New s2s Policy
The Jabber service was moved to a different server a few days ago and I used the opportunity to update the s2s policy a bit. Servers are now no longer authenticated by the dialback mechanism, but by actually checking their X.509 certificates.
I monitored the situation a bit and most connected servers manage to have a valid certificate from a CA that I trusted enough to add. This includes CAcert, StartCom and Let's Encrypt.
There are a few servers that cannot connect anymore because of the new policy; most of them have either a self-signed certificate or an expired certificate.
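For readers who want to reproduce this kind of policy, the following is an added Prosody configuration example; it is not the configuration from this post. It shows the switch from dialback to certificate-based s2s authentication and the usual way to carve out exceptions for the remote domains that would otherwise be cut off. The trust-store path and the exception domain names are assumptions, not values from this post.

```lua
-- Global section of prosody.cfg.lua (placement assumed for this example).

-- Refuse unencrypted server-to-server streams entirely.
s2s_require_encryption = true

-- Authenticate remote servers by their certificate chain rather than by
-- dialback: the peer must present a certificate that is valid for its
-- domain and chains to a CA in the trust store below.
s2s_secure_auth = true

-- Trust store used to validate remote certificates. The path is an
-- assumption; add extra CA certificates here (e.g. ones not shipped by the
-- OS) if you decide to trust them.
ssl = {
    capath = "/etc/ssl/certs",
}

-- Remote domains that are still allowed to authenticate via dialback even
-- though s2s_secure_auth is on (self-signed or expired certificates).
-- Domain names are constructed placeholders.
s2s_insecure_domains = {
    "selfsigned.example.org",
    "expired-cert.example.net",
}
```

Each entry in `s2s_insecure_domains` is a deliberate, per-domain downgrade that is visible in the configuration, which is a more auditable alternative to loosening the policy globally.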
I would like to have a Trust-On-First-Use policy for self-signed certificates, but currently Prosody doesn’t seem to have such an option.