1NNRPD(8) InterNetNews Documentation NNRPD(8)
2
3
4
6 nnrpd - NNTP server for reader clients
7
9 nnrpd [-DfnoSt] [-4 address] [-6 address] [-b address] [-c configfile]
10 [-i initial] [-I instance] [-p port] [-P prefork] [-r reason] [-s
11 padding]
12
14 nnrpd is an NNTP server for newsreaders. It accepts commands on its
15 standard input and responds on its standard output. It is normally
16 invoked by innd(8) with those descriptors attached to a remote client
17 connection. nnrpd also supports running as a standalone daemon.
18
19 Unlike innd(8), nnrpd supports all NNTP commands for user-oriented
20 reading and posting. nnrpd uses the readers.conf file to control who
21 is authorized to access the Usenet database.
22
23 On exit, nnrpd will report usage statistics through syslog(3).
24
25 nnrpd only reads config files (both readers.conf and inn.conf) when it
26 is spawned. You can therefore never change the behavior of a client
27 that's already connected. If nnrpd is run from innd (the default) or
28 from inetd(8), xinetd(8), or some equivalent, a new nnrpd process is
29 spawned for every connection and therefore any changes to configuration
30 files will be immediately effective for all new connections. If you
31 are instead running nnrpd with the -D option, any configuration changes
32 won't take effect until nnrpd is restarted.
33
34 The inn.conf setting nnrpdflags can be used to pass any of the options
35 below to instances of nnrpd that are spawned directly from innd. Many
36 options only make sense when -D is used, so these options should not be
37 used with nnrpdflags. See also the discussion of nnrpdflags in
38 inn.conf(5).
39
40 When nnrpdloadlimit in inn.conf is not 0, it will also reject
41 connections if the load average is greater than that value (typically
42 16). nnrpd can also prevent high-volume posters from abusing your
43 resources. See the discussion of exponential backoff in inn.conf(5).
44
46 -4 address
47 The -4 parameter instructs nnrpd to bind to the specified IPv4
48 address when started as a standalone daemon using the -D flag.
49 This has to be a valid IPv4 address belonging to an interface of
50 the local host. It can also be 0.0.0.0, saying to bind to all
51 addresses (this is the default).
52
53 -6 address
54 The -6 parameter instructs nnrpd to bind to the specified IPv6
55 address when started as a standalone daemon using the -D flag.
56 This has to be a valid IPv6 address belonging to an interface of
57 the local host. It can also be "::0", saying to bind to all IPv6
58 addresses.
59
60 By default, nnrpd in daemon mode listens to both IPv4 and IPv6
61 addresses. With this option, it will listen only to the specified
62 IPv6 addresses. On some systems however, a value of "::0" will
63 cause it to listen to all IPv4 addresses as well.
64
65 -b address
66 Similar to the -4 flag. -b is kept for backwards compatibility.
67
68 -c configfile
69 By default, nnrpd reads the readers.conf to determine how to
70 authenticate connections. The -c flag specifies an alternate file
71 for this purpose. If the file name isn't fully qualified, it is
72 taken to be relative to pathetc in inn.conf. (This is useful to
73 have several instances of nnrpd running on different ports or IP
74 addresses with different settings.)
75
76 -D If specified, this parameter causes nnrpd to operate as a daemon.
77 That is, it detaches itself and runs in the background, forking a
78 process for every connection. By default, nnrpd listens on the
79 NNTP port (119), so either innd(8) has to be started on another
80 port or the -p parameter used. Note that with this parameter,
81 nnrpd continues running until killed. This means that it reads
82 inn.conf once on startup and never again until restarted. nnrpd
83 should therefore be restarted if inn.conf is changed.
84
85 When started in daemon mode, nnrpd will write its PID into a file
86 in the pathrun directory. The file will be named nnrpd.pid if
87 nnrpd listens on port 119 (default), or nnrpd-%d.pid, where %d is
88 replaced with the port that nnrpd is configured to listen on (-p
89 option is given and its argument is not 119).
90
91 -f If specified, nnrpd does not detach itself and runs in the
92 foreground when started as a standalone daemon using the -D flag.
93
94 -i initial
95 Specify an initial command to nnrpd. When used, initial is taken
96 as if it were the first command received by nnrpd. After having
97 responded, nnrpd will close the connection.
98
99 -I instance
100 If specified, instance is used as an additional static portion
101 within message-IDs generated by nnrpd; typically this option would
102 be used where a cluster of machines exist with the same virtual
103 hostname and must be disambiguated during posts.
104
105 -n The -n flag turns off resolution of IP addresses to names. If you
106 only use IP-based restrictions in readers.conf and can handle IP
107 addresses in your logs, using this flag may result in some
108 additional speed.
109
110 -o The -o flag causes all articles to be spooled instead of sending
111 them to innd(8). rnews with the -U flag should be invoked from
112 cron on a regular basis to take care of these articles. This flag
113 is useful if innd(8) is accepting articles and nnrpd is started
114 standalone or using inetd(8).
115
116 -p port
117 The -p parameter instructs nnrpd to listen on port when started as
118 a standalone daemon using the -D flag.
119
120 -P prefork
121 The -P parameter instructs nnrpd to prefork prefork children
122 awaiting connections when started as a standalone daemon using the
123 -D flag.
124
125 -r reason
126 If the -r flag is used, then nnrpd will reject the incoming
127 connection giving reason as the text. This flag is used by innd(8)
128 when it is paused or throttled. reason should be encoded in UTF-8.
129
130 -s padding
131 As each command is received, nnrpd tries to change its "argv" array
132 so that ps(1) will print out the command being executed. To get a
133 full display, the -s flag may be used with a long string as its
134 argument, which will be overwritten when the program changes its
135 title.
136
137 -S If specified, nnrpd will start a negotiation for a TLS session as
138 soon as connected. To use this flag, the OpenSSL SSL and crypto
139 libraries must have been found at configure time, or --with-openssl
140 specified at configure time. For more information on running nnrpd
141 with TLS support, see "TLS SUPPORT".
142
143 -t If the -t flag is used, then all client commands and initial
144 responses will be traced by reporting them in syslog. This flag is
145 set by innd(8) under the control of the ctlinnd(8) "trace" command,
146 and is toggled upon receipt of a SIGHUP; see signal(2).
147
149 If INN is built with --with-openssl or if the OpenSSL SSL and crypto
150 libraries are found at configure time, nnrpd will support news reading
151 over TLS (also known as SSL). For clients that use the STARTTLS
152 command, no special configuration is needed beyond creating a TLS/SSL
153 certificate for the server. You should do this in exactly the same way
154 that you would generate a certificate for a web server.
155
156 If you're happy with a self-signed certificate (which will generate
157 warnings with some news reader clients), you can create and install one
158 in the default path by running "make cert" after "make install" when
159 installing INN, or by running the following commands:
160
161 umask 077
162 openssl req -new -x509 -nodes -out <pathetc>/cert.pem \
163 -days 366 -keyout <pathetc>/key.pem
164 chown news:news <pathetc>/cert.pem
165 chmod 640 <pathetc>/cert.pem
166 chown news:news <pathetc>/key.pem
167 chmod 600 <pathetc>/key.pem
168
169 Replace the paths with something appropriate to your INN installation.
170 This will create a self-signed certificate that will expire in a year.
171 The openssl program will ask you a variety of questions about your
172 organization. Enter the fully qualified domain name of your news
173 service (either the server canonical name or a dedicated alias for the
174 news service) as the name the certificate is for.
175
176 You then have to set these inn.conf parameters with the right paths:
177
178 tlscapath: <pathetc>
179 tlscertfile: <pathetc>/cert.pem
180 tlskeyfile: <pathetc>/key.pem
181
182 Note that unlike Apache's SSLCertificateFile directive, tlscertfile
183 should not contain a concatenation of certificates. Instead, if you
184 have a certificate authority root certificate, set tlscafile to its
185 path.
186
187 There are two common ways for a news client to negotiate a TLS
188 connection: either via the use of a dedicated port (usually 563) on
189 which TLS is immediately negotiated upon connection, or via the now
190 discouraged way (per RFC 8143) to use the STARTTLS command on the usual
191 NNTP port (119) to dynamically upgrade from unencrypted to TLS-
192 protected traffic during an NNTP session. innd does not, however, know
193 how to listen for connections to that separate port (563). You will
194 therefore need to arrange for nnrpd to listen on that port through some
195 other means. This can be done with the -D flag along with "-p 563" and
196 put into your init scripts:
197
198 su news -s /bin/sh -c '<pathbin>/nnrpd -D -p 563 -S'
199
200 but the easiest way is probably to add a line like:
201
202 nntps stream tcp nowait news <pathbin>/nnrpd nnrpd -S
203
204 to /etc/inetd.conf or the equivalent on your system and let inetd run
205 nnrpd. (Change the path to nnrpd to match your installation.) You may
206 need to replace "nntps" with 563 if "nntps" isn't defined in
207 /etc/services on your system.
208
209 Optionally, you may set the tlsciphers, tlsciphers13, tlscompression,
210 tlseccurve, tlspreferserverciphers, and tlsprotocols parameters in
211 inn.conf to fine-tune the behaviour of the TLS/SSL negotiation whenever
212 a new attack on the TLS protocol or some supported cipher suite is
213 discovered.
214
216 nnrpd implements the NNTP commands defined in RFC 3977 (NNTP), RFC 4642
217 updated by RFC 8143 (TLS/NNTP), RFC 4643 (NNTP authentication),
218 RFC 6048 (NNTP LIST additions) and RFC 8054 (NNTP compression) with the
219 following differences:
220
221 1. The XGTITLE [wildmat] command is provided. This extension is used
222 by ANU-News and documented in RFC 2980. It returns a 282 reply
223 code, followed by a one-line description of all newsgroups that
224 match the pattern. The default is the current group.
225
226 Note that LIST NEWSGROUPS should be used instead of XGTITLE.
227
228 2. The XHDR header [message-ID|range] command is implemented. It
229 returns a 221 reply code, followed by specific headers for the
230 specified range; the default is to return the data for the current
231 article. See RFC 2980.
232
233 Note that HDR should be used instead of XHDR.
234
235 3. The XOVER [range] command is provided. It returns a 224 reply
236 code, followed by the overview data for the specified range; the
237 default is to return the data for the current article. See
238 RFC 2980.
239
240 Note that OVER should be used instead of XOVER.
241
242 4. A new command, XPAT header message-ID|range pattern [pattern ...],
243 is provided. The first argument is the case-insensitive name of
244 the header to be searched. The second argument is either an
245 article range or a single message-ID, as specified in RFC 2980.
246 The third argument is a uwildmat(3)-style pattern; if there are
247 additional arguments, they are joined together separated by a
248 single space to form the complete pattern. This command is similar
249 to the XHDR command. It returns a 221 response code, followed by
250 the text response of all article numbers that match the pattern.
251
252 5. A newsgroup name is case-sensitive for nnrpd.
253
254 6. If IHAVE has been advertised, it will not necessarily be advertised
255 for the entire session (contrary to section 3.4.1 of RFC 3977).
256 nnrpd only advertises the IHAVE capability when it is really
257 available.
258
259 7. nnrpd allows a wider syntax for wildmats and ranges (especially "-"
260 and "-article-number").
261
263 Written by Rich $alz <rsalz@uunet.uu.net> for InterNetNews. Overview
264 support added by Rob Robertston <rob@violet.berkeley.edu> and Rich in
265 January, 1993. Exponential backoff (for posting) added by Dave Hayes
266 in Febuary 1998.
267
268 $Id: nnrpd.pod 10373 2020-05-21 21:00:33Z iulius $
269
271 ctlinnd(8), innd(8), inn.conf(5), readers.conf(5), signal(2),
272 uwildmat(3).
273
274
275
276INN 2.6.4 2020-11-22 NNRPD(8)