Prosody 13.0.0 released!
Welcome to a new major release of the Prosody XMPP server! While the 0.12 branch has served us well for a while now, this release brings a bunch of new features we’ve been busy polishing.
If you’re unfamiliar with Prosody, it’s an open-source project that implements XMPP, an open standard protocol for online communication. Prosody is widely used to power everything from small self-hosted messaging servers to worldwide real-time applications such as Jitsi Meet. It’s part of a large ecosystem of compatible software that you can use for realtime online communication.
Before we begin…
The first thing anyone who has been following the project for a while will notice about this release is the version number.
Long-time adherents of the cult of 0ver, we finally decided it was time to break away. As Shakespeare wrote, “That which we call a rose, by any other name would smell as sweet”, and the same is true of version numbers. Prosody has been stable and used in production deployments for many years; however, the ‘0.x’ version number occasionally misled people to believe otherwise. Apart from shifting the middle component leftwards, nothing has changed.
If you’re really curious, you can read full details in our versioning and support policy.
Our version numbers have also been in step with Debian’s for several versions now. Could this become a thing? Maybe!
Overview of changes
This release brings a wide range of improvements that make Prosody more secure, performant, and easier to manage than ever before. Let’s review the most significant changes that administrators and users can look forward to across a range of different topics.
Security and authentication
Security takes centre stage in this release with several notable improvements. Building on DNSSEC, the addition of full DANE support for server-to-server connections strengthens the trust between federating XMPP servers.
We’ve enhanced our support for channel binding, which is now compatible with TLS 1.3, and we’ve added support for XEP-0440 which helps clients know which channel binding methods the server supports. Channel binding protects your connection from certain machine-in-the-middle attacks, even if the server’s TLS certificate is compromised.
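Why a relayed login fails under channel binding, as an added example that is not Prosody's code: it assumes SCRAM-SHA-256 message layout (RFC 5802) with the tls-exporter binding type (RFC 9266), and every nonce, salt, password and exporter value is constructed.

```python
import base64, hashlib, hmac

GS2 = b"p=tls-exporter,,"  # GS2 header: client asks for tls-exporter binding (RFC 9266)

def _hmac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def stored_key_for(password, salt, iters):
    """What the server keeps instead of the password (RFC 5802 StoredKey)."""
    salted = hashlib.pbkdf2_hmac("sha256", password, salt, iters)
    return hashlib.sha256(_hmac(salted, b"Client Key")).digest()

def client_final(password, salt, iters, first_bare, server_first, nonce, cb_data):
    """Client: build client-final-message bound to the TLS channel the client sees."""
    without_proof = b"c=" + base64.b64encode(GS2 + cb_data) + b",r=" + nonce
    auth_msg = b",".join([first_bare, server_first, without_proof])
    client_key = _hmac(hashlib.pbkdf2_hmac("sha256", password, salt, iters), b"Client Key")
    signature = _hmac(hashlib.sha256(client_key).digest(), auth_msg)
    return without_proof + b",p=" + base64.b64encode(_xor(client_key, signature))

def server_verify(stored_key, first_bare, server_first, final_msg, cb_data):
    """Server: compare c= with its own view of the channel, then verify the proof."""
    without_proof, _, proof = final_msg.rpartition(b",p=")
    c_attr = without_proof.split(b",")[0][2:]
    if not hmac.compare_digest(c_attr, base64.b64encode(GS2 + cb_data)):
        return "channel-binding-mismatch"
    auth_msg = b",".join([first_bare, server_first, without_proof])
    client_key = _xor(base64.b64decode(proof), _hmac(stored_key, auth_msg))
    if not hmac.compare_digest(hashlib.sha256(client_key).digest(), stored_key):
        return "bad-proof"
    return "ok"

def demo():
    # Constructed sample values; real exporter bytes come from the TLS stack.
    pw, salt, iters = b"correct horse", b"constructed-salt", 4096
    bare = b"n=alice,r=clientnonce"
    first = b"r=clientnonceservernonce,s=Y29uc3RydWN0ZWQtc2FsdA==,i=4096"
    nonce = b"clientnonceservernonce"
    chan_client, chan_server = b"\x11" * 32, b"\x22" * 32  # differ when TLS is intercepted
    sk = stored_key_for(pw, salt, iters)
    msg = client_final(pw, salt, iters, bare, first, nonce, chan_client)
    rewritten = b"c=" + base64.b64encode(GS2 + chan_server) + msg[msg.index(b",r="):]
    return (server_verify(sk, bare, first, msg, chan_client),        # same channel
            server_verify(sk, bare, first, msg, chan_server),        # relayed over another TLS session
            server_verify(sk, bare, first, rewritten, chan_server))  # c= altered in transit
```

The third case fails because the `c=` attribute is part of the signed AuthMessage, so changing it invalidates the client proof.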
Account management
Administrators now have more granular control over user accounts with the ability to disable and enable them as needed. This can be particularly useful for public servers, where disabling an account can act as a reversible alternative to deletion.
In fact, we now have the ability to set a grace period for deleted accounts to allow restoring an account (within the grace period) in case of accidental deletion.
Roles and permissions
A new role and permissions framework provides more flexible access control. Prosody supplies several built-in roles:
- prosody:operator - for operators of the whole Prosody instance. By default, accounts with this role have full access, including to operations that affect the whole server.
- prosody:admin - the usual role for admins of a specific virtual host (or component). Accounts with this role have permission to manage user accounts and various other aspects of the domain.
- prosody:member - this role is for “normal” user accounts, but specifically those ones which are trusted to some extent by the administrators. Typically accounts that are created through an invitation or through manual provisioning by the admin have this role.
- prosody:registered - this role is also for general user accounts, but is used by default for accounts which registered themselves, e.g. if the server has in-band registration enabled.
- prosody:guest - finally, the “guest” role is used for temporary/anonymous accounts and is also the default for remote JIDs interacting with the server.
For more details about how to use these roles, customize permissions, and more, read our new roles and permissions documentation. You will also find the link there for the development documentation, so module developers can make use of the new system.
Shell commands
Since the earliest releases, the prosodyctl command has been the admin’s primary way of managing and interacting with Prosody. In 0.12 we introduced the prosodyctl shell interface to send administrative commands to Prosody at runtime via a local connection. It has been a big success, and this release significantly extends its capabilities.
- prosodyctl adduser/passwd/deluser commands now use the admin connection to create users, which improves compatibility with various storage and authentication plugins. It also ensures Prosody can instantly respond to changes, such as immediately disconnecting users when their account is deleted.
- Pubsub management commands have been added, to create/configure/delete nodes and items on pubsub and PEP services without needing an XMPP client.
- One of our own favourites as Prosody developers is the new prosodyctl shell watch log command, which lets you stream debug logs in real-time without needing to store them on the filesystem.
- Similarly, there is now prosodyctl shell watch stanzas which lets you monitor stanzas to/from arbitrary JIDs, which is incredibly helpful for developers trying to diagnose various client issues.
- Server-wide announcements can now be sent via the shell, optionally limiting the recipients by online status or role.
- MUC has gained a few new commands for interacting with MUC rooms.
Improved Multi-User Chat (MUC) Management
The MUC system has received a significant overhaul focusing on security and administrative control. By default, room creation is now restricted to local users, providing better control over who can create persistent and public rooms.
Server administrators get new shell commands to inspect room occupants and affiliations, making day-to-day operations more straightforward.
One notable change is that component admins are no longer automatically owners. This can be reverted to the old behaviour with component_admins_as_room_owners = true in the config, but this has known incompatibilities with some clients. Instead, admins can use the shell or ad-hoc commands to gain ownership of rooms when it’s necessary.
Better Network Performance
Network connectivity sees substantial improvements with the implementation of RFC 8305’s “Happy Eyeballs” algorithm, which enhances IPv4/IPv6 dual-stack performance and increases the chance of a successful connection.
Support for TCP Fast Open and deferred accept capabilities (in the server_epoll backend) can potentially reduce connection latency.
The server now also better handles SRV record selection by respecting the ‘weight’ parameter, leading to more efficient connection distribution.
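The weighted ordering that RFC 2782 specifies for SRV records, as an added example (not Prosody's implementation); the record tuples and host names are constructed.

```python
import random

def order_srv(records, rng=random):
    """Return records in the order a client should try them (RFC 2782).
    records: list of (priority, weight, port, target) tuples."""
    ordered = []
    for prio in sorted({r[0] for r in records}):
        # Weight-0 records go first so they keep a small chance of selection.
        pool = sorted((r for r in records if r[0] == prio), key=lambda r: r[1] != 0)
        while pool:
            pick = rng.randint(0, sum(r[1] for r in pool))  # 0..sum inclusive
            running = 0
            for i, rec in enumerate(pool):
                running += rec[1]
                if running >= pick:
                    ordered.append(pool.pop(i))
                    break
    return ordered

def first_choice_counts(records, trials=2000, seed=7):
    """Tally which target is tried first over many seeded runs."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        first = order_srv(records, rng)[0][3]
        counts[first] = counts.get(first, 0) + 1
    return counts

# Constructed records: two weighted primaries and a lower-priority backup.
SAMPLE = [
    (10, 90, 5269, "xmpp1.example.net"),
    (10, 10, 5269, "xmpp2.example.net"),
    (20, 0, 5269, "backup.example.net"),
]
```

With these weights the first host is tried first in roughly nine out of ten runs, and the backup is only reached after both primaries.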
Storage and Performance Improvements
Under the hood, Prosody now offers better query performance with its internal archive stores by generating indexes.
SQLite users now have the option to use LuaSQLite3 instead of LuaDBI, potentially offering better performance and easier deployment.
We’ve also added compatibility with SQLCipher, a fork of SQLite that adds support for encrypted databases.
Configuration Improvements
The configuration system has been modernized to support referencing and appending to previously set options, making complex configurations more manageable.
While direct Lua API usage in the config file is now deprecated, it remains accessible through the new Lua.* namespace for those who need it.
Also new in this release is the ability to reference credentials or other secrets in the configuration file, without storing them in the file itself. It is compatible with the credentials mechanisms supported by systemd, podman and more.
Developer/API changes
The development experience has always been an important part of our project - we set out to make an XMPP server that was very easy to extend and customize. Our developer API has improved with every release. We’ve even had first-time coders write Prosody plugins!
There are too many improvements to list here, but some notable ones:
- Storage access from modules has been simplified with a new ‘keyval+’ store type, which combines the old ‘keyval’ (default) and ‘map’ stores into a single interface. Before this change, many modules had to open the store twice to utilize the two APIs.
- Any module can now replace custom permission handling with Prosody’s own permission framework via the simple module:may() API call.
- Providing new commands for prosodyctl shell is now much easier for module developers.
Backwards compatibility is of course generally preserved, although is_admin() has been deprecated in favour of module:may(). Modules that want to remain compatible with older versions can use mod_compat_roles to enable (limited) permission functionality.
Important Notes for Upgrading
A few breaking changes are worth noting:
- Lua 5.1 support has been removed (this also breaks compatibility with LuaJIT, which is based primarily on Lua 5.1).
- Some MUC default behaviors have changed regarding room creation and admin permissions (see above).
Conclusion
We’re very excited about this release, which represents a significant step forward for Prosody, and contains improvements for virtually every aspect of the server. From enhanced security to better performance and more flexible administration tools, there has never been a better time to deploy Prosody and take control of your realtime communications.
For full detailed information about the changes in this release, and advice for upgrading, view the Prosody 13.0.0 release notes.
As always, if you have any problems or questions with Prosody or the new release, drop by our community chat!