DNS record and certificate for a Jabber server behind IPFire (was: Can anybody explain to me what I have to do here?)

I want to host a Jabber server at home, which is located in the DMZ of the IPFire.
I have a domain; this domain has an A record with DynDNS and SRV records for the subdomain xmpp.domain.com.
The server should have the hostname xmpp.domain.com. Is this correct?
How do I create the certificates? For the domain or for the subdomain? Will the subdomain be reachable at all if only the domain has an A record?
I'm a bit stuck and don't want to just test anything, but first want to understand theoretically what exactly I have to do.
If someone could shed some light on this, that would be great.

yes

With an A record, it will always be reachable. The Jabber instance could still be reachable with just the SRV records, provided that the clients and services interacting with it are configured to use SRV records for discovery. SRV records are specifically designed to direct traffic for particular services to a designated hostname and port, even if that hostname doesn’t have a corresponding A or CNAME record. However, lacking an A or CNAME record for the subdomain could limit its general “resolvability” for other services or for direct access, which is why having an A or CNAME record in addition to the SRV record is generally recommended.

Thanks for your reply, @cfusco.
OK, but if I want user@domain.com as Jabber accounts, then I must configure an A record only for the domain, or not?

Or will the Jabber account always be user@xmpp.domain.com?

On the Raspi I enabled Alpine's firewall and opened only the ports of the SRV records to the Internet.
For the green network I opened the admin console and SSH. I was also able to access SSH from the road while connected to the VPN of the IPFire.
As soon as I set up a forward for the ports of the SRV records in IPFire, the server is on the net.

And which certificates do I have to create, and for which domain? domain.com or xmpp.domain.com, and where do they have to be, already on the IPFire or on the Jabber server?
I do not want an error message when clients connect.

If you want Jabber accounts to be in the format of user@domain.com, then you would typically set an A record for the domain itself. However, this would mean that the domain can’t be used for other services that require the same ports as your Jabber server, as it would create a conflict. If you use a subdomain like xmpp.domain.com, you can isolate the Jabber service and still run other services on domain.com.

If the Jabber server is running on a subdomain like xmpp.domain.com, then the SSL certificate should be issued for that subdomain.

Regarding where the certificate should be stored:

  1. If there’s a reverse proxy on IPFire, the certificate should be configured there.
  2. If there’s no reverse proxy, the certificate should be installed directly on the Jabber server, which is generally capable of handling SSL/TLS encryption.
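As an added example (not from this thread, IPFire or any Jabber server), the Python below models the layout just described with a constructed zone and a constructed list of certificate names, and checks offline that every SRV target has an A/AAAA record and is named in the certificate. It goes one step beyond the thread by also requiring the certificate to name the XMPP domain itself (the part after the @ in the account), which RFC 6120 tells clients and peer servers to verify; the domain, addresses and record values are made up for illustration.

```python
from collections import namedtuple

SRV = namedtuple("SRV", "priority weight port target")

# Constructed zone for the layout discussed above: DynDNS A record on the
# bare domain, an A record for the XMPP host, and SRV records for the
# client (5222) and server-to-server (5269) ports pointing at that host.
ZONE = {
    ("domain.com", "A"): ["203.0.113.10"],
    ("xmpp.domain.com", "A"): ["203.0.113.10"],
    ("_xmpp-client._tcp.domain.com", "SRV"): [SRV(0, 5, 5222, "xmpp.domain.com")],
    ("_xmpp-server._tcp.domain.com", "SRV"): [SRV(0, 5, 5269, "xmpp.domain.com")],
}

def srv_targets(zone, service, domain):
    """(port, target) pairs for one SRV service, lowest priority value first."""
    records = sorted(zone.get((f"{service}.{domain}", "SRV"), []))
    return [(r.port, r.target) for r in records]

def name_matches(cert_names, host):
    """True if a certificate name covers host; '*.x' matches exactly one label (RFC 6125)."""
    for name in cert_names:
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False

def check_setup(zone, jid_domain, cert_names):
    """Return a list of findings; an empty list means DNS and certificate agree."""
    findings = []
    for service in ("_xmpp-client._tcp", "_xmpp-server._tcp"):
        targets = srv_targets(zone, service, jid_domain)
        if not targets:
            findings.append(f"no SRV record {service}.{jid_domain}: clients fall back to the A record of {jid_domain}")
        for port, target in targets:
            if (target, "A") not in zone and (target, "AAAA") not in zone:
                findings.append(f"SRV target {target} (port {port}) has no A/AAAA record")
            if not name_matches(cert_names, target):
                findings.append(f"certificate does not name SRV target {target}")
    # RFC 6120 section 13.7.2: the certificate must identify the XMPP domain
    # (the part after the @ in the JID), not only the SRV target host.
    if not name_matches(cert_names, jid_domain):
        findings.append(f"certificate does not name the XMPP domain {jid_domain}")
    return findings

if __name__ == "__main__":
    for finding in check_setup(ZONE, "domain.com", ["xmpp.domain.com"]):
        print("WARN", finding)
    print("OK" if not check_setup(ZONE, "domain.com", ["domain.com", "xmpp.domain.com"]) else "FAIL")
```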

The domain will only be used for Jabber so far; for the VPN on IPFire I use another domain, with a second A record.
But I could use Jabber accounts with the subdomain, if I want?

No, is it absolutely necessary? But I often hear about that only when more services are put online.

Yes, there is a plugin which can make the updates.

It is up to you. You can do it both ways. Just keep in mind that if you go for subdomains, each subdomain should have its own keys.

In your case, it would be only necessary if Jabber could not handle encryption. So, no. Not necessary.

OK, thanks for your information. I will try a new attempt from the beginning and hopefully I don't mess up next time.

@cfusco
My progress is stalling a bit. Since I wanted to set everything up completely from scratch, I have to change something on the firewall of the Raspi.
But in the meantime I noticed that I no longer reach the VPN server on the IPFire …
I use another domain for it; I thought there would be no difficulties with that, but apparently that is not so.
How can I now reach the IPFire under another domain?
Do I have to set SRV records for it? If so, what do they have to look like for OpenVPN?

Edit: OK, in the logs of OpenVPN I read "tls handshake failed" and "tls-verify failed", but with this configuration it has always worked; even reinstalling the OpenVPN config doesn't help.
I think an update of the client is the problem. But no clue what it is.