Open relay

[hasufell]

Is this docker image by default an open relay in such that it allows in-band registration?

docker-ejabberd/conf/ejabberd.yml.tpl

Lines 291 to 298 in 40f2b5b

	## In-band registration allows registration of any possible username.
	register:
	{%- if env['EJABBERD_REGISTER_ADMIN_ONLY'] == "true" %}
	all: deny
	admin: allow
	{% else %}
	all: allow
	{% endif %}

[shred]

It seems so... I just had the pleasure to remove almost 4000 unwanted users from my server. 😉

The EJABBERD_REGISTER_ADMIN_ONLY option is missing in the README.md, so I wasn't aware of it. Maybe its logic should also be reversed, so in-band registration is disabled by default, and only enabled if an env is explicitly set to true.

[hasufell]

Awful. I wonder how many more users of this image are affected.

[shred]

Also, EJABBERD_REGISTER_TRUSTED_NETWORK_ONLY is supposed to be true by default, according to the README. However this default value does not seem to be set anywhere.

[youmad]

I just had the pleasure to remove almost 4000 unwanted users from my server.

@shred I guess that those users were registered by a spammer. Setting EJABBERD_CAPTCHA env var to true can help save you from such situations.

[hasufell]

A default configuration should never be an open relay.