Prosodical Thoughts on Prosodical Thoughts

Prosody 0.12.6 released

2026-05-01T13:24:14+0100

We are pleased to announce a new minor release from our stable branch.

This is a security release for the Prosody 0.12.x old stable series. It addresses multiple security issues, some memory leaks and some smaller bugs which have been fixed since the previous release.

Full details about the security vulnerabilities can be found in our security advisory. We encourage all Prosody operators on 0.12.5 or earlier to upgrade to 0.12.6 or 13.0.5 as soon as possible, or to review the advisory and implement appropriate mitigations.

Note: Support for the 0.12.x series ends in June 2026. This means it will no longer receive any fixes or updates, even for security issues. It is likely that 0.12.6 will be the last release from this series. Check our guide on upgrading Prosody and the release notes for 13.0.0 before you upgrade to the 13.0.x series.

A summary of changes in this release:

Security

mod_proxy65: Consistently apply authorization checks
mod_proxy65: Don’t proxy data until after bytestream activation
mod_c2s, mod_s2s: Introduce new pre-authentication stanza size limit
Add limit for stanza max child elements
mod_c2s: Remove timers immediately on disconnection
net.server_epoll: Clean up timers after disconnection

Fixes and improvements

Fix memory leak in module API

Minor changes

util.prosodyctl.check: Improve error handling of UDP socket setup (for #1803)

Download

As usual, download instructions for many platforms can be found on our download page

If you have any questions, comments or other issues with this release, let us know!

Prosody 13.0.5 released

2026-04-29T19:32:24+0100

We are pleased to announce a new minor release from our stable branch.

This is a security release for the Prosody 13.0.x stable series. It fixes multiple security issues, some memory leaks and some smaller bugs and changes which have been implemented since the previous release.

Full details about the security vulnerabilities can be found in our security advisory. We encourage all Prosody operators on 13.0.4 or earlier to upgrade to 13.0.5 as soon as possible, or to review the advisory and implement appropriate mitigations.

A summary of changes in this release:

Security

mod_proxy65: Consistently apply authorization checks
mod_proxy65: Don’t proxy data until after bytestream activation
mod_c2s, mod_s2s: Introduce new pre-authentication stanza size limit
Add limit for stanza max child elements
mod_c2s: Remove timers immediately on disconnection
net.server_epoll: Clean up timers after disconnection

Fixes and improvements

net.http.parser: Fix handling of chunked request
MUC: Advertise hats feature on room JID (thanks Daniel)
moduleapi: Use multitable add/remove instead of set (fixes memory leak)
mod_cloud_notify: Fix leaking iq response handlers by using send_iq()
Improve federation with servers using only IP addresses
prosody: Prevent loading local code when installed system-wide
mod_http_file_share: Improve handling of Range requests
mod_carbons: Fix some carbons decision-making bugs (fixes #1861: mod_carbons does not forward “sent” MUC PMs to other clients)

Minor changes

net.resolvers: Fix to avoid SRV lookups for IP addresses
prosody: Abort earlier on incompatible Lua version
mod_turn_external: hand out credentials for type == turns too
mod_s2s: Fully validate stream addressing
prosodyctl check features: Warn if http file sharing enabled on both host and component
util.prosodyctl: Don’t check for mod_posix being disabled, it’s deprecated
util.startup: Improve error message when failing to load config file
util.x509: Add support for iPAddress certs
prosodyctl: Trim any trailing newline from password entry
mod_admin_shell: Make cert index search path relative to config file
mod_admin_shell: Improve multi-host command handling
mod_admin_shell: Show help listing when specifying only a section name
mod_admin_shell: Ensure password validity when setting passwords for new/existing users
mod_account_activity: Handle authentication provider returning no user info
config: Use default value when enum option has incorrect value
mod_http: “Handle” streaming requests to avoid invoking redirect handler

Download

As usual, download instructions for many platforms can be found on our download page

If you have any questions, comments or other issues with this release, let us know!

Upcoming changes to Let's Encrypt and how they affect operators

2026-02-06T11:20:00+0000

On 11th February, Let’s Encrypt will be rolling out a change to the certificates they issue to servers by default. Although there is generally nothing that Prosody operators need to do, servers using the new certificates may experience problems connecting to some other XMPP servers on the network.

Certificate basics

First, a tiny bit of background on certificates. Certificate Authorities (CAs) such as Let’s Encrypt work by verifying that you own or control a domain, and then they issue you with a certificate that you can present to others as proof of this verification. Obtaining a certificate can be done using the ‘certbot’ tool or any one of the large number of tools compatible with the ACME protocol.

When an XMPP client connects to a server, it will expect the server to present a certificate which is valid for the domain the client is logging in to.

Likewise, certificates are also used when servers connect to other servers (server-to-server connections are often called “s2s” or generally “federation”). This prevents various attacks, including spoofing - because when your server receives a message claiming to be from “user@example.com”, it can ensure that the server it came from presented a valid certificate for “example.com” and has been verified.

Certificates can specify usage

Most people know that certificates contain the domain name that has been verified. However they contain other data too, including the details of the CA that signed and issued the certificate, validity period, and various metadata.

Another part of the certificate can specify limitations on what the certificate can be used for. For example, a CA’s own certificate will specify that they are allowed to use their certificate to sign other certificates. Similar restrictions can be used to permit whether it can be used for signing and/or encryption.

One such extension, called “Extended Key Usage” can be used to restrict whether the certificate is used for “server authentication” or “client authentication”.

What’s changing?

Let’s Encrypt currently issue certificates which specify they may be used for both “server authentication” and “client authentication”. However they have announced that they will be issuing certificates for only “server authentication” by default from 11th February 2026. In the rest of this post we’ll refer to these as “server-only” certificates.

Traditional interpretation of the relevant specifications would forbid use of those certificates by a client which is connecting to a server. Unfortunately, XMPP makes heavy use of connections between servers, and in the context of such server-to-server connections the TLS specifications actually consider the server that initiated the connection to be a “client” (not an XMPP client, but a TLS client).

Common TLS libraries and APIs such as OpenSSL will automatically verify the certificate’s key usage fields, and fail certificate validation if an incoming connection is received that uses a certificate without the “client authentication” purpose. This has the potential to break server-to-server connection authentication in XMPP (and also other protocols that make connections between servers).

Does this affect Prosody?

Not directly. Let’s Encrypt is not the first CA to issue server-only certificates. Many years ago, we incorporated changes into Prosody which allow server-only certificates to be used for server-to-server connections, regardless of which server started the connection. We believe that this is the correct approach for XMPP.

This means that Prosody will accept connections from servers that are using the new server-only certificates from Let’s Encrypt.

Unfortunately this behaviour is not standardized, partly due to controversy outside the XMPP community about this approach. The current CA ecosystem is heavily driven by web browser vendors (i.e. Google, Apple, Microsoft and Mozilla), and they are increasingly hostile towards non-browser applications using certificates from CAs that they say only provide certificates for consumption by web browsers.

An attempt at updating the specifications to clarify the expected roles of servers and clients failed to gain consensus at the IETF.

Does this affect the XMPP network?

Although Prosody will accept server-only certificates, some other server implementations do not have the alternative certificate usage validation that Prosody has, or they added it only recently.

Compatible servers:

ejabberd (requires 25.08 or later)
Openfire

Operators of incompatible server versions should upgrade to a version that is compatible with server-only certificates as soon as possible to prevent problems with federation.

Server software not listed above has not been tested, and may not accept connections from servers using server-only certificates.

What will happen with other servers?

If a server does not use the alternative validation (because the software doesn’t implement it, or it has not been updated) then it will treat the certificates of all other servers as invalid for initiating s2s connections.

Many servers still have the dialback protocol enabled, which will act as a fallback authentication mechanism (using DNS), and in this case the connections may still succeed.

However if dialback is disabled on either server, or if the target server strictly requires valid certificates, server-to-server connections will always fail entirely.

You may see errors in your Prosody log file such as:

Server-to-server connection failed: Could not authenticate to remote server

In such a case, the remote server operator usually needs to update their software.

How can I test my server?

Send an XMPP ping (XEP-0199) to le-tlsserver.badxmpp.eu - if you get a successful iq response, this means your server accepts server-only certificates. If you don’t get a response, check your server’s log file for any incoming s2s failures.

Prosody at FOSDEM 2026

2026-01-27T00:00:00+0000

We’re looking forward to meeting new and familiar faces at FOSDEM in Brussels this weekend!

Every February, thousands of developers (and users) of open-source and free (as in freedom) software gather in Brussels to discuss and celebrate our communities, and collaborate and share ideas and projects.

If you are attending, come and find us in the AW building, Level 1. We’ll be sharing the stand with other projects in the XMPP ecosystem and adjacent to other communication projects such as Linphone, Delta Chat and Matrix.

You can bring us questions about Prosody or XMPP, receive help with your own Prosody deployment, or just stop by and say hi!

Prosody 13.0.4 released

2026-01-23T15:38:39+0000

We are pleased to announce a new minor release from our stable branch.

Welcome to another minor release from our stable branch!

We encourage any deployments using 13.0.3 to upgrade, partly due to a bug that was introduced into UUID generation in that release. We’re not aware of any direct consequences of this bug, but it may cause compatibility problems with other software.

Although not strictly bug fixes, we sneaked in some configuration-related improvements to this release which help make configuring Prosody a little easier and more reliable. We’re highlighting them because these changes have a chance to impact some rare configurations.

The first change is to prevent mod_pubsub from being loaded on a VirtualHost (easily done if you accidentally add it to your global modules_enabled list). Loading mod_pubsub on a normal user host can lead to unexpected behaviour. Now it will log an error and refuse to load if you do that.

The second change is to simplify configuration of archiving in MUCs. Practically all modern clients now use XEP-0313 to synchronize message history. For VirtualHosts this is implemented in mod_mam, and for MUC components it is implemented in mod_muc_mam. From this release, things get much simpler: loading mod_mam (globally or directly on a MUC component) will automatically load mod_muc_mam on the MUC component. This means most people (e.g. who have mod_mam loaded globally on their server) can now remove “muc_mam” from modules_enabled in their MUC component configuration. It will be loaded automatically.

This last point does mean that if you have mod_mam enabled globally, but do not want it enabled on your MUCs, you now have to state that explicitly by adding “mam” to modules_disabled under the MUC’s Component. Be aware that such a configuration may lead to missing messages in group chats.

A summary of changes in this release:

Fixes and improvements

mod_s2s: Fix traceback when outgoing s2s queue is full
util.uuid: Fix padding of group 2 of UUIDv7 to use zeroes

Minor changes

core.modulemanager: Fix shell commands on components
mod_s2s: Explicitly prevent sending recursive error replies when queue is full
modulemanager: Allow component modules to specify additional inherited modules
prosodyctl check features: Use modulemanager to calculate modules that will actually be loaded
prosodyctl check features: change recommendation from mod_muc_mam to mod_mam
prosodyctl check config: Fix traceback when zero modules are enabled
mod_pubsub: Fail early if loaded outside of a component to prevent misconfiguration
doap: Add XEP-0486
mod_pubsub/commands: Fix listing item numbers along with item names
mod_account_activity: Handle authentication provider returning no user info
mod_mam: Automatically load mod_muc_mam if loaded on a MUC component
mod_muc: Inherit mod_mam if globally loaded

Download

As usual, download instructions for many platforms can be found on our download page

If you have any questions, comments or other issues with this release, let us know!

Prosody 13.0.3 released

2026-01-05T14:02:22+0000

We are pleased to announce a new minor release from our stable branch.

Happy new year! Our first release of 2026 is a minor release for our stable branch, with a range of tweaks, bug fixes and minor improvements for you.

A summary of changes in this release:

Fixes and improvements

mod_storage_sql: Set configurable wait time for locked SQLite3 database
net.server_event: Port TLS 1.3 channel binding method to libevent backend
mod_roster: Add command for cleaning out invalid contact JIDs
migrator: Allow migrating between different configs of the same driver
mod_admin_shell: Allow pinging any JID with xmpp:ping()
mod_invites: Accept –admin flag as shortcut for –role prosody:admin
mod_mam: Add send_legacy_offline_messages_to_mam_clients config option
mod_limits: Allow configuration of general ‘s2s’ limit, and have s2sout inherit from s2sin
mod_storage_internal: Return item-not-found for unknown before/after ids
MUC: Fixes for room avatar caching

Minor changes

core.configmanager: Fix referencing previous config options #1950
MUC: Ensure allow MUC PM setting has valid value (fixes #1933: PM does not work on new MUCs)
mod_storage_sql: Assert that serialization of archive:set() payload succeeds
mod_smacks: Remove extra optional from sm element
mod_s2s_auth_dane_in: Fix caching SHA2-512 hash
MUC: Fix muc_room_default_presence_broadcast option not working
util.sslconfig: Fix error when applying ssl={[port]=…}
net.server_epoll: Restore idle checks after pause (e.g. rate limits)
util.jid: Validate domainparts using IDNA or as IP literals (fixes #1903: Invalid JID in Roster)
util.datamanager: Fix detection of index files created on different architectures
util.startup: Inform process manager about failure to reload config
mod_muc: Revert f4e16e6265e6 and invalidate avatar cache only on vcard change
mod_http_file_share: Improve debug logging around unexpected file sizes
mod_admin_shell: Ensure JIDs are normalized in xmpp:ping()
mod_invites: Return error when generating password reset for non-existent account
util.uuid: Update UUIDv7 to match RFC 9562

Download

As usual, download instructions for many platforms can be found on our download page

If you have any questions, comments or other issues with this release, let us know!

Debian repository key change

2025-07-28T11:30:55+0100

We have been working on some changes to our Debian/Ubuntu package repository. If you use our repository to keep up to date with new Prosody packages, you need to take action before 4th August 2025 to continue receiving updates smoothly.

New repository instructions

The ‘apt’ utility has been moving towards a new format for specifying package repositories. If you are familiar with putting deb lines in a sources.list file, that method is changing.

The new preferred format for package repository configuration, known as “deb822”, has a number of advantages. One of them is simplified configuration of additional package repositories such as ours.

The new configuration format is already supported in Debian 12 (bookworm) and Ubuntu 22.04 LTS (jammy), which means you can use it right now.

If you already have our package repository configured, simply remove it and use the new instructions to add our updated configuration.

Signing key update

The reason existing deployments should do this before the 4th August is because from that day, we will be rolling our repository signing key to a new key. The old key is being retired because it is using older and weaker algorithms which are being phased out.

If you do not update the repository configuration on your system, apt will complain that our repository is not signed by a trusted key (typically a NO_PUBKEY error).

Old key fingerprint:: 107D65A0A148C237FDF00AB47393D7E674D9DBB5 (short version: 7393D7E674D9DBB5)
New key fingerprint:: AD3B912769C5F962DCBA7956F7A37EB33D0B25D7 (short version: F7A37EB33D0B25D7)

To ensure you are ready for the new key, remove the existing configuration for our repository from your system, and follow the new instructions to configure our repository.

Support and questions

If you have any questions about this change, we’re always happy to help answer them in our community chat. Come and join us!

Prosody 13.0.2 released

2025-05-29T22:09:21+0200

We are pleased to announce a new minor release from our stable branch.

This update addresses various issues that have been noticed since the previous release, as well as a few improvements, including some important fixes for invites. Some log messages and prosodyctl commands have been improved as well.

A summary of changes in this release:

Fixes and improvements

mod_storage_internal: Fix queries with only start returning extra items
mod_invites_register: Stricter validation of registration events

Minor changes

MUC: Ensure allow MUC PM setting has valid value (fixes #1933: PM does not work on new MUCs)
mod_storage_sql: Delay showing SQL library error until attempted load
mod_storage_sql: Handle failure to deploy new UNIQUE index
mod_storage_sql: Add shell command to create tables and indices (again)
mod_s2s: Fix log to use formatting instead of concatenation (fixes #1461: Logging issues uncovered by mod_log_json)
modulemanager, util.pluginloader: Improve error message when load fails but some candidates were filtered
prosodyctl check config: add recommendation to switch from admin_telnet to shell
mod_storage_sql: Retrieve all indices to see if the new one exists
prosodyctl check config: List modules which Prosody cannot successfully load
net.http.files: Fix issue with caching
util.jsonschema: Fix handling of false as schema
mod_invites: Consider password reset a distinct type wrt invite page
configmanager: Emit config warning when referencing non-existent value
mod_admin_shell: Add role:list() and role:show() commands
MUC: Fix nickname registration form error handling (#1930)
MUC: Fix Error when join stanza sent without resource (#1934)
MUC: Factor out identification of join stanza
mod_invites_register: Don’t restrict username for roster invites (thanks lissine)
mod_admin_shell: Fix matching logic in s2s:close (Thanks Menel)
mod_authz_internal: Improve error message when invalid role specified
mod_http_file_share: Add media-src ‘self’ to Content-Security-Policy header
mod_admin_shell: Visual tweaks to the output of debug:cert_index()
mod_http: Log problems parsing IP addresses in X-Forwarded-For (Thanks Boris)
mod_http: Fix IP address normalization (Thanks Boris)
util.prosodyctl.check: Improve reporting of DNS lookup problems

Download

As usual, download instructions for many platforms can be found on our download page

If you have any questions, comments or other issues with this release, let us know!

Prosody 13.0.1 released

2025-04-03T20:36:26+0100

We are pleased to announce a new minor release from our stable branch.

As is the tradition with software, here is our first patch release following shortly behind our major 13.0.0 release announced a few weeks ago. It fixes some important bugs that were discovered after the release.

Many thanks to everyone who reported issues and helped with testing the fixes for this release. We appreciate it!

For those of you on 0.12.x who haven’t upgraded yet, skip 13.0.0 and jump straight to 13.0.1 if you can. It will be a smoother upgrade.

A summary of changes in this release:

Fixes and improvements

mod_admin_shell: Add debug:cert_index() command to aid debugging of automatic certificate selection
mod_tls: Enable Prosody’s certificate checking for incoming s2s connections (fixes #1916: Impossible to override certificate verification policy in 13.0)
portmanager: Multiple fixes to use correct certificates for direct TLS ports (fixes #1915)
net.server_epoll: Use correct connection timeout when initiating Direct TLS
mod_roster: Fix shell commands when a component is involved (fixes #1908: error in prosodyctl shell roster attempting to subscribe a component)
mod_http_file_share: Explicitly reject all unsupported ranges
mod_http_file_share: Fix off by one in Range response
mod_admin_shell, prosodyctl shell: Report command failure when no password entered (fixes #1907: prosodyctl adduser: unexpected account creation on password mismatch)

Minor changes

mod_storage_sql: Drop legacy index without confirmation to ease upgrades
util.adminstream: Fix traceback on double-close (fixes #1913: Prosody fails to completely stop while shell watch:log is active)
certmanager: Improve logging for all cases where certs are skipped
mod_tls: Collect full certificate chain validation information
mod_s2s: Fix error detection with newer versions of OpenSSL
portmanager: Add debug log message to state which certificate we end up using
prosodyctl check certs: Use correct hostname in warning message about HTTPS
prosodyctl check: Be more robust against invalid disco_items, and show warning
spec/tls: Add TLS/certificate integration tests
mod_http_file_share: Improve error reporting by using util.error more
core.storagemanager: Fix tests by removing an assert that upset luarocks
core.usermanager: Fix COMPAT layer for legacy is_admin() function
certmanager: Remove obsolete and verbose index log (replaced by shell command)
doap: Add XEP-0333, XEP-0334, XEP-0156 and mod_http_altconnect

Download

As usual, download instructions for many platforms can be found on our download page

If you have any questions, comments or other issues with this release, let us know!

Prosody 13.0.0 released!

2025-03-17T11:30:00+0000

Welcome to a new major release of the Prosody XMPP server! While the 0.12 branch has served us well for a while now, this release brings a bunch of new features we’ve been busy polishing.

If you’re unfamiliar with Prosody, it’s an open-source project that implements XMPP, an open standard protocol for online communication. Prosody is widely used to power everything from small self-hosted messaging servers to worldwide real-time applications such as Jitsi Meet. It’s part of a large ecosystem of compatible software that you can use for realtime online communication.

Before we begin…

The first thing anyone who has been following the project for a while will notice about this release is the version number.

Long adherents of the cult of 0ver, we finally decided it was time to break away. While, as Shakespeare wrote, “That which we call a rose, by any other name would smell as sweet”, such is true of version numbers. Prosody has been stable and used in production deployments for many years, however the ‘0.x’ version number occasionally misled people to believe otherwise. Apart from shifting the middle component leftwards, nothing has changed.

If you’re really curious, you can read full details in our versioning and support policy.

Our version numbers have also been in step with Debian’s for several versions now. Could this become a thing? Maybe!

Overview of changes

This release brings a wide range of improvements that make Prosody more secure, performant, and easier to manage than ever before. Let’s review the most significant changes that administrators and users can look forward to across a range of different topics.

Security and authentication

Security takes centre stage in this release with several notable improvements. Building on DNSSEC, the addition of full DANE support for server-to-server connections strengthens the trust between federating XMPP servers.

We’ve enhanced our support for channel binding, which is now compatible with TLS 1.3, and we’ve added support for XEP-0440 which helps clients know which channel binding methods the server supports. Channel binding protects your connection from certain machine-in-the-middle attacks, even if the server’s TLS certificate is compromised.

Account management

Administrators now have more granular control over user accounts with the ability to disable and enable them as needed. This can be particularly useful for public servers, where disabling an account can act as a reversible alternative to deletion.

In fact, we now have the ability to set a grace period for deleted accounts to allow restoring an account (within the grace period) in case of accidental deletion.

Roles and permissions

A new role and permissions framework provides more flexible access control. Prosody supplies several built-in roles:

prosody:operator - for operators of the whole Prosody instance. By default, accounts with this role have full access, including to operations that affect the whole server.
prosody:admin - the usual role for admins of a specific virtual host (or component). Accounts with this role have permission to manage user accounts and various other aspects of the domain.
prosody:member - this role is for “normal” user accounts, but specifically those ones which are trusted to some extent by the administrators. Typically accounts that are created through an invitation or through manual provisioning by the admin have this role.
prosody:registered - this role is also for general user accounts, but is used by default for accounts which registered themselves, e.g. if the server has in-band registration enabled.
prosody:guest - finally, the “guest” role is used for temporary/anonymous accounts and is also the default for remote JIDs interacting with the server.

For more details about how to use these roles, customize permissions, and more, read our new roles and permissions documentation. You will also find the link there for the development documentation, so module developers can make use of the new system.

Shell commands

Since the earliest releases, the prosodyctl command has been the admin’s primary way of managing and interacting with Prosody. In 0.12 we introduced the prosodyctl shell interface to send administrative commands to Prosody at runtime via a local connection. It has been a big success, and this release significantly extends its capabilities.

prosodyctl adduser/passwd/deluser commands now use the admin connection to create users, which improves compatibility with various storage and authentication plugins. It also ensures Prosody can instantly respond to changes, such as immediately disconnecting users when their account is deleted.
Pubsub management commands have been added, to create/configure/delete nodes and items on pubsub and PEP services without needing an XMPP client.
One of our own favourites as Prosody developers is the new prosodyctl shell watch log command, which lets you stream debug logs in real-time without needing to store them on the filesystem.
Similarly, there is now prosodyctl shell watch stanzas which lets you monitor stanzas to/from arbitrary JIDs, which is incredibly helpful for developers trying to diagnose various client issues.
Server-wide announcements can now be sent via the shell, optionally limiting the recipients by online status or role.
MUC has gained a few new commands for interacting with MUC rooms.

Improved Multi-User Chat (MUC) Management

The MUC system has received a significant overhaul focusing on security and administrative control. By default, room creation is now restricted to local users, providing better control over who can create persistent and public rooms.

Server administrators get new shell commands to inspect room occupants and affiliations, making day-to-day operations more straightforward.

One notable change is that component admins are no longer automatically owners. This can be reverted to the old behaviour with component_admins_as_room_owners = true in the config, but this has known incompatibilities with some clients. Instead, admins can use the shell or ad-hoc commands to gain ownership of rooms when it’s necessary.

Better Network Performance

Network connectivity sees substantial improvements with the implementation of RFC 8305’s “Happy Eyeballs” algorithm, which enhances IPv4/IPv6 dual-stack performance and increases the chance of a successful connection.

Support for TCP Fast Open and deferred accept capabilities (in the server_epoll backend) can potentially reduce connection latency.

The server now also better handles SRV record selection by respecting the ‘weight’ parameter, leading to more efficient connection distribution.

Storage and Performance Improvements

Under the hood, Prosody now offers better query performance with its internal archive stores by generating indexes.

SQLite users now have the option to use LuaSQLite3 instead of LuaDBI, potentially offering better performance and easier deployment.

We’ve also added compatibility with SQLCipher, a fork of SQLite that adds support for encrypted databases.

Configuration Improvements

The configuration system has been modernized to support referencing and appending to previously set options, making complex configurations more manageable.

While direct Lua API usage in the config file is now deprecated, it remains accessible through the new Lua.* namespace for those who need it.

Also new in this release is the ability to reference credentials or other secrets in the configuration file, without storing them in the file itself. It is compatible with the credentials mechanisms supported by systemd, podman and more.

Developer/API changes

The development experience has always been an important part of our project - we set out to make an XMPP server that was very easy to extend and customize. Our developer API has improved with every release. We’ve even had first-time coders write Prosody plugins!

There are too many improvements to list here, but some notable ones:

Storage access from modules has been simplified with a new ‘keyval+’ store type, which combines the old ‘keyval’ (default) and ‘map’ stores into a single interface. Before this change, many modules had to open the store twice to utilize the two APIs.
Any module can now replace custom permission handling with Prosody’s own permission framework via the simple module:may() API call.
Providing new commands for prosodyctl shell is now much easier for module developers.

Backwards compatibility is of course generally preserved, although is_admin() has been deprecated in favour of module:may(). Modules that want to remain compatible with older versions can use mod_compat_roles to enable (limited) permission functionality.

Important Notes for Upgrading

A few breaking changes are worth noting:

Lua 5.1 support has been removed (this also breaks compatibility with LuaJIT, which is based primarily on Lua 5.1).
Some MUC default behaviors have changed regarding room creation and admin permissions (see above).

Conclusion

We’re very excited about this release, which represents a significant step forward for Prosody, and contains improvements for virtually every aspect of the server. From enhanced security to better performance and more flexible administration tools, there has never been a better time to deploy Prosody and take control of your realtime communications.

For full detailed information about the changes in this release, and advice for upgrading, view the Prosody 13.0.0 release notes.

As always, if you have any problems or questions with Prosody or the new release, drop by our community chat!

Prosody 0.12.5 released

2024-12-31T16:54:38+0000

We are pleased to announce a new minor release from our stable branch.

Hope everyone has had a good 2024, and you’re looking forward to a better 2025!

We’re ending this year with a bugfix release for our stable 0.12 branch. This brings some general polish and a collection of fixes for various small issues people have reported in the past months.

A notable behaviour change in this release is that Prosody will no longer send delivery errors to people you have blocked. Instead it will now just silently discard messages from the blocked JID, to avoid informing them that they have been blocked - which tends to be the preference of people we have spoken with, as well as the behaviour of many other online platforms. Obviously there are trade-offs here, so the behaviour is now configurable (see the mod_blocklist documentation).

This will be among the last releases from the 0.12 branch, as we are preparing a new major release with lots of new features. Stay tuned, and happy new year!

A summary of changes in this release:

Fixes and improvements

mod_blocklist: Drop blocked messages without error, option to restore compliant behavior

Minor changes

core.certmanager: Validate that ‘tls_profile’ is one of the valid values
net.http: Throw error if missing TLS context for HTTPS request
net.http.parser: Reject overlarge header section earlier
net.http.files: Validate argument to setup function
MUC: optimizations for broadcast of visitor presence (thanks Jitsi team)
net.server_event: Add ‘wrapserver’ API
scansion: Enable blocklist compat during tests to fix CI
prosodyctl check: Warn about invalid domain names in the config file
util.prosodyctl.check: Correct modern replacement for ‘disallow_s2s’
util.prosodyctl.cert: Ensure old cert is moved out of the way
util.prosodyctl.check: Improve error handling of UDP socket setup (for #1803)
mod_smacks: Destroy timed out session in async context (fixes #1884: ASYNC-01 in mod_smacks hibernation timeout)
mod_invites: Fix traceback when token_info isn’t set
mod_admin_shell: Allow matching on host or bare JID in c2s:show
mod_admin_adhoc: Fix log messages for reloading modules.
core.moduleapi: Default labels to empty list to fix error if omitted
mod_muc_mam: Improve wording of enable setting
mod_bookmarks: Suppress error publishing empty legacy bookmarks w/ no PEP node
mod_bookmarks: Clarify log messages on failure to sync to modern PEP bookmarks
mod_invites_adhoc: Fix result form type (thanks betarays)
mod_disco: Advertise disco#info and #items on bare JIDs to fix #1664: mod_disco on account doesn’t return disco#info feature
util.xtemplate: Fix error on applying each() to zero stanzas

Download

As usual, download instructions for many platforms can be found on our download page

If you have any questions, comments or other issues with this release, let us know!

New server, new sponsor

2024-11-04T10:00:00+0000

It shouldn’t surprise you, but here we have an obsession for self-hosting. We fought off many requests to migrate our hosting to Github (even before it was cool to hate Github - Prosody and Github were both founded in the same year!).

As a result, we self-host our XMPP service (of course), our website, our code repos, our issue tracker, package repository and our CI and build system.

This is not always easy - our project has always been a rather informal collaboration of individuals, meaning it’s not a commercial venture and we don’t have any employees. For better or worse, we’re firmly rooted in the free and open-source software principles that focus on growing communities rather than profits.

As a result, we love working with people who have similar roots and values.

For many years we had a happy home for our servers with Bytemark, who were very supportive of open-source projects, including ours (they used Prosody themselves for communication, and some of their employees contributed to the project). We are grateful to them for sponsoring the hosting of our build server for many years. However, all good things come to an end - and when Bytemark was acquired in recent years by the much larger iomart Group PLC enterprise as part of a string of other acquisitions, we knew our good times with them were likely drawing to a close.

This was recently confirmed, as we and the other remaining Bytemark customers were notified that all services are being moved to another location and another of iomart’s brands. We also received an email to inform us that our sponsorship would no longer be in effect after this transition. The monthly price we were told we would have to pay for the server was many multiples of what an equivalent server would cost by today’s standards, even if we had income to pay for it.

So, we bid a final farewell to Bytemark! But as one chapter ends, another can begin.

At the time of the acquisition, many ex-Bytemark customers recommended various alternatives. However among those, one independent provider, Mythic Beasts, really stood out. You may have stumbled across them already, for their innovative Raspberry Pi hosting and handling Raspberry Pi launch announcements on a stack of Raspberry Pi devices, or you may have come across them on the Fediverse via their (self-hosted, of course) @beasts Mastodon account. As well as Raspberry Pi hosting, of course they also offer conventional (dedicated and virtual) servers, DNS, traditional web space, and more.

Mythic Beasts turned out to be just what we were looking for - a no-nonsense service-driven provider where you’ll find founders answering support tickets and where providing amazing service and having fun while doing so are deemed more important than maximizing growth and shareholder value.

Running services with a hosting provider is a kind of partnership that requires placing a certain amount of trust. Trust that they are competent, that it’s easy to contact someone if things go wrong, and that their values are aligned with yours for the long term. It’s hard to find providers that tick all these boxes.

Having used Mythic Beasts for a few things personally in recent years, I felt increasingly confident they would be a good home for Prosody’s infrastructure too. In fact they’ve been very supportive and understanding from the moment I reached out about Prosody’s situation, and have generously provided us with capacity to migrate all our services across and retire our old servers. You may have noticed a few blips in recent weeks as we did just that. Thanks for bearing with us!

All our services are now running smoothly on VMs provided by Mythic Beasts, and we can’t thank them enough as they enable us to continue our journey. It feels great to be with a provider that not only knows but cares about things like open-source, environmental impact, as well as IPv6, DNSSEC and all the other internet tech we care about too.

For those of you curious, here’s a list (probably not exhaustive) of things we are currently running as part of the project’s infrastructure:

Prosody, of course, for our community and development chats, notifications and alerts, etc.
Email (we use postfix)
Our website
- Our main website is powered by our own Makefile + pandoc static generator
- Our blog uses Hugo
- modules.prosody.im is again a custom generator (triggered automatically by pushes to the repo)
Our code repositories are served using hgkeeper, which helps us sensibly manage repos and access control
Our issue tracker (we wrote this one ourselves, in search of something open-source, flexible and bloat-free)
Continuous Integration, builds and packages are handled by buildbot
Debian package repository, generated using reprepro

If you notice any post-migration issues with our site or services, drop by the chat and let us know! Also, if you’re in need of hosting, now you know where we would suggest looking first :)

Prosody 0.12.4 released

2023-09-06T12:42:15+0200

We are pleased to announce a new minor release from our stable branch.

We’re relieved to announce this overdue maintenance release containing a number of bug fixes and also some improvements from the last few months.

Especially the prosodyctl check tool which gained some new diagnostic checks as well as handling of configuration option types the same way Prosody itself does.

A summary of changes in this release:

Minor changes

core.certmanager: Update Mozilla TLS config to version 5.7
util.error: Fix error on conversion of invalid error stanza #1805
util.array: Fix new() library function
util.array: Expose new() on module table
prosodyctl: Fix output of error messages containing ‘%’
util.prosodyctl.check: Correct suggested replacement for ‘disallow_s2s’
util.prosodyctl.check: Allow same config syntax variants as in Prosody for some options #896
util.prosodyctl.check: Fix error where hostname can’t be turned into A label
util.prosodyctl.check: Hint about the ‘external_addresses’ config option
util.prosodyctl.check: Suggest ‘http_cors_override’ instead of older CORS settings
util.prosodyctl.check: Validate format of module list options
mod_websocket: Add a ‘pre-session-close’ event #1800
mod_smacks: Fix stray watchdog closing sessions
mod_csi_simple: Disable revert-to-inactive timer when going to active mode
mod_csi_simple: Clear delayed active mode timer on disable
mod_admin_shell: Fix display of remote cert status when expired etc
mod_smacks: Replace existing watchdog when starting hibernation
mod_http: Fix error if ‘access_control_allow_origins’ is set
mod_pubsub: Send correct ‘jid’ attribute in disco#items
mod_http: Unhook CORS handlers only if active to fix an error #1801
mod_s2s: Add event where resolver for s2sout can be tweaked

Download

As usual, download instructions for many platforms can be found on our download page

If you have any questions, comments or other issues with this release, let us know!

Prosody 0.12.3 released

2023-02-21T10:46:35+0000

We are pleased to announce a new minor release from our stable branch.

This is a bugfix release for our stable 0.12 series. Most notably, it fixes a regression for SQL users introduced in 0.12.2, and a separate long-standing compatibility issue with archive stores on certain MySQL/MariaDB versions.

It also fixes an issue with websockets discovered by the Jitsi team, some issues with our internal HTTP client API, and we’ve improved the accuracy of ‘prosodyctl check dns’ in certain configurations.

A summary of changes in this release:

Fixes and improvements

mod_storage_sql: Don’t avoid initialization under prosodyctl (fix #1787: mod_storage_sql changes (d580e6a57cbb) breaks prosodyctl)
mod_storage_sql: Fix for breaking change in certain MySQL versions (#1639)
prosodyctl check dns: Check for Direct TLS SRV records even if not configured (#1793)

Minor changes

mod_websocket: Fire pre-session-close event (fixes #1800: mod_websocket: cleanly-closed sessions are hibernated by mod_smacks)
sessionmanager: Mark session as destroyed to prevent reentry (fixes #1781)
mod_admin_socket: Return error on unhandled input to prevent apparent freeze
configure: Fix quoting of $LUA_SUFFIX (thanks shellcheck/Zash)
net.http.parser: Improve handling of responses without content-length
net.http.parser: Fix off-by-one error in chunk parser
net.http.server: Add new API to get HTTP request from a connection
net.http.server: Fix double close of file handle in chunked mode with opportunistic writes (#1789)
util.prosodyctl.shell: Close state on exit to fix saving shell history
mod_invites: Prefer landing page over xmpp URI in shell command
mod_muc_mam: Add mam#extended form fields #1796 (Thanks Rain)
mod_muc_mam: Copy “include total” behavior from mod_mam
util.startup: Close state on exit to ensure GC finalizers are called

Download

As usual, download instructions for many platforms can be found on our download page

If you have any questions, comments or other issues with this release, let us know!

Prosody 0.12.2 released

2022-12-13T21:23:13+0100

We are pleased to announce a new minor release from our stable branch.

This is a regularly delayed release containing a number of fixes for issues that we have come across since the last release of the 0.12 series.

A summary of changes in this release:

Fixes and improvements

util.stanza: Allow U+7F when constructing stazas
net.unbound: Preserve built-in defaults and Prosodys settings for luaunbound (fixes #1763: luaunbound not reading resolv.conf) (thanks rgd)
mod_smacks: Disable not implemented resumption behavior on s2s
mod_http: Allow disabling CORS in the http_cors_override option and by default

Minor changes

util.json: Accept empty arrays with whitespace (fixes #1782: util.json fails to parse empty array with whitespace)
util.stanza: Adjust number of return values to handle change in dependency of test suite (fix test with luassert >=1.9)
util.startup: Ensure import() is available in prosodyctl (thanks keyzer)
mod_storage_sql: Fix initialization when called from prosodyctl
mod_storage_sql: Fix the summary API with Postgres (#1766)
mod_admin_shell: Fixes for showing data related to disconnected sessions (fixes #1777)
core.s2smanager: Don’t remove unrelated session on close of bidi session
mod_smacks: Don’t send redundant requests for acknowledgement (#1761)
mod_admin_shell: Rename commands user:roles() to user:setroles() and user:showroles() to user:roles()
mod_smacks: Bounce unhandled stanzas from local origin (fix #1759)
mod_bookmarks: Reduce log level of message about not having any bookmarks
mod_s2s: Fix firing buffer drain events
mod_http_files: Log warning about legacy modules using mod_http_files
util.startup: Wait for last shutdown steps
util.datamapper: Improve handling of schemas with non-obvious “type”
util.jsonschema: Fix validation to not assume presence of “type” field
util.jsonschema: Use same integer/float logic on Lua 5.2 and 5.3

Download

As usual, download instructions for many platforms can be found on our download page

If you have any questions, comments or other issues with this release, let us know!