• Issues with nnrpd and tls

    From Gabx@personne@null.domain to news.admin.peering, news.software.nntp on Tue Apr 1 19:38:45 2025
    From Newsgroup: news.software.nntp

    I will tell you the whole procedure I performed.
    I want to have port 119 in clear and port 563 with tls.
    As soon as I installed inn2 on ubuntu22.04 I had port 119 in clear.
    To also have port 563 instead for tls I added the option -S to nnrpdflags in etc/news/inn.conf.
    Result both ports 119 and 563 support tls.
    So, wanting to manage the two processes independently of each other, I removed the option -S from nnrpdflags in etc/news/inn.conf and created an init file for nnrpd with systemd, ExecStart=/usr/lib/news/bin/nnrpd -p 563 -b 0.0.0.0 -S, which however does not work. I see with systemctl status inn-nrrpd that the script failed due to binding on busy port 563 and .... killall nnrpd.
    After this command nnrpd is really dead, even adding -S to nnrpdflags again I was not able to start it anymore, not even with a server reboot. It was only with the command sudo -u news /usr/lib/news/bin/nnrpd -S -D -p 563 that nnrpd is "resurrected" and with which it is now active.
    I removed the nnrpdflags -S option from etc/news/inn.conf but port 119 is still not exactly clear

    $ openssl s_client news.tcpreset.net:119
    Connecting to 2a01:4f8:c0c:2f94::1
    CONNECTED(00000003)
    depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
    verify return:1
    depth=1 C=US, O=Let's Encrypt, CN=R11
    verify return:1
    depth=0 CN=news.tcpreset.net
    verify return:1
    ---

    Any help appreciated
    Best regards

    Gabx

    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Roberto CORRADO@i@secure.corradoroberto.it to news.admin.peering,news.software.nntp on Wed Apr 2 20:14:34 2025
    From Newsgroup: news.software.nntp

    "Gabx" wrote:
    ,----[ Quote vshfc5$2dfs$1@news.tcpreset.net ]
    | I removed the nnrpdflags -S option from etc/news/inn.conf but port 119 is still not exactly clear
    `----
    IMHO, it is the correct procedure, but have you restarted the INN2 server?
    After launch, append su news /usr/inn/nnrpd -D -p 563 -S to the startup script.

    Gabx, congratulations on your NNTP server, you have excellent peers!
    --
    Roberto.
  • From Gabx@info@tcpreset.invalid to news.admin.peering,news.software.nntp on Wed Apr 2 21:41:49 2025
    From Newsgroup: news.software.nntp

    Roberto CORRADO wrote:
    "Gabx" wrote:


    ,----[ Quote vshfc5$2dfs$1@news.tcpreset.net ]
    | I removed the nnrpdflags -S option from etc/news/inn.conf but port 119 is still not exactly clear
    `----

    IMHO, it is the correct procedure, but have you restarted the INN2 server?
    After launch, append su news /usr/inn/nnrpd -D -p 563 -S to the startup script.

    Gabx, congratulations on your NNTP server, you have excellent peers!

    Thanks !!!
  • From aw@aw@somewhere.invalid (Adam W.) to news.admin.peering,news.software.nntp on Thu May 29 12:42:13 2025
    From Newsgroup: news.software.nntp

    In news.admin.peering Gabx <personne@null.domain> wrote:

    Any help appreciated

    I'm late to the party (I've not been active here recently), but if you
    still have the issue, here's my configuration.

    I have inn running normally, on port 119, and it drops non-peers to
    nnrpd, which accepts STARTTLS to switch to TLS.

    I also have the following entry in my inetd.conf:

    nntps stream tcp nowait news /usr/local/news/bin/nnrpd nnrpd -S

    So connections to port nntps (563) are guarded by TLS from the beginning (without STARTTLS).

    I don't know if it's the official way to do it, but it works without any problems.

    BTW, when you post to multiple groups, don't insert spaces after the
    commas. Some software might not like it (tin complains).
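The layout Adam describes (clear NNTP on 119 that offers STARTTLS, implicit TLS on 563 from inetd) and the openssl s_client transcript in the first post can both be checked from outside with the script below. It is an added example, not code from the thread or from INN; it assumes nc, openssl with -starttls nntp support, and coreutils timeout are installed, and the host name is whatever is passed on the command line (the banner text in the comments is constructed).

```shell
#!/bin/sh
# Added example (not from the thread): probe an INN/nnrpd host and report, per
# port, whether it speaks clear NNTP, implicit TLS (nntps), or STARTTLS.
# Assumed tools: nc(1), openssl(1) with '-starttls nntp', coreutils timeout(1).

# Classify the first line a server sends right after the TCP connect.
# RFC 3977 greetings start with "200" (posting allowed) or "201" (read-only),
# e.g. "200 news.example.invalid InterNetNews NNRP server INN 2.6.4 ready".
# An implicit-TLS listener sends nothing: it waits for the client's ClientHello.
classify_greeting() {
    case "$1" in
        200*|201*) echo "clear" ;;
        "")        echo "silent" ;;
        *)         echo "unknown" ;;
    esac
}

# Classify an `openssl s_client` transcript. A completed handshake prints the
# server certificate in PEM; "Verify return code: 0 (ok)" means the chain
# verified against the local trust store. s_client prints a "Verify return
# code" line even after a failed handshake, so the certificate block, not that
# line, is the evidence that TLS was actually negotiated.
classify_s_client() {
    if ! printf '%s\n' "$1" | grep -q -- '-----BEGIN CERTIFICATE-----'; then
        echo "no-tls"
    elif printf '%s\n' "$1" | grep -q '^Verify return code: 0 (ok)'; then
        echo "tls-verified"
    else
        echo "tls-unverified"
    fi
}

# Read the greeting from a port in clear (empty if nothing arrives within 3 s,
# which is also what you get when nc is missing, so install it first).
read_greeting() {  # $1 host, $2 port
    sleep 3 | timeout 6 nc -w 3 "$1" "$2" 2>/dev/null | head -n 1 | tr -d '\r'
}

# Run an implicit-TLS or STARTTLS handshake and return the full transcript.
tls_transcript() {  # $1 host, $2 port, $3 "" for implicit TLS or "nntp" for STARTTLS
    if [ -n "$3" ]; then
        timeout 10 openssl s_client -connect "$1:$2" -starttls "$3" -servername "$1" </dev/null 2>&1
    else
        timeout 10 openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>&1
    fi
}

main() {
    host=$1
    # Expected for the wanted setup: 119 "clear" + STARTTLS ok, 563 "silent" + implicit TLS ok.
    echo "119 greeting : $(classify_greeting "$(read_greeting "$host" 119)")"
    echo "119 starttls : $(classify_s_client "$(tls_transcript "$host" 119 nntp)")"
    echo "563 greeting : $(classify_greeting "$(read_greeting "$host" 563)")"
    echo "563 implicit : $(classify_s_client "$(tls_transcript "$host" 563 "")")"
}

if [ $# -ge 1 ]; then main "$@"; fi
```

Run it as sh probe-nntp.sh news.example.invalid. Against the server in the first post it would print silent for the 119 greeting, and a plain s_client on 119 (no -starttls) would come back tls-verified: that is the symptom described there. The -S in nnrpdflags is handed to every nnrpd that innd spawns for port 119 connections, so putting it there turns the clear port into an implicit-TLS port instead of adding a second listener.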
  • From Gabx@info@tcpreset.invalid to news.admin.peering,news.software.nntp on Sun Jun 8 22:46:05 2025
    From Newsgroup: news.software.nntp

    Adam W. wrote:

    I have inn running normally, on port 119, and it drops non-peers to
    nnrpd, which accepts STARTTLS to switch to TLS.

    I also have the following entry in my inetd.conf:

    nntps stream tcp nowait news /usr/local/news/bin/nnrpd nnrpd -S

    So connections to port nntps (563) are guarded by TLS from the beginning (without STARTTLS).


    Hi !
    I am on Ubuntu-22.04 and my NNTP server is INN2.6.4 installed with apt.
    I have a systemd script:

    [Unit]
    Description=NNRP Daemon (standalone TLS on port 563)
    After=network-online.target
    Wants=network-online.target
    Requires=inn2.service

    [Service]
    Type=simple
    User=news
    Group=news
    ExecStart=/usr/lib/news/bin/nnrpd -p 563 -b 0.0.0.0 -S
    Restart=on-abort
    ConfigurationDirectory=news
    LogsDirectory=news
    LogsDirectoryMode=775
    RuntimeDirectory=news
    StateDirectory=news
    StateDirectoryMode=775
    ReadWritePaths=/var/spool/news/
    ProtectSystem=full
    ProtectControlGroups=yes
    ProtectHome=yes
    LimitNOFILE=infinity

    [Install]
    WantedBy=multi-user.target

    The server is in production, stopping the service would not be nice, you
    will understand me.

    I hope to find a nnrpd ssl configuration that definitely works with my environment.

    Certificates are ready with letsencrypt.
    This the desired configuration in etc/news/inn.conf:

    #tlscafile: /etc/news/ssl/chain.pem
    #tlscapath: /etc/news/ssl
    #tlscertfile: /etc/news/ssl/cert.pem
    #tlskeyfile: /etc/news/ssl/privkey.pem
    #tlsciphers: "ECDHE+AESGCM"
    #tlsciphers13: "TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256"
    #tlscompression: false
    #tlseccurve: "X25519:P-256:P-384:P-521"
    #tlspreferserverciphers: true
    #tlsprotocols: [ TLSv1.2 TLSv1.3 ]

    These are the errors in the logs for nnrpd launched by systemd:

    Jun 08 20:32:49 news.tcpreset.net nnrpd[3657084]: unable to get certificate from '/etc/news/cert.pem'
    Jun 08 20:32:49 news.tcpreset.net nnrpd[3657084]: error initializing TLS: [CA_file: ] [CA_path: /etc/news] [cert_file: /etc/news/cert.pem] [key_

    Uncommenting the settings in etc/news/inn.conf would probably solve this.
    There would also be *nnrpdflags* parameter where I wouldn't know whether
    to use -S when already used in the systemd script,

    too many doubts.

    Gabx
    --
    0745074DFEAA9CB762E9D89D3E54F490F2CC5A82
  • From aw@aw@somewhere.invalid (Adam W.) to news.admin.peering,news.software.nntp on Sun Jun 8 23:18:18 2025
    From Newsgroup: news.software.nntp

    In news.admin.peering Gabx <info@tcpreset.invalid> wrote:

    The server is in production, stopping the service would not be nice, you will understand me.

    I sure do. When I want to do some invasive experiments on my server, I
    just copy the files (minus huge spools) to the VM and do them there. It
    might be a solution.

    These are the errors in the logs for nnrpd launched by systemd:

    Jun 08 20:32:49 news.tcpreset.net nnrpd[3657084]: unable to get certificate from '/etc/news/cert.pem'

    Does this file exist? What are its access rights (and access rights for /etc/news directory itself)? Is it possible that it's a simple file access error? If not, then does the file start with "-----BEGIN CERTIFICATE-----"?
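Adam's three questions (does the file exist, who can read it, does it start with the PEM header), together with the commented-out tls* block and the log lines in the previous post, can be answered with the script below. It is an added example, not INN's code or anything posted in the thread; it assumes openssl is installed, the service user is news, and inn.conf lives at /etc/news/inn.conf. The /etc/news/ssl paths from the post are used only as placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the TLS settings and files
# nnrpd will load. Assumes openssl(1), a service user "news" and /etc/news/inn.conf.

INNCONF=${INNCONF:-/etc/news/inn.conf}

# Effective value of a key in inn.conf, or "unset" when the line is absent or
# commented out. A leading '#' makes INN ignore the line, so its defaults apply:
# for tlscertfile and tlskeyfile those are pathetc/cert.pem and pathetc/key.pem,
# which is the /etc/news/cert.pem the posted log message complains about.
inn_setting() {  # $1 inn.conf path, $2 key (e.g. tlscertfile)
    val=$(sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//' | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else echo unset; fi
}

# Check one PEM file: present, a regular file, readable by the caller, and
# starting with the expected header. Prints a verdict; returns 1 on failure.
check_pem() {  # $1 path, $2 expected PEM type: CERTIFICATE or "PRIVATE KEY"
    f=$1; want=$2
    [ -e "$f" ] || { echo "$f: missing"; return 1; }
    [ -f "$f" ] || { echo "$f: not a regular file"; return 1; }
    [ -r "$f" ] || { echo "$f: not readable by $(id -un)"; return 1; }
    first=$(head -n 1 "$f")
    # "-----BEGIN PRIVATE KEY-----" (PKCS#8) or "-----BEGIN RSA/EC PRIVATE KEY-----"
    case "$first" in
        "-----BEGIN $want-----"|"-----BEGIN "*" $want-----") echo "$f: ok"; return 0 ;;
        *) echo "$f: first line '$first' is not a $want PEM header"; return 1 ;;
    esac
}

# Same readability test, but as the service user: nnrpd runs as news, so root
# being able to read the key proves nothing. -n makes sudo fail fast without a tty.
readable_as() {  # $1 user, $2 path
    sudo -n -u "$1" test -r "$2"
}

# The private key must belong to the certificate: compare the public keys.
key_matches_cert() {  # $1 cert.pem, $2 privkey.pem
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

main() {
    for key in tlscafile tlscapath tlscertfile tlskeyfile tlsprotocols; do
        echo "$key: $(inn_setting "$INNCONF" "$key")"
    done
    cert=$(inn_setting "$INNCONF" tlscertfile)
    key=$(inn_setting "$INNCONF" tlskeyfile)
    [ "$cert" = unset ] && cert=/etc/news/cert.pem   # INN default with pathetc=/etc/news
    [ "$key" = unset ] && key=/etc/news/key.pem
    check_pem "$cert" CERTIFICATE
    check_pem "$key" "PRIVATE KEY"
    if readable_as news "$key"; then echo "$key: readable by news"; else echo "$key: NOT readable by news"; fi
    if key_matches_cert "$cert" "$key"; then echo "key matches cert"; else echo "key does NOT match cert"; fi
}

if [ "${1:-}" = --run ]; then main; fi
```

Run it as sh check-nnrpd-tls.sh --run. Two things it makes visible: every tls* line in the posted inn.conf begins with '#', so INN ignores them and falls back to its defaults, which is why the log names /etc/news/cert.pem rather than /etc/news/ssl/cert.pem; and a file root can read may still be unreadable by news, the user both the systemd unit and Adam's inetd line run nnrpd as. On the nnrpdflags doubt: that setting is only passed to the nnrpd processes innd spawns for port 119, so leaving -S out of it and keeping -S on the systemd ExecStart is what gives a clear 119 and a TLS-only 563. With Let's Encrypt, cert.pem holds the leaf alone; after fixing the paths, confirm with openssl s_client that clients still see the intermediate (the depth=1 line in the first post's transcript), or they will report an incomplete chain.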
  • From noreply@noreply@dirge.harmsk.com to news.software.nntp on Sun Jun 8 19:46:40 2025
    From Newsgroup: news.software.nntp

    On Sun, 8 Jun 2025 22:46:05 +0200, Gabx <info@tcpreset.invalid> wrote:
    too many doubts.

    no doubt this troll farm "from" puppet has deployed at least a hundred aliases that resemble "gabx" ... e.g. news:alt.privacy.anon-server on blueworldhosting:

    admin@gabrix.ath.cx (G)
    admin@gabrix.ath.cx (Gab)
    admin@nomail.com (Gab)
    anon@gabrix.invalid (anonymous)
    anon@gabrix.invalid (scoty)
    anon@remailergabrix.ath.cx (g)
    Ban DU <bandu@nym.gabrix.ath.cx>
    Cloaked <cloaked@nym.gabrix.ath.cx>
    Gab -Otagifs- <send-mail-to-gpg-key80231A90@noauth.invalid>
    Gab <0x80231A90@noauth.invalid>
    Gab <admin@gabrix.ath.cx>
    Gab <gab@domain.invalid>
    Gab <gabriele@riseup.net>
    gab <gabrix@gabrix.ath.cx>
    Gab <gabrix@NOSPAM_gabrix.ath.cx>
    Gab <gabrix@NOSPAMremailer.dyndns.org>
    Gab <gabrix@remailer.dyndns.org>
    Gab <gabx@mail2tor.com>
    Gab <krozus@tormail.net>
    Gab <noauth@autistici.org>
    Gab <noauth@domain.invalid>
    Gab <noauth@gabrix.ath.cx>
    Gab <none@domain.invalid>
    Gab <send-mail-to-gpg-key80231A90@domain.invalid>
    Gab <unklean@domain.invalid>
    Gab <Use-Author-Supplied-Address-Header@[127.1]>
    Gab <usenet-180709@news.gabrix.ath.cx>
    Gab <usenet-190709@news.gabrix.ath.cx>
    Gab <usenet-220709@news.gabrix.ath.cx>
    Gab <usenet-240709@somewhere.invalid>
    Gab Anonymous_X Admin <remailer-admin@No_Spam_Please.smtp.remailer.dyndns.org>
    Gab_Noauth <send-mail-to-gpg-key80231A90@noauth.invalid>
    gab@noauth.invalid (Gab)
    gab@nomail.no (Gab)
    Gabriele <not-for-mail@domain.invalid>
    Gabriele Salati <Use-Author-Supplied-Address-Header@[127.1]>
    Gabriele Toulouse <g48rix@googlemail.com>
    gabrix <gabrix@domain.invalid-not-for-mail>
    gabrix <gabrix@gabrix.ath.cx>
    gabrix <gabrix@news.gabrix.ath.cx>
    gabrix <noauth@autistici.org>
    gabrix <noauth666@riseup.net>
    gabrix <remailer-admin@remailer.gabrix.ath.cx>
    gabrix <Use-Author-Supplied-Address-Header@[127.1]>
    gabrix <usenet@gabrix.ath.cx>
    "Gabrix.ath.cx OP" <admin@gabrix.ath.cx>
    Gabrix Noauth - Gab <Use-Author-Supplied-Address-Header@[127.1]>
    gabrix@gabrix.ath.cx (Gab)
    Gabx <fake@email.addr>
    Gabx <personne@zero.null>
    Gabx <victor@domain.invalid>
    Gabx <00000@zero.null>
    Gabx <bmux-onion@secmail.pro>
    Gabx <dogfromhell666@mail2tor.com>
    Gabx <gab@gmail.com>
    Gabx <gabriel1@virebent.art>
    Gabx <Gabx@tcpreset.invalid>
    Gabx <info@tcpreset.invalid>
    Gabx <info@verebent.art>
    Gabx <invalid@gmail.com>
    Gabx <my@email.address>
    Gabx <my@own.email>
    Gabx <nessuno@domain.invalid>
    Gabx <nessuno@niente.null>
    Gabx <nessuno@tcpreset.invalid>
    Gabx <nessuno@u44mxsvwctps3fxvgmr2fuzuzn74gzatiwuwyqpyr4rk74ipfsercfqd.onion>
    Gabx <nessuno@virebent.invalid>
    Gabx <nobody@email.not>
    Gabx <nobody@n4vjl2rfnmf3ctjs.onion>
    Gabx <nobody@niente.null>
    Gabx <nobody@yamn.paranoici.org>
    Gabx <noreply@mixmin.net>
    Gabx <null@tcpreset.invalid>
    Gabx <tcpreset@virebent.invalid>
    Gabx <Use-Author-Supplied-Address-Header@[127.1]>
    Gabx <virebent@tcpreset.invalid>
    Gabx <zeman@antifa>
    Gabx Kdog <noreply@mixmin.net>
    Gabx Kdog <Use-Author-Supplied-Address-Header@[127.1]>
    Gabx@nessun.rimorso
    Gabx@tcpreset.invalid
    Generic Poster <generic_poster@nym.gabrix.ath.cx>
    Jybril <gabx@mail2tor.com>
    Neverwhere <neverwhere@nym.gabrix.ath.cx>
    noauth <anon@remailer.gabrix.ath.cx>
    Noauth <gab@noauth.invalid>
    NoAuth <nobody@gabrix.ath.cx>
    noauth <remailer@mail.gabrix.ath.cx>
    noauth@autistici.org (Gab)
    noauth@domain.invalid (Gab)
    noauth@nomail.null (Gab)
    none <""gabrix\"@(none).invalid">
    None <gabrix@gabrix.ath.cx>
    None <gabrix73@googlemail.com>
    none@gabrix.localhost (Gab)
    Null <admin@gabrix.ath.cx>
    OmniMix <om@nym.gabrix.ath.cx>
    Otagifs <usenet-010809@news.gabrix.ath.cx>
    remailer-admin@mail.gabrix.ath.cx (Gab)
    Test_Gab <test@test.invalid>
    ...

    decades of endless campaigns to promote pseudonymity, hammering a.p.a-s
    and other forums relentlessly with their "tormailer" entrapment schemes

    but of course, most active newsgroups are continually occupied by troll
    farm marionettes, so there's nothing particularly unusual about "gab-x"