INN for the Impatient

This article is only meant to give you a quick view of how INN works, and how to set it up on your network. If you want more information, I recommend that you read the excellent Managing Usenet (Henry Spencer & David Lawrence, O'Reilly, ISBN 1-565592-198-4). The example of setting up a newsfeed file is borrowed from an article posted by Ken Hornstein (kenh@leps5.phys.psu.edu), but I don't remember where I found it.

INN: A Quickie

  1. Get and install RPMs cleanfeed and inn

    Important: As I've seen one INN package install files as root:root, do a rpm -ql inn, followed by a find . -user news to check that all INN files are indeed owned by news:news (/etc/cron.hourly/, /etc/cron.daily/, /etc/news/, /var/lib/news/, /var/spool/news/, /var/log/news/). It is especially important that the cron jobs be owned by news:news, or /var/lib/news/history* files will end up being owned by root:root and cause INN to exit.
  2. Edit the following fields in /etc/news/inn.conf
    #/etc/news/inn.conf
    organization: My Very Fine Company
    server: news.acme.com
    pathhost: acme.com
    moderatormailer:
    domain: acme.com
    fromhost: news.acme.com
  3. Edit /etc/news/nnrp.access to allow connections from hosts other than the one where innd is running
  4. Edit /etc/news/newsfeeds, and add dummy-feed:!*::. This is needed while your server is a stand-alone news server, and is not being fed by your ISP.
  5. Start INNd through /etc/rc.d/init.d/innd start, and check for errors in /var/log/messages and /var/log/news/news.crit or news.err
  6. To add a first newsgroup while INNd is running, run ctlinnd newgroup acme.myfirstng y "Added non-moderated acme.myfirstng"
  7. From a remote host, run your favorite news client, and have it download the list of newsgroups available from news.acme.com. You're in business.

Testing NNTP with Telnet

telnet localhost nntp
Trying 127.0.0.1...
Connected to localhost.localdomain.
Escape character is '^]'.
200 localhost InterNetNews server INN 2.2.1 25-Aug-1999 ready
IHAVE <test1@kiwi.ora.com>
435 Duplicate
IHAVE <test2@kiwi.ora.com>
335
Path: not-for-mail
From: nobody@kiwi.ora.com
Newsgroups: test
Subject: testing new INN installation
Message-ID: <test2@kiwi.ora.com>
Date: 26 April 2000 18:00:00 GMT

Short test
.
235
quit
205 .
Connection closed by foreign host.

How does this beast work?

Judging by the number of files that the RPM package installs, INN clearly looks like one complicated thingie, so here's a diagram of how it works:

 

News servers can be leaf nodes (sites that do not serve as a pathway for articles between other sites; the only articles a leaf sends to its neighbors are locally generated ones), hub nodes (sites that are responsible for transporting news between all of the various news systems that comprise Usenet), or gateways (set up to allow access to mailing lists in newsgroups, or to offer access to newsgroups to people who do not have access to Usenet).

In a nutshell, the INNd daemon only waits for connections, from your newsfeed or from clients on your LAN. If an incoming connection originates from a client, it forks an instance of NNRPd to handle the rest of the NNTP session between your local news server and that client. Access rights for clients are checked against the nnrp.access file.
As both feeds and clients connect to the same port number (119), INN tells them apart based on the hosts.nntp file, which lists the news servers with which your news server interacts. In practice, it should contain only a reference to the news feed at your ISP.

NNTP is both a relayer-to-relayer transport protocol and a newsreader-access protocol, and basic NNTP commands are inews, ihave, head. The collection of NNTP newsreader services is called the "Network News Reader Protocol", or NNRP, and is implemented under INN as nnrpd.

In addition to its own configuration file (/etc/news/inn.conf), INNd uses the configuration file active which lists the newsgroups your server will accept from your ISP and will make available to your users. Each article generates a log entry in the history file, which can grow pretty big. You do not need to back it up as it can be re-created following a crash.
Whether you'll be running it as a private news server (i.e. it will only contain private, corporate newsgroups) or a public news server (i.e. it is fed by a news server at your ISP and will contain some or all of the newsgroups available from your ISP) depends on the active file. Articles are saved in a tree structure of sub-directories that mirrors the newsgroup hierarchy. When installing INN through an RPM package, this tree could be located under /var/spool/news/. Sub-directories are created automatically by INNd as needed, and articles belonging to the same newsgroup are saved in the appropriate sub-directory. As an example, article #57 in comp.lang.pascal will be saved in /var/spool/news/comp/lang/pascal/, along with other articles currently available on your news server for newsgroup comp.lang.pascal.

 

Articles that are generated locally are uploaded to your newsfeed by running NNTPSEND, which is actually a script that calls the INNXMIT binary.
Where articles generated by your local users are sent and how they are sent is determined by the newsfeed file. Setting up this file is probably the hardest part of installing INN on your network.

In addition, uploading articles requires adding the destination server (ie. your ISP's newsfeed) in the nntpsend.ctl configuration file, and should match what is said in the newsfeed file. You should add a call to nntpsend in news' cron so that it runs automatically, and at a regular interval, eg. every 10 minutes. Articles are expired (ie. deleted) by having cron run the script news.daily. This script relies on the configuration file expire.ctl.

Changes to your news server can be done by running the binary ctlinnd with ad hoc parameters. ctlinnd also makes use of its configuration file control.ctl. Changes are actually sent to INNd through special types of news articles that contain an additional Control field. Common tasks are cancel (to remove articles), creating and removing groups (newgroup and rmgroup), verifying the groups that should exist in a hierarchy (checkgroups), sending information about your system (sendsys, senduuname, and version), and implementing a special type of feed usually used by UUCP systems (ihave and sendme).
As the news feed could send such control articles and make changes to your server, it is highly recommended that you take advantage of the PGP feature to only allow changes from your ISP.

Main configuration files

Inn.conf

Feeds and the local host must agree on this name, and disagreements can cause various nasty problems, such as getting copies of articles that originated from the local host. Most news software considers news names to be case-sensitive.

Newsfeed

Here's a sample of a newsfeed file:
ra/ra.nrl.navy.mil:*,!psu.*/!psu:Tf,Wnm:
The first field is very important, as NNTPSEND uses it to tell whether an article available on your local server was generated locally or originated from your feed. In other words, an article that contains this first field in its Path header was already downloaded from your feed and should not be uploaded to your ISP. ra is the name of the feed, and ra.nrl.navy.mil is an alias for ra. Using a Fully-Qualified Domain Name ensures that this entry in the Path header is unique.

The second field (*,!psu.*/!psu) tells which articles will be sent out to the site ra (ra.nrl.navy.mil), namely all articles except those found under the psu.* newsgroups (Pennsylvania University), and those with a Distribution field of psu.

The last field specifies that the feed is a file feed (Tf; most feeds are file feeds), and that the relative path name and the Message-ID of the article should be written to this file (Wnm; the "n" means "relative path name", the "m" means "Message-ID of the article").
By default, the output file has the same name as your feed, and is in your out.going directory. In this example, every article meant for the ra feed will have its filename and Message-ID written to the file /var/spool/news/out.going/ra.
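The sample entry above, taken apart field by field and applied to a few constructed articles. This is an added example, not code from the article or from INN: parse_entry and should_feed are hypothetical names, fnmatch stands in for INN's own pattern matcher, and only the rules described in this section are modelled.

```python
from fnmatch import fnmatchcase

ENTRY = "ra/ra.nrl.navy.mil:*,!psu.*/!psu:Tf,Wnm:"   # the article's sample

def parse_entry(line):
    """Split one entry into the four colon-separated fields described above."""
    site, subs, flags, param = line.strip().split(":", 3)
    name, _, aliases = site.partition("/")
    patterns, _, dists = subs.partition("/")
    return {
        "path_names": [name] + [a for a in aliases.split(",") if a],
        "patterns": [p for p in patterns.split(",") if p],
        "distributions": [d for d in dists.split(",") if d],
        "flags": [f for f in flags.split(",") if f],
        # Empty last field: the default file named after the feed.
        "outfile": param or "/var/spool/news/out.going/" + name,
    }

def should_feed(entry, path, newsgroups, distribution=""):
    """Simplified model of the decision to queue an article for this site."""
    # 1. The feed's name or alias is already in Path: it came from there.
    if set(path.split("!")) & set(entry["path_names"]):
        return False
    # 2. A negated distribution (!psu) blocks articles that carry it.
    dists = [d.strip() for d in distribution.split(",") if d.strip()]
    if any("!" + d in entry["distributions"] for d in dists):
        return False
    # 3. Per group, the last pattern that matches decides; "!" negates.
    for group in newsgroups.split(","):
        wanted = False
        for pat in entry["patterns"]:
            if fnmatchcase(group.strip(), pat.lstrip("!")):
                wanted = not pat.startswith("!")
        if wanted:
            return True
    return False

if __name__ == "__main__":
    ra = parse_entry(ENTRY)
    print(ra)
    # Constructed articles: (Path, Newsgroups, Distribution)
    for art in [("news.acme.com!not-for-mail", "comp.lang.pascal", ""),
                ("news.acme.com!ra.nrl.navy.mil!user", "comp.lang.pascal", ""),
                ("news.acme.com!not-for-mail", "psu.general", ""),
                ("news.acme.com!not-for-mail", "comp.lang.pascal", "psu")]:
        print(art, should_feed(ra, *art))
```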

Remember that any change to a configuration file requires that INNd reload it (here, through ctlinnd reload newsfeeds 'testing').

Nntpsend.ctl

This file is used in addition to the newsfeed file, and specifies how your news server connects to the feed at your ISP. Here's a sample:
ra:ra.nrl.navy.mil

This tells nntpsend that articles in the feed file "ra" (really, /var/spool/news/out.going/ra), should be sent to the site "ra.nrl.navy.mil".

Hosts.nntp

This file specifies the news servers with which your server interacts. If you only have one feed, from your ISP, this file contains only one reference. Remember to run ctlinnd reload hosts.nntp "Made changes to hosts.nntp" after making any change to this file.

Active

This configuration file specifies which newsgroups your server offers, and which newsgroups it accepts from your ISP newsfeed. It lists each known newsgroup, the highest article number in it, and some additional control information.

The format of the active file is four fields per line, separated by single spaces. The fields are: the group name, the maximum article number in the group, the minimum article number in the group, and a control flag for the group (usually either y for an unmoderated group or m for a moderated one.) If you try to post an article to a moderated newsgroup, the posting agent mails the article to the moderator for consideration, rather than sending it to your host's relayer.

Here are some samples:

control 0001671903 0001530841 y
news.announce.newsgroups 0000006307 0000006117 m

The maximum and minimum fields are fixed length, now typically ten digits, and padded with zeros. For local newsgroups, use organization-specific names, eg. acme.general, to avoid clashes with established newsgroup names.

When the control flag is set to n, the newsgroup does not accept any locally generated postings. Setting the control flag to x for a group causes any article posted only to that group to be completely discarded, which is useful when your feed keeps sending you something that you can't get it to stop sending, but that you don't want to waste any resources storing.
INN also supports flag j to accept articles for groups that you don't want stored in the regular newsreader space, but do want to be able to propagate to neighbors. The articles are instead stored in the junk pseudogroup and propagated according to their Newsgroups headers.
The = flag can be used to file articles from one newsgroup in another group.
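A small checker for the format just described, as an added example that is not part of the original article or of INN. lint_active and the acme.* sample lines are constructed for illustration, and the ten-digit width the article calls typical is treated as required.

```python
import re

FLAGS = set("ymnxj")               # the single-letter flags the article lists
NUM = re.compile(r"[0-9]{10}")     # fixed-length, zero-padded article numbers

# Constructed sample: the article's two lines plus deliberately broken ones.
SAMPLE = """\
control 0001671903 0001530841 y
news.announce.newsgroups 0000006307 0000006117 m
acme.general 0000000000 0000000000 y
acme.old 0000000000 0000000000 =acme.archive
acme.broken 42 0000000000 y
acme.typo 0000000000 0000000000 q
acme.general 0000000000 0000000000 n
"""

def lint_active(text):
    """Return (line number, problem) pairs for the contents of an active file."""
    rows = [(n, line.split(" ")) for n, line in enumerate(text.splitlines(), 1)]
    names = {f[0] for _, f in rows if len(f) == 4}
    seen, problems = set(), []
    for n, fields in rows:
        if len(fields) != 4 or "" in fields:
            problems.append((n, "expected four fields separated by single spaces"))
            continue
        group, high, low, flag = fields
        if group in seen:
            problems.append((n, "duplicate group " + group))
        seen.add(group)
        if not (NUM.fullmatch(high) and NUM.fullmatch(low)):
            problems.append((n, "article numbers must be ten zero-padded digits"))
        if flag.startswith("="):
            # The = flag files articles in another group, which must exist.
            if flag[1:] not in names:
                problems.append((n, "alias target %s is not in the file" % flag[1:]))
        elif flag not in FLAGS:
            problems.append((n, "unknown flag " + flag))
    return problems

if __name__ == "__main__":
    for lineno, problem in lint_active(SAMPLE):
        print("line %d: %s" % (lineno, problem))
```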

 

Nnrp.access

It specifies access rights for local news clients on your LAN.

History

The biggest single news file is the history file, which contains one line per current or recently expired article. It is used both for indexing and as the master control file for expiry. It is accompanied by a pair of auxiliary files, history.pag and history.dir.

Keep an eye on explicit expiry dates set by someone who decided that his articles deserve to expire when he wants them to. The entries in the history file should be retained for at least a week, even if the articles themselves expire sooner, so that the news software can detect duplicate copies of arriving articles.

Expire.ctl

It specifies how articles are deleted. Settings can be newsgroup-specific. If you're only running a private server, with no feed from the Internet, and articles do not contain binary files, you could disable expiring and keep all articles.

The following sample specifies that history entries should be kept for at least 14 days, that default newsgroups should have their articles kept for a minimum of one day, with a default expiration of 7 days (if there is no "Expires" header) and a maximum of 21 days, while settings for the psu.* newsgroups should be 1 day, 14 days, and 28 days, respectively:

/remember/:14
*:A:1:7:21
psu.*:A:1:14:28

Default settings should be listed first, and specific settings last.
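How the three numbers on each line interact with an article's Expires header, using the sample above. This is an added example, not code from the article or from INN: the function names are hypothetical, ages are counted in days from arrival, fnmatch approximates INN's pattern matching, and the never keyword that expire.ctl accepts is mapped to infinity.

```python
from fnmatch import fnmatchcase

EXPIRE_CTL = """\
/remember/:14
*:A:1:7:21
psu.*:A:1:14:28
"""   # the article's sample

def days(value):
    return float("inf") if value == "never" else float(value)

def parse_expire_ctl(text):
    """Return (remember_days, rules) with rules kept in file order."""
    remember, rules = None, []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split(":")
        if fields[0] == "/remember/":
            remember = days(fields[1])
        elif len(fields) == 5:
            pattern, modflag, keep, default, purge = fields
            rules.append((pattern, modflag, days(keep), days(default), days(purge)))
        else:
            raise ValueError("malformed expire.ctl line: " + line)
    return remember, rules

def retention_days(rules, group, expires_after=None):
    """Days an article in `group` is kept. `expires_after` is the article's
    Expires header as days after arrival, or None when there is no header."""
    match = None
    for rule in rules:                    # later lines override earlier ones,
        if fnmatchcase(group, rule[0]):   # which is why defaults come first
            match = rule
    if match is None:
        return None
    _, _, keep, default, purge = match    # the moderation flag is not modelled
    if expires_after is None:
        return default
    # A poster's Expires date is honoured only between the minimum and maximum.
    return min(max(expires_after, keep), purge)

if __name__ == "__main__":
    remember, rules = parse_expire_ctl(EXPIRE_CTL)
    print("history entries kept", remember, "days")
    for group, exp in [("comp.lang.pascal", None), ("psu.general", None),
                       ("comp.lang.pascal", 365), ("psu.general", 0.5)]:
        print(group, exp, "->", retention_days(rules, group, exp))
```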

/var/lib/news/newsgroups

Offers a short description of each newsgroup available on the news server.

passwd.nntp

Contains user + password if you use innxmit to connect to sites that require your site to authenticate itself.

Performance

Since INN is quite CPU-, RAM-, and hard disk-hungry, it is highly recommended that your news server be a higher-end server, and that articles be saved on a fast SCSI hard disk, preferably separate from the rest of your system, and formatted with small sectors. Remember that the history file and index files also require a lot of disk space. Also, updating the "access time" of a file every time the file is read can involve a lot of overhead to maintain fairly uninteresting information, so check if your system lets you specify that the access times on a filesystem should not be updated. This will increase performance, and minimize the consequences should your hard disk fill up.

In case your host has been down for a while, first do an immediate expire run with much shorter expiry times than usual, to make room for the incoming deluge from your feed.

 

Security issues

Watch out for the antiquated control messages sendsys and version, which were used in the early days to keep a map of the Usenet network, but have great potential for abuse (eg. they can make hundreds or thousands of hosts all send email to the same address, a.k.a. "sendsys bombing.")

If your news server contains both Internet newsgroups, and private corporate newsgroups, users could end up cross-posting to both public and private newsgroups. Besides keeping two separate servers (one for Internet newsgroups as delivered by your ISP, and another for corporate newsgroups only), you could set up your news software to forbid crossposting to both internal and external newsgroups. Actually, this is an additional protection, since it's possible for an outsider to post an article to both a Usenet newsgroup and one of your internal newsgroups, if he knows the name of the internal newsgroup, and thus, mislead your own users into posting followup articles that also go to both newsgroups.
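One way to express the crossposting rule above as a check over article headers, as an added example rather than code from the article or from INN. The acme. internal prefix, the function names and the sample articles are assumptions made for illustration.

```python
import re

INTERNAL = ("acme.",)   # assumption: hierarchies that must stay in-house

def header_groups(article, name):
    """Return the groups named in one header of a raw article."""
    head = article.replace("\r\n", "\n").split("\n\n", 1)[0]
    head = re.sub(r"\n[ \t]+", " ", head)        # unfold continuation lines
    for line in head.split("\n"):
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return [g.strip() for g in value.split(",") if g.strip()]
    return []

def is_internal(group):
    return group.startswith(INTERNAL)

def crosspost_violations(article):
    """Return the reasons an article should be refused, or an empty list."""
    post = header_groups(article, "Newsgroups")
    follow = [g for g in header_groups(article, "Followup-To") if g != "poster"]
    reasons = []
    if {is_internal(g) for g in post} == {True, False}:
        reasons.append("Newsgroups mixes internal and external groups")
    # Replies go where Followup-To points, so it can leak a thread as well.
    touches_internal = any(is_internal(g) for g in post + follow)
    if touches_internal and any(not is_internal(g) for g in follow):
        reasons.append("Followup-To sends replies outside the internal groups")
    return reasons

# Constructed sample articles (headers, blank line, body).
SAMPLES = {
    "mixed": "Newsgroups: acme.general,comp.lang.pascal\nSubject: hi\n\nbody\n",
    "redirect": "Newsgroups: acme.general\nFollowup-To: comp.lang.pascal\n\nbody\n",
    "folded": "Newsgroups: comp.lang.pascal,\n comp.lang.c\nSubject: hi\n\nbody\n",
    "in_body": "Newsgroups: comp.lang.c\n\nNewsgroups: acme.general\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, crosspost_violations(text))
```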

Also watch out for the ihave/sendme control-message protocol: even though message IDs are no longer very predictable, an outsider could still get confidential information posted to internal newsgroups. Disable ihave/sendme control messages.

 

Managing INN

Besides keeping an eye on hard disk use to make sure there is enough space available, basic tasks involve updating the active file to add or remove newsgroups. If you only need to make a few updates, you do not need to actually stop INNd, but can instead use the ctlinnd command live:
ctlinnd newgroup linux.acme.com.newgroup1 y "Adding newgroup1, non-moderated"
ctlinnd rmgroup linux.acme.com.newgroup1
ctlinnd changegroup linux.acme.com.newgroup1 m "Changing newgroup1 to moderated"

On the other hand, if you need to make heavy changes to the active file, use the following sequence:

ctlinnd pause "John Doe/Pausing INN to update active file"
# Here, edit the active file with your favorite editor or through a script
inncheck
ctlinnd reload active "John Doe/Reloading the active file"
ctlinnd go "John Doe/Pausing INN to update active file"
Note: The "reason" (ie. the string) given in a go command must match what is given in the string of the pause command.

Here's a sample script to add several newsgroups to the active file:

cd NEWSCTL   # NEWSCTL stands for the directory that holds the active file
# The reason given to pause must be repeated exactly in the go command below
ctlinnd pause 'adding new rec.photo groups'
ctlinnd flush ''   # CHECK: is this still needed?
cat >> active << EOF
rec.photo.advanced 0000000000 0000000000 y
rec.photo.darkroom 0000000000 0000000000 y
EOF
ctlinnd reload active 'rec.photo reorg'
ctlinnd go 'adding new rec.photo groups'

Caution: Since a ctlinnd newgroup/rmgroup could have arrived before you paused innd, run a ps and check for any active control message scripts, like newgroup or rmgroup, before proceeding with the active file update.

 

Q & A


INNd does not start with /etc/rc.d/init.d/innd start

Check /var/log/news/news.crit for SERVER cant fopen /var/lib/news/history Permission denied, and do a chown news:news /var/lib/news/* .
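The ownership check behind this fix, and behind the warning in step 1 of the quick start, as an added example that is not from the article or from INN. wrong_owner and audit are hypothetical names, and the directory list is the one the article gives for an RPM install; cron scripts are meant to be passed as individual files, since the cron directories also hold jobs from other packages.

```python
import grp
import os
import pwd

# Directories the article lists for an RPM install. Add the INN cron scripts
# that `rpm -ql inn` reports as individual files.
INN_PATHS = ["/etc/news", "/var/lib/news", "/var/spool/news", "/var/log/news"]

def wrong_owner(roots, uid, gid):
    """Return every path at or below `roots` that is not owned by uid:gid."""
    bad = []
    for root in roots:
        paths = [root]
        # os.walk does not follow symlinks, so the scan stays inside root.
        for base, dirs, files in os.walk(root):
            paths += [os.path.join(base, name) for name in dirs + files]
        for path in paths:
            try:
                st = os.lstat(path)       # lstat: judge the link, not its target
            except FileNotFoundError:
                continue                  # absent root, or removed mid-scan
            if (st.st_uid, st.st_gid) != (uid, gid):
                bad.append(path)
    return sorted(bad)

def audit(user="news", group="news", roots=INN_PATHS):
    """Look up news:news and list the INN files that belong to someone else."""
    return wrong_owner(roots, pwd.getpwnam(user).pw_uid,
                       grp.getgrnam(group).gr_gid)

if __name__ == "__main__":
    for path in audit():
        print("not news:news:", path)
```

Run it after installing the package and again after the first cron runs, since the article notes that root-owned cron jobs leave root-owned history files behind.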

INN creates and requires some control newsgroups (control, control.cancel, junk, test, to). How do I keep those from showing up in the list of available newsgroups?

Under development

How to get rid of the "BAD_NEWSFEEDS no feeding sites" message in /var/log/news/news.err?

Rich Salz replies: The syslog message is telling you that you are not feeding news to any sites. You have to have at least one feed. (You may consider this to be a bug, it's just that I'm too lazy to make everything work right if you don't have any newsfeeds.) Until you go into production and start feeding sites, add a line like this:
dummy-feed:!*::

How to tell INN to hide its name and version number in the banner when telnetting to port NNTP?

A basic, general security measure. You don't want to make it any easier for hackers to get into your system or cause Denial of Service.
Connected to linux.acme.com.
Escape character is '^]'.
200 news.acme.com InterNetNews NNRP server INN 2.2.2 13-Dec-1999 ready (posting ok).
Under development.

Old .news.daily file

If you get the following:
Subject: Boot-time Usenet warning on linux.acme.com
From: news@linux.acme.com (news)

Old .news.daily file; need to run news.daily?
... you need to run news.daily from /etc/cron.daily:
#!/bin/bash
/usr/bin/news.daily
<CHECK: Does running this script when connected as root cause history files to end up being owned by root and cause INN to crash?>

I added some local private newsgroups, updated /var/lib/news/newsgroups, relaunched INNd, but the descriptions don't show in my newsreader

Quirk in the PAN Gnome newsreader? Check with a reader under Windows that supports Description (Outlook?).