Releases: InterNetNews/inn

INN 2.7.2

22 Jun 11:59
2.7.2

2024-06-22
Full changes and diff from previous release

New Features

  • Added two new options in storage.conf, contributed by Christoph Biedl:

    • a filtered option to store articles which have been rejected by a Perl or Python filter for innd into a separate storage class, when dontrejectfiltered is set to true in inn.conf;

    • a path option to store articles by the contents of the Path header field, notably to isolate the storage of spammy sites from other sites.

  • The delayer program, which previously was in the contrib directory, is now installed by default. It notably permits generating a delayed feed, for instance to give cancel control articles and NoCeM messages time to arrive, and therefore actually cancel articles before they are locally stored. Thanks to Christoph Biedl for the documentation, testing, and addition of several useful flags to delayer.

  • Added the INN::ovsqlite_client Perl module to access an ovsqlite overview database through ovsqlite-server from a Perl script. This module provides search, add, remove and expire functions for information stored in an ovsqlite database (newsgroups and overview data associated to articles in these newsgroups). Many thanks to Bo Lindbergh for it, as well as for two samples in the contrib directory (ovsqlite-dump and ovsqlite-undump) showing how to use the module.

  • Added several new options to better parameterize perl-nocem. The location of its configuration file, the keyring to use, and the full gpg and gpgv commands to run can now be modified by flags passed to the program. Unprocessed NoCeM notices will also show up in daily Usenet reports generated by innreport. Log verbosity can be controlled, cancelled articles can be backed up into files, and perl-nocem can write logs to a separate perl-nocem.log file. Local rules to fine-tune within a NoCeM notice which articles get cancelled can also be applied. See its manual page for more information about the use of these options.

  • innreport now supports high-precision timestamps like 2023-07-29T04:15:01.889064+02:00 that syslog can be parameterized to use; daily Usenet reports otherwise indicated all these logs as unknown entries because a format like Jul 29 04:15:01 was expected.

  • innreport now alphabetically sorts lines which have the same rank instead of displaying them in random order.

  • scanspool now detects empty files in a tradspool news spool and directories with an all-digit component (which may conflict with a possible file with the same name), correctly parses continuation lines in header fields, and can automatically remove articles reported to have a problem (when run with the new -r flag).

  • Added a new ovflushcount parameter in inn.conf, defaulting to 50, to parameterize the number of articles received between flushing their overview data to disk, when using the buffindexed overview storage method. (In previous releases, that number was ten times the value of icdsynccount, but a dedicated parameter is better.)

Bug Fixes

  • perl-nocem now correctly parses the identifiers of NoCeM issuers with special characters like + in the configuration file.

  • Fixed a hang when posting articles if COMPRESS DEFLATE is active but TLS is not. Thanks to Enrik Berkhan for the patch for nnrpd.

  • innd no longer dies when ctlinnd trace is run on an invalid channel.

  • INN now properly handles header field names starting with a leading dot: innd accurately computes the :bytes metadata item of articles with such header field names, and nnrpd correctly preserves the leading initial dot at injection time and rightly parses such header field names in HDR, XHDR and XPAT commands.

  • nnrpd now rejects articles with invalid dot-stuffing (that is to say when a dot at the beginning of a line is not doubled) as it is a violation of the NNTP protocol. (innd still goes on accepting and propagating such articles as they have already been injected and propagated.)

  • Fixed the computation of the Bytes header field by pullnews (in header-only mode with the -B flag).

  • Fixed the generation of rnews batches by pullnews (when using the -r flag), which did not have the expected native LF line termination.

  • Fixed inndf on 32-bit architectures with large file support (previously, inndf could not count more than 2^32 bytes or inodes on these architectures).

  • Fixed an issue preventing articles from expiring when using the ovsqlite method, in a very rare case. When an article had more than 100,000 bytes of overview data (for instance with a Subject header field of that length), overview expiration was no longer done for newsgroups carrying this article. Such articles, which most certainly are spams anyway, are no longer added to the ovsqlite database. Thanks to Jesse Rehmer for the bug report.

  • Fixed a database lock issue when running ovsqlite-util on a running server with the transtimelimit parameter in ovsqlite.conf set to a higher value than the default busy timeout of 30 seconds of ovsqlite-util. Thanks to Jesse Rehmer for the bug report and Bo Lindbergh for the fix.

  • Fixed a foreign key issue preventing ovsqlite-util from fixing problems found when running with the -F flag.

  • innd no longer malfunctions nor throttles when the maximum number of file descriptors supported by the system is reached. If needing to use more file descriptors than the default system limit, a new LARGE_FD_SETSIZE option can be set at build time. See the documentation for rlimitnofile in inn.conf for more information. Thanks to Jesse Rehmer for the bug report.
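
The dot-stuffing rule that nnrpd now enforces at injection time (see the bug fix above) can be checked as follows. This is an added example, not INN's own code: ds_decode, its status codes and the two sample articles are constructed for illustration, and lines are assumed to end in CRLF.

```c
#include <stdio.h>
#include <string.h>

enum ds_status {
    DS_OK = 0,
    DS_UNDOUBLED_DOT, /* a line starts with '.' that was not doubled */
    DS_NO_TERMINATOR  /* the closing ".\r\n" line was never seen */
};

/* Constructed sample articles in wire format (not taken from the page). */
static const char SAMPLE_GOOD[] =
    "Subject: test\r\n"
    "\r\n"
    "line one\r\n"
    "..starts with a dot\r\n"
    ".\r\n";
static const char SAMPLE_BAD[] =
    "Subject: test\r\n"
    "\r\n"
    ".starts with a dot\r\n"
    ".\r\n";

/*
 * Validate one multi-line data block and undo its dot-stuffing.
 * in/len:  received bytes, CRLF line endings, ending with ".\r\n".
 * out:     receives the decoded article; must hold at least len bytes.
 * outlen:  decoded length on DS_OK.
 * badline: 1-based number of the offending line on error, else 0.
 */
enum ds_status
ds_decode(const char *in, size_t len, char *out, size_t *outlen,
          size_t *badline)
{
    size_t i = 0, o = 0, line = 1;

    *outlen = 0;
    *badline = 0;
    while (i < len) {
        const char *p = in + i;
        size_t left = len - i, n = 0;
        int crlf = 0;

        /* n becomes the length of the current line, CRLF excluded. */
        for (; n + 1 < left; n++) {
            if (p[n] == '\r' && p[n + 1] == '\n') {
                crlf = 1;
                break;
            }
        }
        if (!crlf)
            break; /* truncated last line: no terminator can follow */

        if (n >= 1 && p[0] == '.') {
            if (n == 1) { /* lone dot: end of the block */
                *outlen = o;
                return DS_OK;
            }
            if (p[1] != '.') { /* leading dot that was not doubled */
                *badline = line;
                return DS_UNDOUBLED_DOT;
            }
            p++; /* drop the stuffing dot, keep the original one */
            n--;
            i++;
        }
        memcpy(out + o, p, n + 2); /* copy the line with its CRLF */
        o += n + 2;
        i += n + 2;
        line++;
    }
    *badline = line;
    return DS_NO_TERMINATOR;
}

int
main(void)
{
    char out[sizeof SAMPLE_GOOD];
    size_t n, bad;
    enum ds_status st;

    st = ds_decode(SAMPLE_GOOD, sizeof SAMPLE_GOOD - 1, out, &n, &bad);
    printf("good sample: status %d, %zu decoded bytes\n", (int) st, n);
    st = ds_decode(SAMPLE_BAD, sizeof SAMPLE_BAD - 1, out, &n, &bad);
    printf("bad sample:  status %d at line %zu\n", (int) st, bad);
    return 0;
}
```
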

Other Change

  • Up-to-date control.ctl and nocem.ctl files are provided with this release. You may want to manually update your configuration with the new information recorded about hierarchies and NoCeM issuers, and make sure the relevant PGP keys are installed on your system.

INN 2.7.2rc1

19 May 20:53
2.7.2rc1
Pre-release

2024-05-19
See release information for INN 2.7.2.

INN 2.7.1

16 Apr 20:07
2.7.1

2023-04-16
Full changes and diff from previous release

Bug Fixes

  • pullnews now detects a socket timeout while downloading articles from a remote peer. The download gracefully stops, and another attempt can be automatically made according to the setting given with the -t flag. Thanks to Jesse Rehmer for the bug report.

  • Fixed the generation and the handling of storage tokens on wrapped CNFS buffers, thanks to bug reports from Kamil Jonca:

    • Duplicate entries were returned by makehistory on fully wrapped cyclic buffers (the first article of the cyclic buffer appeared twice in the output).

    • The first article of a fully wrapped cyclic buffer was removed too soon from history (expire wrongly thought its storage token was no longer existing after a wrap).

    • The first article of the previous cycle number of a cyclic buffer containing articles from two different cycle numbers was wrongly considered by makehistory to belong to the current cycle number.

  • innd no longer dies when a newsfeeds entry has an unexpected trailing whitespace.

  • The size of duplicated articles was counted twice in totals, average article sizes and graphs by innreport, when parsing innd checkpoints. Thanks to Hauke Lampe for the patch to count it only once.

  • Improved the speed of article searches with HDR, LAST, NEXT, and XPAT commands when there is a (huge) gap in article numbers. On newsgroups with several millions of consecutive missing articles (which is a rare situation), these commands could take several seconds to run.

  • Incoming articles in newsgroups that have exceeded the maximum number of articles they can contain (2^31-1) are now correctly rejected. INN was otherwise happily accepting them but either numbers returned in NNTP responses were not right, or some news clients choked when receiving unexpected large article numbers. (The current version of the NNTP protocol only allows article numbers up to 2^31-1.)

  • Fixed the renumbering of reported low water marks for empty newsgroups in active after overview expiration, when using the ovsqlite method. They were set to 1 for empty newsgroups whereas they were not supposed to decrease. (These reported low water marks regained their expected values during the next overview expiration, provided that the newsgroup was no longer empty.)

  • The reported high water mark of empty newsgroups is now correctly set to one less than the reported low water mark in overview data. (Previously, the reported low water mark was set to one more than the reported high water mark.)

  • Fixed the output of the ctlinnd feedinfo '' command that was returning information only for the first site, and the output of the ctlinnd name channel command that was returning partial information for the requested channel.

  • The build of external programs which include inn/storage.h was failing because of the unexpected inclusion of config.h in one of the included headers. Also, a few Autoconf results were not correctly made available to external programs. This is now fixed.

  • Fixed the build on systems whose default shell does not completely meet the POSIX standard. A few build scripts were run with the default shell instead of the one found by Autoconf and afterwards used for INN.

New Features

  • Added a new groupexactcount parameter in readers.conf to force nnrpd to report the exact number of still existing articles in newsgroups instead of an estimated count. When the estimated number of articles is strictly below groupexactcount (set to 5 by default), nnrpd now recounts them and reports the actual value (articles that have been cancelled or overwritten in self-expiring CNFS buffers may otherwise still be counted in the estimate). News clients will then be directly aware of empty newsgroups; they would otherwise have tried to retrieve possible articles, to finally not show anything to the user.

  • Programs sending mails now include, when appropriate, an Auto-Submitted header field in the message headers (either set to auto-generated or auto-replied, following the recommendation in RFC 3834). Thanks to Harald Dunkel for this suggestion which will for instance help to avoid unnecessary vacation replies.

  • Added a new -a option to innmail to specify additional header fields to add in the headers of messages. This is notably used to internally support the addition of the Auto-Submitted header field in outgoing mails.

  • Added new ovsqlite-util program to perform some basic consistency checks and dump operations on an overview database using the ovsqlite method. More checks and features will be added in future releases. You'll need the DBI Perl module with the DBD::SQLite driver installed on your system to use this program.

  • Added TLS support in pullnews for connections to upstream servers configured in pullnews.marks, and to the downstream server in the existing -s flag. A port can now also be specified for connections to upstream servers (it was already possible for the downstream server only).

  • Added a new -L option to pullnews to specify the largest wanted article size in bytes. Articles whose size exceeds that value will no longer be downloaded by pullnews.

  • Customizing the domain part of Message-IDs generated by nnrpd and the server name indicated in Injection-Info header fields is now easier: the domain parameter in the access blocks of readers.conf can be directly used (without needing to set virtualhost as it was previously the case).

  • If the domain parameter is set in inn.conf or in a readers.conf access block, and has invalid characters, or if the fully qualified domain name (FQDN) of the news server has invalid characters when domain is unset, a fatal error is now reported at startup. It is a basic configuration error which otherwise leads to the generation of invalid article Message-IDs.

  • Use standard daemon(3) C function, when available, to daemonize innd, nnrpd, ovdb_server and ovsqlite-server instead of an INN-specific function.

INN 2.7.1rc1

22 Mar 20:18
2.7.1rc1
Pre-release

2023-03-22
See release information for INN 2.7.1.

INN 2.7.0

10 Jul 13:31
2.7.0

2022-07-10
Full changes and diff from previous release

Upgrading to a major release is a good time to ensure that your configuration files, that are usually kept untouched during normal updates, are up-to-date: notably control.ctl (with your local changes in a separate control.ctl.local file), new better default values in inn.conf and innfeed.conf, improvements in innreport.conf (along with innreport-display.conf) and innreport.css, fixes in innwatch.ctl, updated moderators and nocem.ctl files.

You may also want to check that the PGP keys used to verify the signature of control articles and NoCeM notices are still up-to-date and working. The keys of a few hierarchies and NoCeM issuers have recently changed.

Upgrading from 2.6 to 2.7

The following changes require your full attention because a manual intervention may be needed:

  • The require_ssl parameter in readers.conf has been renamed to require_encryption as it applies to any kind of encryption layers, including TLS and SASL security layers. Since innupgrade only takes care of the change in the file named readers.conf, you will have to manually rename that parameter in configuration files for nnrpd with an alternate name.

  • The innreport.conf file in pathetc has been split into a general configuration file (innreport.conf itself) and a display configuration file (innreport-display.conf in pathlib). If you made local changes in sections other than the default section in innreport.conf, and wish to keep them, then you need to rename the new innreport-display.conf file to another name in pathlib, set this local file name in the new display_conf_file option in innreport.conf, and re-apply your local changes to that local display configuration file.
    As a matter of fact, the default display configuration file would otherwise be overwritten each time INN is updated. Bug fixes or enhancements are made from time to time to the display configuration of innreport, and previously couldn't be automatically merged in innreport.conf on update. This new separate configuration file to parameterize the display will now permit an automatic update (if of course you use the default display configuration file).

  • A new inn-secrets.conf configuration file has been added in pathetc. The intent is that, from now on, new secrets used by INN are added to that file, and that all secrets currently stored in several other configuration files eventually move to that file. Make sure it is properly created during the upgrade, and not world-readable. It currently only stores the secrets used for the new Cancel-Lock functionality.

  • The -C flag given to innd to disable the execution of cancels has been deprecated and is no longer taken into account (an error message will be present in your logs if innd is started with it). Instead, a new parameter has been added in inn.conf to tune the types of cancels innd should process. If docancels is set to require-auth, which is the default if INN has Cancel-Lock support, only articles originally protected by the Cancel-Lock authentication mechanism can be withdrawn by a valid authenticated cancel article or a valid authenticated supersede request. Withdrawals of articles not originally protected by Cancel-Lock will not be executed. See inn.conf(5) for more details about the different values of the new docancels parameter, and make sure to parameterize it according to your needs.

  • The refusecybercancels and verifycancels parameters have been removed from inn.conf. The first was performing an inefficient and inexact check (that should be done, if wanted, in the special ME entry in newsfeeds, or even better, ask your peers not to feed you articles with cyberspam in the Path header field body); the second check performed on the newsgroups present in cancel articles was not useful in innd (this check is relevant to posting agents).
    The related lines in inn.conf will be commented by innupgrade during the upgrade.

  • The XBATCH command is no longer enabled by default in innd. You'll have to explicitly enable that capability by setting the new xbatch parameter to true in incoming.conf for the peers sending you such compressed batches.

  • The nolist and noresendid parameters in incoming.conf have been respectively renamed to list and resendid (and the meaning of their related boolean values is now the opposite). Besides, the unused comment and email parameters in incoming.conf have been removed. innupgrade will take care of the changes (inverting the boolean values, and commenting the lines with removed parameters).

  • filechan is no longer shipped with INN; it was just a simple version of buffchan. All calls to filechan will be changed to buffchan -u (for its unbuffered mode) in newsfeeds by innupgrade. If you have local scripts running filechan, you will have to manually take care of the change.

  • send-nntp is no longer shipped with INN. If you have local scripts running it, you will have to manually adjust them to use nntpsend which basically does the same thing, better. Or, even better, use innfeed if that is possible.

  • Wrappers around old Perl and Python authentication and access hooks, pre-dating INN 2.4.0 and identifiable by the nnrpperlauth and nnrppythonauth parameters in inn.conf, are no longer shipped as samples in INN releases. If not already done, you should either replace old hooks with new modern hooks or use the possibilities that readers.conf and regular authenticator and resolver programs offer.

  • The libauth.h header file and the libstorage library have been renamed to libinnauth.h and libinnstorage to homogenize their name with the existing libinnhist library. External programs building or linking against them need a manual change.

If you are upgrading from a version prior to INN 2.6, see also the upgrade instructions from 2.5 to 2.6.

Bug Fixes

  • Fixed the parsing of hosts and localaddress parameters in readers.conf; exclusion patterns (beginning with !) have not been working since INN 2.5.0.

  • Improved the robustness of innxmit when receiving 500 or 501 response codes from peers, indicating they do not understand the NNTP command or (wrongly) think there is a syntax error. Richard Kettlewell added proper handling of these responses, making innxmit drop the refused article instead of sending it over and over (and thus receiving the same error in response codes each time).

  • All of the applicable bug fixes from the INN 2.6 STABLE series are also included in INN 2.7.

New Features

  • Bo Lindbergh has implemented a new overview storage method based on SQLite, known for its long-term stability and compatibility. Robust and faster at reading ranges of overview data, but somewhat slower at writing, this new SQLite-based method is a perfect choice to store overview data.
    To select it as your overview method, set the ovmethod parameter in inn.conf to ovsqlite. Details about ovsqlite, the ovsqlite.conf configuration file and how to switch to that new modern overview storage method can be found in the ovsqlite(5) and makehistory(8) man pages.

  • Julien Élie has implemented Cancel-Lock support in innd and nnrpd, based on RFC 8315 and libcanlock. A new inn-secrets.conf configuration file has been added in pathetc wherein you can set the secrets to use for Cancel-Lock. See the inn-secrets.conf(5) man page for more details.
    A new -F flag is recognized by innconfval to indicate the type of file to parse (by default inn.conf); just run innconfval -F inn-secrets.conf to get the values of that new configuration file. Another new flag, -f, permits specifying another file name to parse than the standard one.
    The addcanlockuser parameter has been added in readers.conf to deactivate the generation of user-specific hashes when several different posters have the same identity in an access group. This parameter also permits setting whether the hash, when generated, is based on the username or the (static) IP of the connection.

  • Added a new tool, gencancel, to help the news administrator generate authenticated cancel control messages, with the expected admin Cancel-Key hashes. See the gencancel(1) man page for more details.

  • A new docancels parameter has been added in inn.conf to define which types of cancels innd should process. The -C flag given to innd is deprecated in favour of that new parameter (you'll see in your logs the message innd -C flag has been deprecated and has no effect; use docancels in inn.conf in case you're passing that flag to innd).

  • Andreas Kempe has implemented blacklistd support in nnrpd. This daemon, available notably in FreeBSD and NetBSD, can be used to prevent brute force attacks by blocking attackers after a number of failed login attempts. When nnrpd is run with the new -B flag, and INN has been configured with the new --with-blacklist option, it will report login attempts to the blacklistd daemon for potential blocking.

  • Building INN with TLS support using LibreSSL is now supported (only OpenSSL was previously officially supported and tested).

  • innreport now collects statistics from innxbatch and generates a section for them in its reports.

  • The innreport.conf file in pathetc, previously containing almost 2500 lines, has been split into a general configuration file (innreport.conf itself, still in pathetc, with about 60 lines) and a display configuration file (innreport-display.conf, a new separate file in pathlib). The name of this display configuration file can be parameterized in the new display...


INN 2.6.5

08 Mar 20:47
2.6.5

2022-02-18
Full changes and diff from previous release

Bug Fixes

  • Added a stricter validation of article numbers given in NNTP commands so that numbers greater than 2^31 are correctly considered invalid. Thanks to Richard Kettlewell for the patch.

  • Fixed parallel builds using make -j. Thanks to Richard Kettlewell for the patch.

  • nnrpd now properly gathers timer statistics when a compression layer is active.

  • nnrpd now properly discards data received from a news client after a timeout when a TLS layer is active. It previously tried to read incoming data before closing the socket, leading to decoding errors from an underlying compression or SASL layer.

  • innfeed and ovdb_stat now generate status reports in valid HTML syntax.

  • Fixed a bug in the buffindexed overview that prevented it from working on several systems, amongst them FreeBSD. Unsupported, and useless, permission bits were given to semaphores.

  • Fixed the detection of library paths at configure time: multilib directories (lib32 or lib64) are now also used if they exist, even if the system does not use multilib. It will notably fix the detection of the OpenSSL 3.0.0 library.

  • Other minor bug fixes and documentation improvements, notably a revised installation checklist and a section summarizing the most used configuration at the beginning of a few complex man pages.
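
A strict parser for article numbers and ranges given in NNTP commands, covering the validation fix above and the 2^31-1 limit mentioned in the INN 2.7.1 notes. This is an added example, not INN's code: the function names and the 16-digit cap are assumptions, and naive_artnum is a constructed illustration of a truncating conversion, not a reconstruction of earlier INN behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define ARTNUM_MAX 2147483647UL /* 2^31-1, the protocol limit quoted above */
#define ARTNUM_MAXDIGITS 16     /* assumption: digit cap chosen for this example */

struct art_range {
    uint32_t low;
    uint32_t high;
};

/* Failure mode, constructed for illustration: convert, then truncate.
 * "4294967297" (2^32+1) silently becomes article 1. */
uint32_t
naive_artnum(const char *s)
{
    return (uint32_t) strtoull(s, NULL, 10);
}

/* Scan a run of digits; return a pointer past it, or NULL if the number
 * is missing, too long, or above ARTNUM_MAX. */
static const char *
scan_artnum(const char *s, uint32_t *out)
{
    uint64_t v = 0;
    int digits = 0;

    while (*s >= '0' && *s <= '9') {
        if (++digits > ARTNUM_MAXDIGITS)
            return NULL; /* the cap keeps v from overflowing 64 bits */
        v = v * 10 + (uint64_t) (*s - '0');
        s++;
    }
    if (digits == 0 || v > ARTNUM_MAX)
        return NULL;
    *out = (uint32_t) v;
    return s;
}

/* Accept a single article number with nothing after it. */
int
parse_artnum(const char *arg, uint32_t *out)
{
    const char *end = scan_artnum(arg, out);

    return end != NULL && *end == '\0';
}

/* Accept "n", "n-" or "n-m" (the NNTP range syntax). A range whose high
 * bound is below its low bound is syntactically valid and simply empty. */
int
parse_range(const char *arg, struct art_range *r)
{
    const char *p = scan_artnum(arg, &r->low);

    if (p == NULL)
        return 0;
    if (*p == '\0') {
        r->high = r->low;
        return 1;
    }
    if (*p != '-')
        return 0;
    p++;
    if (*p == '\0') { /* open-ended range */
        r->high = (uint32_t) ARTNUM_MAX;
        return 1;
    }
    p = scan_artnum(p, &r->high);
    return p != NULL && *p == '\0';
}

int
main(void)
{
    /* Constructed command arguments. */
    const char *args[] = {"2147483647", "2147483648", "4294967297",
                          "10-20",      "1-",         "-5"};
    struct art_range r;
    size_t i;

    for (i = 0; i < sizeof args / sizeof args[0]; i++) {
        if (parse_range(args[i], &r))
            printf("%-12s accepted: %lu-%lu\n", args[i],
                   (unsigned long) r.low, (unsigned long) r.high);
        else
            printf("%-12s rejected (naive conversion gives %lu)\n", args[i],
                   (unsigned long) naive_artnum(args[i]));
    }
    return 0;
}
```
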

New Features

  • A new step in INN development has been achieved with the migration of the INN project to GitHub. We now make use of the features GitHub provides: issue tracker, pull requests, continuous integration, a user-friendly interface to browse the code, etc. Our Subversion repository has therefore been migrated to Git, and our Trac tickets to the GitHub issue tracker.

  • An up-to-date nocem.ctl file is provided with this release. You should manually update your nocem.ctl file with the new information recorded about NoCeM issuers, and make sure the right PGP keys are present on your system.

  • Up-to-date control.ctl and moderators files are provided with this release. You should manually update them (notably for the fido7.* hierarchy).

  • Added a check in rc.news for the existence of the pathrun directory. INN won't start until this directory is writable. Previously, it bailed out quickly after starting, without clear logs about why it failed.

  • The tlscertfile parameter in inn.conf now permits the use of a complete certificate chain, instead of necessarily having to use tlscafile for additional certificates.

  • Added support for the new OpenSSL 3.0.0 API, which deprecated a few functions.

  • The inn.conf default value for tlsprotocols no longer contains TLS versions 1.0 and 1.1, which have been deprecated by RFC 8996.

  • A new inn.conf parameter has been added to tune the length of the queue of pending connections to innd, nnrpd and the ovdb overview storage method: the maxlisten parameter now permits configuring their listen backlog, whose previously hard-coded values were 128 for nnrpd and 25 for the others, which was not high enough for some uses. The default value is now 128 for all of them, and configurable in inn.conf. Thanks to Kevin Bowling for the patch.

  • The name of seven man pages for routines built in libinn(3) are now prefixed with libinn_ so as not to consume namespace and conflict with other packages (notably, the list(3) and uwildmat(3) man pages are now named libinn_list(3) and libinn_uwildmat(3)).

INN 2.6.4

17 Sep 15:21
2.6.4

2021-01-21
Full changes and diff from previous release

Bug Fix

  • nnrpd now adapts the length of the DH parameter used during a DHE key exchange so as to comply with the security level OpenSSL 1.1.0 or later expects. Thanks to Michael Baeuerle for the bug report.

New Features

  • Added support for systemd notifications and socket activation. Use of more features provided by systemd, including more notifications, will come in future releases. Thanks to Marco d'Itri for this first systemd integration into INN.

  • cnfsstat now also returns information about retired CNFS buffers: buffers mentioned in cycbuff.conf as a cycbuff but not declared in a metacycbuff.

  • Switch default innreport behaviour to the common practice of externalizing CSS into a separate file. Its name can be configured with the html_css_url parameter in innreport.conf. If this parameter is unset, the default innreport.css file name will be used and innreport will generate this CSS file for you.
    Previously generated reports are kept untouched, though, and will still contain inline CSS if you had not already set the html_css_url parameter in previous INN versions. Thanks to Richard Kettlewell for the patch.

  • sm can now read and store any number of articles given in wire format on its standard input when both -s and -R are used. Only native format was previously possible. Thanks to Bo Lindbergh for the patch.

  • Added new -a flag to rnews to disallow, if needed, the use of additional unpackers from the rnews.libexec sub-directory of pathbin (as set in inn.conf); only rnews and cunbatch will then be recognized as valid batch commands.

  • Added new -b flag to rnews to save rejected articles in the bad sub-directory of pathincoming (as set in inn.conf). Otherwise, rnews just logs and discards any articles that are rejected or cannot be parsed for some reason.

  • Added new -d flag to rnews to log via syslog the message-ID and the Path header body of each article rejected as a duplicate.

  • Added new --enable-hardening-flags configure-time option, enabled by default, to use hardening build flags like -fPIE and -fstack-protector-strong. This option can easily be disabled if the compiler or the platform does not support them well. More hardening build flags will eventually be added in future releases.

INN 2.6.3

17 Sep 21:33
2.6.3

2019-02-07
Full changes and diff from previous release

Bug Fixes

  • Fixed the selection of the elliptic curve to use with OpenSSL 1.1.0 or later; NIST P-256 was enforced instead of using the most secure curve.

  • Fixed a regression since INN 2.6.1 that prevented articles with internationalized header fields (that is to say encoded in UTF-8) from being posted.

  • nnrpd now properly logs the hostname of clients whose connection failed owing to an issue during the negotiation of a TLS session or high load average.

New Features

  • A new inn.conf parameter has been added to fine-tune the cipher suites to use with TLS 1.3: the tlsciphers13 parameter now permits configuring them. A separate cipher suite configuration parameter is needed for TLS 1.3 because TLS 1.3 cipher suites are not compatible with TLS 1.2, and vice-versa. In order to avoid issues where legacy TLS 1.2 cipher suite configuration configured in the tlsciphers parameter would inadvertently disable all TLS 1.3 cipher suites, the inn.conf configuration has been separated out.

  • Support for Python 3 has been added to INN. Embedded Python filtering and authentication hooks for innd and nnrpd can now use version 3.3.0 or later of the Python interpreter. In the 2.x series, version 2.3.0 or later is still supported.
    When configuring INN with the --with-python flag, the PYTHON environment variable, when set, is used to select the interpreter to embed. Otherwise, it is searched in standard paths.
    In case you change the Python interpreter to embed, make sure that the Python scripts you use are written in the expected syntax for that version of the Python interpreter. Notably, buffer objects have been replaced with memoryview objects in Python 3, and UTF-8 encoding now really matters for string literals (Python 3 uses bytes and Unicode objects).
    INN documentation and samples of Python hooks have been updated to provide more examples.

  • When a Python or Perl filter hook rejects an article, innd now mentions the reason in response to CHECK and TAKETHIS commands. Previously, the reason was given only for the IHAVE command.

INN 2.6.2

15 Oct 18:25
2.6.2

2018-03-18
Full changes and diff from previous release

Bug Fixes

  • Fixed a bug in inews that was rejecting articles containing header fields whose length exceeded 998 bytes. This limitation is for the length of a single line of a header field (and not for the length of the whole header field, as it was wrongly the case).

  • The buffindexed overview method will now hopefully work properly on systems with a native page size larger than 16KB.

  • mailpost now removes empty header fields before attempting to post articles, and keeps track of them in the newly generated X-Mailpost-Empty-Hdrs header field body. Also, mailpost now sanitizes header fields with regard to empty continuation header lines. Thanks to Kamil Jonca for these bug reports.

  • A few commands listed in the "Control commands to INND" section in daily Usenet reports were appearing as a mere letter; all of them are now properly converted to meaningful words.

  • Use of the ovdb_server helper server is now the default when using the ovdb overview method, that is to say the default value for the readserver parameter in ovdb.conf is now set to true. It improves stability and avoids deadlocks, timing issues and corrupted ovdb databases.

  • Added support for GnuPG's gpg binary (in addition to gpgv) in pgpverify. Indeed, gpg still validates signatures made with weak digest algorithms like MD5 whereas gpgv no longer does. Thanks to Thomas Hochstein for the patch, which permits validating control articles for hierarchies that are still using old PGP keys.

  • Added similar support for GnuPG's gpg binary in perl-nocem to validate NoCeM notices from issuers who are still using old PGP keys.

  • Other minor bug fixes and documentation improvements.

New Features

  • A new syntaxchecks parameter has been added in inn.conf. It permits controlling the level of checks performed by innd and nnrpd. For now, only one check can be enabled or disabled: when laxmid is mentioned in the values of this new parameter, INN accepts Message-IDs that contain .. in the left part, as well as Message-IDs with two @ (such Message-IDs would otherwise be considered syntactically invalid). See the inn.conf(5) man page for more details.
    This lax handling is disabled by default (no-laxmid), which corresponds to the legacy behaviour of INN 2.6.1 and earlier.

  • A new -z parameter has been added to mailpost to specify a list of header fields to remove from the gated message. Thanks to Dieter Stussy for the patch.

  • The tlsprotocols parameter in inn.conf now recognizes the TLSv1.3 value (for OpenSSL versions implementing TLS 1.3, that is to say starting from OpenSSL 1.1.1).
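
What the laxmid setting described above relaxes, as an added C example that is not INN's code: the left part may contain ".." and one extra "@", while the right part stays strict. The function names are hypothetical, id-right is assumed to be a dot-atom-text only (no domain literal), and the handling of cases the note does not mention is the example's own choice.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* atext (RFC 5322): the characters allowed inside an atom. */
static bool is_atext(unsigned char c)
{
    return isalnum(c) || (c != '\0' && strchr("!#$%&'*+-/=?^_`{|}~", c) != NULL);
}

/* Atoms joined by single dots. Lax mode also accepts ".." and one '@'
 * between atoms; rejecting longer dot runs is this example's choice. */
static bool part_ok(const char *s, size_t n, bool lax)
{
    size_t dots = 0, ats = 0;
    if (n == 0 || !is_atext((unsigned char) s[0]) || !is_atext((unsigned char) s[n - 1]))
        return false;
    for (size_t i = 1; i + 1 < n; i++) {
        unsigned char c = (unsigned char) s[i];
        dots = (c == '.') ? dots + 1 : 0;
        if (dots > (lax ? 2u : 1u))
            return false;
        if (c == '@' && (!lax || ++ats > 1 || s[i - 1] == '.' || s[i + 1] == '.'))
            return false;
        if (c != '.' && c != '@' && !is_atext(c))
            return false;
    }
    return true;
}

/* laxmid = true models "laxmid" in syntaxchecks, false models "no-laxmid". */
bool valid_message_id(const char *mid, bool laxmid)
{
    size_t len = strlen(mid);
    const char *at = strrchr(mid, '@'); /* id-right follows the last '@' */
    if (len < 5 || len > 250 || mid[0] != '<' || mid[len - 1] != '>' || at == NULL)
        return false;
    return part_ok(mid + 1, (size_t) (at - mid - 1), laxmid)
           && part_ok(at + 1, (size_t) (mid + len - 2 - at), false);
}

int main(void)
{
    const char *mid = "<abc..def@example.org>"; /* constructed sample */
    printf("%s strict=%d lax=%d\n", mid, valid_message_id(mid, false),
           valid_message_id(mid, true));
    return 0;
}
```
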

INN 2.6.1

15 Oct 18:27
2.6.1

2016-11-27
Full changes and diff from previous release

Bug Fixes

  • nnrpd now uses -0000 as the time zone for Date and Injection-Date header fields it generates. It previously used +0000, which always wrongly indicated that the local time zone was Universal Time when localtime is set to false (which is the default) in readers.conf. The +0000 time zone will now be used only if localtime is set to true and UTC is really the local time zone of the server.

  • rnews no longer segfaults at startup when started setuid news. Thanks to Marcus Jodorf for the bug report.

  • Fixed slow nnrpd responses for a few NNTP commands. The TCP_NODELAY option was unconditionally set whereas only BSD/OS systems needed it. Thanks to Christian Mock for having discovered that.

  • Articles containing a Received or a Posted header field are no longer rejected by nnrpd at injection time.

  • Articles containing control characters or whitespace-only content lines in their headers are now rejected by nnrpd at injection time.

  • When an encryption layer is negotiated during a successful use of the STARTTLS command, or after a successful authentication using an SASL mechanism that negotiates an encryption layer, nnrpd now updates the permissions of the news client according to the new secure state of its connection (that is to say auth blocks in readers.conf using the require_ssl parameter are taken into account). Previously, only connections on a dedicated port (usually 563) benefited from that parameter. Thanks to Steve Crook for the bug report.

  • When a data integrity layer was negotiated during a successful SASL authentication, nnrpd was wrongly resetting any knowledge obtained from the client, such as the current newsgroup and article number. This behaviour now applies only when an encryption layer is negotiated.

  • nntpsend now correctly waits until all of the child innxmit processes exit before it does. Exiting early was causing nntpsend to fail to work properly on systems that use systemd, because when it exits prematurely, systemd kills all of the processes it launched, including the innxmit processes. Thanks to Jonathan Kamens for the patch.

  • Other minor bug fixes and documentation improvements.
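
The header checks these notes describe, as an added C example that is not INN's code: the 998-byte limit from the inews fix is applied to each physical line of a folded header field rather than to the whole field, and control characters and whitespace-only lines are rejected as nnrpd now does at injection time. The function names, status codes and the constructed X-Demo field are assumptions of the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define MAX_LINE 998 /* bytes per physical line, CRLF excluded */
enum hdr_status { HDR_OK, HDR_LINE_TOO_LONG, HDR_BLANK_LINE, HDR_CONTROL_CHAR };
char sample[4096]; /* buffer for the constructed sample field */

/* Check one field; folded lines are separated by CRLF, each judged on its own. */
enum hdr_status check_header_field(const char *field)
{
    for (const char *line = field; line != NULL;) {
        const char *eol = strstr(line, "\r\n");
        size_t len = eol ? (size_t) (eol - line) : strlen(line);
        bool blank = true;
        if (len > MAX_LINE)
            return HDR_LINE_TOO_LONG;
        for (size_t i = 0; i < len; i++) {
            unsigned char c = (unsigned char) line[i];
            if ((c < 0x20 && c != '\t') || c == 0x7f)
                return HDR_CONTROL_CHAR; /* includes a bare CR or LF */
            if (c != ' ' && c != '\t')
                blank = false;
        }
        if (blank)
            return HDR_BLANK_LINE; /* whitespace-only (or empty) line */
        line = eol ? eol + 2 : NULL;
    }
    return HDR_OK;
}

/* The limit applied to the whole field, which the inews note calls wrong. */
bool whole_field_within_limit(const char *f) { return strlen(f) <= MAX_LINE; }

/* Constructed sample: "X-Demo: aaa..." folded into `lines` lines of `width` bytes. */
void make_folded_field(char *out, size_t lines, size_t width)
{
    memset(out, 'a', lines * (width + 2));
    memcpy(out, "X-Demo: ", 8);
    for (size_t l = 1; l < lines; l++)
        memcpy(out + l * (width + 2) - 2, "\r\n ", 3); /* fold: CRLF + space */
    out[lines * (width + 2) - 2] = '\0';
}

int main(void)
{
    make_folded_field(sample, 3, 600); /* 1804 bytes in total, 600 per line */
    printf("per-line status: %d, whole-field check passes: %d\n",
           (int) check_header_field(sample), whole_field_within_limit(sample));
    return 0;
}
```
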

New Features

  • Julien Elie has implemented in nnrpd the new COMPRESS command described in the draft-murchison-nntp-compress Internet-Draft that extends the NNTP protocol to allow a connection to be effectively and efficiently compressed. News clients that also support that extension will be able to benefit from that bandwidth optimization and improvement in speed. Moreover, using COMPRESS is more secure than TLS-level compression, as far as authentication credentials are concerned.

  • The default value for the tlscompression parameter in inn.conf has changed. TLS-level compression is now disabled by default, to comply with the best current practices for a secure use of TLS in application protocols like NNTP. Using the new COMPRESS command is recommended.

  • The tlscompression parameter in inn.conf now also permits disabling TLS-level compression with OpenSSL 0.9.8. It previously had an effect only when OpenSSL 1.0.0 or later was used.

  • OpenSSL 1.1.0 support has been added to INN.

  • Update from GNU Libtool 2.4.2 to 2.4.6.