Ubuntu Manpage: nnrpd - NNTP server for reader clients

NAME

       nnrpd - NNTP server for reader clients

SYNOPSIS

       nnrpd [-BDfnoSt] [-4 address] [-6 address] [-b address] [-c configfile] [-i initial] [-I instance] [-p
       port] [-P prefork] [-r reason] [-s padding]

DESCRIPTION

nnrpd is an NNTP server for newsreaders. It accepts commands on its standard input and responds on its
standard output. It is normally invoked by innd(8) with those descriptors attached to a remote client
connection. nnrpd also supports running as a standalone daemon.

Unlike innd(8), nnrpd supports all NNTP commands for user-oriented reading and posting. nnrpd uses the
readers.conf file to control who is authorized to access the Usenet database.

On exit, nnrpd will report usage statistics through syslog(3).

nnrpd is run from innd (the default) or from inetd(8), xinetd(8), or some equivalent. As often as not,
it is also run as a daemon, with the -D option, to provide TLS support on a dedicated port.

nnrpd only reads config files (readers.conf, inn.conf and inn-secrets.conf) when it is spawned. You can
therefore never change the behaviour of a client that's already connected. As a new nnrpd process is
spawned for every connection, any changes to these configuration files will be immediately effective for
all new connections. There's only one exception: when nnrpd is run as a daemon with the -D option, any
configuration changes in inn.conf won't take effect until nnrpd is restarted.

The inn.conf setting nnrpdflags can be used to pass any of the options below to instances of nnrpd that
are spawned directly from innd. Many options only make sense when -D is used, so these options should
not be used with nnrpdflags. See also the discussion of nnrpdflags in inn.conf(5).

When nnrpdloadlimit in inn.conf is not "0", it will also reject connections if the load average is
greater than that value (typically "16"). nnrpd can also prevent high-volume posters from abusing your
resources. See the discussion of exponential backoff in inn.conf(5).

nnrpd injects articles into the local server running innd through a UNIX domain socket, or an INET domain
socket if not supported. If another server should be used for injection, you can set it with the
nnrpdposthost parameter in inn.conf. In case authentication credentials are requested during the
injection, nnrpd will use the passwd.nntp file in pathetc.

OPTIONS

-4 address
The -4 parameter instructs nnrpd to bind to the specified IPv4 address when started as a standalone
daemon using the -D flag. This has to be a valid IPv4 address belonging to an interface of the local
host. It can also be "0.0.0.0", saying to bind to all addresses (this is the default).

-6 address
The -6 parameter instructs nnrpd to bind to the specified IPv6 address when started as a standalone
daemon using the -D flag. This has to be a valid IPv6 address belonging to an interface of the local
host. It can also be "::0", saying to bind to all IPv6 addresses.

By default, nnrpd in daemon mode listens to both IPv4 and IPv6 addresses. With this option, it will
listen only to the specified IPv6 addresses. On some systems however, a value of "::0" will cause it
to listen to all IPv4 addresses as well.

-b address
Similar to the -4 flag. -b is kept for backwards compatibility.

-B If specified, nnrpd will report login attempts to blacklistd(8) for automatic blocking after a number
of failed attempts. To use this flag, the blacklist library must have been found at configure time,
or --with-blacklist specified at configure time. For more information, see "BLACKLISTD SUPPORT"
below.

-c configfile
By default, nnrpd reads the readers.conf configuration file to determine how to authenticate
connections. The -c flag specifies an alternate file for this purpose. If the file name isn't fully
qualified, it is taken to be relative to pathetc in inn.conf. (This is useful to have several
instances of nnrpd running on different ports or IP addresses with different settings.)

-D If specified, this parameter causes nnrpd to operate as a daemon. That is, it detaches itself and
runs in the background, forking a process for every connection. By default, nnrpd listens on the
NNTP port (119), so either innd(8) has to be started on another port or the -p parameter used. Note
that with this parameter, nnrpd continues running until killed. This means that it reads inn.conf
once on startup and never again until restarted. nnrpd should therefore be restarted if inn.conf is
changed.

When started in daemon mode, nnrpd will write its PID into a file in the pathrun directory. The file
will be named nnrpd.pid if nnrpd listens on port 119 (default), or nnrpd-%d.pid, where "%d" is
replaced with the port that nnrpd is configured to listen on (-p option is given and its argument is
not "119").

You may also want to use -s when running nnrpd as a daemon.

-f If specified, nnrpd does not detach itself and runs in the foreground when started as a standalone
daemon using the -D flag.

-i initial
Specify an initial command to nnrpd. When used, initial is taken as if it were the first command
received by nnrpd. After having responded, nnrpd will close the connection.

-I instance
If specified, instance is used as an additional static portion within Message-IDs generated by nnrpd,
when virtualhost is set in access groups in readers.conf; typically this option would be used where a
cluster of machines exist with the same virtual hostname and must be disambiguated during posts.

-n The -n flag turns off resolution of IP addresses to names. If you only use IP-based restrictions in
readers.conf and can handle IP addresses in your logs, using this flag may result in some additional
speed.

-o The -o flag causes all articles to be spooled instead of sending them to innd(8). rnews with the -U
flag should be invoked from cron on a regular basis to take care of these articles. This flag is
useful if innd is accepting articles and nnrpd is started standalone or using inetd(8).

-p port
The -p parameter instructs nnrpd to listen on port when started as a standalone daemon using the -D
flag.

-P prefork
The -P parameter instructs nnrpd to prefork prefork children awaiting connections when started as a
standalone daemon using the -D flag.

-r reason
If the -r flag is used, then nnrpd will reject the incoming connection giving reason as the text.
This flag is used by innd(8) when it is paused or throttled. reason should be encoded in UTF-8.

-s padding
As each command is received from a client, nnrpd tries to change its "argv" array containing the
process title so that commands like ps(1) will print out the hostname of the connected client and the
command being executed. To get a full display, the -s flag may be used with a long string as its
argument, which will be overwritten when nnrpd changes its title.

When innd spawns nnrpd, this flag is used with an argument made of 48 spaces.

-S If specified, nnrpd will start a negotiation for a TLS session as soon as connected. To use this
flag, the OpenSSL SSL and crypto libraries must have been found at configure time, or --with-openssl
specified at configure time. For more information on running nnrpd with TLS support, see "TLS
SUPPORT".

-t If the -t flag is used, then all client commands and initial responses will be traced by reporting
them in syslog. This flag is set by innd(8) under the control of the ctlinnd(8) "trace" command, and
is toggled upon receipt of a SIGHUP; see signal(2).

TLS SUPPORT

       If INN is built with --with-openssl or if the OpenSSL SSL and crypto libraries  are  found  at  configure
       time,  nnrpd  will  support news reading over TLS (also known as SSL).  For clients that use the STARTTLS
       command, no special configuration is needed beyond creating a TLS/SSL certificate for  the  server.   You
       should do this in exactly the same way that you would generate a certificate for a web server.

       If  you're  happy  with  a  self-signed  certificate  (which will generate warnings with some news reader
       clients), you can create and install one in the default path by running "make cert" after "make  install"
       when installing INN, or by running the following commands:

           umask 077
           openssl req -new -x509 -nodes -out <pathetc>/cert.pem \
               -days 366 -keyout <pathetc>/key.pem
           chown news:news <pathetc>/cert.pem
           chmod 640 <pathetc>/cert.pem
           chown news:news <pathetc>/key.pem
           chmod 600 <pathetc>/key.pem

       Replace  the  paths  with something appropriate to your INN installation.  This will create a self-signed
       certificate that will expire in a year.  The openssl program will ask you a variety  of  questions  about
       your  organization.   Enter  the  fully  qualified  domain  name  of your news service (either the server
       canonical name or a dedicated alias for the news service) as the name the certificate is for.

       You then have to set these inn.conf parameters with the right paths:

           tlscapath:      <pathetc>
           tlscertfile:    <pathetc>/cert.pem
           tlskeyfile:     <pathetc>/key.pem

       If you want to use a complete certificate chain, you can directly put it in  tlscertfile  (like  Apache's
       SSLCertificateFile  directive).   Alternately,  you  can  put a single certificate in tlscertfile and use
       tlscafile for additional certificates needed to complete  the  chain,  like  a  separate  authority  root
       certificate.

       More concretely, when using Let's Encrypt certificates, Certbot's files can be installed as follows:

           tlscapath:      /etc/letsencrypt/live/news.server.com
           tlscertfile:    /etc/letsencrypt/live/news.server.com/fullchain.pem
           tlskeyfile:     /etc/letsencrypt/live/news.server.com/privkey.pem

       or:

           tlscapath:      /etc/letsencrypt/live/news.server.com
           tlscafile:      /etc/letsencrypt/live/news.server.com/chain.pem
           tlscertfile:    /etc/letsencrypt/live/news.server.com/cert.pem
           tlskeyfile:     /etc/letsencrypt/live/news.server.com/privkey.pem

       Make  sure  that  the permission rights are properly set so that the news user or the news group can read
       these directories and  files  (typically,  he  should  access  /etc/letsencrypt/live/news.server.com  and
       /etc/letsencrypt/archive/news.server.com  where the real keys are located, and the private key should not
       be world-readable).

       If you prefer to point to files outside the directory of Let's Encrypt, you may add a  post-renewal  hook
       for Let's Encrypt to copy the generated files to another location, and give them the expected rights.

       There  are  two  common  ways  for  a  news client to negotiate a TLS connection: either via the use of a
       dedicated port (usually 563) on which TLS is immediately negotiated  upon  connection,  or  via  the  now
       discouraged  way  (per  RFC 8143) to use the STARTTLS command on the usual NNTP port (119) to dynamically
       upgrade from unencrypted to TLS-protected traffic during an NNTP session.  innd does not,  however,  know
       how  to listen for connections to that separate port (563).  You will therefore need to arrange for nnrpd
       to listen on that port through some other means.  This can be done with the -D flag along with  "-p  563"
       and put into your init scripts:

           su news -s /bin/sh -c '<pathbin>/nnrpd -D -p 563 -S'

       but the easiest way is probably to add a line like:

           nntps stream tcp nowait news <pathbin>/nnrpd nnrpd -S

       to  /etc/inetd.conf  or the equivalent on your system and let inetd run nnrpd.  (Change the path to nnrpd
       to match your installation.)  You may need to replace "nntps" with "563"  if  "nntps"  isn't  defined  in
       /etc/services  on  your system.  You may also want to use the lowercase -s flag with a long string as its
       argument to see more information about incoming connections in ps(1) output.

       Optionally, you may set the tlsciphers, tlsciphers13, tlscompression, tlseccurve, tlspreferserverciphers,
       and tlsprotocols parameters in inn.conf to fine-tune the behaviour of the TLS/SSL negotiation whenever  a
       new attack on the TLS protocol or some supported cipher suite is discovered.

BLACKLISTD SUPPORT

       blacklistd(8) is a FreeBSD/NetBSD daemon for preventing brute force attacks by blocking attackers after a
       number  of  failed  login  attempts.   When  nnrpd is built with blacklistd support, it will report login
       attempts to the blacklistd daemon for potential blocking.

       Adding the configuration below to /etc/blacklistd.conf under the "[local]"  section,  assuming  nnrpd  is
       listening  on  port  563,  would  lead  to  attackers  being  blocked for 10 minutes after 5 failed login
       attempts.

           # adr/mask:port type    proto owner name nfail disable
           563             stream  *     *     *    5     10m

       See the blacklistd(8) documentation for more information.

PROTOCOL DIFFERENCES

nnrpd implements the NNTP commands defined in RFC 3977 (NNTP), RFC 4642 updated by RFC 8143 (TLS/NNTP),
RFC 4643 (NNTP authentication), RFC 6048 (NNTP LIST additions) and RFC 8054 (NNTP compression) with the
following differences:

1. The XGTITLE [wildmat] command is provided. This extension is used by ANU-News and documented in
RFC 2980. It returns a "282" reply code, followed by a one-line description of all newsgroups that
match the pattern. The default is the current group.

Note that LIST NEWSGROUPS should be used instead of XGTITLE.

2. The XHDR header [message-ID|range] command is implemented. It returns a "221" reply code, followed
by specific header fields for the specified range; the default is to return the data for the current
article. See RFC 2980.

Note that HDR should be used instead of XHDR.

3. The XOVER [range] command is provided. It returns a "224" reply code, followed by the overview data
for the specified range; the default is to return the data for the current article. See RFC 2980.

Note that OVER should be used instead of XOVER.

4. A new command, XPAT header message-ID|range pattern [pattern ...], is provided. The first argument
is the case-insensitive name of the header field to be searched. The second argument is either an
article range or a single message-ID, as specified in RFC 2980. The third argument is a
uwildmat-style pattern; if there are additional arguments, they are joined together separated by a
single space to form the complete pattern. This command is similar to the XHDR command. It returns
a "221" response code, followed by the text response of all article numbers that match the pattern.

5. A newsgroup name is case-sensitive for nnrpd.

6. If IHAVE has been advertised, it will not necessarily be advertised for the entire session (contrary
to section 3.4.1 of RFC 3977). nnrpd only advertises the IHAVE capability when it is really
available.

7. nnrpd allows a wider syntax for wildmats and ranges (especially "-" and "-article-number").

8. When keyword generation is used, an experimental feature enabled with the keywords parameter in
inn.conf, "Keywords:full" is advertised in LIST OVERVIEW.FMT even though overview information is
computed and does not necessarily come from Keywords header fields.

HISTORY

       Written by Rich $alz <rsalz@uunet.uu.net> for InterNetNews.  Overview support  added  by  Rob  Robertston
       <rob@violet.berkeley.edu>  and  Rich  in  January, 1993.  Exponential backoff (for posting) added by Dave
       Hayes in Febuary 1998.