; ***************** STOP STOP STOP STOP ***************** ; If you are new and setting up Asterisk for the first ; time, you almost definitely should be using PJSIP ; instead of SIP. SIP has been deprecated for years ; and will be removed soon from Asterisk. PJSIP is ; recommended to future-proof your config. This is ; provided for historical and compatability purposes only. [general] ;bindport=16555 ;set it to a UDP port and never tell anyone what it is! Do not forward the port in your router ; bindport sets all 3 at once. TCP and UDP should be the same, TLS should be a different port. ATAs will need to specify the port tcpbindaddr=0.0.0.0:16555 ; SIP over TCP (default is 5060) udpbindaddr=0.0.0.0:16555 ; SIP over UDP (default is 5060) tlsbindaddr=0.0.0.0:16556 ; SIP over TLS (default is 5061) ;do not use port 5600 for external SIP connections; change your port to something non-standard i.e. bindport=39145 pick a port between 16383 and 65535 and never tell anyone what port you are using! Do not forward that UDP port in your router and ensure that UDP port 5600 is not forwarded in your router either. Indeed you should not need RTP UDP ports (usually 10000-20000) forwarded either. allowguest=no ;keep intruders out alwaysauthreject=yes ;make life difficult for scanners trying to find a way into your dialplan match_auth_username = yes ; match on usernames, not IPs!!! nat=force_rport,comedia ;should make nat more secure tos_sip=cs3 ; Sets TOS for SIP packets. tos_audio=ef ; Sets TOS for RTP audio packets. threewaycalling = yes transfer = yes disallowed_methods=UPDATE srvlookup=yes ;tlscertfile=/etc/letsencrypt/live/example.com/fullchain.pem ; if you set up TLS (which you should if your users are remote from Asterisk and not on the same LAN), configure these ;tlsprivatekey=/etc/letsencrypt/live/example.com/privkey.pem ;tlsdontverifyserver=yes ;tlscipher=ALL [lines](!) ; template for all user logins (e.g. ATAs) type = peer host = dynamic disallow=all allow=ulaw allow=alaw qualify = yes insecure = port,invite canreinvite = no ; don't allow RTP voice traffic to bypass Asterisk relaxdtmf = yes ; or no... play around with this progressinband = yes directmedia=no ; direct media is generally undesired, and can cause one-way audio issues call-limit=2 transport=udp,tcp,tls ; list of protocols allowed callcounter=yes busylevel=1 trust_id_outbound = no subscribecontext=phreaknet-hints ; for Busy Lamp Field (BLF) allowsubscribe=yes ; BLF. Keep in mind this allows all users using this template to subscribe to BLF state for all lines with hints in the specified context. This could be changed, of course, if not desired. [DeskPhone1](lines) ; SIP login for user DeskPhone1 defaultuser = DeskPhone1 authid = DeskPhone1 ; generally same as username secret = thisisaninsecurepasswordushouldchange callerid = "John Smith" <5552368> ; change the CNAM and caller ID of your line here context = from-internal ; context in the dialplan in which this user originates a call ;dtmfmethod = rfc2833 ; you can allow the user to choose a DTMF mode or set one here ;transport=tls ; for TLS encryption (signaling) ;encryption=yes ; for SRTP encryption (voice path) ;mailbox=2368@vmcontext ; for voicemail MWI