Daniele Duca
BOFH excuse for today:  because Bill Gates is a Jehovah's witness and so nothing can work on St. Swithin's day.
Server date is: 19/7/2024

This site best viewed with eyes

Say NO to software patents!

13/06/04 - Release 0.1

This HOWTO describes how to setup a leaf NNTP server with user authentication and SSL encryption. This is very useful if you want to read newsgroups from every place you go, without worrying about what news server to use in your current network.

You will need Leafnode, Stunnel and the NNTP Auth Patch written by FaUl

Once you downloaded these three packages:

# tar xvfj leafnode-1.X.X.rel.tar.bz2
# cd leafnode-1.X.X.rel
# ./configure --prefix=/usr --sysconfdir=/etc

now edit the file nntpd.c, go around line 1833 and look for something like "printf("200 Leafnode NNTP Daemon ... ");" When you found that line, replace it with "fputs ("281 Authentication accepted.\r\n",stdout);". Save the file and:

# make
# make install
# useradd -s /bin/false -d /dev/null news
# mkdir -p /usr/var/spool/news
# chown news.news /usr/var/spool/news

Now untar and compile Stunnel:

# tar xvfz stunnel-4.X.tar.gz
# cd stunnel-4.X
# ./configure --prefix=/usr --sysconfdir=/etc
# make
# make install //You will be asked to create a certificate
# cp stunnel.pem /etc/stunnel
# useradd -s /bin/false -d /dev/null stunnel
# cp tools/stunnel.conf-sample /etc/stunnel/stunnel.conf
# chown stunnel.stunnel /etc/stunnel
# chown stunnel.stunnel /etc/stunnel/*
# mkdir /var/run/stunnel
# chown stunnel.stunnel /var/run/stunnel
# cp tools/stunnel.init /etc/init.d/stunnel
# chmod +x /etc/init.d/stunnel

Untar and compile the nntp auth patch:

# tar xvfj nntpauth-0.1.0.tar.bz2
# cd nntpauth-0.1.0
# make
# make install //(binaries goes under /usr/local/bin)

Edit the file /etc/config.example (leafnode's config file), modify it and save it under the name /etc/config. Most important lines to modify are:

server = your.news.server
initialfetch = 200
allowSTRANGERS = 42 #(case sensitive)

You need to add a user able to connect to your NNTP server:

# touch /etc/nntppass
# chown news.news /etc/nntppass
# /usr/local/bin/chckpssmdb.pl /etc/nntppass
/etc/nntppass> add user
/etc/nntppass> write
/etc/nntppass> exit

Create a /etc/xinet.d/leafnode file, and type:

service nntp
     disable = no
     socket_type = stream
     protocol = tcp
     wait = no
     user = news
     server = /usr/sbin/tcpd
     server_args = /usr/local/bin/nntpauth gateway /usr/local/bin/nntpcheckpwd /etc/nntppass /usr/sbin/leafnode
     instances = 7
     per_source = 3

Reload Xinetd and test if the NNTP server with authentication works:

# telnet localhost 119
Connected to localhost.
Escape character is '^]'.
200 news.home nntpauth by FaUl, Authorization required for reading and posting.
AUTHINFO user user
381 PASS required
AUTHINFO pass password
281 Authentication accepted.

If everything worked good, you can authenticate with your NNTP proxy server. Remember to run "fetchnews" in a cronjob (read leafnode's manual, it's important :)
But reading news without SSL from outside our LAN is not safe so we are going to setup Stunnel to encrypt our connection.
Edit the file /etc/stunnel/stunnel.conf :

cert = /etc/stunnel/stunnel.pem //The ssl certificate
chroot = /var/run/stunnel/
pid = /stunnel.pid
setuid = stunnel
setgid = stunnel

accept = 563
connect = 119

And then

/etc/init.d/stunnel start
Starting universal SSL tunnel: stunnel.

If your NNTP client is SSL aware (like Sylpheed), you have finished, just change it's settings to use the new newsserver (probably you will have to re-register with your newsgroups). If your client doesn't not support SSL (Knode does not :\ ) you'll need also Stunnel on your client, so compile and install it as described above, and type in the stunnel.conf:

cert = /etc/stunnel/stunnel.pem //The ssl certificate
chroot = /var/run/stunnel/
pid = /stunnel.pid
setuid = stunnel
setgid = stunnel
client = yes
accept = 119
connect = your.leafnode.hostname:563

and then configure your client to use as it's NNTP server; requests will be forwarded to "your.leafnode.hostname" on port 563 through an SSL tunnel.

If you have something to add, or have found an error, or simply want to contact me, feel free to do it :)


No liability for the contents of this document can be accepted. Use the concepts, examples and other content at your own risk. There may be errors and inaccuracies that may damage your system. Proceed with caution, and although this is highly unlikely, the author does not and can not take any responsibility for any damage to your system that may occur as a direct or indirect result of information that is contained within this document. You are strongly recommended to make a backup of your system before proceed and adhere to the practice of backing up at regular intervals.

Informations on this page are released under the GNU FDL License
This page last updated: 08/12/05