Discussion:
Surprisingly a Peering request
smash
2021-11-10 18:51:50 UTC
Dear ppl of the usenet,
after two decades I have set up my own news server for fun and to keep
things alive. Also for the nostalgia, and because Usenet is still the
most elegant form of discussion I can think of.

After I did not fuck up the first peering, I'm eager to expand :)

# Service.name.........: Cyber23 news
# Hostname.............: news.cyber23.de
# IPV4.addr............: 185.137.122.16
# IPV6.addr............: 2a02:c206:3008:1470::1
# Send.To..............: news.cyber23.de
# Accept.From..........: news.cyber23.de
# (use FQDN instead of IP if you can)
# Path.Exclusion.......: news.cyber23.de
# Hierarchies..........: *
# Contact..............: ***@cyber23.de
# Spam.filtering.......: no (actually that is 'not yet')
# Working.abuse.mailbox: yes (***@cyber23.de)
# Feeding-Systems......: VPS, 4x AMD EPYC 7282
# 8 GB RAM, 200 GB SSD
# inn 2.6.4 on FreeBSD 12.2
# Bandwidth............: 200 Mbit/s
# Location.............: Duesseldorf, Germany
# ISP..................: contabo, https://www.contabo.de (AS51167)


As you can see I'm willing to take all, including binaries. That is for
a simple reason: I think it's a good idea to keep communication free and
unlimited. And as I don't believe 'commercial' Usenet servers will peer
with me or the others that might be willing to peer with me, the
biggest part of the, let's call it, 'binary problem' is off the table
already.... So those of you who might allow binaries (if there are any)
will most probably only have binaries from their user base. And I believe
that to be harmless (both regarding traffic and questionable content).

Maybe I'm wrong and Giganews will offer me a full binary feed and I'll
have to politely say no - but I seriously doubt that's going to happen ;).
Maybe there are other reasons to reject binaries; I would love to hear
about those.

yours,
smash
Grant Taylor
2021-11-11 05:23:04 UTC
Post by smash
Dear ppl of the usenet,
Hi,
Post by smash
after two decades I have set up my own news server for fun and to keep
things alive. Also for the nostalgia, and because Usenet is still the
most elegant form of discussion I can think of.
Welcome back.
Post by smash
After I did not fuck up the first peering, I'm eager to expand :)
Send me a direct email.
Post by smash
As you can see I'm willing to take all, including binaries. That is for
a simple reason: I think it's a good idea to keep communication free and
unlimited. And as I don't believe 'commercial' Usenet servers will peer
with me or the others that might be willing to peer with me, the
biggest part of the, let's call it, 'binary problem' is off the table
already.... So those of you who might allow binaries (if there are any)
will most probably only have binaries from their user base. And I believe
that to be harmless (both regarding traffic and questionable content).
I have some reservations about all newsgroups, including binary, but I'm
willing to deal with that if it becomes an issue. I suspect that
judicious feed pruning will probably suffice.

I also take it that you will be implementing some sort of spam filtering.
--
Grant. . . .
unix || die
Martin Burmester
2021-11-11 16:10:13 UTC
Hi
Post by smash
# Spam.filtering.......: no (actually that is 'not yet')
[...]
Post by smash
As you can see I'm willing to take all, including binaries. That is for
a simple reason: I think it's a good idea to keep communication free and
unlimited. And as I don't believe 'commercial' Usenet servers will peer
with me or the others that might be willing to peer with me, the
biggest part of the, let's call it, 'binary problem' is off the table
already.... So those of you who might allow binaries (if there are any)
will most probably only have binaries from their user base. And I believe
that to be harmless (both regarding traffic and questionable content).
If you go that route, it might be a good idea to get cleanfeed running
and make sure you accept binaries only in binary groups and not (e.g.
through crossposts) in groups that are supposed to be text only. Otherwise
you might send those binaries also to peers who explicitly don't want
them and cause a lot of traffic.

Cheers,
Martin

PS: I am generally open to peering after resolving that point; contact
me by mail (German is fine too).
Martin Burmester
2021-11-12 17:27:09 UTC
Hi,
Post by Martin Burmester
Post by smash
# Spam.filtering.......: no (actually that is 'not yet')
[...]
Post by smash
As you can see I'm willing to take all, including binaries. That is for
a simple reason: I think it's a good idea to keep communication free and
unlimited. And as I don't believe 'commercial' Usenet servers will peer
with me or the others that might be willing to peer with me, the
biggest part of the, let's call it, 'binary problem' is off the table
already.... So those of you who might allow binaries (if there are any)
will most probably only have binaries from their user base. And I believe
that to be harmless (both regarding traffic and questionable content).
If you go that route, it might be a good idea to get cleanfeed running
and make sure you accept binaries only in binary groups and not (e.g.
through crossposts) in groups that are supposed to be text only. Otherwise
you might send those binaries also to peers who explicitly don't want
them and cause a lot of traffic.
After posting this, I remembered that adding @*binaries* and the like
should be sufficient to configure text feeds that exclude binaries
crossposted to text-only groups. Nonetheless, having a filter for that is
a good idea.

Cheers,
Martin
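The crosspost leak Martin describes, as an added example (not code from the thread or from INN): a small Python model of the part of an INN newsfeeds subscription list that matters here, run over constructed Newsgroups: headers. Plain patterns include a group, `!` patterns exclude it, and `@` patterns poison the whole article if any of its groups match. The peer name in the comment is hypothetical, wildmat `*` is approximated with fnmatch, and "last matching pattern wins" is assumed to mirror INN's behaviour.

```python
"""Does a text-only peer still receive a binary that was crossposted into a
text group?  Compares '!*binaries*' (per-group exclusion) with '@*binaries*'
(poison pattern) the way an INN newsfeeds subscription list would apply them.
Added example; assumptions: fnmatch stands in for wildmat, last match wins."""
from fnmatch import fnmatchcase

# Illustrative newsfeeds entry for a text-only peer (hypothetical peer name):
#   peer.example:*,!*binaries*,@*binaries*:Tf,Wnm:peer.example
TEXT_ONLY_NAIVE = ["*", "!*binaries*"]                 # drops binary groups only
TEXT_ONLY_POISON = ["*", "!*binaries*", "@*binaries*"]  # also drops crossposts
TAKE_ALL = ["*"]                                         # the OP's "Hierarchies: *"


def split_newsgroups(header: str) -> list[str]:
    """Split a Newsgroups: header value into group names (whitespace tolerated)."""
    return [g.strip() for g in header.split(",") if g.strip()]


def group_wanted(group: str, patterns: list[str]) -> bool:
    """Include/exclude decision for one group; '@' patterns are handled elsewhere."""
    wanted = False
    for pat in patterns:                    # last matching pattern wins (assumed)
        if pat.startswith("@"):
            continue
        if pat.startswith("!"):
            if fnmatchcase(group, pat[1:]):
                wanted = False
        elif fnmatchcase(group, pat):
            wanted = True
    return wanted


def feed_article(newsgroups: str, patterns: list[str]) -> bool:
    """True if an article with this Newsgroups: header would be sent to the peer."""
    groups = split_newsgroups(newsgroups)
    # Poison check first: a single matching group rejects the whole article,
    # no matter how many other groups it was also posted to.
    for pat in patterns:
        if pat.startswith("@") and any(fnmatchcase(g, pat[1:]) for g in groups):
            return False
    return any(group_wanted(g, patterns) for g in groups)


def fed_articles(articles: list[str], patterns: list[str]) -> list[str]:
    """Subset of the sample articles a peer subscribed with `patterns` receives."""
    return [ng for ng in articles if feed_article(ng, patterns)]


# Constructed sample articles (Newsgroups: header values only).
SAMPLE_ARTICLES = [
    "comp.lang.c",                              # plain text post
    "alt.binaries.pictures.misc",               # binary group only
    "comp.lang.c,alt.binaries.pictures.misc",   # binary crossposted into a text group
]

if __name__ == "__main__":
    for name, pats in [("naive", TEXT_ONLY_NAIVE), ("poison", TEXT_ONLY_POISON)]:
        print(f"{name:6}: {fed_articles(SAMPLE_ARTICLES, pats)}")
```

With the naive list the crossposted article is still fed, because comp.lang.c matches `*` and nothing vetoes the article as a whole; the `@` pattern is what closes that gap. cleanfeed or a similar filter is still worth having, since a poster can simply omit the binary group from the Newsgroups: header.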
😉 Good Guy 😉
2021-11-12 17:52:36 UTC
I have used 21st century technology to compose this post to make it easier for people to read the message in hypertext. I used a DELL keyboard to compose this message.
--
Windows-10: <news://freenews.netfront.net/alt.comp.os.windows-10>
Windows-8: <news://freenews.netfront.net/alt.comp.os.windows-8>
Windows-7: <news://freenews.netfront.net/alt.windows7.general>
Windows XP: <news://freenews.netfront.net/microsoft.public.windowsxp.general>
Windows-XP: <news://freenews.netfront.net/microsoft.public.windowsxp.general>
Firefox: <news://freenews.netfront.net/alt.comp.software.firefox>
Thunderbird: <news://freenews.netfront.net/alt.comp.software.thunderbird>

Google Groups: <https://groups.google.com/g/microsoft.public.windowsxp.general>
R. Holme
2022-01-05 23:58:35 UTC
Post by smash
Dear ppl of the usenet,
after two decades I have set up my own news server for fun and to keep
things alive. Also for the nostalgia, and because Usenet is still the
most elegant form of discussion I can think of.
Thanks for setting this up. After several tests I am not able to connect
with SSL/TLS on port 563. Is this an oversight, or is the encrypted
connection on another port?
--
R. Holme
The Doctor
2022-01-06 01:04:39 UTC
Post by R. Holme
Post by smash
Dear ppl of the usenet,
after two decades I have set up my own news server for fun and to keep
things alive. Also for the nostalgia, and because Usenet is still the
most elegant form of discussion I can think of.
Thanks for setting this up. After several tests I am not able to connect
with SSL/TLS on port 563. Is this an oversight, or is the encrypted
connection on another port?
Which server SW are you using?
Post by R. Holme
--
R. Holme
--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism https://www.empire.kred/ROOTNK?t=94a1f39b
Birthdate 29 Jan 1969 Redhill Surrey England Beware https://mindspring.com
R. Holme
2022-01-06 03:17:31 UTC
Post by The Doctor
Post by R. Holme
Post by smash
Dear ppl of the usenet,
after two decades I have set up my own news server for fun and to keep
things alive. Also for the nostalgia, and because Usenet is still the
most elegant form of discussion I can think of.
Thanks for setting this up. After several tests I am not able to connect
with SSL/TLS on port 563. Is this an oversight, or is the encrypted
connection on another port?
Which server SW are you using?
No server. Client for reader mode. Fails with openssl and socat as well
as all newsreaders.

See for yourself:

$> openssl s_client -ign_eof -connect news.cyber23.de:563

Port 119 is MITM spook and blackhat territory. This is why I ask about a
secure connection being available.

Posting _anything_ to port 119 that is not cryptographically signed can
allow the blackhats and spooks to interject and change your data en route.
--
R. Holme
Caprisky
2022-01-06 04:12:12 UTC
Post by R. Holme
Post by The Doctor
Post by R. Holme
Post by smash
Dear ppl of the usenet,
after two decades I have set up my own news server for fun and to keep
things alive. Also for the nostalgia, and because Usenet is still the
most elegant form of discussion I can think of.
Thanks for setting this up. After several tests I am not able to connect
with SSL/TLS on port 563. Is this an oversight, or is the encrypted
connection on another port?
Which server SW are you using?
No server. Client for reader mode. Fails with openssl and socat as well
as all newsreaders.
$> openssl s_client -ign_eof -connect news.cyber23.de:563
Not sure they were advertising an open server for clients, but were asking for peers. I could be wrong, that happens a lot.
The Doctor
2022-01-06 05:34:37 UTC
Post by R. Holme
Post by The Doctor
Post by R. Holme
Post by smash
Dear ppl of the usenet,
after two decades I have set up my own news server for fun and to keep
things alive. Also for the nostalgia, and because Usenet is still the
most elegant form of discussion I can think of.
Thanks for setting this up. After several tests I am not able to connect
with SSL/TLS on port 563. Is this an oversight, or is the encrypted
connection on another port?
Which server SW are you using?
No server. Client for reader mode. Fails with openssl and socat as well
as all newsreaders.
$> openssl s_client -ign_eof -connect news.cyber23.de:563
Port 119 is MITM spook and blackhat territory. This is why I ask about a
secure connection being available.
Posting _anything_ to port 119 that is not cryptographically signed can
allow the blackhats and spooks to interject and change your data en route.
--
R. Holme
NNTPS is activated by inetd.
--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism https://www.empire.kred/ROOTNK?t=94a1f39b
Birthdate 29 Jan 1969 Redhill Surrey England Beware https://mindspring.com
Matija Nalis
2022-01-06 15:01:44 UTC
Post by R. Holme
$> openssl s_client -ign_eof -connect news.cyber23.de:563
Port 119 is MITM spook and blackhat territory. This is why I ask about a
secure connection being available.
Posting _anything_ to port 119 that is not cryptographically signed can
allow the blackhats and spooks to interject and change your data en route.
Why do you think there is any difference in security between
"TLS connect to port 563 directly" compared to "plaintext connect to
port 119, issue 'STARTTLS' command, and refuse to proceed unless server
offers TLS" ?

(assuming your client has an option "force use of STARTTLS", of course -
if it does not, that seems like a client bug, if it's interested in
offering transport security).
--
Opinions above are GNU-copylefted.
Grant Taylor
2022-01-06 20:08:25 UTC
Post by Matija Nalis
assuming your client has an option "force use of STARTTLS"
That is the operative part of your question.

Not all clients support it, nor do all the people have it enabled who
have clients that do support it.

That's a client side configuration option which server operators have no
control and very little influence over.
--
Grant. . . .
unix || die
R. Holme
2022-01-06 23:18:12 UTC
Post by Grant Taylor
Post by Matija Nalis
assuming your client has an option "force use of STARTTLS"
That is the operative part of your question.
Not all clients support it, nor do all the people have it enabled who
have clients that do support it.
That's a client side configuration option which server operators have no
control and very little influence over.
Many clients have no option for STARTTLS on a clear-text port. It's not
part of the modern way of doing the protocol and AFAIK never has been.

STARTTLS is more of a pop3/imap thing. If you look at Thunderbird, you
will see that StartTLS is available for mail server settings but not for
NNTP server settings. It's not an oversight or bug, just not considered
necessary since it is expected for the server to offer a dedicated
SSL/TLS port to the client, usually port 563 or 465.

I also see no STARTTLS functionality on the server in question. Socat
and s_client can't detect it. My tests just return "wrong version
number." This usually means there is no encryption handshake present on
the server.
--
R. Holme
Julien ÉLIE
2022-01-07 08:32:10 UTC
Hi R. Holme,
Post by R. Holme
Many clients have no option for STARTTLS on a clear-text port. It's not
part of the modern way of doing the protocol and AFAIK never has been.
STARTTLS is more of a pop3/imap thing. If you look at Thunderbird, you
will see that StartTLS is available for mail server settings but not for
NNTP server settings. It's not an oversight or bug, just not considered
necessary since it is expected for the server to offer a dedicated
SSL/TLS port to the client, usually port 563 or 465.
I also see no STARTTLS functionality on the server in question. Socat
and s_client can't detect it. My tests just return "wrong version
number." This usually means there is no encryption handshake present on
the server.
STARTTLS is correctly implemented in OpenSSL for NNTP. It is not only
for POP3 and IMAP...
I agree that Thunderbird and probably the NNTP server you are using do
not implement it, but that does not mean STARTTLS is not feasible
(though implicit TLS on port 563 is the preferred way in RFCs).

s_client: Value must be one of:
smtp
pop3
imap
ftp
xmpp
xmpp-server
telnet
irc
mysql
postgres
lmtp
nntp
sieve
ldap


% openssl s_client -starttls nntp news.aioe.org:119

Works fine!
--
Julien ÉLIE

« I forgot that Assurancetourix has a new string on his harp! »
(Astérix)
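Matija's "refuse to proceed unless the server offers TLS" policy and Julien's `openssl s_client -starttls nntp` run describe the same exchange on port 119. Here it is as an added example (not code from the thread, from INN or from OpenSSL): a Python model of the RFC 3977 CAPABILITIES and RFC 4642 STARTTLS negotiation, with a scripted stand-in for the server side so it runs offline. It also shows the failure mode Grant alludes to: a client without a "force STARTTLS" setting silently stays in plaintext when the capability is missing, which is exactly what a STARTTLS-stripping man-in-the-middle arranges. The server name, the capability lists and the `ScriptedServer` class are constructed; the TLS handshake itself is replaced by a flag where a real client would call `ssl.SSLContext.wrap_socket()`.

```python
"""STARTTLS on the plaintext NNTP port: honest server vs. stripped capability.

Added example.  Models RFC 3977 CAPABILITIES (101 ... '.') and RFC 4642
STARTTLS (382 = continue with TLS) against a constructed server object;
no sockets, no real TLS.  Outcomes: 'tls', 'plaintext' or 'refused'."""

CRLF = "\r\n"


class ScriptedServer:
    """Constructed server side.  strip_starttls=True models an active
    man-in-the-middle that relays the plaintext session but deletes the
    STARTTLS capability and blocks the STARTTLS command."""

    def __init__(self, offers_starttls: bool, strip_starttls: bool = False):
        self.offers_starttls = offers_starttls
        self.strip_starttls = strip_starttls
        self.tls_active = False

    def greeting(self) -> str:
        return "200 news.example.invalid ready (posting ok)" + CRLF

    def handle(self, command: str) -> str:
        cmd = command.strip().upper()
        if cmd == "CAPABILITIES":
            caps = ["VERSION 2", "READER", "POST"]
            # RFC 4642 2.2.2: STARTTLS must not be advertised once TLS is active.
            if self.offers_starttls and not self.tls_active and not self.strip_starttls:
                caps.append("STARTTLS")
            return "101 Capability list:" + CRLF + CRLF.join(caps) + CRLF + "." + CRLF
        if cmd == "STARTTLS":
            if not self.offers_starttls or self.tls_active or self.strip_starttls:
                return "502 Command unavailable" + CRLF
            self.tls_active = True     # a real server starts the TLS handshake here
            return "382 Continue with TLS negotiation" + CRLF
        return "500 Unknown command" + CRLF


def parse_capabilities(response: str) -> set[str]:
    """Parse a CAPABILITIES response: 101 status line, one capability per
    line (first token is the label), terminated by a line holding only '.'."""
    lines = response.split(CRLF)
    if not lines or not lines[0].startswith("101"):
        raise ValueError(f"unexpected CAPABILITIES status line: {lines[:1]}")
    caps = set()
    for line in lines[1:]:
        if line == ".":
            break
        if line.startswith(".."):          # dot-stuffing (RFC 3977 3.1.1)
            line = line[1:]
        if line:
            caps.add(line.split()[0].upper())
    return caps


def client_session(server: ScriptedServer, require_tls: bool = True):
    """Client side on port 119.  Returns (outcome, transcript).  require_tls=True
    is the "force STARTTLS" policy; False is a client without that option."""
    transcript = [("S", server.greeting())]

    def send(cmd: str) -> str:
        transcript.append(("C", cmd + CRLF))
        reply = server.handle(cmd)
        transcript.append(("S", reply))
        return reply

    if "STARTTLS" not in parse_capabilities(send("CAPABILITIES")):
        if require_tls:
            return "refused", transcript   # nothing on offer (or stripped): stop
        return "plaintext", transcript     # silent downgrade
    if not send("STARTTLS").startswith("382"):
        return "refused", transcript
    # Real client: sock = ctx.wrap_socket(sock, server_hostname=host) here.
    # RFC 4642 2.2.2: discard what was learned before TLS and ask again.
    if "STARTTLS" in parse_capabilities(send("CAPABILITIES")):
        return "refused", transcript       # must not be re-offered inside TLS
    return "tls", transcript


def format_transcript(transcript) -> str:
    """Render the exchange one line per message, prefixed C: or S:."""
    return "".join(f"{who}: {l}\n" for who, text in transcript
                   for l in text.split(CRLF) if l)


if __name__ == "__main__":
    cases = [("honest, forced", ScriptedServer(True), True),
             ("stripped, forced", ScriptedServer(True, strip_starttls=True), True),
             ("stripped, lenient", ScriptedServer(True, strip_starttls=True), False)]
    for name, srv, force in cases:
        outcome, log = client_session(srv, require_tls=force)
        print(f"== {name}: {outcome}\n{format_transcript(log)}")
```

The "stripped, lenient" case is the answer to why implicit TLS on port 563 is the safer default for readers: there the handshake happens before any NNTP byte is exchanged, so there is no capability list to strip and no client-side option to forget. STARTTLS on 119 is equivalent only when the client enforces it.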