xmpp: Add new authentication settings

bridge/xmpp/xmpp.go

@@ -165,6 +165,11 @@ func (b *Bxmpp) postSlackCompatibleWebhook(msg config.Message) error {
 }
 
 func (b *Bxmpp) createXMPP() error {
+	// TODO: remove in release after first community fork release (N+2)
+	if b.GetBool("NoTLS") {
+		b.Log.Fatalf("NoTLS setting has been deprecated. If you'd like to disable StartTLS and start a plaintext connection, use NoStartTLS instead.")
+	}
+
 	var serverName string
 	switch {
 	case !b.GetBool("Anonymous"):
@@ -187,16 +192,18 @@ func (b *Bxmpp) createXMPP() error {
 		Host:                         b.GetString("Server"),
 		User:                         b.GetString("Jid"),
 		Password:                     b.GetString("Password"),
-		NoTLS:                        true,
-		StartTLS:                     !b.GetBool("NoTLS"),
+		NoTLS:                        !b.GetBool("UseDirectTLS"),
+		StartTLS:                     !b.GetBool("NoStartTLS"),
 		TLSConfig:                    tc,
 		Debug:                        b.GetBool("debug"),
 		Session:                      true,
 		Status:                       "",
 		StatusMessage:                "",
 		Resource:                     "",
-		InsecureAllowUnencryptedAuth: b.GetBool("NoTLS"),
+		InsecureAllowUnencryptedAuth: !b.GetBool("UseDirectTLS") && b.GetBool("NoStartTLS"),
 		DebugWriter:                  b.Log.Writer(),
+		Mechanism:                    b.GetString("Mechanism"),
+		NoPLAIN:                      b.GetBool("NoPLAIN"),
 	}
 	var err error
 	b.xc, err = options.NewClient()

changelog.md

@@ -13,6 +13,7 @@
     [issue #9](https://github.com/matterbridge-org/matterbridge/issues/9)
   - whatsapp backend has been deprecated in favor of whatsappmulti. See [issue #32](https://github.com/matterbridge-org/matterbridge/issues/32)
 - xmpp: Initial replies/edits support has been removed, because it was incorrect ([#12](https://github.com/matterbridge-org/matterbridge/pull/12))
+- xmpp: `NoTls` setting has been deprecated; to disable `StartTls` and start a plaintext connection, use `NoStartTls`
 - Go required version is now v1.24
 
 ## New Features
@@ -25,6 +26,8 @@
   - Add new Mastodon bridge ([#14](https://github.com/matterbridge-org/matterbridge/pull/14)/[#16](https://github.com/matterbridge-org/matterbridge/pull/16), thanks @lil5)
   - Supports public messages and private messages
   - Supports attachments
+- xmpp
+  - New and revised advanced authentication settings `UseDirectTLS`, `NoStartTls`, `NoPlain`, and `Mechanism` ([#77](https://github.com/matterbridge-org/matterbridge/pull/77))
 
 ## Bugfixes
 

docs/protocols/xmpp/settings.md

@@ -48,10 +48,11 @@ Your nick in the rooms
   Nick="xmppbot"
   ```
 
-## NoTLS
+## NoTLS (DEPRECATED)
 
-Enable this to make an insecure plaintext connection to your xmpp server.
-This is usually not permitted by XMPP servers even on localhost.
+> [!WARNING]
+> This setting has been deprecated. matterbridge will refuse to start if you are using it.
+> You should use the new `UseDirectTls` and `NoStartTls` settings instead.
 
 - Setting: **OPTIONAL**
 - Format: *boolean*
@@ -60,6 +61,33 @@ This is usually not permitted by XMPP servers even on localhost.
   NoTLS=true
   ```
 
+## UseDirectTLS
+
+Enables direct TLS connection to your server. Most servers by default only support StartTLS,
+so this option should only be enabled if you know what you are doing. When `UseDirectTLS` is
+not set, and `NoStartTls` is enabled, a plaintext connection is established, which
+should only be used in a local testing environment.
+
+- Setting: **OPTIONAL**
+- Format: *boolean*
+- Example:
+  ```toml
+  UseDirectTLS=true
+  ```
+
+## NoStartTLS
+
+Disable StartTLS connection to your server. If you'd like to use direct TLS, enable
+the `UseDirectTLS` setting. Otherwise, a plaintext connection is established, which
+should only be used in a local testing environment.
+
+- Setting: **OPTIONAL**
+- Format: *boolean*
+- Example:
+  ```toml
+  NoStartTLS=true
+  ```
+
 ## Password
 
 Password for the Jid's account.
@@ -81,3 +109,30 @@ XMPP server to connect to.
   ```toml
   Server="jabber.example.com:5222"
   ```
+
+## Mechanism
+
+Force an explicit SASL mechanism for authentication. This is a very advanced setting
+when debugging authentication problems and potential upstream go-xmpp authentication
+bugs. If you don't understand it, you don't need it.
+
+- Setting: **OPTIONAL**
+- Format: *string*
+- Example:
+  ```toml
+  Mechanism="PLAIN"
+  ```
+
+## NoPLAIN
+
+Prevent using `PLAIN` SASL authentication to the server. This is an advanced setting
+which is incompatible with many servers (eg. those using LDAP auth). When enabled,
+this setting will make sure your configured password is *never* sent to the server,
+only establishing a secure handshake such as [SCRAM](https://en.wikipedia.org/wiki/Salted_Challenge_Response_Authentication_Mechanism).
+
+- Setting: **OPTIONAL**
+- Format: *boolean*
+- Example:
+  ```toml
+  NoPLAIN=true
+  ```