NNRPD(8)                  InterNetNews Documentation                  NNRPD(8)

NAME

       nnrpd - NNTP server for reader clients


SYNOPSIS

       nnrpd [-BDfnoSt] [-4 address] [-6 address] [-b address] [-c configfile]
       [-i initial] [-I instance] [-p port] [-P prefork] [-r reason]
       [-s padding]


DESCRIPTION

       nnrpd is an NNTP server for newsreaders.  It accepts commands on its
       standard input and responds on its standard output.  It is normally
       invoked by innd(8) with those descriptors attached to a remote client
       connection.  nnrpd also supports running as a standalone daemon.

       Unlike innd(8), nnrpd supports all NNTP commands for user-oriented
       reading and posting.  nnrpd uses the readers.conf file to control who
       is authorized to access the Usenet database.

       On exit, nnrpd will report usage statistics through syslog(3).

       nnrpd only reads config files (both readers.conf and inn.conf) when it
       is spawned.  You can therefore never change the behavior of a client
       that's already connected.  If nnrpd is run from innd (the default) or
       from inetd(8), xinetd(8), or some equivalent, a new nnrpd process is
       spawned for every connection and therefore any changes to configuration
       files will be immediately effective for all new connections.  If you
       are instead running nnrpd with the -D option, any configuration changes
       won't take effect until nnrpd is restarted.

       The inn.conf setting nnrpdflags can be used to pass any of the options
       below to instances of nnrpd that are spawned directly from innd.  Many
       options only make sense when -D is used, so these options should not be
       used with nnrpdflags.  See also the discussion of nnrpdflags in
       inn.conf(5).

       When nnrpdloadlimit in inn.conf is not 0, nnrpd will also reject
       connections if the load average is greater than that value (typically
       16).  nnrpd can also prevent high-volume posters from abusing your
       resources.  See the discussion of exponential backoff in inn.conf(5).

       nnrpd injects articles into the local server running innd through a
       UNIX domain socket, or an INET domain socket if UNIX domain sockets are
       not supported.  If another server should be used for injection, you can
       set it with the nnrpdposthost parameter in inn.conf.  In case
       authentication credentials are requested during the injection, nnrpd
       will use the passwd.nntp file in pathetc.


OPTIONS

       -4 address
           The -4 parameter instructs nnrpd to bind to the specified IPv4
           address when started as a standalone daemon using the -D flag.
           This has to be a valid IPv4 address belonging to an interface of
           the local host.  It can also be 0.0.0.0, saying to bind to all
           addresses (this is the default).

       -6 address
           The -6 parameter instructs nnrpd to bind to the specified IPv6
           address when started as a standalone daemon using the -D flag.
           This has to be a valid IPv6 address belonging to an interface of
           the local host.  It can also be "::0", saying to bind to all IPv6
           addresses.

           By default, nnrpd in daemon mode listens to both IPv4 and IPv6
           addresses.  With this option, it will listen only to the specified
           IPv6 addresses.  On some systems however, a value of "::0" will
           cause it to listen to all IPv4 addresses as well.

       -b address
           Similar to the -4 flag.  -b is kept for backwards compatibility.

       -B  If specified, nnrpd will report login attempts to blacklistd(8) for
           automatic blocking after a number of failed attempts.  To use this
           flag, the blacklist library must have been found at configure time,
           or --with-blacklist specified at configure time.  For more
           information, see "BLACKLISTD SUPPORT" below.

       -c configfile
           By default, nnrpd reads readers.conf to determine how to
           authenticate connections.  The -c flag specifies an alternate file
           for this purpose.  If the file name isn't fully qualified, it is
           taken to be relative to pathetc in inn.conf.  (This is useful to
           have several instances of nnrpd running on different ports or IP
           addresses with different settings.)

       -D  If specified, this parameter causes nnrpd to operate as a daemon.
           That is, it detaches itself and runs in the background, forking a
           process for every connection.  By default, nnrpd listens on the
           NNTP port (119), so either innd(8) has to be started on another
           port or the -p parameter used.  Note that with this parameter,
           nnrpd continues running until killed.  This means that it reads
           inn.conf once on startup and never again until restarted.  nnrpd
           should therefore be restarted if inn.conf is changed.

           When started in daemon mode, nnrpd will write its PID into a file
           in the pathrun directory.  The file will be named nnrpd.pid if
           nnrpd listens on port 119 (default), or nnrpd-%d.pid, where %d is
           replaced with the port that nnrpd is configured to listen on (the
           -p option is given and its argument is not 119).

       -f  If specified, nnrpd does not detach itself and runs in the
           foreground when started as a standalone daemon using the -D flag.

       -i initial
           Specify an initial command to nnrpd.  When used, initial is taken
           as if it were the first command received by nnrpd.  After having
           responded, nnrpd will close the connection.

       -I instance
           If specified, instance is used as an additional static portion
           within Message-IDs generated by nnrpd, when virtualhost is set in
           access groups in readers.conf; typically this option would be used
           where a cluster of machines exist with the same virtual hostname
           and must be disambiguated during posts.

       -n  The -n flag turns off resolution of IP addresses to names.  If you
           only use IP-based restrictions in readers.conf and can handle IP
           addresses in your logs, using this flag may result in some
           additional speed.

       -o  The -o flag causes all articles to be spooled instead of sending
           them to innd(8).  rnews with the -U flag should be invoked from
           cron on a regular basis to take care of these articles.  This flag
           is useful if innd(8) is accepting articles and nnrpd is started
           standalone or using inetd(8).

       -p port
           The -p parameter instructs nnrpd to listen on the given port when
           started as a standalone daemon using the -D flag.

       -P prefork
           The -P parameter instructs nnrpd to prefork the given number of
           children awaiting connections when started as a standalone daemon
           using the -D flag.

       -r reason
           If the -r flag is used, then nnrpd will reject the incoming
           connection giving reason as the text.  This flag is used by innd(8)
           when it is paused or throttled.  reason should be encoded in UTF-8.

       -s padding
           As each command is received, nnrpd tries to change its "argv" array
           so that ps(1) will print out the command being executed.  To get a
           full display, the -s flag may be used with a long string as its
           argument, which will be overwritten when the program changes its
           title.

       -S  If specified, nnrpd will start a negotiation for a TLS session as
           soon as connected.  To use this flag, the OpenSSL SSL and crypto
           libraries must have been found at configure time, or --with-openssl
           specified at configure time.  For more information on running nnrpd
           with TLS support, see "TLS SUPPORT".

       -t  If the -t flag is used, then all client commands and initial
           responses will be traced by reporting them in syslog.  This flag is
           set by innd(8) under the control of the ctlinnd(8) "trace" command,
           and is toggled upon receipt of a SIGHUP; see signal(2).


TLS SUPPORT

       If INN is built with --with-openssl or if the OpenSSL SSL and crypto
       libraries are found at configure time, nnrpd will support news reading
       over TLS (also known as SSL).  For clients that use the STARTTLS
       command, no special configuration is needed beyond creating a TLS/SSL
       certificate for the server.  You should do this in exactly the same way
       that you would generate a certificate for a web server.

       If you're happy with a self-signed certificate (which will generate
       warnings with some news reader clients), you can create and install one
       in the default path by running "make cert" after "make install" when
       installing INN, or by running the following commands:

           umask 077
           openssl req -new -x509 -nodes -out <pathetc>/cert.pem \
               -days 366 -keyout <pathetc>/key.pem
           chown news:news <pathetc>/cert.pem
           chmod 640 <pathetc>/cert.pem
           chown news:news <pathetc>/key.pem
           chmod 600 <pathetc>/key.pem

       Replace the paths with something appropriate to your INN installation.
       This will create a self-signed certificate that will expire in a year.
       The openssl program will ask you a variety of questions about your
       organization.  Enter the fully qualified domain name of your news
       service (either the server canonical name or a dedicated alias for the
       news service) as the name the certificate is for.

       You then have to set these inn.conf parameters with the right paths:

           tlscapath:      <pathetc>
           tlscertfile:    <pathetc>/cert.pem
           tlskeyfile:     <pathetc>/key.pem

       If you want to use a complete certificate chain, you can directly put
       it in tlscertfile (like Apache's SSLCertificateFile directive).
       Alternatively, you can put a single certificate in tlscertfile and use
       tlscafile for additional certificates needed to complete the chain,
       like a separate authority root certificate.

       More concretely, when using Let's Encrypt certificates, Certbot's files
       can be installed as follows:

           tlscapath:      /etc/letsencrypt/live/news.server.com
           tlscertfile:    /etc/letsencrypt/live/news.server.com/fullchain.pem
           tlskeyfile:     /etc/letsencrypt/live/news.server.com/privkey.pem

       or:

           tlscapath:      /etc/letsencrypt/live/news.server.com
           tlscafile:      /etc/letsencrypt/live/news.server.com/chain.pem
           tlscertfile:    /etc/letsencrypt/live/news.server.com/cert.pem
           tlskeyfile:     /etc/letsencrypt/live/news.server.com/privkey.pem

       Make sure that the permissions are properly set so that the news user
       or the news group can read these directories and files (typically, the
       news user needs access to /etc/letsencrypt/live/news.server.com and to
       /etc/letsencrypt/archive/news.server.com, where the real keys are
       located, and the private key should not be world-readable).

       There are two common ways for a news client to negotiate a TLS
       connection: either via the use of a dedicated port (usually 563) on
       which TLS is immediately negotiated upon connection, or via the way,
       now discouraged by RFC 8143, of using the STARTTLS command on the usual
       NNTP port (119) to dynamically upgrade from unencrypted to TLS-
       protected traffic during an NNTP session.  innd does not, however, know
       how to listen for connections to that separate port (563).  You will
       therefore need to arrange for nnrpd to listen on that port through some
       other means.  This can be done with the -D flag along with "-p 563" and
       put into your init scripts:

           su news -s /bin/sh -c '<pathbin>/nnrpd -D -p 563 -S'

       but the easiest way is probably to add a line like:

           nntps stream tcp nowait news <pathbin>/nnrpd nnrpd -S

       to /etc/inetd.conf or the equivalent on your system and let inetd run
       nnrpd.  (Change the path to nnrpd to match your installation.)  You may
       need to replace "nntps" with 563 if "nntps" isn't defined in
       /etc/services on your system.

       Optionally, you may set the tlsciphers, tlsciphers13, tlscompression,
       tlseccurve, tlspreferserverciphers, and tlsprotocols parameters in
       inn.conf to fine-tune the behaviour of the TLS/SSL negotiation whenever
       a new attack on the TLS protocol or some supported cipher suite is
       discovered.

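       The following is an added example and not part of INN; it builds the
       inn.conf TLS settings shown above (both the "make cert" layout and the
       two Certbot layouts) and checks the file permissions this section asks
       for: every file nnrpd will open must be a readable regular file, and the
       private key must not be world-readable.  The function names, the
       scratch-directory demonstration with placeholder files, and the choice to
       check mode bits rather than ownership by the news user (so the script
       also runs on a host without that user) are this example's own.

```python
"""Added example, not INN's own code: inn.conf TLS settings and the file
permission checks the TLS SUPPORT section of nnrpd(8) requires."""
import os
import stat
import tempfile
from typing import Dict, List


def self_signed_settings(pathetc: str) -> Dict[str, str]:
    """Settings for the "make cert" layout: cert.pem and key.pem under pathetc."""
    return {
        "tlscapath": pathetc,
        "tlscertfile": f"{pathetc}/cert.pem",
        "tlskeyfile": f"{pathetc}/key.pem",
    }


def certbot_settings(domain: str, split_chain: bool = False) -> Dict[str, str]:
    """Settings for Certbot's files: fullchain.pem in tlscertfile, or
    (split_chain=True) cert.pem in tlscertfile plus chain.pem in tlscafile."""
    live = f"/etc/letsencrypt/live/{domain}"
    settings = {"tlscapath": live, "tlskeyfile": f"{live}/privkey.pem"}
    if split_chain:
        settings["tlscafile"] = f"{live}/chain.pem"
        settings["tlscertfile"] = f"{live}/cert.pem"
    else:
        settings["tlscertfile"] = f"{live}/fullchain.pem"
    return settings


def format_inn_conf(settings: Dict[str, str]) -> List[str]:
    """Render the settings as inn.conf lines, in the order the man page uses."""
    order = ["tlscapath", "tlscafile", "tlscertfile", "tlskeyfile"]
    return [f"{k + ':':<16}{settings[k]}" for k in order if k in settings]


def check_tls_settings(settings: Dict[str, str]) -> List[str]:
    """Return the problems found; an empty list means the files look usable.

    Each file nnrpd opens (tlscafile, tlscertfile, tlskeyfile) must be a
    regular file readable by the current user, and tlskeyfile must not be
    world-readable.  (Ownership by "news" is deliberately not checked here.)"""
    problems: List[str] = []
    for key in ("tlscafile", "tlscertfile", "tlskeyfile"):
        path = settings.get(key)
        if path is None:
            continue  # tlscafile is optional
        try:
            st = os.stat(path)
        except OSError as exc:
            problems.append(f"{key} {path}: cannot stat ({exc.strerror})")
            continue
        if not stat.S_ISREG(st.st_mode):
            problems.append(f"{key} {path}: not a regular file")
            continue
        if not os.access(path, os.R_OK):
            problems.append(f"{key} {path}: not readable by the current user")
        if key == "tlskeyfile" and st.st_mode & stat.S_IROTH:
            problems.append(f"{key} {path}: private key is world-readable; "
                            "use chmod 600 (or 640 with group news)")
    return problems


def demonstrate() -> Dict[str, List[str]]:
    """Run the check against constructed placeholder files in a scratch
    directory (no real key material) and return the problems per state."""
    results: Dict[str, List[str]] = {}
    with tempfile.TemporaryDirectory() as pathetc:
        settings = self_signed_settings(pathetc)
        for name in ("cert.pem", "key.pem"):
            with open(os.path.join(pathetc, name), "w") as fh:
                fh.write("constructed placeholder, not a real PEM file\n")
        os.chmod(settings["tlscertfile"], 0o640)
        os.chmod(settings["tlskeyfile"], 0o644)   # the mistake to catch
        results["world_readable_key"] = check_tls_settings(settings)
        os.chmod(settings["tlskeyfile"], 0o600)   # what the man page's chmod does
        results["fixed"] = check_tls_settings(settings)
        os.remove(settings["tlskeyfile"])
        results["missing_key"] = check_tls_settings(settings)
    return results


if __name__ == "__main__":
    for state, problems in demonstrate().items():
        print(state, "->", problems or "OK")
    print("\n".join(format_inn_conf(certbot_settings("news.server.com"))))
```

       Run it before restarting nnrpd after a certificate renewal: Certbot
       recreates files under /etc/letsencrypt/archive, so a key that was
       readable last month may not be readable by the news user today.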

BLACKLISTD SUPPORT

       blacklistd(8) is a FreeBSD/NetBSD daemon for preventing brute force
       attacks by blocking attackers after a number of failed login attempts.
       When nnrpd is built with blacklistd support, it will report login
       attempts to the blacklistd daemon for potential blocking.

       Adding the configuration below to /etc/blacklistd.conf under the
       "[local]" section, assuming nnrpd is listening on port 563, would lead
       to attackers being blocked for 10 minutes after 5 failed login
       attempts.

           # adr/mask:port type    proto owner name nfail disable
           563             stream  *     *     *    5     10m

       See the blacklistd(8) documentation for more information.


PROTOCOL DIFFERENCES

       nnrpd implements the NNTP commands defined in RFC 3977 (NNTP), RFC 4642
       updated by RFC 8143 (TLS/NNTP), RFC 4643 (NNTP authentication),
       RFC 6048 (NNTP LIST additions) and RFC 8054 (NNTP compression) with the
       following differences:

       1.  The XGTITLE [wildmat] command is provided.  This extension is used
           by ANU-News and documented in RFC 2980.  It returns a 282 reply
           code, followed by a one-line description of all newsgroups that
           match the pattern.  The default is the current group.

           Note that LIST NEWSGROUPS should be used instead of XGTITLE.

       2.  The XHDR header [message-ID|range] command is implemented.  It
           returns a 221 reply code, followed by specific header fields for
           the specified range; the default is to return the data for the
           current article.  See RFC 2980.

           Note that HDR should be used instead of XHDR.

       3.  The XOVER [range] command is provided.  It returns a 224 reply
           code, followed by the overview data for the specified range; the
           default is to return the data for the current article.  See
           RFC 2980.

           Note that OVER should be used instead of XOVER.

       4.  A new command, XPAT header message-ID|range pattern [pattern ...],
           is provided.  The first argument is the case-insensitive name of
           the header field to be searched.  The second argument is either an
           article range or a single message-ID, as specified in RFC 2980.
           The third argument is a uwildmat-style pattern; if there are
           additional arguments, they are joined together separated by a
           single space to form the complete pattern.  This command is similar
           to the XHDR command.  It returns a 221 response code, followed by
           the text response of all article numbers that match the pattern.

       5.  A newsgroup name is case-sensitive for nnrpd.

       6.  If IHAVE has been advertised, it will not necessarily be advertised
           for the entire session (contrary to section 3.4.1 of RFC 3977).
           nnrpd only advertises the IHAVE capability when it is really
           available.

       7.  nnrpd allows a wider syntax for wildmats and ranges (especially "-"
           and "-article-number").

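       The following is an added example and not nnrpd's own code; it shows how
       the XPAT arguments of item 4 are taken apart (case-insensitive header
       name, a message-ID or a range, and a pattern assembled from all remaining
       arguments joined by single spaces) and then applied to a group's header
       data, accepting the wider range syntax of item 7 ("-" and "-m" as well as
       the RFC 3977 forms "n", "n-" and "n-m").  The in-memory article table is
       constructed, the pattern matcher is Python's fnmatch as a stand-in for
       uwildmat (it lacks uwildmat's negation and comma-separated alternatives;
       see libinn_uwildmat(3) for the real syntax), and all function and type
       names are this example's own.

```python
"""Added example, not nnrpd's own code: parsing and applying the XPAT
command described under PROTOCOL DIFFERENCES in nnrpd(8)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Tuple

# Constructed sample group: article number -> header fields, keyed in lower case.
SAMPLE_GROUP: Dict[int, Dict[str, str]] = {
    101: {"subject": "Re: nnrpd TLS on port 563", "from": "alice@example.test",
          "message-id": "<a1@example.test>"},
    102: {"subject": "readers.conf question", "from": "bob@example.test",
          "message-id": "<b2@example.test>"},
    103: {"subject": "Re: readers.conf question", "from": "alice@example.test",
          "message-id": "<a3@example.test>"},
    104: {"subject": "[ANN] INN 2.7.0 released", "from": "carol@example.test",
          "message-id": "<c4@example.test>"},
}
LOW, HIGH = 101, 104   # the group's low and high water marks (constructed)


@dataclass
class XpatRequest:
    header: str              # header-field name, lower-cased (case-insensitive)
    msgid: Optional[str]     # set when the second argument was a message-ID
    first: Optional[int]     # set when the second argument was a range
    last: Optional[int]
    pattern: str             # third and later arguments joined by single spaces


def parse_range(spec: str, low: int, high: int) -> Tuple[int, int]:
    """RFC 3977 ranges are "n", "n-" and "n-m"; nnrpd additionally accepts
    "-" and "-m" (item 7).  A missing bound is taken from the group."""
    if "-" not in spec:
        n = int(spec)
        return n, n
    first, last = spec.split("-", 1)
    return (int(first) if first else low), (int(last) if last else high)


def parse_xpat(args: List[str], low: int, high: int) -> XpatRequest:
    """Parse the arguments of "XPAT header message-ID|range pattern [pattern ...]"."""
    if len(args) < 3:
        raise ValueError("XPAT needs a header name, a message-ID or range, and a pattern")
    header = args[0].lower()
    target = args[1]
    pattern = " ".join(args[2:])          # extra arguments form one pattern
    if target.startswith("<") and target.endswith(">"):
        return XpatRequest(header, target, None, None, pattern)
    first, last = parse_range(target, low, high)
    return XpatRequest(header, None, first, last, pattern)


def xpat(args: List[str], group: Dict[int, Dict[str, str]] = SAMPLE_GROUP,
         low: int = LOW, high: int = HIGH) -> List[Tuple[int, str]]:
    """Apply an XPAT request to the group and return (article number, header
    value) pairs in article order: the XHDR-style lines after the 221 reply."""
    req = parse_xpat(args, low, high)
    hits: List[Tuple[int, str]] = []
    for number in sorted(group):
        fields = group[number]
        if req.msgid is not None:
            if fields.get("message-id") != req.msgid:
                continue
        elif not (req.first <= number <= req.last):
            continue
        value = fields.get(req.header)
        if value is not None and fnmatchcase(value, req.pattern):
            hits.append((number, value))
    return hits


if __name__ == "__main__":
    # A multi-word pattern: "Re:" and "*" arrive as two arguments and are
    # re-joined to "Re: *" before matching.
    for number, value in xpat(["Subject", "-", "Re:", "*"]):
        print(f"{number} {value}")
```

       The space-joining rule is the part worth remembering when reading client
       traces: a client that quotes a subject with spaces sends it as several
       arguments, and the server must not treat the extra words as separate
       patterns.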

HISTORY

       Written by Rich $alz <rsalz@uunet.uu.net> for InterNetNews.  Overview
       support added by Rob Robertston <rob@violet.berkeley.edu> and Rich in
       January, 1993.  Exponential backoff (for posting) added by Dave Hayes
       in February 1998.


SEE ALSO

       blacklistd(8), ctlinnd(8), innd(8), inn.conf(5), libinn_uwildmat(3),
       nnrpd.track(5), passwd.nntp(5), readers.conf(5), signal(2).

INN 2.7.0                         2022-07-10                          NNRPD(8)