Suprisingly a Peering request

<smh4c6$b4d$1@solani.org>

https://www.novabbs.com/computers/article-flat.php?id=142&group=news.admin.peering#142
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!reader5.news.weretis.net!news.solani.org!.POSTED!not-for-mail
From: usenet_s...@st.cyber23.de (smash)
Newsgroups: news.admin.peering
Subject: Suprisingly a Peering request
Date: Wed, 10 Nov 2021 19:51:50 +0100
Message-ID: <smh4c6$b4d$1@solani.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Injection-Date: Wed, 10 Nov 2021 18:51:51 -0000 (UTC)
Injection-Info: solani.org;
logging-data="11405"; mail-complaints-to="abuse@news.solani.org"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
Cancel-Lock: sha1:Z+H878kqHG8QhBSvirJ1Z1WIs2I=
X-User-ID: eJwFwQkBwDAIA0BLUEjK5PAU/xJ2B6OyrxN0LLbImy7Vg2zYeXjUnsoclaBGWMTCv4KN3FSNlE/OO8JA7g9ZkxUi
X-Mozilla-News-Host: snews://news.solani.de:563
Content-Language: de-DE
 by: smash - Wed, 10 Nov 2021 18:51 UTC

Dear ppl of the usenet,
after two decades I have set up an own newsserver for fun and keeping
things alive. Also for the nostalgia and because usenet is still the
most elegant form of discussion I can think of.

After I did not fuck up the first peering, I'm eager to expand :)

# Service.name.........: Cyber23 news
# Hostname.............: news.cyber23.de
# IPV4.addr............: 185.137.122.16
# IPV6.addr............: 2a02:c206:3008:1470::1
# Send.To..............: news.cyber23.de
# Accept.From..........: news.cyber23.de
# (use FQDN instead of IP if you can)
# Path.Exclusion.......: news.cyber23.de
# Hierarchies..........: *
# Contact..............: usenet@cyber23.de
# Spam.filtering.......: no (actually that is 'not yet')
# Working.abuse.mailbox: yes (abuse@cyber23.de)
# Feeding-Systems......: VPS, 4x AMD EPYC 7282
# 8 Gb RAM, 200GB SSD
# inn 2.6.4 on FreeBSD 12.2
# Bandwidth............: 200MBit
# Location.............: Duesseldorf, Germany
# ISP..................: contabo, https://www.contabo.de (AS51167)

As you can see I'm willing to take all, including binaries. That is for
a simple reason: I think it's a good idea to keep communication free and
unlimited. And as I don't believe 'commercial' usenet servers will peer
with me or the others that might be willing to peer with me, the
biggest part of the let's call it 'binary problem' is from the table
already.... So those of you, who might allow binaries (if there are any)
will most probably only have binaries from their userbase. And I believe
that to be harmless (both, regarding traffic and questionable content).

Maybe I'm wrong and giganews will offer me a full binary feed and I'll
have to politely say no - but I srsly doubt that's gonna happen ;).
Maybe there are other reasons to reject binaries, would love to hear
about those.

yours,
smash

Re: Suprisingly a Peering request

<smi9mq$v51$1@tncsrv09.home.tnetconsulting.net>

https://www.novabbs.com/computers/article-flat.php?id=143&group=news.admin.peering#143
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: news.admin.peering
Subject: Re: Suprisingly a Peering request
Date: Wed, 10 Nov 2021 22:23:04 -0700
Organization: TNet Consulting
Message-ID: <smi9mq$v51$1@tncsrv09.home.tnetconsulting.net>
References: <smh4c6$b4d$1@solani.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Thu, 11 Nov 2021 05:28:58 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="31905"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <smh4c6$b4d$1@solani.org>
Content-Language: en-US
 by: Grant Taylor - Thu, 11 Nov 2021 05:23 UTC

On 11/10/21 11:51 AM, smash wrote:
> Dear ppl of the usenet,

Hi,

> after two decades I have set up an own newsserver for fun and keeping
> things alive. Also for the nostalgia and because usenet is still the
> most elegant form of discussion I can think of.

Welcome back.

> After I did not fuck up the first peering, I'm eager to expand :)

Send me a direct email.

> As you can see I'm willing to take all, including binaries. That is for
> a simple reason: I think it's a good idea to keep communication free and
> unlimited. And as I don't believe 'commercial' usenet servers will peer
> with me or the others that might be willing to peer with me, the
> biggest part of the let's call it 'binary problem' is from the table
> already.... So those of you, who might allow binaries (if there are any)
> will most probably only have binaries from their userbase. And I believe
> that to be harmless (both, regarding traffic and questionable content).

I have some reservations about all newsgroups, including binary, but I'm
willing to deal with that if it becomes an issue. I suspect that
judicious feed pruning will probably suffice.

I also take it that you will be implementing some sort of spam filtering.

--
Grant. . . .
unix || die

Re: Suprisingly a Peering request

<smjf95$1rc7$1@blackbox.home.burmester.org>

https://www.novabbs.com/computers/article-flat.php?id=144&group=news.admin.peering#144
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!newsfeed.xs3.de!callisto.xs3.de!news.burmester.org!.POSTED!not-for-mail
From: mar...@burmester.org (Martin Burmester)
Newsgroups: news.admin.peering
Subject: Re: Suprisingly a Peering request
Date: Thu, 11 Nov 2021 17:10:13 +0100
Organization: burmester.org
Message-ID: <smjf95$1rc7$1@blackbox.home.burmester.org>
References: <smh4c6$b4d$1@solani.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Thu, 11 Nov 2021 16:10:13 -0000 (UTC)
Injection-Info: blackbox.home.burmester.org;
logging-data="60807"; mail-complaints-to="abuse@xs3.de"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
Thunderbird/91.3.0
Cancel-Lock: sha1:C5q7N7kHOLPSz7uFYDqDpr9Kv6g=
In-Reply-To: <smh4c6$b4d$1@solani.org>
Content-Language: de-DE
 by: Martin Burmester - Thu, 11 Nov 2021 16:10 UTC

Hi

On 10.11.2021 at 19:51, smash wrote:
> # Spam.filtering.......: no (actually that is 'not yet')

[...]

> As you can see I'm willing to take all, including binaries. That is for
> a simple reason: I think it's a good idea to keep communication free and
> unlimited. And as I don't believe 'commercial' usenet servers will peer
> with me or the others that might be willing to peer with me, the
> biggest part of the let's call it 'binary problem' is from the table
> already.... So those of you, who might allow binaries (if there are any)
> will most probably only have binaries from their userbase. And I believe
> that to be harmless (both, regarding traffic and questionable content).

If you go that route, it might be a good idea to get cleanfeed running
and make sure you accept binaries only in binary groups and not (through
crossposts e.g.) in groups that are supposed to be text only. Otherwise
you might send those binaries also to peers who explicitly don't want
them and cause a lot of traffic.

Cheers,
Martin

PS: I am generally open to peering after resolving that point, contact
by mail (German is fine too).

Re: Suprisingly a Peering request

<smm85d$11i1$1@blackbox.home.burmester.org>

https://www.novabbs.com/computers/article-flat.php?id=145&group=news.admin.peering#145
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!feeder8.news.weretis.net!newsfeed.xs3.de!callisto.xs3.de!news.burmester.org!.POSTED!not-for-mail
From: mar...@burmester.org (Martin Burmester)
Newsgroups: news.admin.peering
Subject: Re: Suprisingly a Peering request
Date: Fri, 12 Nov 2021 18:27:09 +0100
Organization: burmester.org
Message-ID: <smm85d$11i1$1@blackbox.home.burmester.org>
References: <smh4c6$b4d$1@solani.org>
<smjf95$1rc7$1@blackbox.home.burmester.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Fri, 12 Nov 2021 17:27:09 -0000 (UTC)
Injection-Info: blackbox.home.burmester.org;
logging-data="34369"; mail-complaints-to="abuse@xs3.de"
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101
Thunderbird/91.3.0
Cancel-Lock: sha1:weTo9CFUduYvBYfIoyIZlWSraWg=
In-Reply-To: <smjf95$1rc7$1@blackbox.home.burmester.org>
Content-Language: de-DE
 by: Martin Burmester - Fri, 12 Nov 2021 17:27 UTC

Hi,

On 11.11.2021 at 17:10, Martin Burmester wrote:
> On 10.11.2021 at 19:51, smash wrote:
>> # Spam.filtering.......: no (actually that is 'not yet')
>
> [...]
>
>> As you can see I'm willing to take all, including binaries. That is for
>> a simple reason: I think it's a good idea to keep communication free and
>> unlimited. And as I don't believe 'commercial' usenet servers will peer
>> with me or the others that might be willing to peer with me, the
>> biggest part of the let's call it 'binary problem' is from the table
>> already.... So those of you, who might allow binaries (if there are any)
>> will most probably only have binaries from their userbase. And I believe
>> that to be harmless (both, regarding traffic and questionable content).
>
> If you go that route, it might be a good idea to get cleanfeed running
> and make sure you accept binaries only in binary groups and not (through
> crossposts e.g.) in groups that are supposed to be text only. Otherwise
> you might send those binaries also to peers who explicitly don't want
> them and cause a lot of traffic.

after posting this, I remembered that adding @*binaries* and the like
should be sufficient to configure text feeds that exclude binaries
crossposted to text only groups. Nonetheless having a filter for that is
a good idea.

Cheers,
Martin
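
Added example (not part of the posts above, and not INN's own code): a simplified Python model of INN newsfeeds subscription patterns, showing why a `!*binaries*` exclusion still forwards a binary crossposted to a text group while `@*binaries*` drops the whole article. The pattern lists, article names and sizes are constructed, and `fnmatchcase` stands in for INN's wildmat matching.

```python
from fnmatch import fnmatchcase

# Two subscription lists for a text-only peer, in newsfeeds pattern syntax.
BANG_ONLY = ["*", "!*binaries*"]     # "!" un-subscribes the group only
WITH_POISON = ["*", "@*binaries*"]   # "@" poisons the whole article

# Constructed sample articles: (message-id, Newsgroups, size in bytes).
ARTICLES = [
    ("<1@example.invalid>", ["comp.lang.c"], 2_000),
    ("<2@example.invalid>", ["alt.binaries.pictures"], 750_000),
    ("<3@example.invalid>", ["alt.binaries.pictures", "alt.test"], 750_000),
    ("<4@example.invalid>", ["news.admin.peering"], 3_000),
]


def group_verdict(group, patterns):
    """Classify one group; the last matching pattern wins."""
    verdict = "reject"  # a group matched by nothing is not fed
    for pattern in patterns:
        kind = "want"
        if pattern.startswith("!"):
            kind, pattern = "reject", pattern[1:]
        elif pattern.startswith("@"):
            kind, pattern = "poison", pattern[1:]
        if fnmatchcase(group, pattern):
            verdict = kind
    return verdict


def feed_article(newsgroups, patterns):
    """Decide whether an article with these Newsgroups goes to the peer."""
    verdicts = [group_verdict(group, patterns) for group in newsgroups]
    if "poison" in verdicts:
        return False          # one poisoned group blocks the whole article
    return "want" in verdicts  # otherwise any wanted group is enough


def bytes_sent(articles, patterns):
    """Total traffic the peer would receive for this article set."""
    return sum(size for _, groups, size in articles
               if feed_article(groups, patterns))


def leaked_binaries(articles, patterns):
    """Message-IDs of articles fed although a binaries group is listed."""
    return [mid for mid, groups, _ in articles
            if feed_article(groups, patterns)
            and any("binaries" in group for group in groups)]


if __name__ == "__main__":
    for name, patterns in (("!*binaries*", BANG_ONLY),
                           ("@*binaries*", WITH_POISON)):
        print(name, bytes_sent(ARTICLES, patterns),
              leaked_binaries(ARTICLES, patterns))
```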

Re: Suprisingly a Peering request

<sr5bb8$2fkkg$1@news.mixmin.net>

https://www.novabbs.com/computers/article-flat.php?id=198&group=news.admin.peering#198
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!news.mixmin.net!.POSTED!not-for-mail
From: hol...@url.invalid (R. Holme)
Newsgroups: news.admin.peering
Subject: Re: Suprisingly a Peering request
Date: Wed, 5 Jan 2022 17:58:35 -0600
Organization: Mixmin
Message-ID: <sr5bb8$2fkkg$1@news.mixmin.net>
References: <smh4c6$b4d$1@solani.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Injection-Date: Wed, 5 Jan 2022 23:58:33 -0000 (UTC)
Injection-Info: news.mixmin.net; posting-host="8b267095bea37c98589ecd3a1405ceddc387ad1d";
logging-data="2609808"; mail-complaints-to="abuse@mixmin.net"
In-Reply-To: <smh4c6$b4d$1@solani.org>
Content-Language: en-US
 by: R. Holme - Wed, 5 Jan 2022 23:58 UTC

On 11/10/21 12:51 PM, smash wrote:
> Dear ppl of the usenet,
> after two decades I have set up an own newsserver for fun and keeping
> things alive. Also for the nostalgia and because usenet is still the
> most elegant form of discussion I can think of.

Thanks for setting this up. After several tests I am not able to connect
with SSL/TLS on port 563. Is this an oversight or is encrypted
connection on another port?

--
R. Holme

Re: Suprisingly a Peering request

<sr5f77$23dc$3@gallifrey.nk.ca>

https://www.novabbs.com/computers/article-flat.php?id=199&group=news.admin.peering#199
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!news.nk.ca!.POSTED.doctor.nl2k.ab.ca!not-for-mail
From: doc...@doctor.nl2k.ab.ca (The Doctor)
Newsgroups: news.admin.peering
Subject: Re: Suprisingly a Peering request
Date: Thu, 6 Jan 2022 01:04:39 -0000 (UTC)
Organization: NetKnow News
Message-ID: <sr5f77$23dc$3@gallifrey.nk.ca>
References: <smh4c6$b4d$1@solani.org> <sr5bb8$2fkkg$1@news.mixmin.net>
Injection-Date: Thu, 6 Jan 2022 01:04:39 -0000 (UTC)
Injection-Info: gallifrey.nk.ca; posting-host="doctor.nl2k.ab.ca:204.209.81.1";
logging-data="69036"; mail-complaints-to="usenet@gallifrey.nk.ca"
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: doctor@doctor.nl2k.ab.ca (The Doctor)
 by: The Doctor - Thu, 6 Jan 2022 01:04 UTC

In article <sr5bb8$2fkkg$1@news.mixmin.net>,
R. Holme <holmer@url.invalid> wrote:
>On 11/10/21 12:51 PM, smash wrote:
>> Dear ppl of the usenet,
>> after two decades I have set up an own newsserver for fun and keeping
>> things alive. Also for the nostalgia and because usenet is still the
>> most elegant form of discussion I can think of.
>
>Thanks for setting this up. After several tests I am not able to connect
>with SSL/TLS on port 563. Is this an oversight or is encrypted
>connection on another port?
>

Which server SW are you using?
>--
>R. Holme

--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism https://www.empire.kred/ROOTNK?t=94a1f39b
Birthdate 29 Jan 1969 Redhill Surrey England Beware https://mindspring.com

Re: Suprisingly a Peering request

<sr5n08$kbl$1@gioia.aioe.org>

https://www.novabbs.com/computers/article-flat.php?id=200&group=news.admin.peering#200
Path: i2pn2.org!i2pn.org!aioe.org!koLOuAz76f/FEugmRk+Www.user.46.165.242.91.POSTED!not-for-mail
From: hol...@url.invalid (R. Holme)
Newsgroups: news.admin.peering
Subject: Re: Suprisingly a Peering request
Date: Wed, 5 Jan 2022 21:17:31 -0600
Organization: Aioe.org NNTP Server
Message-ID: <sr5n08$kbl$1@gioia.aioe.org>
References: <smh4c6$b4d$1@solani.org> <sr5bb8$2fkkg$1@news.mixmin.net>
<sr5f77$23dc$3@gallifrey.nk.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Injection-Info: gioia.aioe.org; logging-data="20853"; posting-host="koLOuAz76f/FEugmRk+Www.user.gioia.aioe.org"; mail-complaints-to="abuse@aioe.org";
X-Notice: Filtered by postfilter v. 0.9.2
Content-Language: en-US
 by: R. Holme - Thu, 6 Jan 2022 03:17 UTC

On 1/5/22 7:04 PM, The Doctor wrote:
> In article <sr5bb8$2fkkg$1@news.mixmin.net>,
> R. Holme <holmer@url.invalid> wrote:
>> On 11/10/21 12:51 PM, smash wrote:
>>> Dear ppl of the usenet,
>>> after two decades I have set up an own newsserver for fun and keeping
>>> things alive. Also for the nostalgia and because usenet is still the
>>> most elegant form of discussion I can think of.
>>
>> Thanks for setting this up. After several tests I am not able to connect
>> with SSL/TLS on port 563. Is this an oversight or is encrypted
>> connection on another port?
>>
>
> Which server SW are you using?

No server. Client for reader mode. Fails with openssl and socat as well
as all newsreaders.

See for yourself:

$> openssl s_client -ign_eof -connect news.cyber23.de:563

Port 119 is MITM spook and blackhat territory. This is why I ask about a
secure connection being available.

Posting _anything_ to port 119 that is not cryptographically signed can
allow the blackhats and spooks to interject, change en route your data.

--
R. Holme

Re: Suprisingly a Peering request

<sr5v1d$23cm$14@gallifrey.nk.ca>

https://www.novabbs.com/computers/article-flat.php?id=202&group=news.admin.peering#202
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!news.nk.ca!.POSTED.doctor.nl2k.ab.ca!not-for-mail
From: doc...@doctor.nl2k.ab.ca (The Doctor)
Newsgroups: news.admin.peering
Subject: Re: Suprisingly a Peering request
Date: Thu, 6 Jan 2022 05:34:37 -0000 (UTC)
Organization: NetKnow News
Message-ID: <sr5v1d$23cm$14@gallifrey.nk.ca>
References: <smh4c6$b4d$1@solani.org> <sr5bb8$2fkkg$1@news.mixmin.net> <sr5f77$23dc$3@gallifrey.nk.ca> <sr5n08$kbl$1@gioia.aioe.org>
Injection-Date: Thu, 6 Jan 2022 05:34:37 -0000 (UTC)
Injection-Info: gallifrey.nk.ca; posting-host="doctor.nl2k.ab.ca:204.209.81.1";
logging-data="69014"; mail-complaints-to="usenet@gallifrey.nk.ca"
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
Originator: doctor@doctor.nl2k.ab.ca (The Doctor)
 by: The Doctor - Thu, 6 Jan 2022 05:34 UTC

In article <sr5n08$kbl$1@gioia.aioe.org>, R. Holme <holmer@url.invalid> wrote:
>On 1/5/22 7:04 PM, The Doctor wrote:
>> In article <sr5bb8$2fkkg$1@news.mixmin.net>,
>> R. Holme <holmer@url.invalid> wrote:
>>> On 11/10/21 12:51 PM, smash wrote:
>>>> Dear ppl of the usenet,
>>>> after two decades I have set up an own newsserver for fun and keeping
>>>> things alive. Also for the nostalgia and because usenet is still the
>>>> most elegant form of discussion I can think of.
>>>
>>> Thanks for setting this up. After several tests I am not able to connect
>>> with SSL/TLS on port 563. Is this an oversight or is encrypted
>>> connection on another port?
>>>
>>
>> Which server SW are you using?
>
>No server. Client for reader mode. Fails with openssl and socat as well
>as all newsreaders.
>
>See for yourself:
>
>$> openssl s_client -ign_eof -connect news.cyber23.de:563
>
>Port 119 is MITM spook and blackhat territory. This is why I ask about a
>secure connection being available.
>
>Posting _anything_ to port 119 that is not cryptographically signed can
>allow the blackhats and spooks to interject, change en route your data.
>
>--
>R. Holme

NNTPS is activated by inetd.
--
Member - Liberal International This is doctor@@nl2k.ab.ca Ici doctor@@nl2k.ab.ca
Yahweh, Queen & country!Never Satan President Republic!Beware AntiChrist rising!
Look at Psalms 14 and 53 on Atheism https://www.empire.kred/ROOTNK?t=94a1f39b
Birthdate 29 Jan 1969 Redhill Surrey England Beware https://mindspring.com

Re: Suprisingly a Peering request

<slrnste12o.2in.mnalis-news@leia.home.lan>

https://www.novabbs.com/computers/article-flat.php?id=203&group=news.admin.peering#203
Path: i2pn2.org!i2pn.org!aioe.org!newsfeed.CARNet.hr!.POSTED.2001:470:26:148:89b2:eba9:28b4:483f!not-for-mail
From: mnalis-n...@voyager.hr (Matija Nalis)
Newsgroups: news.admin.peering
Subject: Re: Suprisingly a Peering request
Date: Thu, 6 Jan 2022 16:01:44 +0100
Organization: CARNet, Croatia
Sender: mnalis@public.hr
Message-ID: <slrnste12o.2in.mnalis-news@leia.home.lan>
References: <smh4c6$b4d$1@solani.org> <sr5bb8$2fkkg$1@news.mixmin.net>
<sr5f77$23dc$3@gallifrey.nk.ca> <sr5n08$kbl$1@gioia.aioe.org>
Injection-Info: news1.carnet.hr; posting-host="2001:470:26:148:89b2:eba9:28b4:483f";
logging-data="407"; mail-complaints-to="abuse@CARNet.hr"
User-Agent: slrn/1.0.3 (Linux)
Cancel-Lock: sha1:ZR94hODtHmRPWPWWY2SFo/+1JAs=
 by: Matija Nalis - Thu, 6 Jan 2022 15:01 UTC

On Wed, 5 Jan 2022 21:17:31 -0600, R. Holme <holmer@url.invalid> wrote:
> $> openssl s_client -ign_eof -connect news.cyber23.de:563
>
> Port 119 is MITM spook and blackhat territory. This is why I ask about a
> secure connection being available.
>
> Posting _anything_ to port 119 that is not cryptographically signed can
> allow the blackhats and spooks to interject, change en route your data.

Why do you think there is any difference in security between
"TLS connect to port 563 directly" compared to "plaintext connect to
port 119, issue 'STARTTLS' command, and refuse to proceed unless server
offers TLS" ?

(assuming your client has an option "force use of STARTTLS", of course -
if it does not, that seems like a client bug, if it's interested in
offering transport security).

--
Opinions above are GNU-copylefted.
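
Added example (not part of the post above): a Python sketch of the "refuse to proceed unless server offers TLS" client policy on port 119, next to an opportunistic client, run against constructed transcripts in which the STARTTLS capability is present, missing, or refused. `ScriptedServer` and the capability lists are hypothetical stand-ins for a live session; the 101, 382 and 580 response codes follow RFC 3977 and RFC 4642, and the TLS handshake itself is left out.

```python
class DowngradeError(Exception):
    """Raised when a TLS-requiring client cannot upgrade the connection."""


# Constructed capability lists as they might arrive in cleartext on port 119.
HONEST = ["VERSION 2", "READER", "POST", "STARTTLS"]
STRIPPED = ["VERSION 2", "READER", "POST"]   # STARTTLS line missing in transit


class ScriptedServer:
    """Hypothetical stand-in for the cleartext phase of an NNTP session."""

    def __init__(self, capabilities,
                 starttls_reply="382 Continue with TLS negotiation"):
        self.capabilities = capabilities
        self.starttls_reply = starttls_reply
        self.sent = []   # every command the client issued before TLS

    def command(self, line):
        self.sent.append(line)
        verb = line.split()[0].upper()
        if verb == "CAPABILITIES":
            return ["101 Capability list:", *self.capabilities, "."]
        if verb == "STARTTLS":
            return [self.starttls_reply]
        return ["500 Unknown command"]


def parse_capabilities(lines):
    """Return the set of capability labels from a 101 multi-line response."""
    if not lines or not lines[0].startswith("101"):
        raise ValueError("expected a 101 capability list")
    labels = set()
    for line in lines[1:]:
        if line == ".":
            return labels
        if line.strip():
            labels.add(line.split()[0].upper())
    raise ValueError("capability list not terminated by '.'")


def negotiate(server, require_tls=True):
    """Return 'tls' or 'plaintext'; fail closed when require_tls is set."""
    caps = parse_capabilities(server.command("CAPABILITIES"))
    if "STARTTLS" in caps:
        reply = server.command("STARTTLS")[0]
        if reply.startswith("382"):
            # A real client wraps the socket here with certificate and
            # hostname verification, then requests CAPABILITIES again,
            # because the cleartext list is unauthenticated.
            return "tls"
        reason = "STARTTLS refused: " + reply
    else:
        reason = "STARTTLS not advertised"
    if require_tls:
        raise DowngradeError(reason)
    return "plaintext"   # opportunistic client carries on unprotected


def outcomes():
    """Run both client policies over the constructed transcripts."""
    result = {}
    for name, server_args in (
            ("honest", (HONEST,)),
            ("stripped", (STRIPPED,)),
            ("refused", (HONEST, "580 Can not initiate TLS negotiation"))):
        for policy in (True, False):
            try:
                mode = negotiate(ScriptedServer(*server_args), policy)
            except DowngradeError as exc:
                mode = "aborted (" + str(exc) + ")"
            result[(name, "strict" if policy else "opportunistic")] = mode
    return result


if __name__ == "__main__":
    for key, mode in outcomes().items():
        print(key, "->", mode)
```

Implicit TLS on port 563 has no cleartext capability exchange to tamper with, so the fail-closed branch above is the part a STARTTLS client has to get right to match it.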

Re: Suprisingly a Peering request

<sr7i75$25r$3@tncsrv09.home.tnetconsulting.net>

https://www.novabbs.com/computers/article-flat.php?id=204&group=news.admin.peering#204
Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alpha.home.tnetconsulting.net!not-for-mail
From: gtay...@tnetconsulting.net (Grant Taylor)
Newsgroups: news.admin.peering
Subject: Re: Suprisingly a Peering request
Date: Thu, 6 Jan 2022 13:08:25 -0700
Organization: TNet Consulting
Message-ID: <sr7i75$25r$3@tncsrv09.home.tnetconsulting.net>
References: <smh4c6$b4d$1@solani.org> <sr5bb8$2fkkg$1@news.mixmin.net>
<sr5f77$23dc$3@gallifrey.nk.ca> <sr5n08$kbl$1@gioia.aioe.org>
<slrnste12o.2in.mnalis-news@leia.home.lan>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit
Injection-Date: Thu, 6 Jan 2022 20:08:05 -0000 (UTC)
Injection-Info: tncsrv09.home.tnetconsulting.net; posting-host="alpha.home.tnetconsulting.net:198.18.18.251";
logging-data="2235"; mail-complaints-to="newsmaster@tnetconsulting.net"
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Thunderbird/78.13.0
In-Reply-To: <slrnste12o.2in.mnalis-news@leia.home.lan>
Content-Language: en-US
 by: Grant Taylor - Thu, 6 Jan 2022 20:08 UTC

On 1/6/22 8:01 AM, Matija Nalis wrote:
> assuming your client has an option "force use of STARTTLS"

That is the operative part of your question.

Not all clients support it, nor do all the people have it enabled who
have clients that do support it.

That's a client side configuration option which server operators have no
control and very little influence over.

--
Grant. . . .
unix || die

Re: Suprisingly a Peering request

<sr7tbf$1ok9$1@gioia.aioe.org>

https://www.novabbs.com/computers/article-flat.php?id=205&group=news.admin.peering#205
Path: i2pn2.org!i2pn.org!aioe.org!Xy0Fhgjtx3hjZpnpLXmPQQ.user.46.165.242.91.POSTED!not-for-mail
From: hol...@url.invalid (R. Holme)
Newsgroups: news.admin.peering
Subject: Re: Suprisingly a Peering request
Date: Thu, 6 Jan 2022 17:18:12 -0600
Organization: Aioe.org NNTP Server
Message-ID: <sr7tbf$1ok9$1@gioia.aioe.org>
References: <smh4c6$b4d$1@solani.org> <sr5bb8$2fkkg$1@news.mixmin.net>
<sr5f77$23dc$3@gallifrey.nk.ca> <sr5n08$kbl$1@gioia.aioe.org>
<slrnste12o.2in.mnalis-news@leia.home.lan>
<sr7i75$25r$3@tncsrv09.home.tnetconsulting.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Injection-Info: gioia.aioe.org; logging-data="57993"; posting-host="Xy0Fhgjtx3hjZpnpLXmPQQ.user.gioia.aioe.org"; mail-complaints-to="abuse@aioe.org";
Content-Language: en-US
X-Notice: Filtered by postfilter v. 0.9.2
 by: R. Holme - Thu, 6 Jan 2022 23:18 UTC

On 1/6/22 2:08 PM, Grant Taylor wrote:
> On 1/6/22 8:01 AM, Matija Nalis wrote:
>> assuming your client has an option "force use of STARTTLS"
>
> That is the operative part of your question.
>
> Not all clients support it, nor do all the people have it enabled who
> have clients that do support it.
>
> That's a client side configuration option which server operators have no
> control and very little influence over.

Many clients have no option for STARTTLS on a clear text port. It's not
part of the modern way of doing the protocol and AFAIK never has been.

STARTTLS is more of a pop3/imap thing. If you look at Thunderbird, you
will see that StartTLS is available for mail server settings but not for
NNTP server settings. It's not an oversight or bug, just not considered
necessary since it is expected for the server to offer a dedicated
SSL/TLS port to the client, usually port 563 or 465.

I also see no STARTTLS functionality on the server in question. Socat
and s_client can't detect it. My tests just return "wrong version
number." This usually means there is no encryption handshake present on
the server.

--
R. Holme

Re: Suprisingly a Peering request

<sr8tqb$1hi1n$1@news.trigofacile.com>

https://www.novabbs.com/computers/article-flat.php?id=206&group=news.admin.peering#206
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!news.trigofacile.com!.POSTED.176.143-2-105.abo.bbox.fr!not-for-mail
From: iul...@nom-de-mon-site.com.invalid (Julien ÉLIE)
Newsgroups: news.admin.peering
Subject: Re: Suprisingly a Peering request
Date: Fri, 7 Jan 2022 09:32:10 +0100
Organization: Groupes francophones par TrigoFACILE
Message-ID: <sr8tqb$1hi1n$1@news.trigofacile.com>
References: <smh4c6$b4d$1@solani.org> <sr5bb8$2fkkg$1@news.mixmin.net>
<sr5f77$23dc$3@gallifrey.nk.ca> <sr5n08$kbl$1@gioia.aioe.org>
<slrnste12o.2in.mnalis-news@leia.home.lan>
<sr7i75$25r$3@tncsrv09.home.tnetconsulting.net>
<sr7tbf$1ok9$1@gioia.aioe.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Injection-Date: Fri, 7 Jan 2022 08:32:11 -0000 (UTC)
Injection-Info: news.trigofacile.com; posting-account="julien"; posting-host="176.143-2-105.abo.bbox.fr:176.143.2.105";
logging-data="1624119"; mail-complaints-to="abuse@trigofacile.com"
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0)
Gecko/20100101 Thunderbird/91.4.1
Cancel-Lock: sha1:kgqENewldi2SNoSOj+7ktUZ3LBs= sha256:fnFV3KEae2ww4L4hiGEQzCAH68nWs+BnL/6E0Ufitpk=
sha1:wmzcKA5Hc0rvoEOK38rSQTrdKYg= sha256:IOtL3Cc4RUmyWf8KI66TQDRy8A9q9ir24ULKD/698Is=
Content-Language: fr
In-Reply-To: <sr7tbf$1ok9$1@gioia.aioe.org>
 by: Julien ÉLIE - Fri, 7 Jan 2022 08:32 UTC

Hi R. Holme,

> Many clients have no option for STARTTLS on a clear text port. It's not
> part of the modern way of doing the protocol and AFAIK never has been.
>
> STARTTLS is more of a pop3/imap thing. If you look at Thunderbird, you
> will see that StartTLS is available for mail server settings but not for
> NNTP server settings. It's not an oversight or bug, just not considered
> necessary since it is expected for the server to offer a dedicated
> SSL/TLS port to the client, usually port 563 or 465.
>
> I also see no STARTTLS functionality on the server in question. Socat
> and s_client can't detect it. My tests just return "wrong version
> number." This usually means there is no encryption handshake present on
> the server.

STARTTLS is correctly implemented in OpenSSL for NNTP. It is not only
for POP3 and IMAP...
I agree that Thunderbird and probably the NNTP server you are using do
not implement it, but that does not mean STARTTLS is not feasible
(though implicit TLS on port 563 is the preferred way in RFCs).

s_client: Value must be one of:
smtp
pop3
imap
ftp
xmpp
xmpp-server
telnet
irc
mysql
postgres
lmtp
nntp
sieve
ldap

% openssl s_client -starttls nntp news.aioe.org:119

Works fine!

--
Julien ÉLIE

« I was forgetting that Assurancetourix has a new string on his harp! »
(Astérix)
