From b983afba24f6be37af2ee05f91f092961975451c Mon Sep 17 00:00:00 2001 From: Stefan Strigler Date: Tue, 17 Mar 2026 09:13:15 +0100 Subject: [PATCH 1/8] remove MQTT listener --- ejabberd.yml.example | 6 ------ 1 file changed, 6 deletions(-) diff --git a/ejabberd.yml.example b/ejabberd.yml.example index 8de134f9af7..bfe40cfd60d 100644 --- a/ejabberd.yml.example +++ b/ejabberd.yml.example @@ -76,11 +76,6 @@ listen: # turn_ipv4_address: "203.0.113.3" ## The server's public IPv6 address: # turn_ipv6_address: "2001:db8::3" - - - port: 1883 - ip: "::" - module: mod_mqtt - backlog: 1000 s2s_use_starttls: optional @@ -192,7 +187,6 @@ modules: ## db_type: sql assume_mam_usage: true default: always - mod_mqtt: {} mod_muc: access: - allow From 11a9fcd9dced03d51ce7ffcfca635a0f55c9c736 Mon Sep 17 00:00:00 2001 From: Stefan Strigler Date: Tue, 17 Mar 2026 09:15:42 +0100 Subject: [PATCH 2/8] enable mod_invites by default This allows "user invites", i.e. XEP-0379, not account creation --- ejabberd.yml.example | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ejabberd.yml.example b/ejabberd.yml.example index bfe40cfd60d..26047aeb24b 100644 --- a/ejabberd.yml.example +++ b/ejabberd.yml.example @@ -57,6 +57,7 @@ listen: /api: mod_http_api /bosh: mod_bosh /captcha: ejabberd_captcha + /invites: mod_invites /upload: mod_http_upload /ws: ejabberd_http_ws - @@ -179,6 +180,8 @@ modules: "Access-Control-Allow-Origin": "https://@HOST@" "Access-Control-Allow-Methods": "GET,HEAD,PUT,OPTIONS" "Access-Control-Allow-Headers": "Content-Type" + mod_invites: + landing_page: auto mod_last: {} mod_mam: ## Mnesia is limited to 2GB, better to use an SQL backend From b8344ff2cf7b74614e2e3efe66b37e18c2b6c40b Mon Sep 17 00:00:00 2001 From: Stefan Strigler Date: Tue, 17 Mar 2026 09:18:22 +0100 Subject: [PATCH 3/8] set trusted proxies --- ejabberd.yml.example | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ejabberd.yml.example b/ejabberd.yml.example index 26047aeb24b..7413449205a 100644 
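Review bot: In [PATCH 2/8], neither the new `/invites: mod_invites` handler nor the `mod_invites:` block records the limit the commit message relies on, namely that this enables XEP-0379 user invites and not account creation. An operator reading only the example sees a new HTTP path next to `/api` and `/upload` with nothing stating what it can and cannot do. A comment above `mod_invites:` would carry that over, e.g. `## User invites (XEP-0379) only; this does not enable invite-based account creation`. Both hunks are cut inside the `listen:` and `modules:` mappings, so which listener serves the path is not visible here.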
--- a/ejabberd.yml.example +++ b/ejabberd.yml.example @@ -158,6 +158,10 @@ shaper_rules: normal: all s2s_shaper: fast +trusted_proxies: + - 127.0.0.1 + - 2a01:4f9:c010:c62b::1 + modules: mod_adhoc: {} mod_adhoc_api: {} From 109cd826257a51c7e6d29089780962e42af03c70 Mon Sep 17 00:00:00 2001 From: Stefan Strigler Date: Tue, 17 Mar 2026 09:21:42 +0100 Subject: [PATCH 4/8] default to scram for password storage --- ejabberd.yml.example | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/ejabberd.yml.example b/ejabberd.yml.example index 7413449205a..8667b8785db 100644 --- a/ejabberd.yml.example +++ b/ejabberd.yml.example @@ -24,6 +24,15 @@ loglevel: info # - /etc/letsencrypt/live/domain.tld/fullchain.pem # - /etc/letsencrypt/live/domain.tld/privkey.pem +auth_stored_password_types: + - scram_sha1 + - scram_sha256 + - scram_sha512 + +disable_sasl_mechanisms: + - "DIGEST-MD5" + - "X-OAUTH2" + listen: - port: 5222 From fd6a5bead38e8c91412adae8c99ae10e15663b3c Mon Sep 17 00:00:00 2001 From: Stefan Strigler Date: Tue, 17 Mar 2026 09:28:27 +0100 Subject: [PATCH 5/8] set registration_timeout --- ejabberd.yml.example | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ejabberd.yml.example b/ejabberd.yml.example index 8667b8785db..13266719fec 100644 --- a/ejabberd.yml.example +++ b/ejabberd.yml.example @@ -33,6 +33,8 @@ disable_sasl_mechanisms: - "DIGEST-MD5" - "X-OAUTH2" +registration_timeout: 3600 + listen: - port: 5222 From 12b54c00615ae6d0e0bf5f36b77da2f19ff46c3a Mon Sep 17 00:00:00 2001 From: Stefan Strigler Date: Tue, 17 Mar 2026 09:32:56 +0100 Subject: [PATCH 6/8] add example for 'admin' ACL --- ejabberd.yml.example | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ejabberd.yml.example b/ejabberd.yml.example index 13266719fec..fc63d2738c2 100644 --- a/ejabberd.yml.example +++ b/ejabberd.yml.example 
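Review bot: In [PATCH 3/8], the second `trusted_proxies` entry, `2a01:4f9:c010:c62b::1`, is a globally routable address rather than a documentation placeholder, so every deployment that copies this example would accept `X-Forwarded-For` from a host it does not run. ejabberd takes the client address from that header for requests arriving from a trusted proxy, and that address can feed IP-based rules such as the `ip:` ACL entries and registration throttling. Keep only `- 127.0.0.1` active and offer anything else as a commented placeholder, e.g. `#  - "2001:db8::1"  ## address of your own reverse proxy`, quoted like `turn_ipv6_address` elsewhere in the file. A line noting that the proxy must always set or overwrite `X-Forwarded-For` would also help.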
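Review bot: In [PATCH 4/8], the `auth_stored_password_types` and `disable_sasl_mechanisms` lists are added without a comment tying them together, and the coupling is the security-relevant part: DIGEST-MD5 needs the server to hold the plaintext password, so it cannot work once only SCRAM hashes are stored. A short comment would keep someone from re-enabling it later, e.g. `## Store salted SCRAM hashes only; DIGEST-MD5 requires plaintext storage and stays disabled`. The reason for disabling `X-OAUTH2` and for keeping `scram_sha1` in the list (presumably for older clients) is not visible in the hunk and deserves a line each. It is also worth stating whether passwords already stored in plain are converted or need a manual migration, which the patch does not say.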
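Review bot: In [PATCH 5/8], `registration_timeout: 3600` has no comment giving its unit or scope. The value is in seconds and throttles repeated registrations from the same source address, so this allows one registration per address per hour. When ejabberd sits behind a reverse proxy that is not listed in `trusted_proxies`, web registrations would appear to come from the proxy's address and the limit would then apply to all users at once. Suggested comment: `## Seconds a source address must wait between account registrations`.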
@@ -98,6 +98,10 @@ acl: ip: - 127.0.0.0/8 - ::1/128 + ## Uncomment below to set an admin user. Be sure to edit the value of that + ## user to the account you want to use. +# admin: +# user: admin access_rules: local: From a6ba48df20ac4dae68d19eaac2240ea62d453aba Mon Sep 17 00:00:00 2001 From: Stefan Strigler Date: Thu, 19 Mar 2026 12:21:05 +0100 Subject: [PATCH 7/8] set s2s_use_starttls to 'required' --- ejabberd.yml.example | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ejabberd.yml.example b/ejabberd.yml.example index fc63d2738c2..1fb4cfa8948 100644 --- a/ejabberd.yml.example +++ b/ejabberd.yml.example @@ -89,7 +89,7 @@ listen: ## The server's public IPv6 address: # turn_ipv6_address: "2001:db8::3" -s2s_use_starttls: optional +s2s_use_starttls: required acl: local: From 7c9d7ec78911fbb4c50ee82ea2946cd7abcf439e Mon Sep 17 00:00:00 2001 From: Stefan Strigler Date: Thu, 19 Mar 2026 13:53:54 +0100 Subject: [PATCH 8/8] set hide_sensitive_log_data to true --- ejabberd.yml.example | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ejabberd.yml.example b/ejabberd.yml.example index 1fb4cfa8948..f9454ab6aae 100644 --- a/ejabberd.yml.example +++ b/ejabberd.yml.example @@ -33,6 +33,8 @@ disable_sasl_mechanisms: - "DIGEST-MD5" - "X-OAUTH2" +hide_sensitive_log_data: true + registration_timeout: 3600 listen:
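Review bot: In [PATCH 6/8], the commented example `user: admin` has no host part, and as far as I know ejabberd matches a bare user name against that node on every virtual host it serves. On a multi-domain server uncommenting it grants admin rights to `admin` on each domain, and the rights attach to whoever holds that account name, so the account should exist before the ACL is enabled. A full JID is the safer example: `#    user: admin@example.org` (constructed placeholder host), with the comment reworded to `## Create the account first, then put its full JID here`. The `acl:` mapping starts above the hunk.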
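Review bot: In [PATCH 7/8], `s2s_use_starttls: required` is changed with no comment on what it does and does not guarantee. It refuses server-to-server links that cannot negotiate TLS, which drops federation with peers lacking STARTTLS, but requiring encryption alone does not authenticate the peer; how s2s peers are verified (certificates, dialback) is configured elsewhere and is not visible in this hunk. Suggested comment above the option: `## Refuse unencrypted s2s links. This enforces encryption only, not peer identity`.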
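Review bot: In [PATCH 8/8], `hide_sensitive_log_data: true` is added without noting its operational cost. The option is documented as masking sensitive data, mostly IP addresses, in the log, so log-driven abuse handling and incident triage lose the source address of failed logins and registrations. That is a reasonable privacy default, but the example should say so: `## Masks IP addresses in logs; set to false if you rely on log-based blocking or need addresses for incident response`.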