1NNRPD(8) InterNetNews Documentation NNRPD(8)
2
6 nnrpd - NNTP server for reader clients
7
9 nnrpd [-BDfnoSt] [-4 address] [-6 address] [-b address] [-c configfile]
10 [-i initial] [-I instance] [-p port] [-P prefork] [-r reason] [-s
11 padding]
12
14 nnrpd is an NNTP server for newsreaders. It accepts commands on its
15 standard input and responds on its standard output. It is normally
16 invoked by innd(8) with those descriptors attached to a remote client
17 connection. nnrpd also supports running as a standalone daemon.
18 Unlike innd(8), nnrpd supports all NNTP commands for user-oriented
20 reading and posting. nnrpd uses the readers.conf file to control who
21 is authorized to access the Usenet database.
22 On exit, nnrpd will report usage statistics through syslog(3).
24 nnrpd is run from innd (the default) or from inetd(8), xinetd(8), or
26 some equivalent. As often as not, it is also run as a daemon, with the
27 -D option, to provide TLS support on a dedicated port.
28 nnrpd only reads config files (readers.conf, inn.conf and
30 inn-secrets.conf) when it is spawned. You can therefore never change
31 the behaviour of a client that's already connected. As a new nnrpd
32 process is spawned for every connection, any changes to these
33 configuration files will be immediately effective for all new
34 connections. There's only one exception: when nnrpd is run as a daemon
35 with the -D option, any configuration changes in inn.conf won't take
36 effect until nnrpd is restarted.
37 The inn.conf setting nnrpdflags can be used to pass any of the options
39 below to instances of nnrpd that are spawned directly from innd. Many
40 options only make sense when -D is used, so these options should not be
41 used with nnrpdflags. See also the discussion of nnrpdflags in
42 inn.conf(5).
43 When nnrpdloadlimit in inn.conf is not 0, it will also reject
45 connections if the load average is greater than that value (typically
46 16). nnrpd can also prevent high-volume posters from abusing your
47 resources. See the discussion of exponential backoff in inn.conf(5).
48 nnrpd injects articles into the local server running innd through a
50 UNIX domain socket, or an INET domain socket if not supported. If
51 another server should be used for injection, you can set it with the
52 nnrpdposthost parameter in inn.conf. In case authentication
53 credentials are requested during the injection, nnrpd will use the
54 passwd.nntp file in pathetc.
55
57 -4 address
58 The -4 parameter instructs nnrpd to bind to the specified IPv4
59 address when started as a standalone daemon using the -D flag.
60 This has to be a valid IPv4 address belonging to an interface of
61 the local host. It can also be 0.0.0.0, saying to bind to all
62 addresses (this is the default).
63 -6 address
65 The -6 parameter instructs nnrpd to bind to the specified IPv6
66 address when started as a standalone daemon using the -D flag.
67 This has to be a valid IPv6 address belonging to an interface of
68 the local host. It can also be "::0", saying to bind to all IPv6
69 addresses.
70 By default, nnrpd in daemon mode listens to both IPv4 and IPv6
72 addresses. With this option, it will listen only to the specified
73 IPv6 addresses. On some systems however, a value of "::0" will
74 cause it to listen to all IPv4 addresses as well.
75 -b address
77 Similar to the -4 flag. -b is kept for backwards compatibility.
78 -B If specified, nnrpd will report login attempts to blacklistd(8) for
80 automatic blocking after a number of failed attempts. To use this
81 flag, the blacklist library must have been found at configure time,
82 or --with-blacklist specified at configure time. For more
83 information, see "BLACKLISTD SUPPORT" below.
84 -c configfile
86 By default, nnrpd reads the readers.conf configuration file to
87 determine how to authenticate connections. The -c flag specifies
88 an alternate file for this purpose. If the file name isn't fully
89 qualified, it is taken to be relative to pathetc in inn.conf.
90 (This is useful to have several instances of nnrpd running on
91 different ports or IP addresses with different settings.)
92 -D If specified, this parameter causes nnrpd to operate as a daemon.
94 That is, it detaches itself and runs in the background, forking a
95 process for every connection. By default, nnrpd listens on the
96 NNTP port (119), so either innd(8) has to be started on another
97 port or the -p parameter used. Note that with this parameter,
98 nnrpd continues running until killed. This means that it reads
99 inn.conf once on startup and never again until restarted. nnrpd
100 should therefore be restarted if inn.conf is changed.
101 When started in daemon mode, nnrpd will write its PID into a file
103 in the pathrun directory. The file will be named nnrpd.pid if
104 nnrpd listens on port 119 (default), or nnrpd-%d.pid, where %d is
105 replaced with the port that nnrpd is configured to listen on (-p
106 option is given and its argument is not 119).
107 You may also want to use -s when running nnrpd as a daemon.
109 -f If specified, nnrpd does not detach itself and runs in the
111 foreground when started as a standalone daemon using the -D flag.
112 -i initial
114 Specify an initial command to nnrpd. When used, initial is taken
115 as if it were the first command received by nnrpd. After having
116 responded, nnrpd will close the connection.
117 -I instance
119 If specified, instance is used as an additional static portion
120 within Message-IDs generated by nnrpd, when virtualhost is set in
121 access groups in readers.conf; typically this option would be used
122 where a cluster of machines exist with the same virtual hostname
123 and must be disambiguated during posts.
124 -n The -n flag turns off resolution of IP addresses to names. If you
126 only use IP-based restrictions in readers.conf and can handle IP
127 addresses in your logs, using this flag may result in some
128 additional speed.
129 -o The -o flag causes all articles to be spooled instead of sending
131 them to innd(8). rnews with the -U flag should be invoked from
132 cron on a regular basis to take care of these articles. This flag
133 is useful if innd is accepting articles and nnrpd is started
134 standalone or using inetd(8).
135 -p port
137 The -p parameter instructs nnrpd to listen on port when started as
138 a standalone daemon using the -D flag.
139 -P prefork
141 The -P parameter instructs nnrpd to prefork prefork children
142 awaiting connections when started as a standalone daemon using the
143 -D flag.
144 -r reason
146 If the -r flag is used, then nnrpd will reject the incoming
147 connection giving reason as the text. This flag is used by innd(8)
148 when it is paused or throttled. reason should be encoded in UTF-8.
149 -s padding
151 As each command is received from a client, nnrpd tries to change
152 its "argv" array containing the process title so that commands like
153 ps(1) will print out the hostname of the connected client and the
154 command being executed. To get a full display, the -s flag may be
155 used with a long string as its argument, which will be overwritten
156 when nnrpd changes its title.
157 When innd spawns nnrpd, this flag is used with an argument made of
159 48 spaces.
160 -S If specified, nnrpd will start a negotiation for a TLS session as
162 soon as connected. To use this flag, the OpenSSL SSL and crypto
163 libraries must have been found at configure time, or --with-openssl
164 specified at configure time. For more information on running nnrpd
165 with TLS support, see "TLS SUPPORT".
166 -t If the -t flag is used, then all client commands and initial
168 responses will be traced by reporting them in syslog. This flag is
169 set by innd(8) under the control of the ctlinnd(8) "trace" command,
170 and is toggled upon receipt of a SIGHUP; see signal(2).
171
173 If INN is built with --with-openssl or if the OpenSSL SSL and crypto
174 libraries are found at configure time, nnrpd will support news reading
175 over TLS (also known as SSL). For clients that use the STARTTLS
176 command, no special configuration is needed beyond creating a TLS/SSL
177 certificate for the server. You should do this in exactly the same way
178 that you would generate a certificate for a web server.
179 If you're happy with a self-signed certificate (which will generate
181 warnings with some news reader clients), you can create and install one
182 in the default path by running "make cert" after "make install" when
183 installing INN, or by running the following commands:
184 umask 077
186 openssl req -new -x509 -nodes -out <pathetc>/cert.pem \
187 -days 366 -keyout <pathetc>/key.pem
188 chown news:news <pathetc>/cert.pem
189 chmod 640 <pathetc>/cert.pem
190 chown news:news <pathetc>/key.pem
191 chmod 600 <pathetc>/key.pem
192 Replace the paths with something appropriate to your INN installation.
194 This will create a self-signed certificate that will expire in a year.
195 The openssl program will ask you a variety of questions about your
196 organization. Enter the fully qualified domain name of your news
197 service (either the server canonical name or a dedicated alias for the
198 news service) as the name the certificate is for.
199 You then have to set these inn.conf parameters with the right paths:
201 tlscapath: <pathetc>
203 tlscertfile: <pathetc>/cert.pem
204 tlskeyfile: <pathetc>/key.pem
205 If you want to use a complete certificate chain, you can directly put
207 it in tlscertfile (like Apache's SSLCertificateFile directive).
208 Alternately, you can put a single certificate in tlscertfile and use
209 tlscafile for additional certificates needed to complete the chain,
210 like a separate authority root certificate.
211 More concretely, when using Let's Encrypt certificates, Certbot's files
213 can be installed as follows:
214 tlscapath: /etc/letsencrypt/live/news.server.com
216 tlscertfile: /etc/letsencrypt/live/news.server.com/fullchain.pem
217 tlskeyfile: /etc/letsencrypt/live/news.server.com/privkey.pem
218 or:
220 tlscapath: /etc/letsencrypt/live/news.server.com
222 tlscafile: /etc/letsencrypt/live/news.server.com/chain.pem
223 tlscertfile: /etc/letsencrypt/live/news.server.com/cert.pem
224 tlskeyfile: /etc/letsencrypt/live/news.server.com/privkey.pem
225 Make sure that the permission rights are properly set so that the news
227 user or the news group can read these directories and files (typically,
228 he should access /etc/letsencrypt/live/news.server.com and
229 /etc/letsencrypt/archive/news.server.com where the real keys are
230 located, and the private key should not be world-readable).
231 There are two common ways for a news client to negotiate a TLS
233 connection: either via the use of a dedicated port (usually 563) on
234 which TLS is immediately negotiated upon connection, or via the now
235 discouraged way (per RFC 8143) to use the STARTTLS command on the usual
236 NNTP port (119) to dynamically upgrade from unencrypted to TLS-
237 protected traffic during an NNTP session. innd does not, however, know
238 how to listen for connections to that separate port (563). You will
239 therefore need to arrange for nnrpd to listen on that port through some
240 other means. This can be done with the -D flag along with "-p 563" and
241 put into your init scripts:
242 su news -s /bin/sh -c '<pathbin>/nnrpd -D -p 563 -S'
244 but the easiest way is probably to add a line like:
246 nntps stream tcp nowait news <pathbin>/nnrpd nnrpd -S
248 to /etc/inetd.conf or the equivalent on your system and let inetd run
250 nnrpd. (Change the path to nnrpd to match your installation.) You may
251 need to replace "nntps" with 563 if "nntps" isn't defined in
252 /etc/services on your system. You may also want to use the lowercase
253 -s flag with a long string as its argument to see more information
254 about incoming connections in ps(1) output.
255 Optionally, you may set the tlsciphers, tlsciphers13, tlscompression,
257 tlseccurve, tlspreferserverciphers, and tlsprotocols parameters in
258 inn.conf to fine-tune the behaviour of the TLS/SSL negotiation whenever
259 a new attack on the TLS protocol or some supported cipher suite is
260 discovered.
261
263 blacklistd(8) is a FreeBSD/NetBSD daemon for preventing brute force
264 attacks by blocking attackers after a number of failed login attempts.
265 When nnrpd is built with blacklistd support, it will report login
266 attempts to the blacklistd daemon for potential blocking.
267 Adding the configuration below to /etc/blacklistd.conf under the
269 "[local]" section, assuming nnrpd is listening on port 563, would lead
270 to attackers being blocked for 10 minutes after 5 failed login
271 attempts.
272 # adr/mask:port type proto owner name nfail disable
274 563 stream * * * 5 10m
275 See the blacklistd(8) documentation for more information.
277
279 nnrpd implements the NNTP commands defined in RFC 3977 (NNTP), RFC 4642
280 updated by RFC 8143 (TLS/NNTP), RFC 4643 (NNTP authentication),
281 RFC 6048 (NNTP LIST additions) and RFC 8054 (NNTP compression) with the
282 following differences:
283 1. The XGTITLE [wildmat] command is provided. This extension is used
285 by ANU-News and documented in RFC 2980. It returns a 282 reply
286 code, followed by a one-line description of all newsgroups that
287 match the pattern. The default is the current group.
288 Note that LIST NEWSGROUPS should be used instead of XGTITLE.
290 2. The XHDR header [message-ID|range] command is implemented. It
292 returns a 221 reply code, followed by specific header fields for
293 the specified range; the default is to return the data for the
294 current article. See RFC 2980.
295 Note that HDR should be used instead of XHDR.
297 3. The XOVER [range] command is provided. It returns a 224 reply
299 code, followed by the overview data for the specified range; the
300 default is to return the data for the current article. See
301 RFC 2980.
302 Note that OVER should be used instead of XOVER.
304 4. A new command, XPAT header message-ID|range pattern [pattern ...],
306 is provided. The first argument is the case-insensitive name of
307 the header field to be searched. The second argument is either an
308 article range or a single message-ID, as specified in RFC 2980.
309 The third argument is a uwildmat-style pattern; if there are
310 additional arguments, they are joined together separated by a
311 single space to form the complete pattern. This command is similar
312 to the XHDR command. It returns a 221 response code, followed by
313 the text response of all article numbers that match the pattern.
314 5. A newsgroup name is case-sensitive for nnrpd.
316 6. If IHAVE has been advertised, it will not necessarily be advertised
318 for the entire session (contrary to section 3.4.1 of RFC 3977).
319 nnrpd only advertises the IHAVE capability when it is really
320 available.
321 7. nnrpd allows a wider syntax for wildmats and ranges (especially "-"
323 and "-article-number").
324 8. When keyword generation is used, an experimental feature enabled
326 with the keywords parameter in inn.conf, "Keywords:full" is
327 advertised in LIST OVERVIEW.FMT even though overview information is
328 computed and does not necessarily come from Keywords header fields.
329
331 Written by Rich $alz <rsalz@uunet.uu.net> for InterNetNews. Overview
332 support added by Rob Robertston <rob@violet.berkeley.edu> and Rich in
333 January, 1993. Exponential backoff (for posting) added by Dave Hayes
334 in Febuary 1998.
335
337 blacklistd(8), ctlinnd(8), innd(8), inn.conf(5), inn-secrets.conf(5),
338 libinn_uwildmat(3), nnrpd.track(5), passwd.nntp(5), readers.conf(5),
339 signal(2).
340INN 2.7.1 2023-04-16 NNRPD(8)