older version of the room protocol.

Here is the main list of changes to the matrix gateway:

  • mod_matrix_gw: Support older Matrix rooms versions starting from version 4
  • mod_matrix_gw: Don't send empty messages in Matrix rooms (#4385)
  • mod_matrix_gw: Fix key validation in mod_matrix_gw_s2s:check_signature
  • mod_matrix_gw: When encoding JSON, handle term that is key-value list (#4379)

XEP-0431: Full Text Search in MAM

Support for XEP-0431: Full Text Search in MAM has been added. For now, it only works if mod_mam is using the MySQL storage backend.

New rest_proxy options

With those new options you can make modules using rest.erl module (like ejabberd_oauth_rest) use HTTP proxy when performing HTTP requests.

The related new top level options are:

  • rest_proxy: Address of a HTTP Connect proxy
  • rest_proxy_port: Port of a HTTP Connect proxy
  • rest_proxy_username: Username used to authenticate to HTTP Connect proxy (optional)
  • rest_proxy_password: Password used to authenticate to HTTP Connect proxy (optional)

New auth_password_types_hidden_in_scram1 option

This option was added to help with adding new password types in auth_stored_password_types option to existing installations. Adding new password type made server advertise it to clients, but that caused problems for users that didn't have new password type stored, and which clients used SASL1 authentication, if client tried to authenticate with it, authentications would fail.

With this new option, server admin can choose which password types should not be presented to SASL1 clients (they still will be offered to SASL2 clients for users that have password compatible with this type), to later after users update password to have new type, being able to enable them.

This option takes list of password types from auth_stored_password_types that should be disabled

auth_password_types_hidden_in_scram1:
  - scram_sha512
  - scram_sha256

New hosts_alias option

The new hosts_alias toplevel option is used by the ejabberd_http listener to resolve domain names into vhosts served by ejabberd.

For example, ejabberd is serving the vhost redacted.lan, but you configured DNS so xmpp.redacted.lan resolves to that host. If you configure in ejabberd:

hosts:
  - redacted.lan

hosts_alias:
  xmpp.redacted.lan: redacted.lan

listen:
  -
    port: 443
    ip: "::"
    tls: true
    module: ejabberd_http
    request_handlers:
      "/bosh": mod_bosh
      "/ws": ejabberd_http_ws
      "/conversejs": mod_conversejs

modules:
  mod_bosh:
  mod_conversejs:
    bosh_service_url: "https://xmpp.redacted.lan/bosh"
    websocket_url: "wss://xmpp.redacted.lan/ws"

then ejabberd_http will accept https://xmpp.redacted.lan/conversejs and deliver it to vhost redacted.lan

In previous ejabberd releases, an option called default_host was documented for the ejabberd_http listener, but it didn't work at all correctly.

New predefined keywords

A few months ago, ejabberd 25.03 introduced new predefined keywords like HOST, HOME, VERSION and SEMVER.

And now two more predefined keywords are added:

  • CONFIG_PATH: Path to the configuration directory, for example "/home/ejabberd/opt/ejabberd/conf"
  • LOG_PATH: Path to the log directory, for example "/home/ejabberd/opt/ejabberd/logs"

Those keywords are specially useful when configuring mod_antispam: you can copy text files to the configuration directory where the module will read them, and also configure the module to write the dump file on the log directory.

mod_conversejs has a new tiny improvement: it adds a link in the WebAdmin menu to the local Converse instance.

Additionally, when HTTPS with encryption is enabled, that link logins directly with the account used in WebAdmin.

Updates in source code formatting

A year ago, ejabberd 24.06 introduced make format and make indent.

Now that script uses Perl to work correctly in Mac OS too.

And there's a new section in the documentation, see Format that describes how to use that feature, and tips for Git hooks and Git alias.

New target test-group

ejabberd includes a Common Test suite with 1456 test cases, which typically takes around 10 minutes to run.

When developing new source code, you may want to run only tests from a specific group and a specific storage backend, as documented in the ejabberd testing documentation:

CT_BACKENDS=mnesia rebar3 ct --suite=test/ejabberd_SUITE --group=antispam_single

To facilitate this usage, a new target is available:

CT_BACKENDS=mnesia make test-antispam_single

Acknowledgments

We would like to thank the contributions to the source code, documentation, and translation provided for this release by:

And also to all the people contributing in the ejabberd chatroom, issue tracker...

Improvements in ejabberd Business Edition

Customers of the ejabberd Business Edition, in addition to all those improvements and bugfixes, also get the following changes.

Monitoring

The following new metrics has been added to mod_mon:

  • message_receive_packet: number of message stanzas of any type received by the server on c2s connections
  • message_send_packet: number of message stanzas of any type send by the server on c2s connections
  • iq_receive_packet: number of IQ stanzas received by the server on c2s connections
  • iq_send_packet: number of IQ stanzas send by the server on c2s connections
  • iq_get_receive_packet: number of IQ stanzas of type get received by the server on c2s connections
  • iq_set_receive_packet: number of IQ stanzas of type set received by the server on c2s connections
  • iq_result_receive_packet: number of IQ stanzas of type result received by the server on c2s connections
  • iq_error_receive_packet: number of IQ stanzas of type error received by the server on c2s connections
  • iq_get_send_packet: number of IQ stanzas of type get send by the server on c2s connections
  • iq_set_send_packet: number of IQ stanzas of type set send by the server on c2s connections
  • iq_result_send_packet: number of IQ stanzas of type result send by the server on c2s connections
  • iq_error_send_packet: number of IQ stanzas of type error send by the server on c2s connections

The metrics c2s_receive & c2s_send now count all stanzas on c2s connections.

The cpu_usage probe now gives more reliable values.

Prometheus support has been improved.

A new mod_mon_dump command has been added to dump probe values to help debug the monitoring setup.r

Mobile push

It is now possible to use rest_proxy* options to use a HTTP proxy for mod_applepush & mod_gcm outgoing calls.

ChangeLog

This is a more complete list of changes in this ejabberd release:

Security fix

  • ext_mod: Add temporary workaround for zip including absolute path

Compilation

  • Raise the minimum Elixir tested version to 1.14.0 (#4281)
  • Raise Erlang/OTP minimum requirement to 25.0 (#4281)
  • configure.ac: Allow to specify minimal erlang version using --with-min-erlang
  • Makefile.in: Add target test-<group>
  • rebar3-format.sh: Replace csplit with perl
  • Container: Bump Erlang/OTP 27.3.4.1, Elixir 1.18.4
  • Installers: Bump Erlang/OTP 27.3.4.1, Elixir 1.18.4, libexpat 2.7.1, OpenSSL 3.5.1

Configuration and Tests

  • Add rest_proxy* options to configure proxy used by rest module
  • ejabberd_c2s: Add auth_password_types_hidden_in_scram1 option
  • ejabberd_http: Remove unused default_host option and state element
  • ejabberd_http: New option hosts_alias and function resolve_host_alias/1 (#4400)
  • New predefined keywords: CONFIG_PATH and LOG_PATH
  • Fix macro used in string options when defined in env var
  • Use auxiliary function to get $HOME, use Mnesia directory when not set (#4402)
  • ejabberd_config: Better lists:uniq substitute
  • Tests: update readme and compose to work with current sw versions
  • Update Elvis to 4.1.1, fix some warnings and enable their tests

Erlang/OTP 28 support

  • Add workaround in p1_acme for Jose 1.11.10 not supporting OTP 28 ecPrivkeyVer1 (#4393)
  • Bump fast_xml and xmpp for improved Erlang/OTP 28 support
  • Bump xmpp and p1_acme patched with Erlang/OTP 28 support
  • Fix make options in Erlang/OTP 28 (#4352)
  • Fix crash in rebar3 cover with Erlang/OTP 28 (#4353)
  • Rebar/Rebar3: Update binaries to work with Erlang/OTP 25-28 (#4354)
  • CI and Runtime: Add Erlang/OTP 28 to the versions matrix

SQL

  • Fix mnesia to sql exporter after changes to auth tables
  • Update code for switching to new schema type to users table changes
  • Add mssql specific implementation of delete_old_mam_messages
  • Make delete_old_mam_messages_batch work with sqlite
  • ejabberd_sm_sql: Use misc:encode_pid/1
  • mysql.sql: Fix typo in commit 7862c6a when creating users table
  • pg.sql: Fix missing comma in postgres schema (#4409)

Core and Modules

  • ejabberd_s2s_in: Allow S2S connections to accept client certificates that have only server purpose (#4392)
  • ext_mod: Recommend to write README.md instead txt (processone/ejabberd-contrib#363)
  • ext_mod: Support library path installed from Debian (processone/ejabberd-contrib#363)
  • ext_mod: When upgrading module, clean also the compiled directories
  • gen_mod: Add support to prepare module stopping before actually stopping any module
  • mod_antispam: Imported from ejabberd-contrib and improved (#4373)
  • mod_auth_fast: Clear tokens on kick, change pass and unregister (#4397)(#4398)(#4399)
  • mod_conversejs: Add link in WebAdmin to local Converse if configured
  • mod_mam: Present mam full text search in xep-431 compatible way
  • mod_mam_mnesia: Handle objects that don't need conversion in transform/0
  • mod_matrix_gw: Don't send empty messages in Matrix rooms (#4385)
  • mod_matrix_gw: Support older Matrix rooms versions starting from version 4
  • mod_matrix_gw: When encoding JSON, handle term that is key-value list (#4379)
  • mod_matrix_gw_s2s: Fix key validation in check_signature
  • mod_mix and mod_muc_rtbl: Support list of IDs in pubsub-items-retract (processone/xmpp#100)
  • mod_pubsub_serverinfo: Imported module from ejabberd-contrib (#4408)
  • mod_register: Normalize username when determining if user want to change pass
  • mod_register: Strip query data when returning errors
  • WebAdmin: New hooks webadmin_menu_system to add items to system menu

Full Changelog

https://github.com/processone/ejabberd/compare/25.04...25.07

ejabberd 25.07 download & feedback

As usual, the release is tagged in the Git source code repository on GitHub.

The source package and installers are available in ejabberd Downloads page. To check the *.asc signature files, see How to verify ProcessOne downloads integrity.

For convenience, there are alternative download locations like the ejabberd DEB/RPM Packages Repository and the GitHub Release / Tags.

The ecs container image is available in docker.io/ejabberd/ecs and ghcr.io/processone/ecs. The alternative ejabberd container image is available in ghcr.io/processone/ejabberd.

If you consider that you've found a bug, please search or fill a bug report on GitHub Issues.

Written by Jérôme Sautret

Keep reading