1NNRPD(8)                  InterNetNews Documentation                  NNRPD(8)
2
3
4

NAME

6       nnrpd - NNTP server for reader clients
7

SYNOPSIS

9       nnrpd [-DfnoSt] [-4 address] [-6 address] [-b address] [-c configfile]
10       [-i initial] [-I instance] [-p port] [-P prefork] [-r reason] [-s
11       padding]
12

DESCRIPTION

14       nnrpd is an NNTP server for newsreaders.  It accepts commands on its
15       standard input and responds on its standard output.  It is normally
16       invoked by innd(8) with those descriptors attached to a remote client
17       connection.  nnrpd also supports running as a standalone daemon.
18
19       Unlike innd(8), nnrpd supports all NNTP commands for user-oriented
20       reading and posting.  nnrpd uses the readers.conf file to control who
21       is authorized to access the Usenet database.
22
23       On exit, nnrpd will report usage statistics through syslog(3).
24
25       nnrpd only reads config files (both readers.conf and inn.conf) when it
26       is spawned.  You can therefore never change the behavior of a client
27       that's already connected.  If nnrpd is run from innd (the default) or
28       from inetd(8), xinetd(8), or some equivalent, a new nnrpd process is
29       spawned for every connection and therefore any changes to configuration
30       files will be immediately effective for all new connections.  If you
31       are instead running nnrpd with the -D option, any configuration changes
32       won't take effect until nnrpd is restarted.
33
34       The inn.conf setting nnrpdflags can be used to pass any of the options
35       below to instances of nnrpd that are spawned directly from innd.  Many
36       options only make sense when -D is used, so these options should not be
37       used with nnrpdflags.  See also the discussion of nnrpdflags in
38       inn.conf(5).
39
40       When nnrpdloadlimit in inn.conf is not 0, it will also reject
41       connections if the load average is greater than that value (typically
42       16).  nnrpd can also prevent high-volume posters from abusing your
43       resources.  See the discussion of exponential backoff in inn.conf(5).
44
45       nnrpd injects articles into the local server running innd through a
46       UNIX domain socket, or an INET domain socket if not supported.  If
47       another server should be used for injection, you can set it with the
48       nnrpdposthost parameter in inn.conf.  In case authentication
49       credentials are requested during the injection, nnrpd will use the
50       passwd.nntp file in pathetc.
51

OPTIONS

53       -4 address
54           The -4 parameter instructs nnrpd to bind to the specified IPv4
55           address when started as a standalone daemon using the -D flag.
56           This has to be a valid IPv4 address belonging to an interface of
57           the local host.  It can also be 0.0.0.0, saying to bind to all
58           addresses (this is the default).
59
60       -6 address
61           The -6 parameter instructs nnrpd to bind to the specified IPv6
62           address when started as a standalone daemon using the -D flag.
63           This has to be a valid IPv6 address belonging to an interface of
64           the local host.  It can also be "::0", saying to bind to all IPv6
65           addresses.
66
67           By default, nnrpd in daemon mode listens to both IPv4 and IPv6
68           addresses.  With this option, it will listen only to the specified
69           IPv6 addresses.  On some systems however, a value of "::0" will
70           cause it to listen to all IPv4 addresses as well.
71
72       -b address
73           Similar to the -4 flag.  -b is kept for backwards compatibility.
74
75       -c configfile
76           By default, nnrpd reads the readers.conf to determine how to
77           authenticate connections.  The -c flag specifies an alternate file
78           for this purpose.  If the file name isn't fully qualified, it is
79           taken to be relative to pathetc in inn.conf.  (This is useful to
80           have several instances of nnrpd running on different ports or IP
81           addresses with different settings.)
82
83       -D  If specified, this parameter causes nnrpd to operate as a daemon.
84           That is, it detaches itself and runs in the background, forking a
85           process for every connection.  By default, nnrpd listens on the
86           NNTP port (119), so either innd(8) has to be started on another
87           port or the -p parameter used.  Note that with this parameter,
88           nnrpd continues running until killed.  This means that it reads
89           inn.conf once on startup and never again until restarted.  nnrpd
90           should therefore be restarted if inn.conf is changed.
91
92           When started in daemon mode, nnrpd will write its PID into a file
93           in the pathrun directory.  The file will be named nnrpd.pid if
94           nnrpd listens on port 119 (default), or nnrpd-%d.pid, where %d is
95           replaced with the port that nnrpd is configured to listen on (-p
96           option is given and its argument is not 119).
97
98       -f  If specified, nnrpd does not detach itself and runs in the
99           foreground when started as a standalone daemon using the -D flag.
100
101       -i initial
102           Specify an initial command to nnrpd.  When used, initial is taken
103           as if it were the first command received by nnrpd.  After having
104           responded, nnrpd will close the connection.
105
106       -I instance
107           If specified, instance is used as an additional static portion
108           within message-IDs generated by nnrpd; typically this option would
109           be used where a cluster of machines exist with the same virtual
110           hostname and must be disambiguated during posts.
111
112       -n  The -n flag turns off resolution of IP addresses to names.  If you
113           only use IP-based restrictions in readers.conf and can handle IP
114           addresses in your logs, using this flag may result in some
115           additional speed.
116
117       -o  The -o flag causes all articles to be spooled instead of sending
118           them to innd(8).  rnews with the -U flag should be invoked from
119           cron on a regular basis to take care of these articles.  This flag
120           is useful if innd(8) is accepting articles and nnrpd is started
121           standalone or using inetd(8).
122
123       -p port
124           The -p parameter instructs nnrpd to listen on port when started as
125           a standalone daemon using the -D flag.
126
127       -P prefork
128           The -P parameter instructs nnrpd to prefork prefork children
129           awaiting connections when started as a standalone daemon using the
130           -D flag.
131
132       -r reason
133           If the -r flag is used, then nnrpd will reject the incoming
134           connection giving reason as the text.  This flag is used by innd(8)
135           when it is paused or throttled.  reason should be encoded in UTF-8.
136
137       -s padding
138           As each command is received, nnrpd tries to change its "argv" array
139           so that ps(1) will print out the command being executed.  To get a
140           full display, the -s flag may be used with a long string as its
141           argument, which will be overwritten when the program changes its
142           title.
143
144       -S  If specified, nnrpd will start a negotiation for a TLS session as
145           soon as connected.  To use this flag, the OpenSSL SSL and crypto
146           libraries must have been found at configure time, or --with-openssl
147           specified at configure time.  For more information on running nnrpd
148           with TLS support, see "TLS SUPPORT".
149
150       -t  If the -t flag is used, then all client commands and initial
151           responses will be traced by reporting them in syslog.  This flag is
152           set by innd(8) under the control of the ctlinnd(8) "trace" command,
153           and is toggled upon receipt of a SIGHUP; see signal(2).
154

TLS SUPPORT

156       If INN is built with --with-openssl or if the OpenSSL SSL and crypto
157       libraries are found at configure time, nnrpd will support news reading
158       over TLS (also known as SSL).  For clients that use the STARTTLS
159       command, no special configuration is needed beyond creating a TLS/SSL
160       certificate for the server.  You should do this in exactly the same way
161       that you would generate a certificate for a web server.
162
163       If you're happy with a self-signed certificate (which will generate
164       warnings with some news reader clients), you can create and install one
165       in the default path by running "make cert" after "make install" when
166       installing INN, or by running the following commands:
167
168           umask 077
169           openssl req -new -x509 -nodes -out <pathetc>/cert.pem \
170               -days 366 -keyout <pathetc>/key.pem
171           chown news:news <pathetc>/cert.pem
172           chmod 640 <pathetc>/cert.pem
173           chown news:news <pathetc>/key.pem
174           chmod 600 <pathetc>/key.pem
175
176       Replace the paths with something appropriate to your INN installation.
177       This will create a self-signed certificate that will expire in a year.
178       The openssl program will ask you a variety of questions about your
179       organization.  Enter the fully qualified domain name of your news
180       service (either the server canonical name or a dedicated alias for the
181       news service) as the name the certificate is for.
182
183       You then have to set these inn.conf parameters with the right paths:
184
185           tlscapath:      <pathetc>
186           tlscertfile:    <pathetc>/cert.pem
187           tlskeyfile:     <pathetc>/key.pem
188
189       If you want to use a complete certificate chain, you can directly put
190       it in tlscertfile (like Apache's SSLCertificateFile directive).
191       Alternately, you can put a single certificate in tlscertfile and use
192       tlscafile for additional certificates needed to complete the chain,
193       like a separate authority root certificate.
194
195       More concretly, when using Let's Encrypt certificates, Certbot's files
196       can be installed as follows:
197
198           tlscapath:      /etc/letsencrypt/live/news.server.com
199           tlscertfile:    /etc/letsencrypt/live/news.server.com/fullchain.pem
200           tlskeyfile:     /etc/letsencrypt/live/news.server.com/privkey.pem
201
202       or:
203
204           tlscapath:      /etc/letsencrypt/live/news.server.com
205           tlscafile:      /etc/letsencrypt/live/news.server.com/chain.pem
206           tlscertfile:    /etc/letsencrypt/live/news.server.com/cert.pem
207           tlskeyfile:     /etc/letsencrypt/live/news.server.com/privkey.pem
208
209       Make sure that the permission rights are properly set so that the news
210       user or the news group can read these directories and files (typically,
211       he should access /etc/letsencrypt/live/news.server.com and
212       /etc/letsencrypt/archive/news.server.com where the real keys are
213       located, and the private key should not be world-readable).
214
215       There are two common ways for a news client to negotiate a TLS
216       connection:  either via the use of a dedicated port (usually 563) on
217       which TLS is immediately negotiated upon connection, or via the now
218       discouraged way (per RFC 8143) to use the STARTTLS command on the usual
219       NNTP port (119) to dynamically upgrade from unencrypted to TLS-
220       protected traffic during an NNTP session.  innd does not, however, know
221       how to listen for connections to that separate port (563).  You will
222       therefore need to arrange for nnrpd to listen on that port through some
223       other means.  This can be done with the -D flag along with "-p 563" and
224       put into your init scripts:
225
226           su news -s /bin/sh -c '<pathbin>/nnrpd -D -p 563 -S'
227
228       but the easiest way is probably to add a line like:
229
230           nntps stream tcp nowait news <pathbin>/nnrpd nnrpd -S
231
232       to /etc/inetd.conf or the equivalent on your system and let inetd run
233       nnrpd.  (Change the path to nnrpd to match your installation.)  You may
234       need to replace "nntps" with 563 if "nntps" isn't defined in
235       /etc/services on your system.
236
237       Optionally, you may set the tlsciphers, tlsciphers13, tlscompression,
238       tlseccurve, tlspreferserverciphers, and tlsprotocols parameters in
239       inn.conf to fine-tune the behaviour of the TLS/SSL negotiation whenever
240       a new attack on the TLS protocol or some supported cipher suite is
241       discovered.
242

PROTOCOL DIFFERENCES

244       nnrpd implements the NNTP commands defined in RFC 3977 (NNTP), RFC 4642
245       updated by RFC 8143 (TLS/NNTP), RFC 4643 (NNTP authentication),
246       RFC 6048 (NNTP LIST additions) and RFC 8054 (NNTP compression) with the
247       following differences:
248
249       1.  The XGTITLE [wildmat] command is provided.  This extension is used
250           by ANU-News and documented in RFC 2980.  It returns a 282 reply
251           code, followed by a one-line description of all newsgroups that
252           match the pattern.  The default is the current group.
253
254           Note that LIST NEWSGROUPS should be used instead of XGTITLE.
255
256       2.  The XHDR header [message-ID|range] command is implemented.  It
257           returns a 221 reply code, followed by specific headers for the
258           specified range; the default is to return the data for the current
259           article.  See RFC 2980.
260
261           Note that HDR should be used instead of XHDR.
262
263       3.  The XOVER [range] command is provided.  It returns a 224 reply
264           code, followed by the overview data for the specified range; the
265           default is to return the data for the current article.  See
266           RFC 2980.
267
268           Note that OVER should be used instead of XOVER.
269
270       4.  A new command, XPAT header message-ID|range pattern [pattern ...],
271           is provided.  The first argument is the case-insensitive name of
272           the header field to be searched.  The second argument is either an
273           article range or a single message-ID, as specified in RFC 2980.
274           The third argument is a uwildmat-style pattern; if there are
275           additional arguments, they are joined together separated by a
276           single space to form the complete pattern.  This command is similar
277           to the XHDR command.  It returns a 221 response code, followed by
278           the text response of all article numbers that match the pattern.
279
280       5.  A newsgroup name is case-sensitive for nnrpd.
281
282       6.  If IHAVE has been advertised, it will not necessarily be advertised
283           for the entire session (contrary to section 3.4.1 of RFC 3977).
284           nnrpd only advertises the IHAVE capability when it is really
285           available.
286
287       7.  nnrpd allows a wider syntax for wildmats and ranges (especially "-"
288           and "-article-number").
289

HISTORY

291       Written by Rich $alz <rsalz@uunet.uu.net> for InterNetNews.  Overview
292       support added by Rob Robertston <rob@violet.berkeley.edu> and Rich in
293       January, 1993.  Exponential backoff (for posting) added by Dave Hayes
294       in Febuary 1998.
295

SEE ALSO

297       ctlinnd(8), innd(8), inn.conf(5), libinn_uwildmat(3), nnrpd.track(5),
298       passwd.nntp(5), readers.conf(5), signal(2).
299
300
301
302INN 2.6.5                         2022-02-18                          NNRPD(8)
Impressum