[IDEALLY] xmpp + omemo

this is the ideal self-hosted option and may require significant effort to deploy.

MOBILE CLIENTS should remove google apps from their android device and run fdroid conversations[1]. for the purposes of security, google play services should be considered a rootkit. 1:1 conversations should be encrypted with omemo[2]. encrypted group chats are also possible, but are not supported by all clients.

1: fdroid conversations

2: omemo

DESKTOP CLIENTS are not that great. dino[3] and gajim[4] are among the best available options, but both have UX issues.

3: dino

4: gajim

TERMINAL CLIENTS are not too bad. profanity[5] even supports omemo these days.

5: profanity

ALL CLIENTS should choose a server operator that they trust.

SERVERS should verify compliance[6] to ensure correct operation of encrypted clients. sunshinegardens.org operates an ejabberd[7] server, which has shown itself to be a very efficient and easy to administer program. prosody[8] is another option which may not scale as well as ejabberd, but has the plus of working mostly out of the box. for additional privacy, operating an xmpp network within tor is an option.

a properly configured xmpp server should be able to facilitate file sharing and, by extension, a variety of collaborative workflows.

6: xmpp compliance

7: ejabberd

8: prosody

ejabberd hardening

limit retention of messages and uploads

shaper_rules:
  soft_upload_quota:
    1000: all # MiB; old uploads are removed until the user is back under this
  hard_upload_quota:
    1024: all # MiB; exceeding this triggers removal of old uploads
  max_user_offline_messages:
    - 1000: admin
    - 100 # everyone else
modules:
  mod_http_upload:
    custom_headers:
      # a yaml mapping cannot repeat a key; several names go in one comma-separated value
      "X-Clacks-Overhead": "GNU @glitter, GNU Gio Rivera, GNU Terry Davis"
  mod_http_upload_quota:
    max_days: 30 # delete uploads older than this
  mod_offline:
    store_group_chat: false # do not spool group chat history for offline users
    access_max_user_messages: max_user_offline_messages # cap the spool with the shaper rule above
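an audit helper for the fragment above, added here and not part of this page's config or of ejabberd: it assumes the config has been loaded into a dict (as yaml.safe_load would return it) and flags a duplicated header key, a misspelled mod_offline option name, an unset max_days, and a soft quota above the hard one.

```python
# Constructed sample: the mod_http_upload block above with a header key repeated.
# YAML forbids duplicate mapping keys; a loader rejects them or silently keeps one.
SAMPLE_YAML = """\
modules:
  mod_http_upload:
    custom_headers:
      "X-Clacks-Overhead": "GNU @glitter"
      "X-Clacks-Overhead": "GNU Terry Davis"
"""

def duplicate_keys(text: str) -> list:
    """Keys that repeat within one YAML mapping (tracked by indentation)."""
    seen = {}            # indent -> keys already seen in the current block
    dups = []
    for line in text.splitlines():
        body = line.strip()
        if not body or body[0] in "#-" or ":" not in body:
            continue     # comments, sequence items and bare scalars
        indent = len(line) - len(line.lstrip())
        for deeper in [i for i in seen if i > indent]:
            del seen[deeper]   # a shallower line closes the nested blocks
        key = body.split(":", 1)[0].strip().strip('"')
        if key in seen.setdefault(indent, set()):
            dups.append(key)
        seen[indent].add(key)
    return dups

# Constructed sample as a loader returns it: the shaper rules above plus a misspelled mod_offline option.
SAMPLE_CFG = {
    "shaper_rules": {"soft_upload_quota": {1000: "all"}, "hard_upload_quota": {1024: "all"},
                     "max_user_offline_messages": [{1000: "admin"}, 100]},
    "modules": {"mod_offline": {"store_group_chat": False,
                                "access_mass_user_messages": "max_user_offline_messages"}},
}

def audit_retention(cfg: dict) -> list:
    """Findings against the retention settings discussed on this page."""
    rules, mods, out = cfg.get("shaper_rules", {}), cfg.get("modules", {}), []
    if max(rules.get("soft_upload_quota", {0: 0})) > max(rules.get("hard_upload_quota", {0: 0})):
        out.append("soft_upload_quota exceeds hard_upload_quota")
    if "max_days" not in mods.get("mod_http_upload_quota", {}):
        out.append("mod_http_upload_quota: max_days unset, uploads never expire")
    off = mods.get("mod_offline", {})
    if off.get("store_group_chat", False):
        out.append("mod_offline: group chat history is spooled offline")
    for opt in off:      # the only access_ option of mod_offline is access_max_user_messages
        if opt.startswith("access_") and opt != "access_max_user_messages":
            out.append(f"mod_offline: unknown option {opt} (typo?)")
    return out
```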