[NNTP] Re: MODE READER

Russ Allbery rra at stanford.edu
Thu Nov 4 20:36:03 PST 2004


Mark Crispin <mrc at CAC.Washington.EDU> writes:

> My released client code implements this order, which works on every NNTP
> server that I tested:
>  	STARTTLS (if needed - note that plaintext password authentication
>  		  requires TLS)
>  	AUTHINFO (if needed)
>  	MODE READER

> To re-confirm, I just verified on an inn server that inn *does* allow
> AUTHINFO before MODE READER.

Then your INN server is configured in a way that doesn't require MODE
READER.  Please note that almost all INN configurations do not require
MODE READER, since even when the initial connection is handled by innd, it
is immediately shunted to nnrpd unless the connecting host has permission
to issue transit commands.

As the maintainer of INN, I can assure you with 100% certainty that this
order will NOT work in the unusual situation where MODE READER is
required.  Your AUTHINFO command will fail before MODE READER, and after
nnrpd spawns it will have no idea that you ever attempted it.

Note that most servers have eliminated the need for MODE READER by
ensuring that one of the following conditions is true:

 * The same server process is used for both transit and reader
   connections.  I think this design makes it considerably harder to
   maintain the server, for a wide host of reasons, but admittedly those
   reasons are internal to server design.

 * There are no connecting hosts which are both allowed to issue transit
   commands and are allowed to read news.  This is the common case and is
   the reason why one can completely ignore MODE READER with nearly all
   INN installations and get away with it.

 * The transit server is running on the separate port reserved for that
   purpose (433) and the reader-only server is running on 119.

Of the solutions, I actually prefer the last one, since I've encountered
rare but significant instances where I really needed to give both transit
and reader permissions to the same client host.  It's obnoxious in that
NNTP consumes an extra low-numbered port, which is really highly rude of
it, but the damage (in terms of the port registration) was already done
many years ago.

I don't like MODE READER either.  Personally, I implement the third
solution for all of my servers.  But mandating one of the above cases
makes me pretty nervous.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
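An added illustration of the ordering problem described in this message; it is not part of the thread and not INN's own code. The `Innd` and `Nnrpd` classes below are a deliberately simplified model of the hand-off the message describes (innd answers port 119, shunts a non-transit host straight to nnrpd, and otherwise keeps the connection until MODE READER spawns a fresh nnrpd with no memory of earlier commands). The credentials, the reply strings innd sends for commands it does not accept, and the use of GROUP as a stand-in for any reader command are constructed for the example; STARTTLS is omitted. The response codes for AUTHINFO (381, 281, 481, 480) and GROUP (211) are the standard NNTP ones.

```python
"""Toy model of why AUTHINFO before MODE READER fails on an innd-fronted
connection but works when innd hands the connection straight to nnrpd.
Constructed example; the server classes are a simplified model, not INN code."""

# Constructed credentials for the simulation, not real accounts.
CREDENTIALS = {"alice": "s3cret"}


class Nnrpd:
    """Model of nnrpd: reader commands need AUTHINFO; starts with no state."""

    def __init__(self):
        self.pending_user = None
        self.authenticated = False

    def greet(self):
        return "200 nnrpd ready (posting ok)"

    def handle(self, line):
        parts = line.split()
        if not parts:
            return "500 Command not recognized"
        verb = parts[0].upper()
        if verb == "MODE":  # nnrpd accepts MODE READER as a harmless no-op
            return "200 Reader mode already active"
        if verb == "AUTHINFO" and len(parts) == 3:
            kind, value = parts[1].upper(), parts[2]
            if kind == "USER":
                self.pending_user = value
                return "381 Password required"
            if kind == "PASS" and self.pending_user is not None:
                if CREDENTIALS.get(self.pending_user) == value:
                    self.authenticated = True
                    return "281 Authentication accepted"
                self.pending_user = None
                return "481 Authentication failed"
        if verb == "GROUP" and len(parts) == 2:  # stands in for any reader command
            if not self.authenticated:
                return "480 Authentication required"
            return "211 0 0 0 " + parts[1]
        return "500 Command not recognized"


class Innd:
    """Model of innd answering port 119. A host without transit permission is
    shunted to nnrpd before its first command; a host with transit permission
    stays on innd until it sends MODE READER."""

    def __init__(self, transit_allowed):
        self.reader = None if transit_allowed else Nnrpd()

    def greet(self):
        if self.reader is not None:
            return self.reader.greet()
        return "200 innd ready (transit)"

    def handle(self, line):
        if self.reader is not None:
            return self.reader.handle(line)
        if line.strip().upper() == "MODE READER":
            # Spawn a fresh nnrpd; it has no memory of anything sent to innd.
            self.reader = Nnrpd()
            return self.reader.greet()
        # Simplified: the real innd reply text differs, but the point is that
        # it is an error and the later nnrpd never sees the attempt.
        return "500 Command not recognized by transit server"


def login(server, order, user, password):
    """Drive the connection with the given command order, then try a reader
    command. Returns (transcript, reading_ok)."""
    auth = ["AUTHINFO USER " + user, "AUTHINFO PASS " + password]
    if order == "auth-first":
        commands = auth + ["MODE READER"]
    elif order == "mode-reader-first":
        commands = ["MODE READER"] + auth
    else:
        raise ValueError("order must be 'auth-first' or 'mode-reader-first'")
    transcript = [("<greeting>", server.greet())]
    for cmd in commands + ["GROUP comp.test"]:
        transcript.append((cmd, server.handle(cmd)))
    reading_ok = transcript[-1][1].startswith("211")
    return transcript, reading_ok


if __name__ == "__main__":
    for transit in (True, False):
        for order in ("auth-first", "mode-reader-first"):
            transcript, ok = login(Innd(transit), order, "alice", "s3sret"[:-3] + "ret")
            print("transit_allowed=%s order=%s -> reading %s" % (transit, order, "OK" if ok else "FAILED"))
            for cmd, reply in transcript:
                print("   C: %-22s S: %s" % (cmd, reply))
```

Running the model shows the two cases the message contrasts: on a host with transit permission, `auth-first` ends with `480 Authentication required` because the AUTHINFO exchange was answered (and rejected) by innd before nnrpd existed, while `mode-reader-first` succeeds; on a host without transit permission, which the message says is nearly every INN installation, both orders succeed because nnrpd answered from the start.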