From efec28ada7c798986b8b5e9fe4bf7f4327f5c77b Mon Sep 17 00:00:00 2001
From: Badlop <badlop@process-one.net>
Date: Fri, 21 Mar 2008 16:17:37 +0000
Subject: * doc/guide.tex: Document s2s_default_policy and s2s_host (EJAB-575)
 * doc/guide.html: Likewise

SVN Revision: 1246
---
 doc/guide.html | 12 ++++++++++++
 1 file changed, 12 insertions(+)

(limited to 'doc/guide.html')

diff --git a/doc/guide.html b/doc/guide.html
index 5acec86be..8a26e710d 100644
--- a/doc/guide.html
+++ b/doc/guide.html
@@ -709,6 +709,13 @@ use STARTTLS for s2s connections.
 file containing a SSL certificate.
 </DD><DT CLASS="dt-description"><B><TT>{domain_certfile, Domain, Path}</TT></B></DT><DD CLASS="dd-description"> 
 Full path to the file containing the SSL certificate for a specific domain.
+</DD><DT CLASS="dt-description"><B><TT>{s2s_default_policy, allow|deny}</TT></B></DT><DD CLASS="dd-description">
+The default policy for incoming and outgoing s2s connections to other Jabber servers.
+The default value is <TT>allow</TT>.
+</DD><DT CLASS="dt-description"><B><TT>{{s2s_host, Host}, allow|deny}</TT></B></DT><DD CLASS="dd-description">
+Defines if incoming and outgoing s2s connections with a specific remote host are allowed or denied.
+This allows to restrict ejabberd to only stablish s2s connections 
+with a small list of trusted servers, or to block some specific servers.
 </DD></DL><P>For example, the following simple configuration defines:
 </P><UL CLASS="itemize"><LI CLASS="li-itemize">
 There are three domains. The default certificate file is <TT>server.pem</TT>.
@@ -757,6 +764,8 @@ c2s connections are listened for on port 5222 and 5223 (SSL) and denied
 for the user called &#X2018;<TT>bad</TT>&#X2019;.
 </LI><LI CLASS="li-itemize">s2s connections are listened for on port 5269 with STARTTLS for secured
 traffic enabled.
+Incoming and outgoing connections of remote Jabber servers are denied,
+only two servers can connect: "jabber.example.org" and "example.com".
 </LI><LI CLASS="li-itemize">Port 5280 is serving the Web Admin and the HTTP Polling service. Note
 that it is also possible to serve them on different ports. The second
 example in section&#XA0;<A HREF="#webinterface">??</A> shows how exactly this can be done.
@@ -815,6 +824,9 @@ connected to port 5237 with password &#X2018;<TT>ggsecret</TT>&#X2019;.
   }.
   {s2s_use_starttls, true}.
   {s2s_certfile, "/path/to/ssl.pem"}.
+  {s2s_default_policy, deny}.
+  {{s2s_host,"jabber.example.org"}, allow}.
+  {{s2s_host,"example.com"}, allow}.
 </PRE><P>Note, that for jabberd 1.4- or WPJabber-based
 services you have to make the transports log and do XDB by themselves:
 </P><PRE CLASS="verbatim">  &lt;!--
-- 
cgit v1.2.3