Server-to-server XMPP

XMPP allows servers to communicate seamlessly with each other, forming a global 'federated' IM network. This architecture is very similar to email, where someone on can send an email to someone with an account on, for example.

Prosody supports server-to-server (s2s) connections out of the box. All you need for it to work is:

  • A public domain name (such as '').
  • That domain name pointed to a public IP address.
  • Port 5269 open in your firewall.

If your XMPP server is accessed via a different domain name than your XMPP host (e.g. your addresses are ``, but your server is ``) then you need to set up SRV DNS records. This also applies if you want to run s2s over a custom port.


If you do not want to allow server-to-server communication on your server, or on particular hosts, you can simply disable mod_s2s. Either in the global section of your config, or in a specific host section, add:

⚠️ mod_s2s did not exist prior to Prosody 0.9. For earlier versions set disallow_s2s = true.

Note: if anonymous authentication is enabled then anonymous users are automatically blocked from making outgoing s2s connections. You can control this behaviour with:

Due to the potential for abuse it is recommended to leave allow_anonymous_s2s at its default (disabled).

⚠️ Again, Prosody versions prior to 0.9 do not support allow_anonymous_s2s - use disallow_s2s (as above) instead.


It is possible to control how Prosody authenticates s2s connections. By default it will try to use TLS if the other side supports it, and fall back to dialback if it does not or if the certificate is incorrect or not trusted.

As of Prosody 0.9 it is possible to have fine-grained control over server-to-server security.

⚠️ Note that certificate verification requires LuaSec 0.5 or higher to be installed.

To require encryption and certificate authentication, simply set s2s_secure_auth:

This will disable dialback (a DNS-based authentication mechanism), and require that all remote servers present trusted certificates valid for their domain. Note that you can configure which certificate authorities Prosody trusts certificates from; see our documentation on certificates for more info.

Beware that many servers on the XMPP network use self-signed or invalid certificates, or even don't support TLS at all (such as and all Google-hosted domains). It is possible to make exceptions like this:

Finally, if you don't want to require certificate authentication in general, but care strongly that certain domains are always securely authenticated, you can leave the default policy open, but provide a list of secure domains:
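The settings named on this page, combined into one configuration fragment. This is an added example, not the snippet from the original documentation; every domain name in it is a placeholder under `.example`, and the values shown are one possible policy rather than a recommendation from the Prosody project.

```lua
-- prosody.cfg.lua fragment (added example; every domain below is a placeholder)

---------- Global section ----------

-- Keep anonymous users off outgoing s2s connections (this is the default).
allow_anonymous_s2s = false

-- Policy A: strict. Require TLS and a trusted certificate valid for the
-- remote domain on every s2s connection; dialback is disabled.
-- Certificate verification needs LuaSec 0.5 or higher.
s2s_secure_auth = true

-- Exceptions to Policy A: certificate authentication is not required
-- for these domains, so they can still federate with this server.
s2s_insecure_domains = { "legacy-partner.example" }

-- Policy B: open by default, strict for named domains. To use it instead
-- of Policy A, remove the two settings above and uncomment these lines.
-- The listed domains must always present a trusted certificate:
-- s2s_secure_auth = false
-- s2s_secure_domains = { "bank.example", "hq.example" }

---------- Host sections ----------

VirtualHost "chat.example"
    -- Federates with other servers under the global policy above.

VirtualHost "internal.example"
    -- No federation for this host: do not load mod_s2s (Prosody 0.9+).
    modules_disabled = { "s2s" }
```

To turn off federation for the whole server instead of one host, the same `modules_disabled = { "s2s" }` line goes in the global section.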