1NNRPD(8) InterNetNews Documentation NNRPD(8)
2
6 nnrpd - NNTP server for reader clients
7
9 nnrpd [-BDfnoSt] [-4 address] [-6 address] [-b address] [-c configfile]
10 [-i initial] [-I instance] [-p port] [-P prefork] [-r reason] [-s
11 padding]
12
14 nnrpd is an NNTP server for newsreaders. It accepts commands on its
15 standard input and responds on its standard output. It is normally
16 invoked by innd(8) with those descriptors attached to a remote client
17 connection. nnrpd also supports running as a standalone daemon.
18 Unlike innd(8), nnrpd supports all NNTP commands for user-oriented
20 reading and posting. nnrpd uses the readers.conf file to control who
21 is authorized to access the Usenet database.
22 On exit, nnrpd will report usage statistics through syslog(3).
24 nnrpd only reads config files (both readers.conf and inn.conf) when it
26 is spawned. You can therefore never change the behavior of a client
27 that's already connected. If nnrpd is run from innd (the default) or
28 from inetd(8), xinetd(8), or some equivalent, a new nnrpd process is
29 spawned for every connection and therefore any changes to configuration
30 files will be immediately effective for all new connections. If you
31 are instead running nnrpd with the -D option, any configuration changes
32 won't take effect until nnrpd is restarted.
33 The inn.conf setting nnrpdflags can be used to pass any of the options
35 below to instances of nnrpd that are spawned directly from innd. Many
36 options only make sense when -D is used, so these options should not be
37 used with nnrpdflags. See also the discussion of nnrpdflags in
38 inn.conf(5).
39 When nnrpdloadlimit in inn.conf is not 0, it will also reject
41 connections if the load average is greater than that value (typically
42 16). nnrpd can also prevent high-volume posters from abusing your
43 resources. See the discussion of exponential backoff in inn.conf(5).
44 nnrpd injects articles into the local server running innd through a
46 UNIX domain socket, or an INET domain socket if not supported. If
47 another server should be used for injection, you can set it with the
48 nnrpdposthost parameter in inn.conf. In case authentication
49 credentials are requested during the injection, nnrpd will use the
50 passwd.nntp file in pathetc.
51
53 -4 address
54 The -4 parameter instructs nnrpd to bind to the specified IPv4
55 address when started as a standalone daemon using the -D flag.
56 This has to be a valid IPv4 address belonging to an interface of
57 the local host. It can also be 0.0.0.0, saying to bind to all
58 addresses (this is the default).
59 -6 address
61 The -6 parameter instructs nnrpd to bind to the specified IPv6
62 address when started as a standalone daemon using the -D flag.
63 This has to be a valid IPv6 address belonging to an interface of
64 the local host. It can also be "::0", saying to bind to all IPv6
65 addresses.
66 By default, nnrpd in daemon mode listens to both IPv4 and IPv6
68 addresses. With this option, it will listen only to the specified
69 IPv6 addresses. On some systems however, a value of "::0" will
70 cause it to listen to all IPv4 addresses as well.
71 -b address
73 Similar to the -4 flag. -b is kept for backwards compatibility.
74 -B If specified, nnrpd will report login attempts to blacklistd(8) for
76 automatic blocking after a number of failed attempts. To use this
77 flag, the blacklist library must have been found at configure time,
78 or --with-blacklist specified at configure time. For more
79 information, see "BLACKLISTD SUPPORT" below.
80 -c configfile
82 By default, nnrpd reads the readers.conf to determine how to
83 authenticate connections. The -c flag specifies an alternate file
84 for this purpose. If the file name isn't fully qualified, it is
85 taken to be relative to pathetc in inn.conf. (This is useful to
86 have several instances of nnrpd running on different ports or IP
87 addresses with different settings.)
88 -D If specified, this parameter causes nnrpd to operate as a daemon.
90 That is, it detaches itself and runs in the background, forking a
91 process for every connection. By default, nnrpd listens on the
92 NNTP port (119), so either innd(8) has to be started on another
93 port or the -p parameter used. Note that with this parameter,
94 nnrpd continues running until killed. This means that it reads
95 inn.conf once on startup and never again until restarted. nnrpd
96 should therefore be restarted if inn.conf is changed.
97 When started in daemon mode, nnrpd will write its PID into a file
99 in the pathrun directory. The file will be named nnrpd.pid if
100 nnrpd listens on port 119 (default), or nnrpd-%d.pid, where %d is
101 replaced with the port that nnrpd is configured to listen on (-p
102 option is given and its argument is not 119).
103 -f If specified, nnrpd does not detach itself and runs in the
105 foreground when started as a standalone daemon using the -D flag.
106 -i initial
108 Specify an initial command to nnrpd. When used, initial is taken
109 as if it were the first command received by nnrpd. After having
110 responded, nnrpd will close the connection.
111 -I instance
113 If specified, instance is used as an additional static portion
114 within Message-IDs generated by nnrpd, when virtualhost is set in
115 access groups in readers.conf; typically this option would be used
116 where a cluster of machines exist with the same virtual hostname
117 and must be disambiguated during posts.
118 -n The -n flag turns off resolution of IP addresses to names. If you
120 only use IP-based restrictions in readers.conf and can handle IP
121 addresses in your logs, using this flag may result in some
122 additional speed.
123 -o The -o flag causes all articles to be spooled instead of sending
125 them to innd(8). rnews with the -U flag should be invoked from
126 cron on a regular basis to take care of these articles. This flag
127 is useful if innd(8) is accepting articles and nnrpd is started
128 standalone or using inetd(8).
129 -p port
131 The -p parameter instructs nnrpd to listen on port when started as
132 a standalone daemon using the -D flag.
133 -P prefork
135 The -P parameter instructs nnrpd to prefork prefork children
136 awaiting connections when started as a standalone daemon using the
137 -D flag.
138 -r reason
140 If the -r flag is used, then nnrpd will reject the incoming
141 connection giving reason as the text. This flag is used by innd(8)
142 when it is paused or throttled. reason should be encoded in UTF-8.
143 -s padding
145 As each command is received, nnrpd tries to change its "argv" array
146 so that ps(1) will print out the command being executed. To get a
147 full display, the -s flag may be used with a long string as its
148 argument, which will be overwritten when the program changes its
149 title.
150 -S If specified, nnrpd will start a negotiation for a TLS session as
152 soon as connected. To use this flag, the OpenSSL SSL and crypto
153 libraries must have been found at configure time, or --with-openssl
154 specified at configure time. For more information on running nnrpd
155 with TLS support, see "TLS SUPPORT".
156 -t If the -t flag is used, then all client commands and initial
158 responses will be traced by reporting them in syslog. This flag is
159 set by innd(8) under the control of the ctlinnd(8) "trace" command,
160 and is toggled upon receipt of a SIGHUP; see signal(2).
161
163 If INN is built with --with-openssl or if the OpenSSL SSL and crypto
164 libraries are found at configure time, nnrpd will support news reading
165 over TLS (also known as SSL). For clients that use the STARTTLS
166 command, no special configuration is needed beyond creating a TLS/SSL
167 certificate for the server. You should do this in exactly the same way
168 that you would generate a certificate for a web server.
169 If you're happy with a self-signed certificate (which will generate
171 warnings with some news reader clients), you can create and install one
172 in the default path by running "make cert" after "make install" when
173 installing INN, or by running the following commands:
174 umask 077
176 openssl req -new -x509 -nodes -out <pathetc>/cert.pem \
177 -days 366 -keyout <pathetc>/key.pem
178 chown news:news <pathetc>/cert.pem
179 chmod 640 <pathetc>/cert.pem
180 chown news:news <pathetc>/key.pem
181 chmod 600 <pathetc>/key.pem
182 Replace the paths with something appropriate to your INN installation.
184 This will create a self-signed certificate that will expire in a year.
185 The openssl program will ask you a variety of questions about your
186 organization. Enter the fully qualified domain name of your news
187 service (either the server canonical name or a dedicated alias for the
188 news service) as the name the certificate is for.
189 You then have to set these inn.conf parameters with the right paths:
191 tlscapath: <pathetc>
193 tlscertfile: <pathetc>/cert.pem
194 tlskeyfile: <pathetc>/key.pem
195 If you want to use a complete certificate chain, you can directly put
197 it in tlscertfile (like Apache's SSLCertificateFile directive).
198 Alternately, you can put a single certificate in tlscertfile and use
199 tlscafile for additional certificates needed to complete the chain,
200 like a separate authority root certificate.
201 More concretly, when using Let's Encrypt certificates, Certbot's files
203 can be installed as follows:
204 tlscapath: /etc/letsencrypt/live/news.server.com
206 tlscertfile: /etc/letsencrypt/live/news.server.com/fullchain.pem
207 tlskeyfile: /etc/letsencrypt/live/news.server.com/privkey.pem
208 or:
210 tlscapath: /etc/letsencrypt/live/news.server.com
212 tlscafile: /etc/letsencrypt/live/news.server.com/chain.pem
213 tlscertfile: /etc/letsencrypt/live/news.server.com/cert.pem
214 tlskeyfile: /etc/letsencrypt/live/news.server.com/privkey.pem
215 Make sure that the permission rights are properly set so that the news
217 user or the news group can read these directories and files (typically,
218 he should access /etc/letsencrypt/live/news.server.com and
219 /etc/letsencrypt/archive/news.server.com where the real keys are
220 located, and the private key should not be world-readable).
221 There are two common ways for a news client to negotiate a TLS
223 connection: either via the use of a dedicated port (usually 563) on
224 which TLS is immediately negotiated upon connection, or via the now
225 discouraged way (per RFC 8143) to use the STARTTLS command on the usual
226 NNTP port (119) to dynamically upgrade from unencrypted to TLS-
227 protected traffic during an NNTP session. innd does not, however, know
228 how to listen for connections to that separate port (563). You will
229 therefore need to arrange for nnrpd to listen on that port through some
230 other means. This can be done with the -D flag along with "-p 563" and
231 put into your init scripts:
232 su news -s /bin/sh -c '<pathbin>/nnrpd -D -p 563 -S'
234 but the easiest way is probably to add a line like:
236 nntps stream tcp nowait news <pathbin>/nnrpd nnrpd -S
238 to /etc/inetd.conf or the equivalent on your system and let inetd run
240 nnrpd. (Change the path to nnrpd to match your installation.) You may
241 need to replace "nntps" with 563 if "nntps" isn't defined in
242 /etc/services on your system.
243 Optionally, you may set the tlsciphers, tlsciphers13, tlscompression,
245 tlseccurve, tlspreferserverciphers, and tlsprotocols parameters in
246 inn.conf to fine-tune the behaviour of the TLS/SSL negotiation whenever
247 a new attack on the TLS protocol or some supported cipher suite is
248 discovered.
249
251 blacklistd(8) is a FreeBSD/NetBSD daemon for preventing brute force
252 attacks by blocking attackers after a number of failed login attempts.
253 When nnrpd is built with blacklistd support, it will report login
254 attempts to the blacklistd daemon for potential blocking.
255 Adding the configuration below to /etc/blacklistd.conf under the
257 "[local]" section, assuming nnrpd is listening on port 563, would lead
258 to attackers being blocked for 10 minutes after 5 failed login
259 attempts.
260 # adr/mask:port type proto owner name nfail disable
262 563 stream * * * 5 10m
263 See the blacklistd(8) documentation for more information.
265
267 nnrpd implements the NNTP commands defined in RFC 3977 (NNTP), RFC 4642
268 updated by RFC 8143 (TLS/NNTP), RFC 4643 (NNTP authentication),
269 RFC 6048 (NNTP LIST additions) and RFC 8054 (NNTP compression) with the
270 following differences:
271 1. The XGTITLE [wildmat] command is provided. This extension is used
273 by ANU-News and documented in RFC 2980. It returns a 282 reply
274 code, followed by a one-line description of all newsgroups that
275 match the pattern. The default is the current group.
276 Note that LIST NEWSGROUPS should be used instead of XGTITLE.
278 2. The XHDR header [message-ID|range] command is implemented. It
280 returns a 221 reply code, followed by specific header fields for
281 the specified range; the default is to return the data for the
282 current article. See RFC 2980.
283 Note that HDR should be used instead of XHDR.
285 3. The XOVER [range] command is provided. It returns a 224 reply
287 code, followed by the overview data for the specified range; the
288 default is to return the data for the current article. See
289 RFC 2980.
290 Note that OVER should be used instead of XOVER.
292 4. A new command, XPAT header message-ID|range pattern [pattern ...],
294 is provided. The first argument is the case-insensitive name of
295 the header field to be searched. The second argument is either an
296 article range or a single message-ID, as specified in RFC 2980.
297 The third argument is a uwildmat-style pattern; if there are
298 additional arguments, they are joined together separated by a
299 single space to form the complete pattern. This command is similar
300 to the XHDR command. It returns a 221 response code, followed by
301 the text response of all article numbers that match the pattern.
302 5. A newsgroup name is case-sensitive for nnrpd.
304 6. If IHAVE has been advertised, it will not necessarily be advertised
306 for the entire session (contrary to section 3.4.1 of RFC 3977).
307 nnrpd only advertises the IHAVE capability when it is really
308 available.
309 7. nnrpd allows a wider syntax for wildmats and ranges (especially "-"
311 and "-article-number").
312
314 Written by Rich $alz <rsalz@uunet.uu.net> for InterNetNews. Overview
315 support added by Rob Robertston <rob@violet.berkeley.edu> and Rich in
316 January, 1993. Exponential backoff (for posting) added by Dave Hayes
317 in Febuary 1998.
318
320 blacklistd(8), ctlinnd(8), innd(8), inn.conf(5), libinn_uwildmat(3),
321 nnrpd.track(5), passwd.nntp(5), readers.conf(5), signal(2).
322INN 2.7.0 2022-07-10 NNRPD(8)