1 INN.CONF(5) InterNetNews Documentation INN.CONF(5)
2
3
4
6 inn.conf - Configuration data for InterNetNews programs
7
9 inn.conf in pathetc is the primary general configuration file for all
10 InterNetNews programs. Settings which control the general operation of
11 various programs, as well as the paths to all portions of the news
12 installation, are found here. The INNCONF environment variable, if
13 set, specifies an alternate path to inn.conf.
14
15 This file is intended to be fairly static. Any changes made to it will
16 generally not affect any running programs until they restart. Unlike
17 nearly every other configuration file, inn.conf cannot be reloaded
18 dynamically using ctlinnd(8); innd(8) must be stopped and restarted for
19 relevant changes to inn.conf to take effect ("ctlinnd xexec innd" is
20 the fastest way to do this.)
21
22 Blank lines and lines starting with a number sign ("#") are ignored.
23 All other lines specify parameters, and should be of the following
24 form:
25
26 <name>: <value>
27
28 (Any amount of whitespace can be put after the colon and is optional.)
29 If the value contains embedded whitespace or any of the characters
30 "[]<>{}"\:;", it must be enclosed in double quotes (""). A backslash
31 ("\") can be used to escape quotes and backslashes inside double
32 quotes. <name> is case-sensitive; "server" is not the same as "Server"
33 or "SERVER". (inn.conf parameters are generally all in lowercase.)
34
35 If <name> occurs more than once in the file, the first value is used.
36 Some parameters specified in the file may be overridden by environment
37 variables. Most parameters have default values if not specified in
38 inn.conf; those defaults are noted in the description of each
39 parameter.
40
41 Many parameters take a boolean value. For all such parameters, the
42 value may be specified as "true", "yes", or "on" to turn it on and may
43 be any of "false", "no", or "off" to turn it off. The case of these
44 values is significant.
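
The syntax rules above can be checked mechanically. The following reader is an added example, not INN's own parser; `parse_inn_conf`, `as_bool` and `laxmid_enabled` are names made up for this illustration, the sample file is constructed, and only single-line list values such as the syntaxchecks one shown later on this page are handled.

```python
import re

TRUE_WORDS = {"true", "yes", "on"}
FALSE_WORDS = {"false", "no", "off"}
MUST_QUOTE = set('[]<>{}"\\:;')          # characters that force double quotes
LINE_RE = re.compile(r"^([^\s:]+):\s*(.*)$")


class InnConfError(ValueError):
    """Raised for a line that does not follow the documented syntax."""


def parse_value(raw, lineno):
    raw = raw.strip()
    if raw.startswith('"'):
        out, i = [], 1
        while i < len(raw):
            ch = raw[i]
            if ch == "\\" and i + 1 < len(raw):
                out.append(raw[i + 1])   # backslash escapes the next character
                i += 2
            elif ch == '"':
                if raw[i + 1:].strip():
                    raise InnConfError(f"line {lineno}: text after closing quote")
                return "".join(out)
            else:
                out.append(ch)
                i += 1
        raise InnConfError(f"line {lineno}: unterminated quoted value")
    if raw.startswith("["):
        if not raw.endswith("]"):
            raise InnConfError(f"line {lineno}: list not closed on this line")
        return raw[1:-1].split()
    if any(ch.isspace() or ch in MUST_QUOTE for ch in raw):
        raise InnConfError(f"line {lineno}: value must be in double quotes")
    return raw


def parse_inn_conf(text):
    """Return (settings, shadowed); the first occurrence of a name wins."""
    settings, shadowed = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = LINE_RE.match(stripped)
        if not match:
            raise InnConfError(f"line {lineno}: expected '<name>: <value>'")
        name, raw = match.groups()       # names are case-sensitive, kept as-is
        if name in settings:
            shadowed.append((name, lineno))
            continue
        settings[name] = parse_value(raw, lineno)
    return settings, shadowed


def as_bool(value):
    """Case matters: 'true' is accepted, 'True' is not."""
    if value in TRUE_WORDS:
        return True
    if value in FALSE_WORDS:
        return False
    raise InnConfError(f"not a boolean value: {value!r}")


def laxmid_enabled(values):
    """Last occurrence wins; the documented default is no-laxmid."""
    enabled = False
    for item in values:
        if item == "laxmid":
            enabled = True
        elif item == "no-laxmid":
            enabled = False
    return enabled


# Constructed sample file, not taken from a real server.
SAMPLE = '''\
# constructed sample
pathhost: news.example.org
mta: "/usr/lib/sendmail -oi -oem %s"
bindaddress6: "2001:db8::119"
syntaxchecks: [ no-laxmid laxmid ]
pgpverify: true
pgpverify: false
wanttrash: True
'''

if __name__ == "__main__":
    parsed, ignored = parse_inn_conf(SAMPLE)
    print(parsed)
    print("ignored duplicates:", ignored)
```

The second pgpverify line is reported as shadowed rather than silently dropped, which is the case worth surfacing when a later edit to the file appears to have no effect.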
45
46 This documentation is extremely long and organized as a reference
47 manual rather than as a tutorial. If this is your first exposure to
48 INN and these parameters, it would be better to start by reading other
49 man pages and referring to this one only when an inn.conf parameter is
50 explicitly mentioned. Those parameters which need to be changed when
51 setting up a new server are discussed in INSTALL.
52
54 General Settings
55 These parameters are used by a wide variety of different components of
56 INN.
57
58 domain
59 This should be the domain name of the local host. It should not
60 have a leading period, and it should not be a full host address.
61 It is used only if the inn_getfqdn() routine in libinn(3) cannot
62 get the fully qualified domain name by using either the
63 gethostname(3) or getaddrinfo(3) calls. The check is very simple;
64 if either routine returns a name with a period in it, then it is
65 assumed to have the full domain name. The default value is unset.
66
67 This parameter is not meant to be used to affect the right-hand
68 side of autogenerated Message-IDs; you have to directly use domain
69 in readers.conf(5) instead, for backwards-compatible reasons. (The
70 name of this parameter in readers.conf will likely be changed in a
71 future major release to disambiguate its use.)
72
73 innflags
74 The flags to pass to innd on startup. See innd(8) for details on
75 the possible flags. The default value is unset.
76
77 Note that these flags are only used when innd is started from
78 rc.news or nntpsend.
79
80 mailcmd
81 The path to the program to be used for mailing reports and errors
82 to the news administrator. The default is pathbin/innmail. This
83 should not normally need to be changed.
84
85 mta The command to use when sending a mail (e.g. mailing postings to
86 moderators, gatewaying news to mail, sending statistics to the
87 TOP1000 project, mailing errors and reports to the news
88 administrator). Some programs use innmail(1) which in turn runs
89 the command in the mta parameter. The message, with its headers,
90 will be piped into this mta program. Depending on the calling
91 program, additional header fields may be added when appropriate,
92 like To, Subject or Auto-Submitted header fields.
93
94 The string %s, if present, will be replaced by the expected
95 recipient(s) like the e-mail address of the moderator or of a
96 remote list. It is strongly recommended that this command end
97 with %s on the command line. When %s is not present, the
98 addresses in the To and Cc header fields of the message are used
99 instead, which allows the news server to be abused as a mechanism
100 to send mail to arbitrary addresses and will result in unexpected
101 behaviour. There is no default value for this parameter; it must
102 be set in inn.conf or a fatal error message will be logged via
103 syslog.
104
105 For most systems, "/usr/lib/sendmail -oi -oem %s" (adjusted for the
106 correct path to sendmail, and between double quotes) is a good
107 choice.
108
109 To improve deliverability of sent mails, especially moderated group
110 submissions, you are encouraged to install a modern and full-
111 featured MTA like Postfix instead of a frugal MTA like Nullmailer.
112 You'll then be able to configure bounces and benefit from DSN
113 (Delivery Status Notifications). Useful flags to add, if your mta
114 program supports them, are "-N failure" (to only return a DSN on
115 failure, not delay), "-F 'Newsmaster'" (to set the full name of the
116 notification), "-fnewsmaster@server.com" (to set the envelope
117 sender address), and "-opnobodyreturn" (a privacy option to only
118 return headers in the DSN). Feel free to add any other options you
119 think appropriate.
120
121 pathhost
122 What to put into the Path header field to represent the local site.
123 This path identity is added to the Path header field body of all
124 articles that pass through the system, including locally posted
125 articles, and is also used when processing some control messages
126 and when naming the server in status reports. There is no default
127 value; this parameter must be set in inn.conf or INN will not
128 start. A good value to use is the fully qualified hostname of the
129 system.
130
131 The main purpose of the path identity is to keep your peers from
132 offering you articles that already contain your path identity in
133 their Path header fields.
134
135 In case you are running several internal news servers, you may want
136 to also set pathcluster so as to define the primary path identity
137 to advertise to your peers for their use in correctly identifying
138 your news servers and adding the right path diagnostic (see
139 Section 3.2.1 of RFC 5537 for more details about path diagnostics).
140
141 runasgroup
142 The group under which the news server will run. The default is
143 "news" (or the group specified at configure time) and should not
144 normally need to be changed.
145
146 runasuser
147 The user under which the news server will run. The default is
148 "news" (or the user specified at configure time) and should not
149 normally need to be changed.
150
151 server
152 The name of the default NNTP server. If nnrpdposthost is not set
153 and UNIX domain sockets are not supported, nnrpd tries to hand off
154 locally-posted articles through an INET domain socket to this
155 server.
156
157 actsync, getlist, inews, and nntpget also use this value as the
158 default server to connect to. In the latter cases, the value of
159 the NNTPSERVER environment variable, if it exists, overrides this.
160 The default value is unset.
161
162 rnews uses this value as a fallback when nnrpdposthost is not set,
163 and there's no localhost server.
164
165 syntaxchecks
166 A list of values controlling the level of checks performed by innd
167 and nnrpd. For instance:
168
169 syntaxchecks: [ no-laxmid ]
170
171 The last occurrence of a given value takes precedence, that is to
172 say if "no-laxmid laxmid" is listed, laxmid takes precedence.
173
174 Only one check can currently be enabled/disabled:
175
176 laxmid / no-laxmid
177 When laxmid is set, Message-IDs containing ".." in the left
178 part are accepted, as well as Message-IDs with two "@". Some
179 non-compliant news posters generate such syntactically invalid
180 Message-IDs, especially in binary newsgroups. The default is
181 no-laxmid, that is to say INN strictly follows the standard
182 regarding syntax checks (it will neither accept these articles
183 nor propagate them to remote peers).
184
185 Feed Configuration
186 These parameters govern incoming and outgoing feeds: what size of
187 articles are accepted, what filtering and verification is performed on
188 them, whether articles in groups not carried by the server are still
189 stored and propagated, and other similar settings.
190
191 artcutoff
192 Articles older than this number of days are dropped. The default
193 value is 10, which means that an incoming article will be rejected
194 if its posting date is farther in the past than ten days.
195
196 In order to disable that check on date, you can set this parameter
197 to 0.
198
199 The number on the "/remember/" line in expire.ctl should probably
200 be one more than that number in order to take into account articles
201 whose posting date is one day into the future.
202
203 bindaddress
204 Which IP address innd(8) should bind itself to. This must be in
205 dotted-quad format (nnn.nnn.nnn.nnn). If set to "all" or not set,
206 innd defaults to listening on all interfaces. The value of the
207 INND_BIND_ADDRESS environment variable, if set, overrides this
208 setting. The default value is unset.
209
210 This parameter has no effect when systemd socket activation is
211 used.
212
213 bindaddress6
214 Like bindaddress but for IPv6 sockets. If only one of the
215 bindaddress and bindaddress6 parameters is used, then only the
216 socket for the corresponding address family is created. If both
217 parameters are used then two sockets are created. If neither of
218 them is used, the list of sockets to listen on will be determined
219 by the system library getaddrinfo(3) function. The value of the
220 INND_BIND_ADDRESS6 environment variable, if set, overrides this
221 setting. The default value is unset.
222
223 Note that you will generally need to put double quotes ("") around
224 this value if you set it, since IPv6 addresses contain colons.
225
226 This parameter has no effect when systemd socket activation is
227 used.
228
229 docancels
230 This parameter is intended for sites concerned about abuse of
231 cancels, or that wish to enforce a mechanism to authenticate
232 cancels. This parameter does not change how NoCeM notices are
233 processed by perl-nocem(8), and only applies to cancel articles
234 (with a Control header field) and supersede requests (with a
235 Supersedes header field).
236
237 Unless rejected by the use of a filter hook, innd always accepts
238 and propagates cancel articles and supersede requests. However,
239 actually processing such articles on the local news server depends
240 on this parameter which can take the following values:
241
242 "require-auth"
243 Only articles originally protected by the Cancel-Lock
244 authentication mechanism can be withdrawn by a valid
245 authenticated cancel article or a valid authenticated supersede
246 request. Withdrawals of articles not originally protected by
247 Cancel-Lock will not be executed.
248
249 This is the default value if innd knows how to authenticate
250 cancels (that is to say if INN was built with Cancel-Lock
251 support). Otherwise, the behaviour will be the same as "none".
252
253 "auth"
254 Withdrawals of articles not originally protected by the Cancel-
255 Lock authentication mechanism will always be executed.
256 However, if the original article is protected, only a valid
257 authenticated cancel article or a valid authenticated supersede
258 request will permit withdrawing it. (If INN was not built with
259 Cancel-Lock support, such protected articles won't be
260 withdrawn.)
261
262 "none"
263 Neither cancel articles nor supersede requests will be
264 processed; no articles will be withdrawn.
265
266 This is the default value if innd does not know how to
267 authenticate cancels (that is to say if INN was not built with
268 Cancel-Lock support) as it has no means to ensure that these
269 withdrawal requests are legitimate.
270
271 "all"
272 innd will process all cancel articles and supersede requests,
273 even if unauthenticated, forged or with bad authentication.
274 You should be sure of what you are doing if you choose that
275 value as any article can be withdrawn (even by someone who is
276 not the author of the article).
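
The four docancels values reduce to a small decision table. The sketch below is an added example written from the descriptions above, not code from innd; the function and parameter names are hypothetical, and "built_with_cancel_lock" stands for whether INN was built with Cancel-Lock support.

```python
VALID = {"require-auth", "auth", "none", "all"}


def effective_docancels(value, built_with_cancel_lock=True):
    """Resolve the mode innd ends up using for a configured value (None = unset)."""
    if value is None:
        return "require-auth" if built_with_cancel_lock else "none"
    if value not in VALID:
        raise ValueError(f"unknown docancels value: {value!r}")
    if value == "require-auth" and not built_with_cancel_lock:
        return "none"                      # documented fallback
    return value


def withdrawal_executed(value, original_has_lock, cancel_auth_valid,
                        built_with_cancel_lock=True):
    """True if a cancel or supersede is acted on locally.

    original_has_lock: the target article carried Cancel-Lock protection.
    cancel_auth_valid: the cancel/supersede authenticates against that lock.
    """
    mode = effective_docancels(value, built_with_cancel_lock)
    if mode == "none":
        return False
    if mode == "all":
        return True                        # even forged or badly authenticated
    verified = built_with_cancel_lock and original_has_lock and cancel_auth_valid
    if mode == "require-auth":
        return verified                    # unprotected originals are never withdrawn
    # mode == "auth": unprotected originals are always withdrawn,
    # protected ones only with valid authentication.
    return verified if original_has_lock else True


def forged_cancel_exposure(value, built_with_cancel_lock=True):
    """Which originals a cancel WITHOUT valid authentication can withdraw."""
    return {
        "protected": withdrawal_executed(value, True, False, built_with_cancel_lock),
        "unprotected": withdrawal_executed(value, False, False, built_with_cancel_lock),
    }


if __name__ == "__main__":
    for mode in ("require-auth", "auth", "none", "all"):
        print(f"{mode:13s}", forged_cancel_exposure(mode))
```

As the text says, innd still accepts and propagates these articles in every mode; the table only covers whether the withdrawal happens on the local server.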
277
278 dontrejectfiltered
279 Normally innd(8) rejects incoming articles when directed to do so
280 by any enabled article filters (Perl or Python). However, this
281 parameter causes such articles not to be rejected; instead
282 filtering can be applied on outbound articles. If this parameter
283 is set, all articles will be accepted on the local machine, but
284 articles rejected by the filter will not be fed to any peers
285 specified in newsfeeds with the "Af" flag. The default value is
286 false.
287
288 hiscachesize
289 If set to a value other than 0, a hash of recently received
290 Message-IDs is kept in memory to speed history lookups. The value
291 is the amount of memory to devote to the cache in kilobytes. The
292 cache is only used for incoming feeds and a small cache can hold
293 quite a few Message-IDs, so large values aren't necessarily useful
294 unless you have incoming feeds that are badly delayed. innreport
295 can provide useful statistics regarding the use of the history
296 cache, especially when it misses. A good value for a system with
297 more than one incoming feed is 256; systems with only one incoming
298 feed should probably set this to 0. The default value is 256.
299
300 ignorenewsgroups
301 Whether newsgroup creation control messages (newgroup and rmgroup)
302 should be fed as if they were posted to the newsgroup they are
303 creating or deleting rather than to the newsgroups listed in the
304 Newsgroups header field. If this parameter is set, the newsgroup
305 affected by the control message will be extracted from the Control
306 header field and the article will be fed as if its Newsgroups
307 header field contained solely that newsgroup. This is useful for
308 routing control messages to peers when they are posted to
309 irrelevant newsgroups that shouldn't be matched against the peer's
310 desired newsgroups in newsfeeds. This is a boolean value and the
311 default is false.
312
313 immediatecancel
314 When using the timecaf storage method, article cancels are normally
315 just cached to be cancelled, not cancelled immediately. If this is
316 set to true, they will instead be cancelled as soon as the cancel
317 is processed. This is a boolean value and the default is false.
318
319 This setting is ignored unless the timecaf storage method is used.
320
321 linecountfuzz
322 If set to something other than 0, the line count of the article is
323 checked against the Lines header field body of the article (if
324 present) and the article is rejected if the values differ by more
325 than this amount. A reasonable setting is 5, which is the standard
326 maximum signature length plus one (some injection software
327 calculates the Lines header field before adding the signature).
328 The default value is 0, which tells INN not to check the Lines
329 header field of incoming articles.
330
331 maxartsize
332 The maximum size of article (headers and body) that will be
333 accepted by the server, in bytes. A value of 0 allows any size of
334 article, but note that innd will crash if system memory is
335 exceeded. The default value is 1000000 (approximately 1 MB). This
336 is checked against the article in wire format (CRLF at the end of
337 each line, leading periods protected, and with the trailing
338 "\r\n.\r\n" at the end). See also localmaxartsize.
339
340 maxconnections
341 The maximum number of incoming NNTP connections innd(8) will
342 accept. The default value is 50.
343
344 pathalias
345 If set, this value is prepended as a path identity immediately to
346 the right of pathhost in the Path header field body of accepted
347 articles if it doesn't already appear in the Path header field.
348 The default value is unset.
349
350 The main purpose of this parameter is when there is some other path
351 identity that you want to add to the Path header field of every
352 article passing through your news server(s) for some reason, maybe
353 because you used to have some other path identity and you have
354 peers that are configured to not send you articles that have
355 already passed through that entity, and you can't get them to
356 update to your current path identity for some reason.
357
358 pathcluster
359 If set, this value is appended as a path identity immediately to
360 the left of pathhost in the Path header field body of accepted
361 articles if it isn't already present as the leftmost element of the
362 Path header field body. The default value is unset.
363
364 The main purpose of this parameter is to set the name that you are
365 using to identify yourself to peers (i.e. the path identity they
366 should expect to see from you) in the cases where that doesn't
367 match the main path identity pathhost for this news server. (The
368 most common case where that happens is when you have multiple news
369 servers that you want to present as a "united front" to the outside
370 world and identify as the same virtual server, but you still want
371 distinct path identities so those servers can internally feed each
372 other. Also, even without internal feeds, pathcluster could be set
373 to an organization name if the organization has multiple news
374 servers.)
375
376 pgpverify
377 Whether to enable PGP verification of control messages other than
378 cancel. This is a boolean value and the default in the inn.conf
379 sample file is based on whether configure found pgp, pgpv, pgpgpg,
380 gpgv, gpgv1, gpgv2, gpg, gpg1 or gpg2. Note that if the parameter
381 is not present in the configuration file, it defaults to false.
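
Several parameters described so far (pathhost, mta, docancels, maxartsize and pgpverify) have values that this page itself flags as fatal, abusable or risky. The check below is an added example, not part of INN: it takes settings already read into a dictionary of strings, the name `audit_inn_conf` and the severity labels are this example's own, and both sample configurations are constructed.

```python
import shlex

TRUE_WORDS = {"true", "yes", "on"}


def audit_inn_conf(settings):
    """Return (parameter, severity, message) tuples for settings this page warns about."""
    findings = []

    def add(param, severity, message):
        findings.append((param, severity, message))

    if "pathhost" not in settings:
        add("pathhost", "error", "no default; INN will not start")

    mta = settings.get("mta")
    if mta is None:
        add("mta", "error", "no default; a fatal error is logged via syslog")
    else:
        try:
            argv = shlex.split(mta)
        except ValueError:               # unbalanced quotes inside the value
            argv = mta.split()
        if "%s" not in mta:
            add("mta", "high",
                "no %s: recipients come from the To and Cc header fields, "
                "so the server can be abused to mail arbitrary addresses")
        elif not argv or argv[-1] != "%s":
            add("mta", "review", "%s should end the command line")

    if settings.get("docancels") == "all":
        add("docancels", "high",
            "unauthenticated or forged cancels and supersedes can withdraw any article")

    raw_size = settings.get("maxartsize", "1000000")   # documented default
    try:
        maxartsize = int(raw_size)
    except ValueError:
        add("maxartsize", "error", f"not a number: {raw_size!r}")
    else:
        if maxartsize == 0:
            add("maxartsize", "high",
                "0 allows any article size; innd crashes if system memory is exceeded")

    # Absent from the file means false, whatever the sample file suggested.
    if settings.get("pgpverify") not in TRUE_WORDS:
        add("pgpverify", "review",
            "control messages other than cancel are not PGP-verified")

    return findings


# Constructed settings, as a parser would return them (all values are strings).
WEAK = {
    "pathhost": "news.example.org",
    "mta": "/usr/lib/sendmail -oi -oem",
    "docancels": "all",
    "maxartsize": "0",
}
HARDENED = {
    "pathhost": "news.example.org",
    "mta": "/usr/lib/sendmail -oi -oem %s",
    "docancels": "require-auth",
    "maxartsize": "1000000",
    "pgpverify": "true",
}

if __name__ == "__main__":
    for param, severity, message in audit_inn_conf(WEAK):
        print(f"[{severity}] {param}: {message}")
```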
382
383 port
384 What TCP port innd(8) should listen on. The default value is 119,
385 the standard NNTP port.
386
387 remembertrash
388 By default, innd(8) records rejected articles in history so that,
389 if offered the same article again, it can be refused before it is
390 sent. If you wish to disable this behavior, set this to false.
391 This can cause a substantial increase in the amount of bandwidth
392 consumed by incoming news if you have several peers and reject a
393 lot of articles, so be careful with it. Even if this is set to
394 true, INN won't log some rejected articles to history if there's
395 reason to believe the article might be accepted if offered by a
396 different peer, so there is usually no reason to set this to false
397 (although doing so can decrease the size of the history file).
398 This is a boolean value and the default is true.
399
400 sourceaddress
401 Which local IP address to bind to for outgoing NNTP sockets (used
402 by innxmit(8) among other programs, as well as innfeed(8) as long
403 as not overridden by bindaddress in innfeed.conf(5)). This must be
404 in dotted-quad format (nnn.nnn.nnn.nnn). If set to "all", the
405 operating system will choose the source IP address for outgoing
406 connections. The default value is unset.
407
408 sourceaddress6
409 Like sourceaddress but for IPv6 sockets. Note that you will
410 generally need to put double quotes ("") around this value if you
411 set it, since IPv6 addresses contain colons.
412
413 verifygroups
414 Set this to true to reject incoming articles which contain an
415 unknown newsgroup in the whole list of newsgroups to which they are
416 posted. In case wanttrash is set to true, such articles will still
417 be rejected. This is a boolean value, and the default is false.
418
419 wanttrash
420 Set this to true if you want to file articles posted to unknown
421 newsgroups (newsgroups not in the active file) into the "junk"
422 newsgroup rather than rejecting them. This is sometimes useful for
423 a transit news server that needs to propagate articles (according
424 to the setting of "Aj" in the newsfeeds feed pattern) in all
425 newsgroups regardless of whether they're carried locally. This is a
426 boolean value and the default is false.
427
428 The logtrash parameter specifies whether such articles should be
429 logged as posted to unwanted newsgroups in the news log file.
430
431 wipcheck
432 If INN is offered an article by a peer on one channel, it will
433 return deferral responses (code 436) to all other offers of that
434 article for this many seconds. (After this long, if the peer that
435 offered the article still hasn't sent it, it will be accepted from
436 other channels.) The default value is 5 and probably doesn't need
437 to be changed.
438
439 wipexpire
440 How long, in seconds, to keep track of message IDs offered on a
441 channel before expiring articles that still haven't been sent. The
442 default value is 10 and probably doesn't need to be changed.
443
444 History Settings
445 The following parameter affects the history database.
446
447 hismethod
448 Which history storage method to use. The only currently supported
449 value is "hisv6". There is no default value; this parameter must
450 be set.
451
452 "hisv6"
453 Stores history data in the INN history v6 format: history(5)
454 text file and a number of dbz database files; this may be in
455 true history v6 format, or tagged hash format, depending on the
456 build options. Separation of these two is a project which has
457 not yet been undertaken.
458
459 Article Storage
460 These parameters affect how articles are stored on disk.
461
462 cnfscheckfudgesize
463 If set to a value other than 0, the claimed size of articles in
464 CNFS cycbuffs is checked against maxartsize plus this value, and if
465 larger, the CNFS cycbuff is considered corrupt. This can be useful
466 as a sanity check after a system crash, but be careful using this
467 parameter if you have changed maxartsize recently. The default
468 value is 0.
469
470 enableoverview
471 Whether to write out overview data for articles. If set to false,
472 INN will run much faster, but reading news from the system will be
473 impossible (the server will be for news transit only). If this
474 option is set to true, ovmethod must also be set. This is a
475 boolean value and the default is true.
476
477 extraoverviewadvertised
478 Besides the seven standard overview fields (which are in order
479 "Subject", "From", "Date", "Message-ID", "References", ":bytes" and
480 ":lines") and the eighth "Xref:full" field required by INN in order
481 to handle crossposts, it is possible to add other fields in the
482 overview database. This parameter expects a list of such header
483 field names. Overview data for these additional header fields will
484 be generated for each new article at the time of arrival. For
485 instance, if you specify:
486
487 extraoverviewadvertised: [ Path Newsgroups ]
488
489 it implies that nnrpd will advertise "Path:full" and
490 "Newsgroups:full" as the ninth and tenth fields in response to LIST
491 OVERVIEW.FMT and that these two header field bodies will be stored
492 in the overview database for each new article. It may be a useful
493 configuration to have as some news readers do article scoring with
494 rules based on these two header fields. Having them in the
495 overview database makes scoring faster for these readers, since
496 they do not have to request them separately, but on the
497 other hand these additional fields are also present in overview
498 requests of all the other readers, which slightly slows their
499 reading.
500
501 The default value is an empty list (no additional fields are
502 stored). Owing to optimizations when innd parses the articles it
503 receives, it is possible that all the values in the list are not
504 recognized by innd as standard header field names. In such cases,
505 innd will log an error in news.err at startup and the unrecognized
506 fields will be discarded. Moreover, the deprecated "Bytes" and
507 "Lines" header fields, already present in the standard overview
508 fields as metadata items, cannot be added.
509
510 You should advertise only fields for which the overview database is
511 consistent, that is to say it records the content or absence of
512 these fields for all articles, including those already existing in
513 the news spool. Consequently, if you decide to add or remove a
514 field from your overview database, you should either modify
515 extraoverviewadvertised and rebuild your overview database with
516 makehistory(8) after removing all existing overview files, or
517 implement a transition period by first using extraoverviewhidden as
518 described below.
519
520 Use of a transition period can accommodate most overview
521 reconfigurations, but certain drastic changes may still require a
522 complete overview rebuild.
523
524 If for instance you want to store the content of the Injection-Info
525 header field body in addition to the fields already stored above,
526 you should use:
527
528 extraoverviewadvertised: [ Path Newsgroups ]
529 extraoverviewhidden: [ Injection-Info ]
530
531 This way, "Injection-Info:full" will not be advertised by nnrpd but
532 will be stored for each new article. Once you know that all
533 articles in your overview database record the content or absence of
534 that new field (if expire.ctl(5) is parameterized so that all your
535 articles expire within 30 days, you can assume the database is in
536 such a state after 30 days -- however, note that time to expiration
537 can be unpredictable with CNFS and you then have to use "cnfsstat
538 -a" for checking on when buffers have rolled over), you should put:
539
540 extraoverviewadvertised: [ Path Newsgroups Injection-Info ]
541 extraoverviewhidden: [ ]
542
543 The "Injection-Info" value must be added at the end of the list
544 because order matters and fields mentioned in extraoverviewhidden
545 are generated after those mentioned in extraoverviewadvertised.
546 nnrpd will now advertise "Injection-Info:full" in response to the
547 LIST OVERVIEW.FMT command ("full" indicates that the header field
548 name appears followed by its value).
549
550 Now suppose you want to remove the content of the Newsgroups header
551 field from the overview. As order matters, the overview database
552 will no longer be consistent for the Injection-Info header field.
553 Therefore, you need to specify:
554
555 extraoverviewadvertised: [ Path ]
556 extraoverviewhidden: [ Injection-Info ]
557
558 And once overview data is accurate for all articles, you should
559 use:
560
561 extraoverviewadvertised: [ Path Injection-Info ]
562 extraoverviewhidden: [ ]
563
564 Note that you have to restart nnrpd if it runs as a daemon whenever
565 you change the value of extraoverviewadvertised; a mere "ctlinnd
566 xexec innd" is not enough.
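
The transition procedure above follows one rule: an extra field may stay advertised only while it keeps its position in the stored order, and everything from the first changed position onward goes through extraoverviewhidden first. The planner below is an added example that encodes this reading of the text and is not an INN tool; it assumes the current configuration is in a steady state (empty extraoverviewhidden), and all function names are hypothetical.

```python
# The eight fields INN always stores, in LIST OVERVIEW.FMT notation.
STANDARD_FMT = ["Subject:", "From:", "Date:", "Message-ID:", "References:",
                ":bytes", ":lines", "Xref:full"]
FORBIDDEN = {"bytes", "lines"}     # already present as metadata items


def overview_fmt(advertised):
    """Field list nnrpd advertises for a given extraoverviewadvertised."""
    return STANDARD_FMT + [f"{name}:full" for name in advertised]


def plan_transition(current_advertised, desired):
    """Split `desired` into what can stay advertised now and what must be hidden.

    Returns {"transition": (advertised, hidden), "final": (advertised, hidden)}.
    "final" applies only once all articles record the new layout.
    """
    lowered = [name.lower() for name in desired]
    if FORBIDDEN & set(lowered):
        raise ValueError("Bytes and Lines cannot be added as extra fields")
    if len(set(lowered)) != len(lowered):
        raise ValueError("duplicate field in desired list")

    keep = []
    for old, new in zip(current_advertised, desired):
        if old.lower() != new.lower():
            break                  # order matters: later fields change position
        keep.append(new)
    hidden = list(desired[len(keep):])
    return {"transition": (keep, hidden), "final": (list(desired), [])}


def render(advertised, hidden):
    """The two inn.conf lines for a configuration step."""
    def as_list(names):
        return "[ " + " ".join(names) + " ]" if names else "[ ]"
    return [f"extraoverviewadvertised: {as_list(advertised)}",
            f"extraoverviewhidden: {as_list(hidden)}"]


if __name__ == "__main__":
    # The second scenario from the text: drop Newsgroups, keep Injection-Info.
    plan = plan_transition(["Path", "Newsgroups", "Injection-Info"],
                           ["Path", "Injection-Info"])
    for step in ("transition", "final"):
        print(f"# {step}")
        print("\n".join(render(*plan[step])))
```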
567
568 extraoverviewhidden
569 This parameter should be used in conjunction with
570 extraoverviewadvertised (see above for more details). It expects a
571 list of header field names. Overview data for these header fields
572 will be generated for each new article at the time of arrival but,
573 contrary to the fields mentioned in extraoverviewadvertised, nnrpd
574 will not advertise them in response to the LIST OVERVIEW.FMT
575 command. It also implies that nnrpd will not look in the overview
576 database for fields mentioned in extraoverviewhidden when it
577 handles HDR, XHDR and XPAT requests as the overview database is not
578 considered consistent yet for these fields; nnrpd will have to
579 parse the headers of the requested articles in the news spool,
580 which is slower than directly querying the overview database.
581
582 The default value is an empty list (no additional fields are
583 stored). Owing to optimizations when innd parses the articles it
584 receives, it is possible that all the values in the list are not
585 recognized by innd as standard header field names. In such cases,
586 innd will log an error in news.err at startup and the unrecognized
587 fields will be discarded. Moreover, the deprecated "Bytes" and
588 "Lines" header fields, already present in the standard overview
589 fields as metadata items, cannot be added.
590
591 groupbaseexpiry
592 Whether to enable newsgroup-based expiry. If set to false, article
593 expiry is done based on the storage class of the storage method. If set to
594 true (and overview information is available), expiry is done by
595 newsgroup name. This affects the format of expire.ctl. This is a
596 boolean value and the default is true.
597
598 mergetogroups
599 Whether to file all postings to "to.*" groups in the
600 pseudonewsgroup "to". If this is set to true, the newsgroup "to"
601 must exist in the active file or INN will not start. (See the
602 discussion of "to." groups in innd(8) under CONTROL MESSAGES.)
603 This is a boolean value and the default is false.
604
605 nfswriter
606 For servers writing articles, determine whether the article spool
607 is on NFS storage. If set, INN attempts to flush articles to the
608 spool in a more timely manner, rather than relying on the operating
609 system to flush things such as the CNFS article bitmaps. You
610 should only set this parameter if you are attempting to use a
611 shared NFS spool on a machine acting as a single writer within a
612 cluster. This is a boolean value and the default is false.
613
614 overcachesize
615 How many cache slots to reserve for open overview files. If INN is
616 writing overview files (see enableoverview), ovmethod is set to
617 "tradindexed", and this is set to a value other than 0, INN will
618 keep around and open that many recently written-to overview files
619 in case more articles come in for those newsgroups. Every overview
620 cache slot consumes two file descriptors, so be careful not to set
621 this value too high. You may be able to use the "limit" command to
622 see how many open file descriptors your operating system allows.
623 innd(8) also uses an open file descriptor for each incoming feed
624 and outgoing channel or batch file, and if it runs out of open file
625 descriptors, it may throttle and stop accepting new news. The
626 default value is 128 (which is probably still too low if you have a
627 large number of file descriptors available).
628
629 This setting is ignored unless ovmethod is set to "tradindexed".
630
631 ovgrouppat
632 If set, restricts the overview data stored by INN to only the
633 newsgroups matching this comma-separated list of uwildmat
634 expressions. Newsgroups not matching this setting may not be
635 readable, and if groupbaseexpiry is set to true and the storage
636 method for these newsgroups does not have self-expire
637 functionality, storing overview data will fail. The default is
638 unset.
639
640 ovmethod
641 Which overview storage method to use. Currently supported values
642 are "buffindexed", "ovdb", "ovsqlite" and "tradindexed". There is
643 no default value; this parameter must be set if enableoverview is
644 true (the default).
645
646 "buffindexed"
647 It stores overview data and index information into
648 preconfigured large files like CNFS. Fast at writing, the
649 "buffindexed" overview storage method can keep up with a large
650 feed more easily and never consumes additional disk space
651 beyond that allocated to these buffers. The downside is that
652 these buffers are hard to recover in case of corruption and
653 somewhat slower for readers and the expiry process. Also,
654 overview data is limited to 8 KB per article, so a few articles
655 with headers of unusual length may not be integrated into the
656 overview database. See the
657 buffindexed.conf(5) man page for more details, and notably how
658 to create the buffers.
659
660 "ovdb"
661 It stores overview information into a Berkeley DB database,
662 whose development pace has stalled these last years. This
663 method is fast and very robust, but may require more disk
664 space, unless compression is enabled. Overview data is fetched
665 one article at a time, which makes this method a bit slower
666 than "ovsqlite" for readers. See the ovdb(5) man page for more
667 details.
668
669 "ovsqlite"
670 It stores overview information into an SQLite database, known
671 for its long-term stability and compatibility. Robust and
672 faster than "ovdb" at reading ranges of overview data (since
673 overview data is transferred in 128-kilobyte chunks between
674 ovsqlite-server and nnrpd) but somewhat slower at writing, this
675 method may require more disk space, unless compression is
676 enabled. See the ovsqlite(5) man page for more details.
677
678 "tradindexed"
679 It uses two files per newsgroup, one containing the overview
680 data and one containing the index. Fast for readers, but slow
681 to write to because it has to update two files for each
682 incoming article. Its main advantage is to be the best tested,
683 the most reliable and the method with the best recovery tools.
684
685 storeonxref
686 If set to true, articles will be stored based on the newsgroup
687 names in the Xref header field body rather than in the Newsgroups
688 header field body. This affects what the patterns in storage.conf
689 apply to. The primary interesting effect of setting this to true
690 is to enable filing of all control messages according to what
691 storage class the control pseudogroups are filed in rather than
692 according to the newsgroups the control messages are posted to.
693 This is a boolean value and the default is true.
694
695 If the tradspool article storage method is used, storeonxref must
696 be true.
697
698 useoverchan
699 Whether innd(8) should create overview data internally through
700 libinnstorage(3). If set to false, innd creates overview data by
701 itself. If set to true, innd does not create it; instead, overview
702 data must be created by overchan(8) from an appropriate entry in
703 newsfeeds. Setting it to true may be useful if innd cannot keep up
704 with the incoming feed and the bottleneck is creation of overview
705 data within innd. This is a boolean value and the default is false.
706
707 wireformat
708 Only used with the tradspool storage method, this says whether to
709 write articles in wire format. Wire format means storing articles
710 with "\r\n" at the end of each line and with periods at the
711 beginning of lines doubled, the article format required by the NNTP
712 protocol. Articles stored in this format are suitable for sending
713 directly to a network connection without requiring conversion, and
714 therefore setting this to true can make the server more efficient.
715 The primary reason not to set this is if you have old existing
716 software that looks around in the spool and doesn't understand how
717 to read wire format. Storage methods other than tradspool always
718 store articles in wire format. This is a boolean value and the
719 default is true.
720
721 xrefslave
722 Whether to act as the slave of another server. If set, INN
723 attempts to duplicate exactly the article numbering of the server
724 feeding it by looking at the Xref header field body of incoming
725 articles and assigning the same article numbers to articles as was
726 noted in the Xref header field body from the upstream server. The
727 result is that clients should be able to point at either server
728 interchangeably (using some load balancing scheme, for example) and
729 see the same internal article numbering. Servers with this
730 parameter set should generally only have one upstream feed, and
731 should always have nnrpdposthost set to hand locally posted
732 articles off to the master server. The upstream should be careful
733 to always feed articles in order (innfeed(8) can have problems with
734 this in the event of a backlog). This is a boolean value and the
735 default is false.
736
737 Reading
738 These parameters affect the behavior of INN for readers. Most of them
739 are used by nnrpd(8). There are some special sets of settings that are
740 broken out separately after the initial alphabetized list.
741
742 allownewnews
743 Whether to allow use of the NEWNEWS command by clients. This
744 command used to put a heavy load on the server in older versions of
745 INN, but is now reasonably efficient, at least if only one
746 newsgroup is specified by the client. This is a boolean value and
747 the default is true. If you use the access parameter in
748 readers.conf, be sure to read about the way it overrides
749 allownewnews.
750
751 articlemmap
752 Whether to attempt to mmap() articles. Setting this to true will
753 give better performance on most systems, but some systems have
754 problems with mmap(). If this is set to false, articles will be
755 read into memory before being sent to readers. This is a boolean
756 value and the default is true.
757
758 clienttimeout
759 How long (in seconds) a client connection can be idle before it
760 exits. When setting this parameter, be aware that some newsreaders
761 use the same connection for reading and posting and don't deal well
762 with the connection timing out while a post is being composed. If
763 the system isn't having a problem with too many long-lived
764 connections, it may be a good idea to increase this value to 3600
765 (an hour). The default value is 1800 (thirty minutes).
766
767 initialtimeout
768 How long (in seconds) nnrpd will wait for the first command from a
769 reader connection before dropping the connection. This is a
770 defensive timeout intended to protect the news server from badly
771 behaved reader clients that open and abandon a multitude of
772 connections without ever closing them. The default value is 10
773 (ten seconds), which may need to be increased if many clients
774 connect via slow network links.
775
776 msgidcachesize
777 How many cache slots to reserve for message-IDs to storage token
778 translations. When serving overview data to clients (NEWNEWS,
779 OVER, etc.), nnrpd(8) can cache the storage token associated with a
780 message-ID and save the cost of looking it up in the history file;
781 for some configurations, setting this parameter can save more than
782 90% of the wall clock time for a session. The default value is
783 64000.
784
785 nfsreader
786 For servers reading articles, determine whether the article spool
787 is on NFS storage. If set, INN will attempt to force articles and
788 overviews to be read directly from the NFS spool rather than from
789 cached copies. You should only set this parameter if you are
790 attempting to use a shared NFS spool on a machine acting as a
791 reader within a cluster. This is a boolean value and the default
792 is false.
793
794 nfsreaderdelay
795 If nfsreader is set, INN will use the value of nfsreaderdelay to
796 delay the apparent arrival time of articles to clients by this
797 amount. Note that only answers to GROUP and NEWNEWS commands are
798 affected. This value should be tuned based on the NFS cache
799 timeouts locally. The default is 60, that is to say one minute.
800
801 nnrpdcheckart
802 Whether nnrpd should check the existence of an article before
803 listing it as present in response to an NNTP command (HDR,
804 LISTGROUP, NEWNEWS, OVER, XPAT). The primary use of this setting
805 is to prevent nnrpd from returning information about articles which
806 are no longer present on the server but which still have overview
807 data available. Checking the existence of articles before
808 returning overview information slows down the overview commands,
809 but reduces the number of "article is missing" errors seen by the
810 client. This is a boolean value and the default is true.
811
812 You may also want to see the groupexactcount parameter in
813 readers.conf(5) which controls the computing of the estimated
814 article count returned in NNTP commands (GROUP, LIST COUNTS,
815 LISTGROUP).
816
817 nnrpdflags
818 When nnrpd(8) is spawned from innd(8), these flags are passed as
819 arguments to the nnrpd process. This setting does not affect
820 instances of nnrpd that are started in daemon mode, or instances
821 that are started via another listener process such as inetd(8) or
822 xinetd(8). Shell quoting and metacharacters are not supported.
823 This is a string value and the default is unset.
824
825 nnrpdloadlimit
826 If set to a value other than 0, connections to nnrpd will be
827 refused if the system load average is higher than this value. The
828 default value is 16.
829
830 noreader
831 Normally, innd(8) will fork a copy of nnrpd(8) for all incoming
832 connections from hosts not listed in incoming.conf. If this
833 parameter is set to true, those connections will instead be
834 rejected with a 502 error code. This should be set to true for a
835 transit-only server that doesn't support readers, or if nnrpd is
836 running in daemon mode or being started out of inetd. This is a
837 boolean value and the default is false.
838
839 readerswhenstopped
840 Whether to allow readers to connect even if the server is paused or
841 throttled. This is only applicable if nnrpd(8) is spawned from
842 innd(8) rather than run out of inetd or in daemon mode. This is a
843 boolean value and the default is false.
844
845 readertrack
846 Whether to enable the tracking system for client behavior. Tracked
847 information is recorded to pathlog/tracklogs/log-ID, where ID is
848 determined by nnrpd's PID and launch time. Currently the
849 information recorded includes initial connection and posting; only
850 information about clients listed in nnrpd.track is recorded. In
851 addition, every posted article will be saved in
852 pathlog/trackposts/track.message-id, where message-id is the
853 message ID of the post. This is a boolean value and the default is
854 false.
855
856 tradindexedmmap
857 Whether to attempt to mmap() tradindexed overviews.
858 Setting this to true will give better performance on most systems,
859 but some systems have problems with mmap(). If this is set to
860 false, overviews will be read into memory before being sent to
861 readers. This is a boolean value and the default is true.
862
863 INN has optional support for generating keyword information
864 automatically from article body text and putting that information in
865 overview for the use of clients that know to look for it (HDR, OVER and
866 XPAT commands). The following parameters control that feature, which
867 should be considered experimental. Its very simple text tokenization
868 works only on plain-text ASCII articles, and totally lacks any
869 understanding of anything other than English. Articles encoded in
870 Base64 or Quoted-Printable, having a MIME structure, or farther afield
871 from English will have garbage in the generated Keywords header field.
872
873 This feature may be too slow if you're taking a substantial feed, and
874 probably will not be useful for the average news reader; enabling this
875 is not recommended unless you have some specific intention to take
876 advantage of it.
877
878 keywords
879 Whether the keyword generation support should be enabled. This is
880 a boolean value and the default is false.
881
882 If an article already contains a Keywords header field, no keyword
883 generation is done and the original Keywords header field is kept
884 untouched.
885
886 In order to use this feature, the regex library should be available
887 and INN configured with the --enable-keywords flag. Otherwise, no
888 keywords will be generated, even though this boolean value is set
889 to true. You also have to add the Keywords header field into the
890 overview with extraoverviewadvertised or extraoverviewhidden.
891
892 keyartlimit
893 Articles larger than this value in bytes will not have keywords
894 generated for them (since it would take too long to do so). The
895 default value is 100000 (approximately 100 KB).
896
897 keylimit
898 Maximum number of bytes allocated for keyword data. If there are
899 more keywords than will fit into this many bytes when separated by
900 commas, the rest are discarded. The default value is 512.
901
902 keymaxwords
903 Maximum number of keywords that will be generated for an article.
904 (The keyword generation code will attempt to discard "noise" words
905 in English, so the number of keywords actually written into the
906 overview will usually be smaller than this even if the maximum
907 number of keywords is found.) The default value is 250.
908
909 Posting
910 These parameters are only used by nnrpd(8), inews(1), and other
911 programs that accept or generate postings. There are some special sets
912 of settings that are broken out separately after the initial
913 alphabetized list.
914
915 addinjectiondate
916 Whether to add an Injection-Date header field to all local posts.
917 This is a boolean value and the default is true.
918
919 Note that no Injection-Date header fields will be added to local
920 posts already containing both a Message-ID header field and a Date
921 header field. This is done in conformance with standards, to help
922 minimize the possibility of a loop in e-mail gatewaying and ensure
923 that a newly injected article is not treated as a new, separate
924 article in case of multiple injection of the same article to
925 different injecting agents.
926
927 addinjectionpostingaccount
928 Whether to add a posting-account attribute to the Injection-Info
929 header field body to all local posts giving the username assigned
930 to the user at connection time or after authentication. This is a
931 boolean value and the default is false. There is no intrinsic
932 support for obfuscating the value. That has to be done with a
933 user-written Perl filter, if desired.
934
935 addinjectionpostinghost
936 Whether to add a posting-host attribute to the Injection-Info
937 header field body to all local posts giving an FQDN (when known, by
938 reverse lookup of the client IP address) and IP address of the
939 system from which the post was received. This is a boolean value
940 and the default is true. Note that INN either does not add this
941 attribute or adds the name (when known) and IP address of the
942 client. There is no intrinsic support for obfuscating the name of
943 the client. That has to be done with a user-written Perl filter,
944 if desired.
945
946 When this parameter is set to true, an FQDN (obtained by reverse
947 lookup of the client IP address or, if unknown, the IP address
948 itself) of the client is also added to the Path header field body,
949 after the "!.POSTED" diagnostic.
950
951 checkincludedtext
952 Whether to check local postings for the ratio of new to quoted text
953 and reject them if that ratio is under 50%. Included text is
954 recognized by looking for lines beginning with ">", "|", or ":".
955 This is a boolean value and the default is false.
956
957 complaints
958 The value of the mail-complaints-to attribute of the Injection-Info
959 header field added to all local posts. The default is the
960 newsmaster's e-mail address. (If the newsmaster, selected at
961 configure time and defaulting to "usenet", doesn't contain "@", the
962 address will consist of the newsmaster, an "@", and the value of
963 fromhost.)
964
965 fromhost
966 Contains a domain used to construct e-mail addresses. The address
967 of the local news administrator will be given as <user>@fromhost,
968 where <user> is the newsmaster user set at compile time ("usenet"
969 by default). This setting will also be used by mailpost(8) to
970 fully qualify addresses and by inews(1) to generate the Sender
971 header field (and the From header field if missing). The value of
972 the FROMHOST environment variable, if set, overrides this setting.
973 The default is the fully qualified domain name of the local host.
974
975 localmaxartsize
976 The maximum article size (in bytes) for locally posted articles.
977 Articles larger than this will be rejected. A value of 0 allows
978 any size of article, but note that nnrpd and innd will crash if
979 system memory is exceeded. See also maxartsize, which applies to
980 all articles including those posted locally. The default value is
981 1000000 (approximately 1 MB).
982
983 moderatormailer
984 The address to which to send submissions for moderated groups. It
985 is only used if the moderators file doesn't exist, or if the
986 moderated group to which an article is posted is not matched by any
987 entry in that file, and takes the same form as an entry in the
988 moderators file. In most cases, "%s@moderators.isc.org" is a good
989 value for this parameter (%s is expanded into a form of the
990 newsgroup name). See moderators(5) for more details about the
991 syntax. The default is unset. If this parameter isn't set and an
992 article is posted to a moderated group that does not have a
993 matching entry in the moderators file, the posting will be rejected
994 with an error.
995
996 nnrpdauthsender
997 Whether to generate a Sender header field based on reader
998 authentication. If this parameter is set, a Sender header field
999 will be added to local posts containing the identity assigned by
1000 readers.conf. If the assigned identity does not include an "@",
1001 the reader's hostname is used. If this parameter is set but no
1002 identity is assigned, the Sender header field will be removed from
1003 all posts even if the poster includes one. This is a boolean value
1004 and the default is false.
1005
1006 nnrpdposthost
1007 If set, nnrpd(8) and rnews(1) will pass all locally posted articles
1008 to the specified host rather than trying to inject them locally.
1009 See also nnrpdpostport. This should always be set if xrefslave is
1010 true. The default value is unset.
1011
1012 nnrpdpostport
1013 The port on the remote server to connect to for posting when
1014 nnrpdposthost is used. The default value is 119.
1015
1016 organization
1017 What to put in the Organization header field body if it is left
1018 blank by the poster. The value of the ORGANIZATION environment
1019 variable, if set, overrides this setting. The default is unset,
1020 which tells INN not to insert an Organization header field.
1021
1022 spoolfirst
1023 If true, nnrpd(8) will spool new articles rather than attempting to
1024 send them to innd(8). If false, nnrpd will spool articles only if
1025 it receives an error trying to send them to innd. Setting this to
1026 true can be useful if nnrpd must respond as fast as possible to the
1027 client; however, when set, articles will not appear to readers
1028 until they are given to innd. nnrpd won't do this; "rnews -U" must
1029 be run periodically to take the spooled articles and post them.
1030 This is a boolean value and the default is false.
1031
1032 strippostcc
1033 Whether to strip To, Cc, and Bcc header fields out of all local
1034 posts via nnrpd(8). The primary purpose of this setting is to
1035 prevent abuse of the news server by posting to a moderated group
1036 and including To or Cc header fields in the post so that the news
1037 server will send the article to arbitrary addresses. INN now
1038 protects against this abuse in other ways provided mta is set to a
1039 command that includes %s and honors it, so this is generally no
1040 longer needed. This is a boolean value and the default is false.
1041
1042 nnrpd(8) has support for controlling high-volume posters via an
1043 exponential backoff algorithm, as configured by the following
1044 parameters.
1045
1046 Exponential posting backoff works as follows: news clients are indexed
1047 by IP address (or username, see backoffauth below). Each time a post
1048 is received from an IP address, the time of posting is stored (along
1049 with the previous sleep time, see below). After a configurable number
1050 of posts in a configurable period of time, nnrpd(8) will begin to sleep
1051 for increasing periods of time before actually posting anything
1052 (posting backoff is therefore activated). Posts will still be
1053 accepted, but at an increasingly reduced rate.
1054
1055 After backoff has been activated, the length of time to sleep is
1056 computed based on the difference in time between the last posting and
1057 the current posting. If this difference is less than backoffpostfast,
1058 the new sleep time will be 1 + (previous sleep time * backoffk). If
1059 this difference is less than backoffpostslow but greater than
1060 backoffpostfast, then the new sleep time will equal the previous sleep
1061 time. If this difference is greater than backoffpostslow, the new
1062 sleep time is zero and posting backoff is deactivated for this poster.
1063 (Note that this does not mean posting backoff cannot be reactivated
1064 later in the session.)
1065
1066 Exponential posting backoff will not be enabled unless backoffdb is set
1067 and backoffpostfast and backoffpostslow are set to something other than
1068 their default values.
1069
1070 Here are the parameters that control exponential posting backoff:
1071
1072 backoffauth
1073 Whether to index posting backoffs by user rather than by source IP
1074 address. You must be using authentication in nnrpd(8) for a value
1075 of true to have any meaning. This is a boolean value and the
1076 default is false.
1077
1078 backoffdb
1079 The path to a directory, writeable by the news user, that will
1080 contain the backoff database. There is no default for this
1081 parameter; you must provide a path to a creatable or writeable
1082 directory to enable exponential backoff.
1083
1084 backoffk
1085 The amount to multiply the previous sleep time by if the user is
1086 still posting too quickly. A value of 2 will double the sleep time
1087 for each excessive post. The default value is 1.
1088
1089 backoffpostfast
1090 Postings from the same identity that arrive in less than this
1091 amount of time (in seconds) will trigger increasing sleep time in
1092 the backoff algorithm. The default value is 0.
1093
1094 backoffpostslow
1095 Postings from the same identity that arrive in greater than this
1096 amount of time (in seconds) will reset the backoff algorithm.
1097 Another way to look at this constant is to realize that posters
1098 will be allowed to generate at most 86400/backoffpostslow posts per
1099 day. The default value is 1.
1100
1101 backofftrigger
1102 This many postings are allowed before the backoff algorithm is
1103 triggered. The default value is 10000.
1104
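The backoff rules described above, modelled as an added example (not code from INN or nnrpd). Three points are assumptions because the text does not specify them: posts count toward backofftrigger until a gap longer than backoffpostslow resets the count, a gap exactly equal to backoffpostfast or backoffpostslow keeps the previous sleep time, and the class and function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class BackoffConfig:
    # Defaults are the ones listed for each parameter in inn.conf(5).
    backoffauth: bool = False
    backoffdb: Optional[str] = None
    backoffk: int = 1
    backoffpostfast: int = 0
    backoffpostslow: int = 1
    backofftrigger: int = 10000

    def enabled(self) -> bool:
        # Backoff stays off unless backoffdb is set and both timing
        # parameters differ from their defaults.
        return (self.backoffdb is not None
                and self.backoffpostfast != 0
                and self.backoffpostslow != 1)


@dataclass
class PosterState:
    last_post: Optional[int] = None   # time of the previous post
    prev_sleep: int = 0               # sleep applied to the previous post
    posts: int = 0                    # posts counted toward backofftrigger


class BackoffTable:
    """Per-identity backoff state, keyed by IP address or by username."""

    def __init__(self, cfg: BackoffConfig) -> None:
        self.cfg = cfg
        self.states: Dict[str, PosterState] = {}

    def key(self, ip: str, user: Optional[str]) -> str:
        # backoffauth switches the index from source IP to username.
        if self.cfg.backoffauth and user:
            return "user:" + user
        return "ip:" + ip

    def post(self, now: int, ip: str, user: Optional[str] = None) -> int:
        """Return the seconds to sleep before the post at `now` is handled."""
        cfg = self.cfg
        if not cfg.enabled():
            return 0
        st = self.states.setdefault(self.key(ip, user), PosterState())
        gap = None if st.last_post is None else now - st.last_post
        if gap is None or gap > cfg.backoffpostslow:
            # Slow enough: sleep time is zero and backoff is deactivated.
            st.posts, sleep = 1, 0
        else:
            st.posts += 1
            if st.posts <= cfg.backofftrigger:
                sleep = 0                               # not yet triggered
            elif gap < cfg.backoffpostfast:
                sleep = 1 + st.prev_sleep * cfg.backoffk
            else:
                sleep = st.prev_sleep                   # between fast and slow
        st.last_post, st.prev_sleep = now, sleep
        return sleep


def simulate(cfg: BackoffConfig,
             events: List[Tuple[int, str, Optional[str]]]) -> List[int]:
    """Run (time, ip, user) posting events through a fresh table."""
    table = BackoffTable(cfg)
    return [table.post(now, ip, user) for now, ip, user in events]


def max_posts_per_day(cfg: BackoffConfig) -> int:
    # The bound given under backoffpostslow: 86400/backoffpostslow.
    return 86400 // cfg.backoffpostslow


# Constructed configuration and timeline (seconds), for illustration only.
CONSTRUCTED_CFG = BackoffConfig(backoffdb="/constructed/path/backoff",
                                backoffk=2, backoffpostfast=5,
                                backoffpostslow=60, backofftrigger=3)
CONSTRUCTED_TIMES = [0, 1, 2, 3, 4, 5, 30, 31, 200]


def demo() -> List[int]:
    events = [(t, "192.0.2.10", None) for t in CONSTRUCTED_TIMES]
    return simulate(CONSTRUCTED_CFG, events)


if __name__ == "__main__":
    for t, s in zip(CONSTRUCTED_TIMES, demo()):
        print("post at t=%3ds -> sleep %2ds" % (t, s))
    print("daily ceiling:", max_posts_per_day(CONSTRUCTED_CFG))
```

With backoffk left at its default of 1, the fast branch grows the sleep time by one second per post rather than exponentially, which is why a value of 2 or more is needed for real throttling.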
1105 TLS/SSL Support for Reading and Posting
1106 Here are the parameters used by nnrpd(8) to provide TLS/SSL support.
1107
1108 The parameters related to certificates are:
1109
1110 tlscafile
1111 The path to a file containing certificate authority root
1112 certificates, used to present a trust chain to a TLS client. This
1113 parameter is only used if nnrpd is built with TLS/SSL support. The
1114 default value is an empty string.
1115
1116 tlscapath
1117 The path to a directory containing certificate authority root
1118 certificates. Each file in the directory should contain one CA
1119 certificate, and the name of the file should be the CA subject name
1120 hash value. See the OpenSSL documentation for more information.
1121 This parameter is only used if nnrpd is built with TLS/SSL support.
1122 The default value is pathetc.
1123
1124 tlscertfile
1125 The path to a file containing the server certificate to present to
1126 TLS clients. This parameter is only used if nnrpd is built with
1127 TLS/SSL support. The default value is pathetc/cert.pem.
1128
1129 If you want to use a complete certificate chain, you can directly
1130 put it in tlscertfile (like Apache's SSLCertificateFile directive).
1131 Alternately, you can put a single certificate in tlscertfile and
1132 use tlscafile for additional certificates needed to complete the
1133 chain, like a separate authority root certificate.
1134
1135 More concretely, when using Let's Encrypt certificates, Certbot's
1136 files can be installed as follows:
1137
1138 tlscapath: /etc/letsencrypt/live/news.server.com
1139 tlscertfile: /etc/letsencrypt/live/news.server.com/fullchain.pem
1140 tlskeyfile: /etc/letsencrypt/live/news.server.com/privkey.pem
1141
1142 or:
1143
1144 tlscapath: /etc/letsencrypt/live/news.server.com
1145 tlscafile: /etc/letsencrypt/live/news.server.com/chain.pem
1146 tlscertfile: /etc/letsencrypt/live/news.server.com/cert.pem
1147 tlskeyfile: /etc/letsencrypt/live/news.server.com/privkey.pem
1148
1149 Make sure that the permission rights are properly set so that the
1150 news user or the news group can read these directories and files
1151 (typically, access is needed to /etc/letsencrypt/live/news.server.com
1152 and /etc/letsencrypt/archive/news.server.com where the real keys
1153 are located, and the private key should not be world-readable).
1154
1155 tlskeyfile
1156 The path to a file containing the encryption key for the server
1157 certificate named in tlscertfile. This may be the same as
1158 tlscertfile if, when you created the certificate, you put the key
1159 in the same file (if, for example, you gave the same file name to
1160 both the -out and -keyout options to "openssl req"). This
1161 parameter is only used if nnrpd is built with TLS/SSL support. The
1162 default value is pathetc/key.pem.
1163
1164 This file must only be readable by the news user or nnrpd will
1165 refuse to use it.
1166
1167 Finally, here are the parameters that can be used to tighten the level
1168 of security provided by TLS/SSL in case new attacks exploitable in NNTP
1169 on the TLS protocol or some supported cipher suite are discovered:
1170
1171 tlsciphers
1172 The string describing the cipher suites OpenSSL will support for
1173 TLS 1.2 and below. See OpenSSL's ciphers(1) command documentation
1174 for details. The default is unset, which uses OpenSSL's default
1175 cipher suite list.
1176
1177 tlsciphers13
1178 The string describing the cipher suites OpenSSL will support for
1179 TLS 1.3. See OpenSSL's ciphers(1) command documentation for
1180 details. The default is unset, which uses OpenSSL's default cipher
1181 suite list.
1182
1183 Note that a separate cipher suite configuration parameter is needed
1184 for TLS 1.3 because TLS 1.3 cipher suites are not compatible with
1185 TLS 1.2, and vice-versa. In order to avoid issues where legacy
1186 TLS 1.2 cipher suite configuration configured in the tlsciphers
1187 parameter would inadvertently disable all TLS 1.3 cipher suites,
1188 the inn.conf configuration has been separated out.
1189
1190 tlscompression
1191 Whether to enable or disable TLS/SSL-level compression support, if
1192 the negotiated protocol supports it (notably, TLS 1.3 no longer
1193 supports it). This is a boolean and the default is false, that is
1194 to say compression is disabled, so as to follow the best current
1195 practices for a secure use of TLS in application protocols (see
1196 RFC 8143 for NNTP).
1197
1198 Note that enabling TLS/SSL-level compression will be possible only
1199 if the OpenSSL library that INN has been built with supports that
1200 feature.
1201
1202 tlseccurve
1203 The name of the elliptic curve to use for ephemeral key exchanges.
1204 To see the list of curves supported by OpenSSL, use "openssl
1205 ecparam -list_curves".
1206
1207 The default is unset, which means an appropriate curve is auto-
1208 selected (if your OpenSSL version is at least 1.0.2 or you are
1209 using LibreSSL) or the NIST P-256 curve is used.
1210
1211 This option is only effective if your OpenSSL version has ECDH
1212 support.
1213
1214 tlspreferserverciphers
1215 Whether to let the client or the server decide the preferred cipher
1216 suite, signature algorithm or elliptic curve to use for an incoming
1217 connection. This is a boolean and the default is true, that is to
1218 say the server will choose following its own preferences.
1219
1220 tlsprotocols
1221 The list of TLS/SSL protocol versions to support. Valid protocols
1222 are SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3. The default
1223 value is to only allow secure TLS protocols:
1224
1225 tlsprotocols: [ TLSv1.2 TLSv1.3 ]
1226
1227 Note that the listed protocols will be enabled only if the OpenSSL
1228 library that INN has been built with supports them. In case OpenSSL
1229 supports protocols more recent than TLSv1.3, they will be
1230 automatically enabled (which anyway is fine regarding security, as
1231 newer protocols are supposed to be more secure).
1232
1233 "SSLv2" was formally deprecated by RFC 6176 in 2011, "SSLv3" by
1234 RFC 7568 in 2015, "TLSv1.0" and "TLSv1.1" by RFC 8996 in 2021.
1235
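A configuration audit for the TLS parameters above, as an added example (not part of INN). It parses inn.conf using the syntax rules from the start of this page and reports deprecated protocols, enabled compression, a tlsciphers setting that leaves TLS 1.3 on OpenSSL defaults, and a key file with group or other permission bits. The function names and sample file are constructed, and treating any group/other bit as a finding is an assumption about how strictly "only readable by the news user" is enforced.

```python
import os
import stat

# Protocol names and RFCs as listed under tlsprotocols in inn.conf(5).
DEPRECATED = {"SSLv2": "RFC 6176", "SSLv3": "RFC 7568",
              "TLSv1": "RFC 8996", "TLSv1.1": "RFC 8996"}
TRUE_VALUES = {"true", "yes", "on"}  # boolean spellings are case-sensitive

# Constructed sample; {key} is filled in with a real path by the caller.
SAMPLE = """\
# constructed example, not a recommended configuration
tlsprotocols:   [ TLSv1.1 TLSv1.2 TLSv1.3 ]
tlsprotocols:   [ TLSv1.3 ]
tlscompression: yes
tlsciphers:     "ECDHE+AESGCM:!aNULL"
tlskeyfile:     {key}
"""


def parse_value(raw):
    """Decode one value: a [ list ], a "quoted string", or a bare word."""
    raw = raw.strip()
    if raw.startswith("["):
        end = raw.find("]")
        return raw[1:end if end != -1 else len(raw)].split()
    if raw.startswith('"'):
        out, i = [], 1
        while i < len(raw) and raw[i] != '"':
            if raw[i] == "\\" and i + 1 < len(raw):
                i += 1                  # backslash escapes the next character
            out.append(raw[i])
            i += 1
        return "".join(out)
    return raw


def parse_inn_conf(text):
    """Return {name: value}; when a name repeats, the first value is kept."""
    params = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        name, sep, raw = stripped.partition(":")
        if sep:
            params.setdefault(name.strip(), parse_value(raw))
    return params


def audit_tls(params):
    """Return a list of findings for the TLS-related parameters."""
    findings = []
    protocols = params.get("tlsprotocols", ["TLSv1.2", "TLSv1.3"])
    if isinstance(protocols, str):
        protocols = protocols.split()
    for proto in protocols:
        if proto in DEPRECATED:
            findings.append("tlsprotocols enables %s (deprecated by %s)"
                            % (proto, DEPRECATED[proto]))
    if params.get("tlscompression", "false") in TRUE_VALUES:
        findings.append("tlscompression is enabled; the default (off) "
                        "follows RFC 8143")
    if ("tlsciphers" in params and "tlsciphers13" not in params
            and "TLSv1.3" in protocols):
        findings.append("note: tlsciphers covers TLS 1.2 and below only; "
                        "TLS 1.3 uses OpenSSL's default suites")
    keyfile = params.get("tlskeyfile")
    if keyfile is None and "pathetc" in params:
        keyfile = os.path.join(params["pathetc"], "key.pem")  # documented default
    if keyfile is not None:
        try:
            mode = stat.S_IMODE(os.stat(keyfile).st_mode)
        except OSError as exc:
            findings.append("tlskeyfile %s: cannot stat (%s)"
                            % (keyfile, exc.strerror))
        else:
            if mode & 0o077:
                findings.append("tlskeyfile %s has mode %04o; it must only be "
                                "readable by the news user" % (keyfile, mode))
    return findings


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        key = os.path.join(tmp, "key.pem")
        open(key, "w").close()
        os.chmod(key, 0o644)            # deliberately too permissive
        for finding in audit_tls(parse_inn_conf(SAMPLE.format(key=key))):
            print(finding)
```

Because the first occurrence of a parameter wins, the second tlsprotocols line in the sample has no effect and TLSv1.1 stays enabled; the audit reports what the server would actually use.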
1236 Monitoring
1237 These parameters control the behavior of innwatch(8), the program that
1238 monitors INN and informs the news administrator if anything goes wrong
1239 with it.
1240
1241 doinnwatch
1242 Whether to start innwatch(8) from rc.news. This is a boolean
1243 value, and the default is true.
1244
1245 innwatchbatchspace
1246 Free space in pathoutgoing, in inndf(8) output units (normally
1247 kilobytes), at which innd(8) will be throttled by innwatch(8),
1248 assuming a default innwatch.ctl. The default value is 4000.
1249
1250 innwatchlibspace
1251 Free space in pathdb, in inndf(8) output units (normally
1252 kilobytes), at which innd(8) will be throttled by innwatch(8),
1253 assuming a default innwatch.ctl. The default value is 25000.
1254
1255 innwatchloload
1256 Load average times 100 at which innd(8) will be restarted by
1257 innwatch(8) (undoing a previous pause or throttle), assuming a
1258 default innwatch.ctl. The default value is 1000 (that is, a load
1259 average of 10.00).
1260
1261 innwatchhiload
1262 Load average times 100 at which innd(8) will be throttled by
1263 innwatch(8), assuming a default innwatch.ctl. The default value is
1264 2000 (that is, a load average of 20.00).
1265
1266 innwatchpauseload
1267 Load average times 100 at which innd(8) will be paused by
1268 innwatch(8), assuming a default innwatch.ctl. The default value is
1269 1500 (that is, a load average of 15.00).
1270
1271 innwatchsleeptime
1272 How long (in seconds) innwatch(8) will sleep between each check of
1273 INN. The default value is 600.
1274
1275 innwatchspoolnodes
1276 Free inodes in patharticles at which innd(8) will be throttled by
1277 innwatch(8), assuming a default innwatch.ctl. The default value is
1278 200.
1279
1280 innwatchspoolspace
1281 Free space in patharticles and pathoverview, in inndf(8) output
1282 units (normally kilobytes), at which innd(8) will be throttled by
1283 innwatch(8), assuming a default innwatch.ctl. The default value is
1284 25000.
1285
1286 Logging
1287 These parameters control what information INN logs.
1288
1289 docnfsstat
1290 Whether to start cnfsstat(8) when innd(8) is started. cnfsstat
1291 will log the status of all CNFS cycbuffs to syslog on a periodic
1292 basis (frequency is the default for "cnfsstat -l", currently 600
1293 seconds). This is a boolean value and the default is false.
1294
1295 htmlstatus
1296 Whether innd should write the status report as an HTML file or in
1297 plain text. The HTML status file goes to pathhttp/inn_status.html,
1298 while the plain text status file is written to pathlog/inn.status.
1299 This is a boolean value and the default is true (an HTML status
1300 file is written). Also see the status parameter.
1301
incominglogfrequency
How many articles to process on an incoming channel before logging
the activity. The default value is 200.

logartsize
Whether the size of accepted articles (in bytes) should be written
to the article log file. This is useful for flow rate statistics
and is recommended. This is a boolean value and the default is
true.

logcancelcomm
Set this to true to log "ctlinnd cancel" commands to syslog. This
is a boolean value and the default is false.

logcycles
How many old logs scanlogs(8) keeps. scanlogs(8) is generally run
by news.daily(8) and will archive compressed copies of this many
days' worth of old logs. The default value is 3.

logipaddr
Whether the verified name of the remote feeding host should be
logged to the article log for incoming articles rather than the
last entry in the Path header field body. The only reason to ever
set this to false is due to some interactions with newsfeeds flags;
see newsfeeds(5) for more information. This is a boolean value and
the default is true.

logsitename
Whether the names of the sites to which accepted articles will be
sent should be put into the article log file. This is useful for
debugging and statistics. This is a boolean value and the default
is true.

logstatus
Whether innd should write a shortened version of its status report
to syslog every status seconds. This is a boolean value and the
default is true. If set to true, see the status parameter for more
details on how to enable status reporting.

logtrash
Whether innd should add a line in the news log file to report
unwanted newsgroups (that is to say newsgroups not locally carried
by the news server). This is a boolean value and the default is
true. It may be useful to set it to false when wanttrash is set to
true.

nnrpdoverstats
Whether nnrpd overview statistics should be logged via syslog.
This can be useful for measuring overview performance. This is a
boolean value and the default is true.

nntplinklog
Whether to put the storage API token for accepted articles (used by
nntplink) in the article log. This is a boolean value and the
default is false.

stathist
Where to write history statistics for analysis with
contrib/stathist; this can be modified with ctlinnd(8) while innd
is running. Logging does not occur unless a path is given, and
there is no default value.

status
How frequently (in seconds) innd(8) should write out a status
report. The report is written to pathhttp/inn_status.html or
pathlog/inn.status depending on the value of htmlstatus. If this
is set to 0 or "false", status reporting is disabled. The default
value is 600 (that is to say reports are written every 10 minutes).

timer
How frequently (in seconds) innd(8) should report performance
timings to syslog. If this is set to 0, performance timing is
disabled. Enabling this is highly recommended, and innreport(8)
can produce a nice summary of the timings. If set to 0,
performance timings in nnrpd(8) are also disabled, although nnrpd
always reports statistics on exit and therefore any non-zero value
is equivalent for it. The default value is 600 (that is to say
performance timings are reported every 10 minutes).

System Tuning
The following parameters can be modified to tune the low-level
operation of INN. In general, you shouldn't need to modify any of them
except possibly rlimitnofile unless the server is having difficulty.

badiocount
How many read or write failures until a channel is put to sleep or
closed. The default value is 5.

blockbackoff
Each time an attempted write returns EAGAIN or EWOULDBLOCK, innd(8)
will wait for an increasing number of seconds before trying it
again. This is the multiplier for the sleep time. If you're
having trouble with channel feeds not keeping up, it may be good to
change this value to 2 or 3, since then when the channel fills INN
will try again in a couple of seconds rather than waiting two
minutes. The default value is 120.

chaninacttime
The time (in seconds) to wait between noticing inactive channels.
The default value is 600.

chanretrytime
How many seconds to wait before a channel restarts. The default
value is 300.

datamovethreshold
The threshold for deciding whether to move already-read data to the
top of buffer or extend the buffer. The buffer described here is
used for reading NNTP data. Increasing this value may improve
performance, but it should not be increased on systems with
insufficient memory. Permitted values are between 0 and 1048576
(out of range values are treated as 1048576) and the default value
is 16384.

icdsynccount
How many article writes between updating the active and history
files. The default value is 10.

keepmmappedthreshold
When using buffindexed, retrieving overview data (that is,
responding to OVER or running expireover) causes mmapping of all
overview data blocks which include requested overview data for a
newsgroup. But for high volume newsgroups like control.cancel,
this may cause too much mmapping at once, leading to system resource
problems. To avoid this, if the amount to be mmapped exceeds
keepmmappedthreshold (in KB), buffindexed mmaps just one overview
block (8 KB). This parameter is specific to the buffindexed overview
storage method. The default value is 1024 (1 MB).

maxcmdreadsize
If set to anything other than 0, the maximum buffer size (in bytes)
for reading NNTP commands will have this value. It should not be large
on systems which are slow to process and store articles, as that
would lead to innd(8) spending a long time on each channel and
keeping other channels waiting. The default value is BUFSIZ
defined in stdio.h (1024 in most environments, see setbuf(3)).

maxforks
How many times to attempt a fork(2) before giving up. The default
value is 10.

maxlisten
How many incoming connections can queue up in the listen backlog
for innd, nnrpd and two overview storage methods ("ovdb" and
"ovsqlite"). The default value is 128 and should be raised in case
you notice that some connection requests get dropped.

nicekids
If set to anything other than 0, all child processes of innd(8)
will have this nice(2) value. This is usually used to give all
child processes of innd(8) a lower priority (higher nice value) so
that innd(8) can get the lion's share of the CPU when it needs it.
The default value is 4.

nicenewnews
If set to anything greater than 0, all nnrpd(8) processes that
receive and process a NEWNEWS command will nice(2) themselves to
this value (giving other nnrpd processes a higher priority). The
default value is 0. Note that this value will be ignored if set to
a lower value than nicennrpd (or nicekids if nnrpd(8) is spawned
from innd(8)).

nicennrpd
If set to anything greater than 0, all nnrpd(8) processes will
nice(2) themselves to this value. This gives other news processes
a higher priority and can help overchan(8) keep up with incoming
news (if that's the object, be sure overchan(8) isn't also set to a
lower priority via nicekids). The default value is 0, which will
cause nnrpd(8) processes spawned from innd(8) to use the value of
nicekids, while nnrpd(8) run as a daemon will use the system
default priority. Note that for nnrpd(8) processes spawned from
innd(8), this value will be ignored if set to a value lower than
nicekids.

pauseretrytime
Wait for this many seconds before noticing inactive channels. Wait
for this many seconds before innd processes articles when it's
paused or the number of channel write failures exceeds badiocount.
The default value is 300.

peertimeout
How long (in seconds) an innd(8) incoming channel may be inactive
before innd closes it. The default value is 3600 (an hour).

rlimitnofile
The maximum number of file descriptors that innd(8) or innfeed(8)
can have open at once. If innd(8) or innfeed(8) attempts to open
more file descriptors than this value, it is possible the program
may throttle or otherwise suffer reduced functionality. The number
of open file descriptors is roughly the maximum number of incoming
feeds and outgoing batches for innd(8) and the number of outgoing
streams for innfeed(8). If this parameter is set to a negative
value, the default limit of the operating system will be used; this
will normally be adequate on systems other than Solaris. Nearly
all operating systems have some hard maximum limit beyond which
this value cannot be raised, usually either 128, 256, or 1024. The
default value of this parameter is "-1". Setting it to 256 on
Solaris systems is highly recommended.

Paths Names
patharchive
Where to store archived news. The default value is
pathspool/archive.

patharticles
The path to where the news articles are stored (for storage methods
other than CNFS). The default value is pathspool/articles.

pathbin
The path to the news binaries. The default value is pathnews/bin.

pathcontrol
The path to the files that handle control messages. The code for
handling each separate type of control message is located here. Be
very careful what you put in this directory with a name ending in
".pl", as it can potentially be a severe security risk. The
default value is pathbin/control.

pathdb
The path to the database files used and updated by the server
(currently, active, active.times, history and its indices, and
newsgroups). The default value is pathnews/db.

pathetc
The path to the news configuration files. The default value is
pathnews/etc.

pathfilter
The path to the Perl and Python filters. The default value is
pathbin/filter.

pathhttp
Where any HTML files (such as periodic status reports) are placed.
If the news reports should be available in real-time on the web,
the files in this directory should be served by a web server. The
default value is the value of pathnews/http.

pathincoming
Location where incoming batched news is stored. The default value
is pathspool/incoming.

pathlog
Where the news log files are written. The default value is
pathnews/log.

pathnews
The home directory of the news user and usually the root of the
news hierarchy. There is no default; this parameter must be set in
inn.conf or INN will refuse to start.

pathoutgoing
Default location for outgoing feed files. The default value is
pathspool/outgoing.

pathoverview
The path to news overview files. The default value is
pathspool/overview.

pathrun
The path to files required while the server is running and run-time
state information. This includes lock files and the sockets for
communicating with innd(8). This directory and the control sockets
in it should be protected from unprivileged users other than the
news user. The default value is pathnews/run.

pathspool
The root of the news spool hierarchy. This is used mostly to set the
defaults for other parameters, and to determine the path to the
backlog directory for innfeed(8). The default value is
pathnews/spool.

pathtmp
Where INN puts temporary files. For security reasons, this is not
the same as the system temporary files directory (INN creates a lot
of temporary files with predictable names and does not go to
particularly great lengths to protect against symlink attacks and
the like; this is safe provided that normal users can't write into
its temporary directory). The default value is set at configure
time and defaults to pathnews/tmp.
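
The audit below is an added example, not part of the INN documentation or INN's own code: it resolves pathcontrol, pathrun and pathtmp from inn.conf text using the defaults documented above and checks the protections those three descriptions ask for. The function names, the finding strings and the exact policy (directory owned by the news user, no write access for others, no access at all for others on pathrun, ".pl" handlers owned by root or news) are assumptions of this example.

```python
import os
import re
import stat

# Defaults from the descriptions above (pathtmp is really set at configure time).
DEFAULTS = {"pathbin": ("pathnews", "bin"), "pathcontrol": ("pathbin", "control"),
            "pathrun": ("pathnews", "run"), "pathtmp": ("pathnews", "tmp")}

def parse_inn_conf(text):
    """Parse '<name>: <value>' lines; the first occurrence of a name wins."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, value = (part.strip() for part in line.split(":", 1))
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = re.sub(r"\\(.)", r"\1", value[1:-1])  # undo \" and \\ escapes
        conf.setdefault(name, value)
    return conf

def resolve(conf, name):
    """Return the configured path, else the documented default under its parent."""
    if name in conf:
        return conf[name]
    parent, sub = DEFAULTS[name]  # KeyError for pathnews, which has no default
    return os.path.join(resolve(conf, parent), sub)

def audit(conf, news_uid):
    """Return (parameter, path, problem) tuples; the policy is this example's own."""
    findings = []
    for name in ("pathcontrol", "pathrun", "pathtmp"):
        top = resolve(conf, name)
        st = os.lstat(top) if os.path.lexists(top) else None
        if st is None or not stat.S_ISDIR(st.st_mode):
            findings.append((name, top, "missing or not a real directory"))
            continue
        if st.st_uid != news_uid:
            findings.append((name, top, "not owned by the news user"))
        if st.st_mode & (stat.S_IRWXO if name == "pathrun" else stat.S_IWOTH):
            findings.append((name, top, "open to other users"))
        for entry in os.scandir(top):
            est = entry.stat(follow_symlinks=False)
            if name == "pathcontrol" and entry.name.endswith(".pl") and (
                    est.st_uid not in (0, news_uid) or est.st_mode & stat.S_IWOTH):
                findings.append((name, entry.path, "untrusted .pl control handler"))
            if name == "pathrun" and stat.S_ISSOCK(est.st_mode) and est.st_mode & stat.S_IWOTH:
                findings.append((name, entry.path, "socket open to other users"))
    return findings
```

Run it as root or as the news user so that pathrun can be listed, passing the contents of inn.conf and the numeric uid of the news user; an empty result means none of the checked conditions were violated.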

Here is a very minimalist example that only sets those parameters that
are required.

mta: "/usr/lib/sendmail -oi -oem %s"
ovmethod: tradindexed
pathhost: news.example.com
pathnews: /usr/local/news
hismethod: hisv6

For a more comprehensive example, see the sample inn.conf distributed
with INN and installed as a starting point; it contains all of the
default values for reference.

Written by Rich $alz <rsalz@uunet.uu.net> for InterNetNews and since
modified, updated, and reorganized by innumerable other people.

inews(1), innd(8), innwatch(8), libinn_dbz(3), libinn_uwildmat(3),
makehistory(8), nnrpd(8), rnews(1).

Nearly every program in INN uses this file to one degree or another.
The above are just the major and most frequently mentioned ones.

INN 2.7.1 2023-04-16 INN.CONF(5)