Gajim Messenger

No. As it says. Set to gajim.

Some developments on the DNS leaks in Gajim including patches by Jeremy Rand: Gajim with Tor leaks DNS requests (#8538) · Issues · gajim / gajim · GitLab

Meanwhile I have a suggestion on how Gajim’s traffic can be forced to use stream isolation. What if it is installed under its own user account and then you can use bindp to force all traffic for that user over its own isolated stream? Does that make sense? Can it fix things?

Another idea is to setup a local DNS server to forward requests to the port that we want (for the gajim user specifically). In that case you must be careful to disable caching so requests don’t stand out.

Other ideas in the same area: using lxc containers, namespaces or apparmor profiles to manipulate per application network settings.

1 Like

Thread on TAILS’ plans to use Gajim Using Gajim in Tails (#8796) · Issues · gajim / gajim · GitLab

1 Like

2 posts were split to a new topic: Managing programs without Tor DNS Support

8 posts were merged into an existing topic: Managing programs without Tor DNS Support

The blocker was resolved.

Could you please work on TODO 1, 2 and 5? @HulaHoop

Dev/Gajim - Whonix

Sure. For 1) you want me to lookup how to manually specify a user/password?

Done with 2:

Where do I file the .d config request? I think its an upstream feature more than a Debian thing If so can you please create an account on their bugtracker because I don’t want to be profiled by their Google Captcha

1 Like


Sure. For 1) you want me to lookup how to manually specify a user/password?

It entails asking the gajim developers if gajim automatically sets a
socks user/password if using Tor.

The simple stream isolation implementation is socks support.

Next level is socks with socks user name support.

Best level is a different socks user name per account for not even
application level separation but account level separation.

Btw I don’t think I wrote HulaHoop is investigating the details.. I
guess you did by that time. Dunno.


Not sure what happened. They already fixed it but didn’t have a bug report beforehand perhaps. Not sure they’ll upload to stretch. Probably not. Now that this is sorted in a clean way in a future version, I try make it work in stretch based Whonix by config-package-dev hide /usr/share/gajim/plugins/plugin_installer.

conf.d request, yes, it’s an upstream feature request. On Sign in · GitLab see at the bottom under sign in:

Sign in with

And then you should see a github symbol. Account security is unimportant here imo. [*]

Does that work for you? Otherwise I’ll use the login with github and pass on the feature request once written.

[*] (The remote risk of github being hacked and the account being impersonated on the gajim issue tracker is a risk I am willing to take. Very low impact if an attacker would post nonsense there.)

1 Like

Should we install xmpp support package Debian -- Details of package python-nbxmpp in stretch by default?

Other packages for default installation: gajim gajim-omemo gajim-httpupload

Any other gajim related packages we should install by default?

Debian -- Package Search Results -- gajim

I found another issue which is hopefully just temporary due to me failing to properly configure gajim.

  • forget about automation / scripting the config, we’re not there yet
  • this question is from a users’s perspective

How do I configure gajim to use Tor by default?

Once I think I did that, and then create a new account, you have to click “advanced” first. By default it’s set to None meaning “not using Tor” (for us: no stream isolation). Users would have to manually select Tor for each account they are setting up. I haven#t found out how to delete None from network settings. Can you make head or tail of my description? Could you figure out how to configure using Tor as default network setting?

Ah I see. I didn’t notice I could do that last time. I consider my Github account very low value and GPG signing should negate any trust issues for code commits.

I went ahead and opened tickets for both features:

1 Like

Yes please add it. Its ideal for XMPP GUI client performance:

Other useful addons:

gajim-triggers (let me know what you think about this one because I’m unsure if it means running arbitrary commands)

We should not install image previewing because of security and privacy reasons:

i have more than one problem with gajim:

1- not intended for security/anonymity focused app
2- not for any DE , its specifically for GNOME
3- lack of stream isolation

including it in whonix not really worth the headache as if even the upstream will not help us for e.g if there will be problem of gajim and kde …

Test it with OMEMO and let us know how it works and how encryption is enabled, We could be able to ship a config that forces it by default.

As long as it runs on KDE I don;t see the problem. Who cares if its style doesn’t match? There are plenty of GNOME centric software that is pretty useful to have.

Not as bad as you think. We are working on it and coming up with a solution to deal with this for all future software that is not stream isolation friendly.

1 Like

Gajim with a separate plugininstaller is available from stable backports according to the maintainer.

1 Like

It has. It has socks proxy settings. I am working on enabling socks proxy settings for gajim by default.

So far so good… Current issue… Could you please look into this one? @HulaHoop

socks username and password configured here:


proxies.Tor.bosh_wait_for_restart_response = False
proxies.Tor.useauth = False
proxies.Tor.bosh_useproxy = False
proxies.Tor.bosh_http_pipelining = False
proxies.Tor.bosh_content = text/xml; charset=utf-8
proxies.Tor.bosh_uri =
proxies.Tor.bosh_wait = 30 = localhost
proxies.Tor.user =
proxies.Tor.pass =
proxies.Tor.bosh_hold = 2
proxies.Tor.type = socks5
proxies.Tor.port = 9050

1 Like

Assuming Socksport/HTTP isolation works for Gajim’s DNS, nothing else needs to be done (needs to be tested however).

If you are worried about torrent clients burning down the network then I recommend installing a bittorrent client by default and configuring it to use Tor’s HTTP Connect, then enabling IsolateDestAddr for SOCKS?

Both measures would be a stop gap until we ideally have the namespace solution you suggested.

1 Like