  • Re: Issues with nnrpd and tls

    From aw@aw@somewhere.invalid (Adam W.) to news.admin.peering,news.software.nntp on Thu May 29 12:42:13 2025
    From Newsgroup: news.software.nntp

    In news.admin.peering Gabx <personne@null.domain> wrote:

    Any help appreciated

    I'm late to the party (I've not been active here recently), but if you
    still have the issue, here's my configuration.

    I have inn running normally, on port 119, and it drops non-peers to
    nnrpd, which accepts STARTTLS to switch to TLS.

    I also have the following entry in my inetd.conf:

    nntps stream tcp nowait news /usr/local/news/bin/nnrpd nnrpd -S

    So connections to port nntps (563) are guarded by TLS from the beginning (without STARTTLS).

    I don't know if it's the official way to do it, but it works without any problems.

    BTW, when you post to multiple groups, don't insert spaces after the
    commas. Some software might not like it (tin complains).
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Gabx@info@tcpreset.invalid to news.admin.peering,news.software.nntp on Sun Jun 8 22:46:05 2025
    From Newsgroup: news.software.nntp

    Adam W. wrote:

    I have inn running normally, on port 119, and it drops non-peers to
    nnrpd, which accepts STARTTLS to switch to TLS.

    I also have the following entry in my inetd.conf:

    nntps stream tcp nowait news /usr/local/news/bin/nnrpd nnrpd -S

    So connections to port nntps (563) are guarded by TLS from the beginning (without STARTTLS).


    Hi !
    I am on Ubuntu-22.04 and my NNTP server is INN2.6.4 installed with apt.
    I have a systemd script:

    [Unit]
    Description=NNRP Daemon (standalone TLS on port 563)
    After=network-online.target
    Wants=network-online.target
    Requires=inn2.service

    [Service]
    Type=simple
    User=news
    Group=news
    ExecStart=/usr/lib/news/bin/nnrpd -p 563 -b 0.0.0.0 -S
    Restart=on-abort
    ConfigurationDirectory=news
    LogsDirectory=news
    LogsDirectoryMode=775
    RuntimeDirectory=news
    StateDirectory=news
    StateDirectoryMode=775
    ReadWritePaths=/var/spool/news/
    ProtectSystem=full
    ProtectControlGroups=yes
    ProtectHome=yes
    LimitNOFILE=infinity

    [Install]
    WantedBy=multi-user.target

    The server is in production, stopping the service would not be nice, you
    will understand me.

    I hope to find a nnrpd ssl configuration that definitely works with my environment.

    Certificates are ready with letsencrypt.
    This is the desired configuration in etc/news/inn.conf:

    #tlscafile: /etc/news/ssl/chain.pem
    #tlscapath: /etc/news/ssl
    #tlscertfile: /etc/news/ssl/cert.pem
    #tlskeyfile: /etc/news/ssl/privkey.pem
    #tlsciphers: "ECDHE+AESGCM"
    #tlsciphers13: "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256"
    #tlscompression: false
    #tlseccurve: "X25519:P-256:P-384:P-521"
    #tlspreferserverciphers: true
    #tlsprotocols: [ TLSv1.2 TLSv1.3 ]

    These are the errors in the logs for nnrpd launched by systemd:

    Jun 08 20:32:49 news.tcpreset.net nnrpd[3657084]: unable to get certificate from '/etc/news/cert.pem'
    Jun 08 20:32:49 news.tcpreset.net nnrpd[3657084]: error initializing TLS: [CA_file: ] [CA_path: /etc/news] [cert_file: /etc/news/cert.pem] [key_

    Uncommenting the settings in etc/news/inn.conf would probably solve this.
    There would also be *nnrpdflags* parameter where I wouldn't know whether
    to use -S when already used in the systemd script,

    too many doubts.

    Gabx
    --
    0745074DFEAA9CB762E9D89D3E54F490F2CC5A82
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From aw@aw@somewhere.invalid (Adam W.) to news.admin.peering,news.software.nntp on Sun Jun 8 23:18:18 2025
    From Newsgroup: news.software.nntp

    In news.admin.peering Gabx <info@tcpreset.invalid> wrote:

    The server is in production, stopping the service would not be nice, you will understand me.

    I sure do. When I want to do some invasive experiments on my server, I
    just copy the files (minus huge spools) to the VM and do them there. It
    might be a solution.

    These are the errors in the logs for nnrpd launched by systemd:

    Jun 08 20:32:49 news.tcpreset.net nnrpd[3657084]: unable to get certificate from '/etc/news/cert.pem'

    Does this file exist? What are its access rights (and access rights for /etc/news directory itself)? Is it possible that it's a simple file access error? If not, then does the file start with "-----BEGIN CERTIFICATE-----"?
    --- Synchronet 3.21a-Linux NewsLink 1.2
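
    The checks asked for in the reply above (does the file exist, can the account nnrpd runs as read it and search its directory, does it begin with "-----BEGIN CERTIFICATE-----"), combined with a look at whether tlscertfile is actually active in inn.conf. This is an added example, not part of any post in the thread and not part of INN; the function names are made up here, and the fallback path is the one shown in the quoted log line.

```shell
#!/bin/sh
# Added example: pre-flight checks for the certificate nnrpd will load.
# Run it as the account nnrpd runs under (User=news in the unit quoted
# in the thread), because readability depends on who is asking.

# Print the active (uncommented) value of an inn.conf key; print nothing
# when the key is absent or commented out with '#'.
inn_conf_value() {
    # $1 = key name, $2 = path to inn.conf
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | tail -n 1 | tr -d '"'
}

# Return 0 when the file is usable as a PEM certificate, otherwise:
# 1 = missing, 2 = directory not searchable, 3 = not readable,
# 4 = first line is not a PEM certificate header.
check_cert_file() {
    dir=$(dirname "$1")
    [ -d "$dir" ] && [ -x "$dir" ] || return 2
    [ -f "$1" ] || return 1
    [ -r "$1" ] || return 3
    head -n 1 "$1" | grep -q -- '^-----BEGIN CERTIFICATE-----' || return 4
    return 0
}

# Resolve the certificate path from inn.conf and report on it.
report() {
    conf=$1
    cert=$(inn_conf_value tlscertfile "$conf")
    if [ -z "$cert" ]; then
        # Path taken from the error log quoted in the thread.
        cert=/etc/news/cert.pem
        echo "tlscertfile is not active in $conf; checking $cert"
    fi
    rc=0
    check_cert_file "$cert" || rc=$?
    case $rc in
        0) echo "$cert: ok" ;;
        1) echo "$cert: file does not exist" ;;
        2) echo "$cert: directory missing or not searchable by $(id -un)" ;;
        3) echo "$cert: not readable by $(id -un)" ;;
        4) echo "$cert: does not start with a PEM certificate header" ;;
    esac
    return "$rc"
}

# Usage: sh check.sh /etc/news/inn.conf
if [ "$#" -gt 0 ]; then
    report "$1"
fi
```

    The same two functions can be pointed at tlskeyfile, with the header test changed to match the private key's PEM label.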
  • From noreply@noreply@dirge.harmsk.com to news.software.nntp on Sun Jun 8 19:46:40 2025
    From Newsgroup: news.software.nntp

    On Sun, 8 Jun 2025 22:46:05 +0200, Gabx <info@tcpreset.invalid> wrote:
    too many doubts.

    no doubt this troll farm "from" puppet has deployed at least a hundred aliases that resemble "gabx" ... e.g. news:alt.privacy.anon-server on blueworldhosting:


    decades of endless campaigns to promote pseudonymity, hammering a.p.a-s
    and other forums relentlessly with their "tormailer" entrapment schemes

    but of course, most active newsgroups are continually occupied by troll
    farm marionettes, so there's nothing particularly unusual about "gab-x"
    --- Synchronet 3.21a-Linux NewsLink 1.2