Diffstat (limited to 'src/mod_s2s_dialback.erl')
-rw-r--r--src/mod_s2s_dialback.erl41
1 files changed, 38 insertions, 3 deletions
diff --git a/src/mod_s2s_dialback.erl b/src/mod_s2s_dialback.erl
index dd941a3d2..bf241bf52 100644
--- a/src/mod_s2s_dialback.erl
+++ b/src/mod_s2s_dialback.erl
@@ -2,7 +2,7 @@
%%% Created : 16 Dec 2016 by Evgeny Khramtsov <ekhramtsov@process-one.net>
%%%
%%%
-%%% ejabberd, Copyright (C) 2002-2019 ProcessOne
+%%% ejabberd, Copyright (C) 2002-2020 ProcessOne
%%%
%%% This program is free software; you can redistribute it and/or
%%% modify it under the terms of the GNU General Public License as
@@ -26,6 +26,7 @@
%% gen_mod API
-export([start/2, stop/1, reload/3, depends/2, mod_opt_type/1, mod_options/1]).
+-export([mod_doc/0]).
%% Hooks
-export([s2s_out_auth_result/2, s2s_out_downgraded/2,
s2s_in_packet/2, s2s_out_packet/2, s2s_in_recv/3,
@@ -95,6 +96,40 @@ mod_opt_type(access) ->
mod_options(_Host) ->
[{access, all}].
+mod_doc() ->
+ #{desc =>
+ [?T("The module adds support for "
+ "https://xmpp.org/extensions/xep-0220.html"
+ "[XEP-0220: Server Dialback] to provide server identity "
+ "verification based on DNS."), "",
+ ?T("WARNING: DNS-based verification is vulnerable to "
+ "https://en.wikipedia.org/wiki/DNS_spoofing"
+ "[DNS cache poisoning], so modern servers rely on "
+ "verification based on PKIX certificates. Thus this module "
+ "is only recommended for backward compatibility "
+ "with servers running outdated software or non-TLS servers, "
+ "or those with invalid certificates (as long as you accept "
+ "the risks, e.g. you assume that the remote server has "
+ "an invalid certificate due to poor administration and "
+ "not because it's compromised).")],
+ opts =>
+ [{access,
+ #{value => ?T("AccessName"),
+ desc =>
+ ?T("An access rule that can be used to restrict "
+ "dialback for some servers. The default value "
+ "is 'all'.")}}],
+ example =>
+ ["modules:",
+ " ...",
+ " mod_s2s_dialback:",
+ " access:",
+ " allow:",
+ " server: legacy.domain.tld",
+ " server: invalid-cert.example.org",
+ " deny: all",
+ " ..."]}.
+
s2s_in_features(Acc, _) ->
[#db_feature{errors = true}|Acc].
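Review bot: The `access` option text in mod_doc/0 says the default is 'all' but does not tie that to the WARNING paragraph above it, even though mod_options/1 returns `[{access, all}]`, so nothing restricts dialback unless the operator configures it. I would add a sentence to the option description such as `"Since dialback relies on DNS, consider allowing it only for the specific servers that need it."` so the recommendation sits next to the setting. The example also puts two `server:` entries under a single `allow:`. It is worth confirming against the access-rule semantics that these are treated as alternatives and not as conditions that must all match, because in the latter case the example would admit no peer.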
@@ -242,7 +277,7 @@ s2s_out_packet(#{server := LServer, remote_server := RServer} = State,
State2 = ejabberd_s2s_out:handle_auth_success(<<"dialback">>, State1),
ejabberd_s2s_out:establish(State2);
_ ->
- Reason = str:format("Peer responded with error: ~ts",
+ Reason = str:format("Peer responded with error: ~s",
[format_error(Result)]),
ejabberd_s2s_out:handle_auth_failure(
<<"dialback">>, {auth, Reason}, State1)
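Review bot: `~s` in the `Reason` format string rejects character lists containing code points above 255 (io_lib raises badarg), whereas the `~ts` it replaces accepts them. format_error/1 is defined outside this hunk, so I cannot tell what it returns. If its result can include error text supplied by the remote server, a non-Latin-1 character there could crash this failure path instead of reporting the authentication failure. Unless there is a compatibility reason for the change, I would keep `"Peer responded with error: ~ts"` here and likewise `"Verification failed: ~ts"` in the send_db_result hunk below. The body of s2s_out_packet starts and ends outside the hunk.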
@@ -302,7 +337,7 @@ send_db_result(State, #db_verify{from = From, to = To,
From, <<"dialback">>, undefined, State1),
ejabberd_s2s_in:establish(State2);
_ ->
- Reason = str:format("Verification failed: ~ts",
+ Reason = str:format("Verification failed: ~s",
[format_error(Response)]),
ejabberd_s2s_in:handle_auth_failure(
From, <<"dialback">>, Reason, State1)