inn.conf - Configuration data for InterNetNews programs
inn.conf in pathetc is the primary general configuration file for all InterNetNews programs. Settings which control the general operation of various programs, as well as the paths to all portions of the news installation, are found here. The INNCONF environment variable, if set, specifies an alternate path to inn.conf.
This file is intended to be fairly static. Any changes made to it will generally not affect any running programs until they restart. Unlike nearly every other configuration file, inn.conf cannot be reloaded dynamically using ctlinnd(8); innd(8) must be stopped and restarted for relevant changes to inn.conf to take effect (
ctlinnd xexec inndis the fastest way to do this.)
Blank lines and lines starting with a number sign (
#) are ignored. All other lines specify parameters, and should be of the following form:
(Any amount of whitespace can be put after the colon and is optional.) If the value contains embedded whitespace or any of the characters
<\:>, it must be enclosed in double quotes ("). A backslash (
\) can be used to escape quotes and backslashes inside double quotes. <name> is case-sensitive;
serveris not the same as
SERVER. (inn.conf parameters are generally all in lowercase.)
If <name> occurs more than once in the file, the first value is used. Some parameters specified in the file may be overridden by environment variables. Most parameters have default values if not specified in inn.conf; those defaults are noted in the description of each parameter.
Many parameters take a boolean value. For all such parameters, the value may be specified as
onto turn it on and may be any of
offto turn it off. The case of these values is significant.
This documentation is extremely long and organized as a reference manual rather than as a tutorial. If this is your first exposure to INN and these parameters, it would be better to start by reading other man pages and referring to this one only when an inn.conf parameter is explicitly mentioned. Those parameters which need to be changed when setting up a new server are discussed in INSTALL.
These parameters are used by a wide variety of different components of INN.
|domain||This should be the domain name of the local host. It should not have a leading period, and it should not be a full host address. It is used only if the GetFQDN() routine in libinn(3) cannot get the fully qualified domain name by using either the gethostname(3) or gethostbyname(3) calls. The check is very simple; if either routine returns a name with a period in it, then it is assumed to have the full domain name. As this parameter is rarely used, do not use it to affect the righthand side of autogenerated Message-IDs; see instead virtualhost and domain in readers.conf(5). The default value is unset.|
|innflags||The flags to pass to innd on startup. See innd(8) for details on the possible flags. The default value is unset.
Note that these flags are only used when innd is started from rc.news or nntpsend.
|mailcmd||The path to the program to be used for mailing reports and control messages. The default is pathbin/innmail. This should not normally need to be changed.|
|mta||The command to use when mailing postings to moderators and for the use of innmail(1). The message, with headers and an added To: header, will be piped into this program. The string
For most systems,
|pathhost||What to put into the Path: header to represent the local site. This is added to the Path: header of all articles that pass through the system, including locally posted articles, and is also used when processing some control messages and when naming the server in status reports. There is no default value; this parameter must be set in inn.conf or INN will not start. A good value to use is the fully qualified hostname of the system.|
|runasgroup||The group under which the news server will run. The default is
|runasuser||The user under which the news server will run. The default is
|server||The name of the default NNTP server. If nnrpdposthost is not set and UNIX domain sockets are not supported, nnrpd(8) tries to hand off locally-posted articles through an INET domain socket to this server. actsync(8), nntpget(8), and getlist(8) also use this value as the default server to connect to. In the latter cases, the value of the NNTPSERVER environment variable, if it exists, overrides this. The default value is unset.|
|syntaxchecks||A list of values controlling the level of checks performed by innd and nnrpd. For instance:
The last occurrence of a given value takes precedence, that is to say if
Only one check can currently be enabled/disabled:
These parameters govern incoming and outgoing feeds: what size of articles are accepted, what filtering and verification is performed on them, whether articles in groups not carried by the server are still stored and propagated, and other similar settings.
|artcutoff||Articles older than this number of days are dropped. The default value is
In order to disable that check on date, you can set this parameter to
The number on the
|bindaddress||Which IP address innd(8) should bind itself to. This must be in dotted-quad format (nnn.nnn.nnn.nnn). If set to
|bindaddress6||Like bindaddress but for IPv6 sockets. If only one of the bindaddress and bindaddress6 parameters is used, then only the socket for the corresponding address family is created. If both parameters are used then two sockets are created. If neither of them is used, the list of sockets to listen on will be determined by the system library getaddrinfo(3) function. The value of the INND_BIND_ADDRESS6, if set, overrides this setting. The default value is unset.
Note that you will generally need to put double quotes ("") around this value if you set it, since IPv6 addresses contain colons.
|dontrejectfiltered||Normally innd(8) rejects incoming articles when directed to do so by any enabled article filters (Perl or Python). However, this parameter causes such articles not to be rejected; instead filtering can be applied on outbound articles. If this parameter is set, all articles will be accepted on the local machine, but articles rejected by the filter will not be fed to any peers specified in newsfeeds with the
|hiscachesize||If set to a value other than
|ignorenewsgroups||Whether newsgroup creation control messages (newgroup and rmgroup) should be fed as if they were posted to the newsgroup they are creating or deleting rather than to the newsgroups listed in the Newsgroups: header. If this parameter is set, the newsgroup affected by the control message will be extracted from the Control: header and the article will be fed as if its Newsgroups: header contained solely that newsgroup. This is useful for routing control messages to peers when they are posted to irrelevant newsgroups that shouldn’t be matched against the peer’s desired newsgroups in newsfeeds. This is a boolean value and the default is false.|
|immediatecancel||When using the timecaf storage method, article cancels are normally just cached to be cancelled, not cancelled immediately. If this is set to true, they will instead by cancelled as soon as the cancel is processed. This is a boolean value and the default is false.
This setting is ignored unless the timecaf storage method is used.
|linecountfuzz||If set to something other than
|maxartsize||The maximum size of article (headers and body) that will be accepted by the server, in bytes. A value of
|maxconnections||The maximum number of incoming NNTP connections innd(8) will accept. The default value is
|pathalias||If set, this value is prepended to the Path: header of accepted posts (before pathhost) if it doesn’t already appear in the Path: header. The main purpose of this parameter is to configure all news servers within a particular organization to add a common identity string to the Path: header. The default value is unset.|
|pathcluster||If set, this value is appended to the Path: header of accepted posts (after pathhost) if it isn’t already present as the last element of the Path: header. The main purpose of this parameter is to make several news servers appear as one server. The default value is unset.
Note that the Path: header reads right to left, so appended means inserted at the leftmost side of the Path: header.
|pgpverify||Whether to enable PGP verification of control messages other than cancel. This is a boolean value and the default in the inn.conf sample file is based on whether configure found pgp, pgpv, pgpgpg, gpgv, gpgv1, gpgv2, gpg, gpg1 or gpg2. Note that if the parameter is not present in the configuration file, it defaults to false.|
|port||What TCP port innd(8) should listen on. The default value is
|refusecybercancels||Whether to refuse all articles whose message IDs start with
This is a somewhat messy, inefficient, and inexact way of refusing spam cancels. A much better way is to ask all of your upstream peers to not send to you any articles with
|remembertrash||By default, innd(8) records rejected articles in history so that, if offered the same article again, it can be refused before it is sent. If you wish to disable this behavior, set this to false. This can cause a substantial increase in the amount of bandwidth consumed by incoming news if you have several peers and reject a lot of articles, so be careful with it. Even if this is set to true, INN won’t log some rejected articles to history if there’s reason to believe the article might be accepted if offered by a different peer, so there is usually no reason to set this to false (although doing so can decrease the size of the history file). This is a boolean value and the default is true.|
|sourceaddress||Which local IP address to bind to for outgoing NNTP sockets (used by innxmit(8) among other programs, as well as innfeed(8) as long as not overridden by bindaddress in innfeed.conf(5)). This must be in dotted-quad format (nnn.nnn.nnn.nnn). If set to
|sourceaddress6||Like sourceaddress but for IPv6 sockets. Note that you will generally need to put double quotes ("") around this value if you set it, since IPv6 addresses contain colons.|
|verifycancels||Set this to true to enable a simplistic check on all cancel messages, attempting to verify (by simple header comparison) that at least one newsgroup in the cancel message can be found in the article to be cancelled. This check can’t be done if the cancel arrives before the article does. This is a boolean value, and the default is false.
Note that RFC 5537 (USEPRO) mentions that cancel control messages are not required to contain From: and Sender: header fields matching the target message. This requirement only encouraged cancel issuers to conceal their identity and provided no security. This check is therefore not done as it is extremely easy to spoof.
|verifygroups||Set this to true to reject incoming articles which contain an unknown newsgroup in the whole list of newsgroups to which they are posted. In case wanttrash is set to true, such articles will still be rejected. This is a boolean value, and the default is false.|
|wanttrash||Set this to true if you want to file articles posted to unknown newsgroups (newsgroups not in the active file) into the
The logtrash parameter specifies whether such articles should be logged as posted to unwanted newsgroups in the news log file.
|wipcheck||If INN is offered an article by a peer on one channel, it will return deferral responses (code 436) to all other offers of that article for this many seconds. (After this long, if the peer that offered the article still hasn’t sent it, it will be accepted from other channels.) The default value is
|wipexpire||How long, in seconds, to keep track of message IDs offered on a channel before expiring articles that still haven’t been sent. The default value is
The following parameter affect the history database.
|hismethod||Which history storage method to use. The only currently supported value is
These parameters affect how articles are stored on disk.
|cnfscheckfudgesize||If set to a value other than
|enableoverview||Whether to write out overview data for articles. If set to false, INN will run much faster, but reading news from the system will be impossible (the server will be for news transit only). If this option is set to true, ovmethod must also be set. This is a boolean value and the default is true.|
|extraoverviewadvertised||Besides the seven standard overview fields (which are in order
it implies that nnrpd will advertise
The default value is an empty list (no additional fields are stored). Owing to optimizations when innd parses the articles it receives, it is possible that all the values in the list are not recognized by innd as standard headers. In such cases, innd will log an error in news.err at startup and the unrecognized fields will be discarded.
You should advertise only fields for which the overview database is consistent, that is to say it records the content or absence of these fields for all articles, including those already existing in the news spool. Consequently, if you decide to add or remove a field from your overview database, you should either modify extraoverviewadvertised and rebuild your overview database with makehistory(8) after removing all existing overview files, or implement a transition period by first using extraoverviewhidden as described below.
Use of a transition period can accommodate most overview reconfigurations, but certain drastic changes may still require a complete overview rebuild.
If for instance you want to store the content of the To: header in addition to the fields already stored above, you should use:
Now suppose you want to remove the content of the Injection-Info: header from the overview. As order matters, the overview database will no longer be consistent for the To: header. Therefore, you need to specify:
And once overview data is accurate for all articles, you should use:
Note that you have to restart nnrpd if it runs as a daemon whenever you change the value of extraoverviewadvertised; a mere
|extraoverviewhidden||This parameter should be used in conjunction with extraoverviewadvertised (see above for more details). It expects a list of headers names. Overview data for these headers will be generated for each new article at the time of arrival but, contrary to the fields mentioned in extraoverviewadvertised, nnrpd will not advertise them in response to the LIST OVERVIEW.FMT command. It also implies that nnrpd will not look in the overview database for fields mentioned in extraoverviewhidden when it handles HDR, XHDR and XPAT requests; nnrpd will have to parse the headers of the requested articles in the news spool, which is slower than directly querying the overview database.
The default value is an empty list (no additional fields are stored). Owing to optimizations when innd parses the articles it receives, it is possible that all the values in the list are not recognized by innd as standard headers. In such cases, innd will log an error in news.err at startup and the unrecognized fields will be discarded.
|groupbaseexpiry||Whether to enable newsgroup-based expiry. If set to false, article expiry is done based on storage class of storing method. If set to true (and overview information is available), expiry is done by newsgroup name. This affects the format of expire.ctl. This is a boolean value and the default is true.|
|mergetogroups||Whether to file all postings to
|nfswriter||For servers writing articles, determine whether the article spool is on NFS storage. If set, INN attempts to flush articles to the spool in a more timely manner, rather than relying on the operating system to flush things such as the CNFS article bitmaps. You should only set this parameter if you are attempting to use a shared NFS spool on a machine acting as a single writer within a cluster. This is a boolean value and the default is false.|
|overcachesize||How many cache slots to reserve for open overview files. If INN is writing overview files (see enableoverview), ovmethod is set to
This setting is ignored unless ovmethod is set to
|ovgrouppat||If set, restricts the overview data stored by INN to only the newsgroups matching this comma-separated list of uwildmat(3) expressions. Newsgroups not matching this setting may not be readable, and if groupbaseexpiry is set to true and the storage method for these newsgroups does not have self-expire functionality, storing overview data will fail. The default is unset.|
|ovmethod||Which overview storage method to use. Currently supported values are
|storeonxref||If set to true, articles will be stored based on the newsgroup names in the Xref: header rather than in the Newsgroups: header. This affects what the patterns in storage.conf apply to. The primary interesting effect of setting this to true is to enable filing of all control messages according to what storage class the control pseudogroups are filed in rather than according to the newsgroups the control messages are posted to. This is a boolean value and the default is true.
If the tradspool article storage method is used, storeonxref must be true.
|useoverchan||Whether to innd(8) should create overview data internally through libstorage(3). If set to false, innd creates overview data by itself. If set to true, innd does not create; instead overview data must be created by overchan(8) from an appropriate entry in newsfeeds. Setting to true may be useful, if innd cannot keep up with incoming feed and the bottleneck is creation of overview data within innd. This is a boolean value and the default is false.|
|wireformat||Only used with the tradspool storage method, this says whether to write articles in wire format. Wire format means storing articles with
|xrefslave||Whether to act as the slave of another server. If set, INN attempts to duplicate exactly the article numbering of the server feeding it by looking at the Xref: header of incoming articles and assigning the same article numbers to articles as was noted in the Xref: header from the upstream server. The result is that clients should be able to point at either server interchangeably (using some load balancing scheme, for example) and see the same internal article numbering. Servers with this parameter set should generally only have one upstream feed, and should always have nnrpdposthost set to hand locally posted articles off to the master server. The upstream should be careful to always feed articles in order (innfeed(8) can have problems with this in the event of a backlog). This is a boolean value and the default is false.|
These parameters affect the behavior of INN for readers. Most of them are used by nnrpd(8). There are some special sets of settings that are broken out separately after the initial alphabetized list.
INN has optional support for generating keyword information automatically from article body text and putting that information in overview for the use of clients that know to look for it (HDR, OVER and XPAT commands). The following parameters control that feature.
Note that the two parameters nnrpperlauth and nnrppythonauth are now obsolete; see Changes to Perl Authentication Support for nnrpd in doc/hook-perl and Changes to Python Authentication and Access Control Support for nnrpd in doc/hook-python for more information.
|allownewnews||Whether to allow use of the NEWNEWS command by clients. This command used to put a heavy load on the server in older versions of INN, but is now reasonably efficient, at least if only one newsgroup is specified by the client. This is a boolean value and the default is true. If you use the access parameter in readers.conf, be sure to read about the way it overrides allownewnews.|
|articlemmap||Whether to attempt to mmap() articles. Setting this to true will give better performance on most systems, but some systems have problems with mmap(). If this is set to false, articles will be read into memory before being sent to readers. This is a boolean value and the default is true.|
|clienttimeout||How long (in seconds) a client connection can be idle before it exits. When setting this parameter, be aware that some newsreaders use the same connection for reading and posting and don’t deal well with the connection timing out while a post is being composed. If the system isn’t having a problem with too many long-lived connections, it may be a good idea to increase this value to
|initialtimeout||How long (in seconds) nnrpd will wait for the first command from a reader connection before dropping the connection. This is a defensive timeout intended to protect the news server from badly behaved reader clients that open and abandon a multitude of connections without every closing them. The default value is
|msgidcachesize||How many cache slots to reserve for message-IDs to storage token translations. When serving overview data to clients (NEWNEWS, OVER, etc.), nnrpd(8) can cache the storage token associated with a message-ID and save the cost of looking it up in the history file; for some configurations, setting this parameter can save more than 90% of the wall clock time for a session. The default value is
|nfsreader||For servers reading articles, determine whether the article spool is on NFS storage. If set, INN will attempt to force articles and overviews to be read directly from the NFS spool rather than from cached copies. You should only set this parameter if you are attempting to use a shared NFS spool on a machine acting as a reader within a cluster. This is a boolean value and the default is false.|
|nfsreaderdelay||If nfsreader is set, INN will use the value of nfsreaderdelay to delay the apparent arrival time of articles to clients by this amount. Note that only answers to GROUP and NEWNEWS commands are affected. This value should be tuned based on the NFS cache timeouts locally. The default is
|nnrpdcheckart||Whether nnrpd should check the existence of an article before listing it as present in response to an NNTP command. The primary use of this setting is to prevent nnrpd from returning information about articles which are no longer present on the server but which still have overview data available. Checking the existence of articles before returning overview information slows down the overview commands, but reduces the number of article is missing errors seen by the client. This is a boolean value and the default is true.|
|nnrpdflags||When nnrpd(8) is spawned from innd(8), these flags are passed as arguments to the nnrpd process. This setting does not affect instances of nnrpd that are started in daemon mode, or instances that are started via another listener process such as inetd(8) or xinetd(8). Shell quoting and metacharacters are not supported. This is a string value and the default is unset.|
|nnrpdloadlimit||If set to a value other than
|noreader||Normally, innd(8) will fork a copy of nnrpd(8) for all incoming connections from hosts not listed in incoming.conf. If this parameter is set to true, those connections will instead be rejected with a 502 error code. This should be set to true for a transit-only server that doesn’t support readers, or if nnrpd is running in daemon mode or being started out of inetd. This is a boolean value and the default is false.|
|readerswhenstopped||Whether to allow readers to connect even if the server is paused or throttled. This is only applicable if nnrpd(8) is spawned from innd(8) rather than run out of inetd or in daemon mode. This is a boolean value and the default is false.|
|readertrack||Whether to enable the tracking system for client behavior. Tracked information is recorded to pathlog/tracklogs/log-ID, where ID is determined by nnrpd’s PID and launch time. Currently the information recorded includes initial connection and posting; only information about clients listed in nnrpd.track is recorded. In addition, every posted article will be saved in pathlog/trackposts/track.message-id, where message-id is the message ID of the post. This is a boolean value and the default is false.|
|tradindexedmmap||Whether to attempt to mmap() tradindexed overviews articles. Setting this to true will give better performance on most systems, but some systems have problems with mmap(). If this is set to false, overviews will be read into memory before being sent to readers. This is a boolean value and the default is true.|
This may be too slow if you’re taking a substantial feed, and probably will not be useful for the average news reader; enabling this is not recommended unless you have some specific intention to take advantage of it.
|keywords||Whether the keyword generation support should be enabled. This is a boolean value and the default is false.
If an article already contains a Keywords: header, no keyword generation is done and the original Keywords: header is kept untouched.
In order to use this feature, the regex library should be available and INN configured with the --enable-keywords flag. Otherwise, no keywords will be generated, even though this boolean value is set to true. You also have to add the integration of the Keywords: header into the overview with extraoverviewadvertised or extraoverviewhidden.
|keyartlimit||Articles larger than this value in bytes will not have keywords generated for them (since it would take too long to do so). The default value is
|keylimit||Maximum number of bytes allocated for keyword data. If there are more keywords than will fit into this many bytes when separated by commas, the rest are discarded. The default value is
|keymaxwords||Maximum number of keywords that will be generated for an article. (The keyword generation code will attempt to discard noise words, so the number of keywords actually written into the overview will usually be smaller than this even if the maximum number of keywords is found.) The default value is
These parameters are only used by nnrpd(8), inews(1), and other programs that accept or generate postings. There are some special sets of settings that are broken out separately after the initial alphabetized list.
nnrpd(8) has support for controlling high-volume posters via an exponential backoff algorithm, as configured by the following parameters.
|addinjectiondate||Whether to add an Injection-Date: header field to all local posts. This is a boolean value and the default is true.
Note that no Injection-Date: header fields will be added to local posts already containing both a Message-ID: header field and a Date: header field. This is done in conformance with standards, to help minimize the possibility of a loop in e-mail gatewaying and ensure that a newly injected article is not treated as a new, separate article in case of multiple injection of the same article to different injecting agents.
|addinjectionpostingaccount||Whether to add a posting-account attribute to the Injection-Info: header to all local posts giving the username assigned to the user at connection time or after authentication. This is a boolean value and the default is false. There is no intrinsic support for obfuscating the value. That has to be done with a user-written Perl filter, if desired.|
|addinjectionpostinghost||Whether to add a posting-host attribute to the Injection-Info: header to all local posts giving an FQDN (when known, by reverse lookup of the client IP address) and IP address of the system from which the post was received. This is a boolean value and the default is true. Note that INN either does not add this attribute or adds the name (when known) and IP address of the client. There is no intrinsic support for obfuscating the name of the client. That has to be done with a user-written Perl filter, if desired.
When this parameter is set to true, an FQDN (obtained by reverse lookup of the client IP address or, if unknown, the IP address itself) of the client is also added to the Path: header, after the
|checkincludedtext||Whether to check local postings for the ratio of new to quoted text and reject them if that ratio is under 50%. Included text is recognized by looking for lines beginning with
|complaints||The value of the mail-complaints-to attribute of the Injection-Info: header added to all local posts. The default is the newsmaster’s e-mail address. (If the newsmaster, selected at configure time and defaulting to
|fromhost||Contains a domain used to construct e-mail addresses. The address of the local news administrator will be given as <user>@fromhost, where <user> is the newsmaster user set at compile time (
|localmaxartsize||The maximum article size (in bytes) for locally posted articles. Articles larger than this will be rejected. A value of
|moderatormailer||The address to which to send submissions for moderated groups. It is only used if the moderators file doesn’t exist, or if the moderated group to which an article is posted is not matched by any entry in that file, and takes the same form as an entry in the moderators file. In most cases,
|nnrpdauthsender||Whether to generate a Sender: header based on reader authentication. If this parameter is set, a Sender: header will be added to local posts containing the identity assigned by readers.conf. If the assigned identity does not include an
|nnrpdposthost||If set, nnrpd(8) and rnews(1) will pass all locally posted articles to the specified host rather than trying to inject them locally. See also nnrpdpostport. This should always be set if xrefslave is true. The default value is unset.|
|nnrpdpostport||The port on the remote server to connect to to post when nnrpdposthost is used. The default value is
|organization||What to put in the Organization: header if it is left blank by the poster. The value of the ORGANIZATION environment variable, if set, overrides this setting. The default is unset, which tells INN not to insert an Organization: header.|
|spoolfirst||If true, nnrpd(8) will spool new articles rather than attempting to send them to innd(8). If false, nnrpd will spool articles only if it receives an error trying to send them to innd. Setting this to true can be useful if nnrpd must respond as fast as possible to the client; however, when set, articles will not appear to readers until they are given to innd. nnrpd won’t do this;
|strippostcc||Whether to strip To:, Cc:, and Bcc: headers out of all local posts via nnrpd(8). The primary purpose of this setting is to prevent abuse of the news server by posting to a moderated group and including To: or Cc: headers in the post so that the news server will send the article to arbitrary addresses. INN now protects against this abuse in other ways provided mta is set to a command that includes
Exponential posting backoff works as follows: news clients are indexed by IP address (or username, see backoffauth below). Each time a post is received from an IP address, the time of posting is stored (along with the previous sleep time, see below). After a configurable number of posts in a configurable period of time, nnrpd(8) will begin to sleep for increasing periods of time before actually posting anything (posting backoff is therefore activated). Posts will still be accepted, but at an increasingly reduced rate.
After backoff has been activated, the length of time to sleep is computed based on the difference in time between the last posting and the current posting. If this difference is less than backoffpostfast, the new sleep time will be 1 + (previous sleep time * backoffk). If this difference is less than backoffpostslow but greater than backoffpostfast, then the new sleep time will equal the previous sleep time. If this difference is greater than backoffpostslow, the new sleep time is zero and posting backoff is deactivated for this poster. (Note that this does not mean posting backoff cannot be reactivated later in the session.)
Exponential posting backoff will not be enabled unless backoffdb is set and backoffpostfast and backoffpostslow are set to something other than their default values.
Here are the parameters that control exponential posting backoff:
|backoffauth||Whether to index posting backoffs by user rather than by source IP address. You must be using authentication in nnrpd(8) for a value of true to have any meaning. This is a boolean value and the default is false.|
|backoffdb||The path to a directory, writeable by the news user, that will contain the backoff database. There is no default for this parameter; you must provide a path to a creatable or writeable directory to enable exponential backoff.|
|backoffk||The amount to multiply the previous sleep time by if the user is still posting too quickly. A value of
|backoffpostfast||Postings from the same identity that arrive in less than this amount of time (in seconds) will trigger increasing sleep time in the backoff algorithm. The default value is
|backoffpostslow||Postings from the same identity that arrive in greater than this amount of time (in seconds) will reset the backoff algorithm. Another way to look at this constant is to realize that posters will be allowed to generate at most 86400/backoffpostslow posts per day. The default value is
|backofftrigger||This many postings are allowed before the backoff algorithm is triggered. The default value is
TLS/SSL Support for Reading and Posting
Here are the parameters used by nnrpd(8) to provide TLS/SSL support.
Finally, here are the parameters that can be used to tighten the level of security provided by TLS/SSL in case new attacks exploitable in NNTP on the TLS protocol or some supported cipher suite are discovered:
The parameters related to certificates are:
|tlscafile||The path to a file containing certificate authority root certificates, used to present a trust chain to a TLS client. This parameter is only used if nnrpd is built with TLS/SSL support. The default value is an empty string.|
|tlscapath||The path to a directory containing certificate authority root certificates. Each file in the directory should contain one CA certificate, and the name of the file should be the CA subject name hash value. See the OpenSSL documentation for more information. This parameter is only used if nnrpd is built with TLS/SSL support. The default value is pathetc.|
|tlscertfile||The path to a file containing the server certificate to present to TLS clients. This parameter is only used if nnrpd is built with TLS/SSL support. The default value is pathetc/cert.pem.|
|tlskeyfile||The path to a file containing the encryption key for the server certificate named in tlscertfile. This may be the same as tlscertfile if, when you created the certificate, you put the key in the same file (if, for example, you gave the same file name to both the -out and -keyout options to
This file must only be readable by the news user or nnrpd will refuse to use it.
|tlsciphers||The string describing the cipher suites OpenSSL will support. See OpenSSL’s ciphers(1) command documentation for details. The default is unset, which uses OpenSSL’s default cipher suite list.|
|tlscompression||Whether to enable or disable TLS/SSL-level compression support. This is a boolean and the default is false, that is to say compression is disabled, so as to follow the best current practices for a secure use of TLS in application protocols (see RFC 8143 for NNTP).
Note that enabling TLS/SSL-level compression will be possible only if the OpenSSL library INN has been built with, supports that feature.
|tlseccurve||The name of the elliptic curve to use for ephemeral key exchanges. To see the list of curves supported by OpenSSL, use
The default is unset, which means an appropriate curve is auto-selected (if your OpenSSL version supports it) or the NIST P-256 curve is used.
This option is only effective if your OpenSSL version has ECDH support.
|tlspreferserverciphers||Whether to let the client or the server decide the preferred cipher suite, signature algorithm or elliptic curve to use for an incoming connection. This is a boolean and the default is true, that is to say the server will choose following its own preferences.|
|tlsprotocols||The list of TLS/SSL protocol versions to support. Valid protocols are SSLv2, SSLv3, TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3. The default value is to only allow TLS protocols:
Note that the listed protocols will be enabled only if the OpenSSL library INN has been built with, supports them. In case OpenSSL supports protocols more recent than TLSv1.3, they will be automatically enabled (which anyway is fine regarding security, as newer protocols are supposed to be more secure).
These parameters control the behavior of innwatch(8), the program that monitors INN and informs the news administrator if anything goes wrong with it.
|doinnwatch||Whether to start innwatch(8) from rc.news. This is a boolean value, and the default is true.|
|innwatchbatchspace||Free space in pathoutgoing, in inndf(8) output units (normally kilobytes), at which innd(8) will be throttled by innwatch(8), assuming a default innwatch.ctl. The default value is
|innwatchlibspace||Free space in pathdb, in inndf(8) output units (normally kilobytes), at which innd(8) will be throttled by innwatch(8), assuming a default innwatch.ctl. The default value is
|innwatchloload||Load average times 100 at which innd(8) will be restarted by innwatch(8) (undoing a previous pause or throttle), assuming a default innwatch.ctl. The default value is
|innwatchhiload||Load average times 100 at which innd(8) will be throttled by innwatch(8), assuming a default innwatch.ctl. The default value is
|innwatchpauseload||Load average times 100 at which innd(8) will be paused by innwatch(8), assuming a default innwatch.ctl. The default value is
|innwatchsleeptime||How long (in seconds) innwatch(8) will sleep between each check of INN. The default value is
|innwatchspoolnodes||Free inodes in patharticles at which innd(8) will be throttled by innwatch(8), assuming a default innwatch.ctl. The default value is
|innwatchspoolspace||Free space in patharticles and pathoverview, in inndf(8) output units (normally kilobytes), at which innd(8) will be throttled by innwatch(8), assuming a default innwatch.ctl. The default value is
These parameters control what information INN logs.
|docnfsstat||Whether to start cnfsstat(8) when innd(8) is started. cnfsstat will log the status of all CNFS cycbuffs to syslog on a periodic basis (frequency is the default for
|htmlstatus||Whether innd should write the status report as HTML file or in plain text. The HTML status file goes to pathhttp/inn_status.html, while the plain text status file is written to pathlog/inn.status. This is a boolean value and the default is true (an HTML status file is written). Also see the status parameter.|
|incominglogfrequency||How many articles to process on an incoming channel before logging the activity. The default value is
|logartsize||Whether the size of accepted articles (in bytes) should be written to the article log file. This is useful for flow rate statistics and is recommended. This is a boolean value and the default is true.|
|logcancelcomm||Set this to true to log
|logcycles||How many old logs scanlogs(8) keeps. scanlogs(8) is generally run by news.daily(8) and will archive compressed copies of this many days worth of old logs. The default value is
|logipaddr||Whether the verified name of the remote feeding host should be logged to the article log for incoming articles rather than the last entry in the Path: header. The only reason to ever set this to false is due to some interactions with newsfeeds flags; see newsfeeds(5) for more information. This is a boolean value and the default is true.|
|logsitename||Whether the names of the sites to which accepted articles will be sent should be put into the article log file. This is useful for debugging and statistics. This is a boolean value and the default is true.|
|logstatus||Whether innd should write a shortened version of its status report to syslog every status seconds. This is a boolean value and the default is true. If set to true, see the status parameter for more details on how to enable status reporting.|
|logtrash||Whether innd should add a line in the news log file to report unwanted newsgroups (that is to say newsgroups not locally carried by the news server). This is a boolean value and the default is true. It may be useful to set it to false when wanttrash is set to true.|
|nnrpdoverstats||Whether nnrpd overview statistics should be logged via syslog. This can be useful for measuring overview performance. This is a boolean value and the default is true.|
|nntplinklog||Whether to put the storage API token for accepted articles (used by nntplink) in the article log. This is a boolean value and the default is false.|
|stathist||Where to write history statistics for analysis with contrib/stathist.pl; this can be modified with ctlinnd(8) while innd is running. Logging does not occur unless a path is given, and there is no default value.|
|status||How frequently (in seconds) innd(8) should write out a status report. The report is written to pathhttp/inn_status.html or pathlog/inn.status depending on the value of htmlstatus. If this is set to
|timer||How frequently (in seconds) innd(8) should report performance timings to syslog. If this is set to
The following parameters can be modified to tune the low-level operation of INN. In general, you shouldn’t need to modify any of them except possibly rlimitnofile unless the server is having difficulty.
|badiocount||How many read or write failures until a channel is put to sleep or closed. The default value is
|blockbackoff||Each time an attempted write returns EAGAIN or EWOULDBLOCK, innd(8) will wait for an increasing number of seconds before trying it again. This is the multiplier for the sleep time. If you’re having trouble with channel feeds not keeping up, it may be good to change this value to
|chaninacttime||The time (in seconds) to wait between noticing inactive channels. The default value is
|chanretrytime||How many seconds to wait before a channel restarts. The default value is
|datamovethreshold||The threshold for deciding whether to move already-read data to the top of buffer or extend the buffer. The buffer described here is used for reading NNTP data. Increasing this value may improve performance, but it should not be increased on Systems with insufficient memory. Permitted values are between
|icdsynccount||How many article writes between updating the active and history files. The default value is
|keepmmappedthreshold||When using buffindexed, retrieving overview data (that is, responding to OVER or running expireover) causes mmapping of all overview data blocks which include requested overview data for newsgroup. But for high volume newsgroups like control.cancel, this may cause too much mmapping at once leading to system resource problems. To avoid this, if the amount to be mmapped exceeds keepmmappedthreshold (in KB), buffindexed mmap’s just one overview block (8 KB). This parameter is specific to buffindexed overview storage method. The default value is
|maxcmdreadsize||If set to anything other than
|maxforks||How many times to attempt a fork(2) before giving up. The default value is
|nicekids||If set to anything other than
|nicenewnews||If set to anything greater than
|nicennrpd||If set to anything greater than
|pauseretrytime||Wait for this many seconds before noticing inactive channels. Wait for this many seconds before innd processes articles when it’s paused or the number of channel write failures exceeds badiocount. The default value is
|peertimeout||How long (in seconds) an innd(8) incoming channel may be inactive before innd closes it. The default value is
|rlimitnofile||The maximum number of file descriptors that innd(8) or innfeed(8) can have open at once. If innd(8) or innfeed(8) attempts to open more file descriptors than this value, it is possible the program may throttle or otherwise suffer reduced functionality. The number of open file descriptors is roughly the maximum number of incoming feeds and outgoing batches for innd(8) and the number of outgoing streams for innfeed(8). If this parameter is set to a negative value, the default limit of the operating system will be used; this will normally be adequate on systems other than Solaris. Nearly all operating systems have some hard maximum limit beyond which this value cannot be raised, usually either 128, 256, or 1024. The default value of this parameter is
|patharchive||Where to store archived news. The default value is pathspool/archive.|
|patharticles||The path to where the news articles are stored (for storage methods other than CNFS). The default value is pathspool/articles.|
|pathbin||The path to the news binaries. The default value is pathnews/bin.|
|pathcontrol||The path to the files that handle control messages. The code for handling each separate type of control message is located here. Be very careful what you put in this directory with a name ending in
|pathdb||The path to the database files used and updated by the server (currently, active, active.times, history and its indices, and newsgroups). The default value is pathnews/db.|
|pathetc||The path to the news configuration files. The default value is pathnews/etc.|
|pathfilter||The path to the Perl and Python filters. The default value is pathbin/filter.|
|pathhttp||Where any HTML files (such as periodic status reports) are placed. If the news reports should be available in real-time on the web, the files in this directory should be served by a web server. The default value is the value of pathnews/http.|
|pathincoming||Location where incoming batched news is stored. The default value is pathspool/incoming.|
|pathlog||Where the news log files are written. The default value is pathnews/log.|
|pathnews||The home directory of the news user and usually the root of the news hierarchy. There is no default; this parameter must be set in inn.conf or INN will refuse to start.|
|pathoutgoing||Default location for outgoing feed files. The default value is pathspool/outgoing.|
|pathoverview||The path to news overview files. The default value is pathspool/overview.|
|pathrun||The path to files required while the server is running and run-time state information. This includes lock files and the sockets for communicating with innd(8). This directory and the control sockets in it should be protected from unprivileged users other than the news user. The default value is pathnews/run.|
|pathspool||The root of the news spool hierarchy. This used mostly to set the defaults for other parameters, and to determine the path to the backlog directory for innfeed(8). The default value is pathnews/spool.|
|pathtmp||Where INN puts temporary files. For security reasons, this is not the same as the system temporary files directory (INN creates a lot of temporary files with predictable names and does not go to particularly great lengths to protect against symlink attacks and the like; this is safe provided that normal users can’t write into its temporary directory). The default value is set at configure time and defaults to pathnews/tmp.|
Here is a very minimalist example that only sets those parameters that are required.
mta: "/usr/lib/sendmail -oi -oem %s" ovmethod: tradindexed pathhost: news.example.com pathnews: /usr/local/news hismethod: hisv6
For a more comprehensive example, see the sample inn.conf distributed with INN and installed as a starting point; it contains all of the default values for reference.
Written by Rich
$alz<rsalz> for InterNetNews and since modified, updated, and reorganized by innumerable other people.
$Id:inn.conf.pod 10245 2018-02-16 21:11:59Z iulius $