Hi,
One of my peers brought something to my attention that they think is not correct about my configuration. They have provided enough information
to make me think I need to change something.
Before I make changes, I want to better understand what various INN
options are and how they will impact my servers.
First, I have two news servers, one is -- what I call -- my public
transit server (with a small spool) that peers with all my peers and the other is my private archive server (with a much larger spool) and only
peers with my transit server.
I've been using "tnetconsulting.net" as the entry in the Path header
thinking that it is a superset of <host>.tnetconsulting.net or <host>.<subdomain>.tnetconsulting.net. It seems as if this is probably
the incorrect value to be using.
My peer has suggested either "pathalias" or "pathcluster" with a value
of "tnetconsulting.net".
My two news servers perform different roles and I would never consider
them to be any form of cluster with each other. So I think that "pathcluster" is a non-starter.
Will someone please help me understand what my two servers should be
doing and how pathalias might influence how they interact with each
other and the rest of Usenet?
Please and thank you.
N.B. I've not named the peer in question out of courtesy. I have no objection to them naming themselves.
Hehe - the peer in question is me.
To shed further light on why Grant is asking, I noticed Grant's issue
when I switched to Diablo which does Path matching diagnostics and
I noticed this in messages coming from his site:
Path:nnrp.usenet.blueworldhosting.com!!spool1.usenet.blueworldhosting.com!dia blo1.usenet.blueworldhosting.com!usenet.blueworldhosting.com!45.33.28.24.MISM ATCH!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alp ha.home.tnetconsulting.net!not-for-mail
I had a similar configuration as Grant and told him I was using "pathalias usenet.blueworldhosting.com" with INN.
I think this is a good discussion as I think based on stuff I've seen here that INN 2.8.0 will add this Path diagnostic feature similar to Diablo.
On 3/19/23 8:08 PM, Jesse Rehmer wrote:
Hehe - the peer in question is me.
;-)
To shed further light on why Grant is asking, I noticed Grant's issue
when I switched to Diablo which does Path matching diagnostics and
I noticed this in messages coming from his site:
Path:nnrp.usenet.blueworldhosting.com!!spool1.usenet.blueworldhosting.com!dia
blo1.usenet.blueworldhosting.com!usenet.blueworldhosting.com!45.33.28.24.MISM
ATCH!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alp
ha.home.tnetconsulting.net!not-for-mail
I had a similar configuration as Grant and told him I was using "pathalias >> usenet.blueworldhosting.com" with INN.
I suspect that I'm going to end up using pathalias as you suggested.
I'm hoping to learn and understand better what should be happening, why
it should be happening, and how I'm (accidentally) going against that now.
I think this is a good discussion as I think based on stuff I've seen here >> that INN 2.8.0 will add this Path diagnostic feature similar to Diablo.
:-)
To piggy onto this, and something I would like to further understand,
is the proper 'technically expected' usage of pathalias vs pathcluster.
I understand the two basically differ whether they append or preprend
the element, but I'm not certain which is correct to use in which
scenarios.
As I explained to Grant via e-mail, in my experience it didn't seem
to matter the ordering of the Path elements so much, but more that
the Path I've told my peers to expect appears somewhere in the Path
header of articles I offer to them.
Hi Jesse,
I noticed Grant's issue when I switched to Diablo which does Path
matching diagnostics and I noticed this in messages coming from his site:
Path:nnrp.usenet.blueworldhosting.com!!spool1.usenet.blueworldhosting.com!dia
blo1.usenet.blueworldhosting.com!usenet.blueworldhosting.com!45.33.28.24.MISM
ATCH!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alp
ha.home.tnetconsulting.net!not-for-mail
FWIW, the standardized syntax is "!.MISMATCH.45.33.28.24", in coherence
with "!.POSTED.alpha.home.tnetconsulting.net". The diagnostic is
followed with a value.
I had a similar configuration as Grant and told him I was using "pathalias >> usenet.blueworldhosting.com" with INN.
I think this is a good discussion as I think based on stuff I've seen here >> that INN 2.8.0 will add this Path diagnostic feature similar to Diablo.
According to Diablo's changelog:
Diablo V1.12
Added Path: name checking. If the first element of the Path:
received by an article does not match any 'alias' statements
for the incoming connection, the IP address is prepended
to the path: with .MISMATCH appended.
files to locate incoming feeds with improperly configuredNOTE <<< you should grep through newly created spool> directories >>>> every so often looking for .MISMATCH in the spool
'alias's (in dnewsfeeds). When I turned this feature on,
I found that four of my 80+ feeds were misconfigured.
I noticed Grant's issue when I switched to Diablo which does Path
matching diagnostics and I noticed this in messages coming from his site:
Path:nnrp.usenet.blueworldhosting.com!!spool1.usenet.blueworldhosting.com!dia blo1.usenet.blueworldhosting.com!usenet.blueworldhosting.com!45.33.28.24.MISM ATCH!tncsrv06.tnetconsulting.net!tncsrv09.home.tnetconsulting.net!.POSTED.alp ha.home.tnetconsulting.net!not-for-mail
I had a similar configuration as Grant and told him I was using "pathalias usenet.blueworldhosting.com" with INN.
I think this is a good discussion as I think based on stuff I've seen here that INN 2.8.0 will add this Path diagnostic feature similar to Diablo.
So the Diablo syntax is backwards?For the "!45.33.28.24.MISMATCH" path diagnostic?
Hi Jesse,
So the Diablo syntax is backwards?For the "!45.33.28.24.MISMATCH" path diagnostic?
It was implemented before the final version of the RFC standardizing it.
The expected standardized one is "!.MISMATCH.45.33.28.24".
It may be worthwhile fixing it in a patch... If Miquel wishes to add it
to its waiting-to-be-merged list of patches.
I also reported a few years ago that Diablo's answer to LISTGROUP
command was not the right one, but unfortunately there's no longer any
active development for Diablo.
Given the large number of profitable commercial entities using Diablo, I am quite certain that development has occurred, but is not being shared with the rest of us.
sprintf(ipfail, "%s.MISMATCH!", PeerIpName);
Hi Jesse,
Given the large number of profitable commercial entities using Diablo, I am >> quite certain that development has occurred, but is not being shared with the
rest of us.
:-(
sprintf(ipfail, "%s.MISMATCH!", PeerIpName);
This line should just be changed to:
sprintf(ipfail, ".MISMATCH.%s!", PeerIpName);
It will then correctly write "usenet.blueworldhosting.com!.MISMATCH.45.33.28.24!tncsrv06.tnetconsulting.n et".
On Mar 20, 2023 at 4:18:51 PM CDT, "Grant Taylor" <gtaylor@tnetconsulting.net>
wrote:
On 3/20/23 12:26 PM, Julien ÉLIE wrote:
Hi Jesse and Grant,
Hi,
Path: pathcluster!!pathhost!!pathalias!...
Thank you for clarifying that.
From inn.conf documentation:
pathalias
The main purpose of this parameter is to configure all news servers
within a particular organization to add a common identity string to the
Path header field body.
pathcluster
The main purpose of this parameter is to make several news servers
appear as one server.
This way, you tell your peers that they should expect "pathcluster" as
the last and unique name for your outgoing feeds.
Is "pathcluster" a place holder in your statement or are you suggesting
that I use "pathcluster"/
And "pathalias" is used to add another name in the Path (for instance in >>> the case we recently discussed to add a specific server name so that
articles are not fed to this news server by others).
Since my multiple servers are not pretending to be one server I think I
should use "pathalias". Correct?
So that the leftmost path entry is unique for all your outgoing feeds.
ACK
After reading Julien's explanation, I believe you want to use pathcluster on your feeder machine so that the "tnetconsulting.net" element is the first/left-most element in the path when you pass the article to a peer.
Hi Jesse and Grant,
Path: pathcluster!!pathhost!!pathalias!...
From inn.conf documentation:
pathalias
The main purpose of this parameter is to configure all news servers
within a particular organization to add a common identity string to the
Path header field body.
pathcluster
The main purpose of this parameter is to make several news servers
appear as one server.
This way, you tell your peers that they should expect "pathcluster" as
the last and unique name for your outgoing feeds.
And "pathalias" is used to add another name in the Path (for instance in
the case we recently discussed to add a specific server name so that
articles are not fed to this news server by others).
So that the leftmost path entry is unique for all your outgoing feeds.
On 3/20/23 12:26 PM, Julien ÉLIE wrote:
Hi Jesse and Grant,
Hi,
Path: pathcluster!!pathhost!!pathalias!...
Thank you for clarifying that.
From inn.conf documentation:
pathalias
The main purpose of this parameter is to configure all news servers
within a particular organization to add a common identity string to the
Path header field body.
pathcluster
The main purpose of this parameter is to make several news servers
appear as one server.
This way, you tell your peers that they should expect "pathcluster" as
the last and unique name for your outgoing feeds.
Is "pathcluster" a place holder in your statement or are you suggesting
that I use "pathcluster"/
And "pathalias" is used to add another name in the Path (for instance in
the case we recently discussed to add a specific server name so that
articles are not fed to this news server by others).
Since my multiple servers are not pretending to be one server I think I should use "pathalias". Correct?
So that the leftmost path entry is unique for all your outgoing feeds.
ACK
I also fixed my Diablo configuration. The ordering of the '-c' (Common path) and '-p' (Feeder/hostname path) flags matter when you start Diablo, and I had them in the wrong order
Good discussion all, looking forward to INN 2.8.0 adding the Path diagnostic!
Hi Jesse,
I also fixed my Diablo configuration. The ordering of the '-c' (Common path) >> and '-p' (Feeder/hostname path) flags matter when you start Diablo, and I had
them in the wrong order
I am reassured that INN isn't the only news server with trapdoors in its configuration :-)
Good discussion all, looking forward to INN 2.8.0 adding the Path diagnostic!
It will normally be in the 2.7.2 release; we do not necessarily need a
major release for this change. Not before the end of this year though.
Meanwhile, if you have any suggestions, here is what I had in mind.
A new "pathmatch" parameter in incoming.conf expects a wildmat pattern
and has no default value.
If the leftmost path identity of an incoming article from a peer matches
the pattern value of that parameter (in incoming.conf) when set or, when unset, equals the label of the peer, then a double "!!" will be
prepended to the Path header field to show it has been successfully
verified.
If the leftmost path identity does not match the pattern, when set, "!.MISMATCH." is prepended along with the peer IP, and a notice log is written to say there's a path mismatch (the log is written only once
*per connection* from the peer, and will be reported in Usenet daily
reports as unknown lines near the beginning of the report).
In all other cases, "!.SEEN." with the peer IP is added, without any
notice log.
There's a special case to deal with: articles coming from a local Unix
domain socket (like connections to innd by rnews or nnrpd). I would
suggest "!.SEEN.localhost" for them (except of course when the path
identity corresponds to nnrpd's "!.POSTED", in which case we do not add
a path diagnostic).
I don't think "!!" or "!.MISMATCH." is suitable for these articles as
the path identity may be different than the real one of the remote peer,
and I do not see any way to ensure that (when processing rnews batches
coming from an external source, UUCP, etc. we no longer know the source).
This proposal permits not generating a "!.MISMATCH." if the admin does
not set an explicit "pathmatch" entry for a peer. It will therefore not surprise him, and won't introduce spurious "!.MISMATCH." in the wild.
I would also suggest a new "pathdiag" parameter, set to true by default,
that can be used at global scope and also per peer, to disable the
feature. Maybe a "pathdomainsocketdiag" parameter would also be useful
to configure the same thing for local Unix domain sockets (they do not
have a peer configuration in incoming.conf).
Any thoughts about that or other suggestions?
After reading Julien's explanation, I believe you want to use
pathcluster on your feeder machine so that the "tnetconsulting.net"
element is the first/left-most element in the path when you pass the
article to a peer.
pathalias
The main purpose of this parameter is to configure all news servers
within a particular organization to add a common identity string to
the Path header field body.
pathcluster
The main purpose of this parameter is to make several news servers
appear as one server.
On 3/20/23 3:27 PM, Jesse Rehmer wrote:
After reading Julien's explanation, I believe you want to use
pathcluster on your feeder machine so that the "tnetconsulting.net"
element is the first/left-most element in the path when you pass the
article to a peer.
I'm unconvinced.
On 3/20/23 12:26 PM, Julien ÉLIE wrote:
pathalias
The main purpose of this parameter is to configure all news servers
within a particular organization to add a common identity string to
the Path header field body.
This sounds like what I was intending to do by having peers use tnetconsulting.net in their excludes in their newsfeeds file.
pathcluster
The main purpose of this parameter is to make several news servers
appear as one server.
My two servers are decidedly different and in no way or shape trying to appear as one (logical) server.
The more reading that I do, the more that I think I want a pathalias set
to tnetconsulting.net.
This makes me think that articles from my servers would be something
like the following:
Path: ...:tncsrv09.home.tnetconsulting.net:tncsrv06.tnetconsulting.net:tnetconsult ing.net:...
I would then continue asking peers to exclude :tnetconsulting.net: from
their feeds to me.
Hi Jesse and Grant,
Path: pathcluster!!pathhost!!pathalias!...
From inn.conf documentation:
pathalias
The main purpose of this parameter is to configure all news servers
within a particular organization to add a common identity string to the
Path header field body.
pathcluster
The main purpose of this parameter is to make several news servers
appear as one server.
This way, you tell your peers that they should expect "pathcluster" as
the last and unique name for your outgoing feeds.
On Mar 20, 2023 at 6:15:17 PM CDT, "Grant Taylor" <gtaylor@tnetconsulting.net>
wrote:
On 3/20/23 3:27 PM, Jesse Rehmer wrote:
After reading Julien's explanation, I believe you want to use
pathcluster on your feeder machine so that the "tnetconsulting.net"
element is the first/left-most element in the path when you pass the
article to a peer.
I'm unconvinced.
On 3/20/23 12:26 PM, Julien ÉLIE wrote:
pathalias
The main purpose of this parameter is to configure all news servers
within a particular organization to add a common identity string to
the Path header field body.
This sounds like what I was intending to do by having peers use
tnetconsulting.net in their excludes in their newsfeeds file.
pathcluster
The main purpose of this parameter is to make several news servers
appear as one server.
My two servers are decidedly different and in no way or shape trying to
appear as one (logical) server.
The more reading that I do, the more that I think I want a pathalias set
to tnetconsulting.net.
This makes me think that articles from my servers would be something
like the following:
Path:
...:tncsrv09.home.tnetconsulting.net:tncsrv06.tnetconsulting.net:tnetconsult >> ing.net:...
I would then continue asking peers to exclude :tnetconsulting.net: from
their feeds to me.
That is the same MISMATCH I see in your articles today. You want your Path to look like this:
Path: tnetconsulting.net!tncsrv09.home.tnetconsulting.net:tncsrv06.tnetconsulting.n et:...
If tncsrv09.home.tnetconsulting.net is our peering server, that's where you want to set pathcluster.
To me there must be a reason for the difference in pathalias and
pathcluster. If not, why would they exist?
I feel like there is some minutia that is /explicitly/ for the
difference between multiple unrelated news servers in an organization
and multiple interrelated news servers in a cluster.
I should have looked at your headers before replying, I see its tncsrv06.tnetconsulting.net that is your peering box.
So that's where you want pathcluster set to tnetconsulting.
I believe that I want to set /pathalias/ and have you exclude tnetconsulting.net (the organization).
One of the reasons that I'm stuck on /pathalias/ and /organization/ is
that the server at the name will likely change to something other than tncsrv06... at some point in the future.
My current understanding is that /if/ 1) I set a /pathalias/ "tnetconsulting.net" and 2) you exclude "tnetconsulting.net", then the hostname of the actual back end server that you're peering doesn't
matter.
N.B. this is predicated on the software & configuration wanting the
exclude and the pathalias / path / pathcluster to match. -- I'm not
aware of any need to match the exclude / path to the hostname that
you're connecting to / accepting connections from.
This is correct for deciding what messages to send you (in that case, both pathalias and pathcluster are equivalent), but*not* for Path
verification.
No, neither of these are for the case of unrelated news servers.
If you have unrelated news servers, just use different Path entries
for them and don't set either pathalias or pathcluster. Both of
these settings are only for*related* servers.
On Mar 20, 2023 at 9:22:47 PM CDT, "Grant Taylor" <gtaylor@tnetconsulting.net>
wrote:
On 3/20/23 7:25 PM, Russ Allbery wrote:
This is correct for deciding what messages to send you (in that case, both >>> pathalias and pathcluster are equivalent), but*not* for Path
verification.
Okay....
Where can I find out more about how path verification is supposed to
function.
It is becoming evident that I'm thinking about things incorrectly and I
need to read more documentation.
The easiest way to think about it is this (for me at least):
You are telling peers that your site's Path is "tnetconsulting.net". When my server receives an article from yours the first element in the Path: header my
server expects to see to validate a match is exactly tnetconsulting.net. If it
contains any other value, such as your FQDNs as the first element, it is considered a mismatch, no matter if this element appears later in the Path.
You want to make sure the last Path element your news server adds when sending
to other peers is what you've told those peers to expect. It's common to use a
generic name for the Path header (like I do with usenet.blueworldhostig.com), but have the actual feeder or other server names by more unique. Those more unique names don't validate for Path matching if they appear before tnetconsulting.net.
On 3/20/23 7:25 PM, Russ Allbery wrote:
This is correct for deciding what messages to send you (in that case, both >> pathalias and pathcluster are equivalent), but*not* for Path
verification.
Okay....
Where can I find out more about how path verification is supposed to function.
It is becoming evident that I'm thinking about things incorrectly and I
need to read more documentation.
On Mar 20, 2023 at 9:35:41 PM CDT, "Jesse Rehmer" <jesse.rehmer@blueworldhosting.com> wrote:
On Mar 20, 2023 at 9:22:47 PM CDT, "Grant Taylor" <gtaylor@tnetconsulting.net>
wrote:
On 3/20/23 7:25 PM, Russ Allbery wrote:
This is correct for deciding what messages to send you (in that case, both >>>> pathalias and pathcluster are equivalent), but*not* for Path
verification.
Okay....
Where can I find out more about how path verification is supposed to
function.
It is becoming evident that I'm thinking about things incorrectly and I
need to read more documentation.
The easiest way to think about it is this (for me at least):
You are telling peers that your site's Path is "tnetconsulting.net". When my >> server receives an article from yours the first element in the Path: header my
server expects to see to validate a match is exactly tnetconsulting.net. If it
contains any other value, such as your FQDNs as the first element, it is
considered a mismatch, no matter if this element appears later in the Path. >>
You want to make sure the last Path element your news server adds when sending
to other peers is what you've told those peers to expect. It's common to use a
generic name for the Path header (like I do with usenet.blueworldhostig.com),
but have the actual feeder or other server names by more unique. Those more >> unique names don't validate for Path matching if they appear before
tnetconsulting.net.
Forgot to mention, it may help to look at what headers look like originating from your server from another server's perspective. There are a number of ways
to do this, but an easy one is to post an article to alt.test with some valid e-mail address as the sender, and the news.nobody.at reflector will e-mail you
confirmation containing headers from your article.
For validation matching you want to see the ordering of elements like the example below where your advertised Path name your peers are looking for is the left most element before the peer who accepted the article from you.
Path: some-receiving-peer!tnetconsulting.net!tncsrv06.tnetconsulting.net!tncsrv09.h ome.tnetconsulting.net!.POSTED.al
pha.home.tnetconsulting.net!not-for-mail"
You are telling peers that your site's Path is
"tnetconsulting.net". When my server receives an article from yours the
first element in the Path: header my server expects to see to validate
a match is exactly tnetconsulting.net. If it contains any other value,
such as your FQDNs as the first element, it is considered a mismatch,
no matter if this element appears later in the Path.
You are telling peers that your site's Path is
"tnetconsulting.net". When my server receives an article from yours
the *chronologically* *newest* or *left* *most* element in the Path:
header my server expects to see to validate a match is exactly tnetconsulting.net. If it contains any other value, such as your
FQDNs as the *chronologically* *newest* or *left* *most* element, it
is considered a mismatch, no matter if this element appears later in
the Path.
8--
For validation matching you want to see the ordering of elements
like the example below where your advertised Path name your peers
are looking for is the left most element before the peer who accepted
the article from you.
When my server receives an article from yours the first element in
the Path: header my server expects to see to validate a match is
exactly tnetconsulting.net.
8--
I think this is coming down to a discrepancy between "left most" and
"first".
Combine this with the following excerpts from the inn.conf man page.
--8<--
pathalias - If set, this value is prepended to the Path: header of
accepted posts (before pathhost) if it doesn't already appear in the
Path: header.
pathcluster - If set, this value is appended to the Path: header of accepted posts (after pathhost) if it isn't already present as the last element of the Path: header.
8--
Meanwhile, if you have any suggestions, here is what I had in mind.
A new "pathmatch" parameter in incoming.conf expects a wildmat pattern
and has no default value.
If the leftmost path identity of an incoming article from a peer matches
the pattern value of that parameter (in incoming.conf) when set or, when
unset, equals the label of the peer, then a double "!!" will be
prepended to the Path header field to show it has been successfully
verified.
If the leftmost path identity does not match the pattern, when set,
"!.MISMATCH." is prepended along with the peer IP, and a notice log is
written to say there's a path mismatch (the log is written only once
*per connection* from the peer, and will be reported in Usenet daily
reports as unknown lines near the beginning of the report).
This is more or less equivalent to the behavior of Diablo's "alias" parameter in dnewsfeeds that accepts wildmat patterns, though it doesn't implement the verified !! portion.
In all other cases, "!.SEEN." with the peer IP is added, without any
notice log.
Can you explain further what "other cases" this would be applicable to?
There's a special case to deal with: articles coming from a local Unix
domain socket (like connections to innd by rnews or nnrpd). I would
suggest "!.SEEN.localhost" for them (except of course when the path
identity corresponds to nnrpd's "!.POSTED", in which case we do not add
a path diagnostic).
I don't think "!!" or "!.MISMATCH." is suitable for these articles as
the path identity may be different than the real one of the remote peer,
and I do not see any way to ensure that (when processing rnews batches
coming from an external source, UUCP, etc. we no longer know the source).
I'd have to really think more about this, but can see where this might get a little ugly.
This proposal permits not generating a "!.MISMATCH." if the admin does
not set an explicit "pathmatch" entry for a peer. It will therefore not
surprise him, and won't introduce spurious "!.MISMATCH." in the wild.
Nothing that I'm aware of rejects based on MISMATCH at this time, so would it be so bad to have the behavior on by default as is with Diablo? Might encourage more operators to properly tweak their configurations.
I would also suggest a new "pathdiag" parameter, set to true by default,
that can be used at global scope and also per peer, to disable the
feature. Maybe a "pathdomainsocketdiag" parameter would also be useful
to configure the same thing for local Unix domain sockets (they do not
have a peer configuration in incoming.conf).
Sounds reasonable. If pathdiag is enabled by default and you do not add any pathmatch statements to incoming.conf, is the behavior for path diagnostic/matching basically the same as it is now?
Hi Grant,
That's a pretty good point.
I suggest the following improvement in how all that stuff is documented
in inn.conf. (Thanks, Russ, for your great wording I reused.)
*pathalias*
If set, this value is prepended to the Path header field body of
accepted articles (just before *pathhost*, at its right) if it
*pathcluster*
If set, this value is appended to the Path header field body of
accepted articles (just after *pathhost*, at its left) if it isn't
*pathalias*As it's the use of "before" and "after" that cause so much confusion
If set, this value is prepended to the Path header field body of
accepted articles (just before *pathhost*, at its right) if it
*pathcluster* >> If set, this value is appended to the Path header field body of
accepted articles (just after *pathhost*, at its left) if it >
when dealing with the Path header - and which means append or prepend -
I'd suggest rewording the parenthesised part to "immediately to the
right of pathhost", or similar. The current wording still allows room
for ambiguity as to which element, "pathhost" or "pathalias", is
rightmost.
Hi Grant and Tom,
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 300 |
Nodes: | 16 (2 / 14) |
Uptime: | 58:30:39 |
Calls: | 6,712 |
Files: | 12,243 |
Messages: | 5,355,631 |