Merge branch 'running2' of login.chiark.greenend.org.uk:public-git/inn-innduct

[inn-innduct.git] / INSTALL

Welcome to INN 2.4!

    Please read this document thoroughly before trying to install INN. 
    You'll be glad you did.

    If you are upgrading from a major release of INN prior to 2.3, it is
    recommended that you make copies of your old configuration files and use
    them as guides for doing a clean installation and configuration of 2.4. 
    Many config files have changed, some have been added, and some have been
    removed.  You'll find it much easier to start with a fresh install than
    to try to update your old installation.  This is particularly true if
    you're upgrading from a version of INN prior to 2.0.

    If you are upgrading from INN 2.3 or later, you may be able to just
    update the binaries, scripts, and man pages by running:

        make update

    after building INN and then comparing the new sample configuration files
    with your current ones to see if anything has changed.  If you take this
    route, the old binaries, scripts, and man pages will be saved with an
    extension of ".OLD" so that you can easily back out.  Be sure to
    configure INN with the same options that you used previously if you take
    this approach (in particular, INN compiled with --enable-largefiles
    can't read the data structures written by INN compiled without that
    flag, and vice versa).  If you don't remember what options you used but
    you have your old build tree, look at the comments at the beginning of
    config.status.

    If you made ckpasswd setuid root so that you could use system passwords,
    you'll have to do that again after make update.  (It's much better to
    use PAM instead if you can.)

    If you use "make update" to upgrade from INN 2.3, also look at the new
    sample configuration files in samples to see if there are new options of
    interest to you.  In particular, control.ctl has been updated and
    inn.conf has various new options.

    For more information about recent changes, see NEWS.

Supported Systems

    As much as possible, INN is written in portable C and should work on any
    Unix platform.  It does, however, make extensive use of mmap(2) and
    certain other constructs that may be poorly or incompletely implemented,
    particularly on very old operating systems.

    INN has been confirmed to work on the following operating systems:

        AIX 4.3
        FreeBSD 2.2.x and up
        HP-UX 10.20 and up
        Linux 2.x (tested with libc 5.4, glibc 2.0 and up)
        Mac OS X 10.2 and up
        NetBSD 1.6 and up
        OpenBSD 2.8 and up
        SCO 5.0.4 (tested with gcc 2.8.1, cc)
        Solaris 2.5.x and up
        UnixWare 7.1
        UX/4800 R11 and up

    If you have gotten INN working on an operating system other than the
    ones listed above, please let us know at <inn-bugs@isc.org>.

Before You Begin

    INN requires several other packages be installed in order to be fully
    functional (or in some cases, to work at all):

    * In order to build INN, you will need a C compiler that understands
      ANSI C.  If you are trying to install INN on an operating system that
      doesn't have an ANSI C compiler (such as SunOS), installing gcc is
      recommended.  You can get it from <ftp://ftp.gnu.org/gnu/gcc/> or its
      mirrors.  INN is tested with gcc more thoroughly than with any other
      compiler, so even if you have another compiler available, you may wish
      to use gcc instead.

    * Currently, in order to build INN, you will need an implementation of
      yacc.  GNU bison (from <ftp://ftp.gnu.org/gnu/bison/> or its mirrors)
      will work fine.  We hope to remove this requirement in the future.

    * INN requires at least Perl 5.004_03 to build and to run several
      subsystems.  INN is tested primarily with newer versions of Perl, so
      it's generally recommended that you install the latest stable
      distribution of Perl before compiling INN.  For instructions on
      obtaining and installing Perl, see
      <http://www.perl.com/pub/language/info/software.html>.  Note that you
      may need to use the same compiler and options (particularly largefile
      support) for Perl and INN.

      If you're using a version of Perl prior to 5.6.0, you may need to make
      sure that the Perl versions of your system header files have been
      generated in order for Sys::Syslog to work properly (used by various
      utility programs, including controlchan).  To do this, run the
      following two commands:

          # cd /usr/include
          # h2ph * sys/*

      An even better approach is to install Perl 5.6.1 or later, which have
      a fixed version of Sys::Syslog that doesn't require this (as well as
      many other improvements over earlier versions of Perl).

    * The INN Makefiles use the syntax "include FILE", rather than the
      syntax expected by some BSDish systems of ".include <FILE>".  If your
      system expects the latter syntax, the recommended solution is to
      install GNU make from <ftp://ftp.gnu.org/make/>.  You may have GNU
      make already installed as gmake, in which case using gmake rather than
      make to build INN should be sufficient.

    * If you want to enable support for authenticated control messages (this
      is not required, but is highly recommended for systems carrying public
      Usenet hierarchies) then you will need to install some version of PGP.
      The recommended version is GnuPG, since it's actively developed,
      supports OpenPGP, is freely available and free to use for any purpose
      (in the US and elsewhere), and (as of version 1.0.4 at least) supports
      the RSA signatures used by most current control message senders.

      Alternately, you can install PGP from <http://www.pgp.com/> or one of
      the international versions of it.  Be warned, however, that the
      licensing restrictions on PGP inside the United States are extremely
      unclear; it's possible that if you are installing INN for a company in
      the U.S., even if the news server is not part of the business of that
      company, you would need to purchase a commercial license for PGP.  For
      an educational or non-profit organization, this shouldn't be a
      problem.

    * If you want to use either the Python embedded hooks, you'll need to
      have a suitable versions of Python installed.  See doc/hook-python for
      more information.

    * Many of INN's optional features require other packages (primarily
      libraries) be installed.  If you wish to use any of these optional
      features, you will need to install those packages first.  Here is a
      table of configure options enabling optional features and the software
      and versions you'll need:

          --with-perl         Perl 5.004_03 or higher, 5.6.1+ recommended
          --with-python       Python 1.5.2 or higher
          --with-berkeleydb   BerkeleyDB 2.0 or higher, 4.2+ recommended
          --with-openssl      OpenSSL 0.9.6 or higher
          --with-sasl         SASL 2.x or higher
          --with-kerberos     MIT Kerberos v5 1.2.x or higher

      If any of these libraries (other than Perl or Python) are built shared
      and installed in locations where your system doesn't search for shared
      libraries by default, you may need to encode the paths to those shared
      libraries in the INN binaries.  For more information on shared library
      paths, see:

          <http://www.eyrie.org/~eagle/notes/rpath.html>

      For most systems, setting the environment variable LD_RUN_PATH to a
      colon-separated list of additional directories in which to look for
      shared libraries before building INN will be sufficient.

Unpacking the Distribution

    Released versions of INN are available from ftp.isc.org in /isc/inn. 
    New major releases will be announed on <inn-announce@isc.org> (see
    README) when they're made.

    If you want more a more cutting-edge version, you can obtain current
    snapshots from from ftp.isc.org in directory /isc/inn/snapshots.  These
    are snapshots of the INN CVS tree taken daily; there are two snapshots
    made each night (one of the current development branch, and one of the
    stable branch consisting of bug fixes to the previous major release). 
    They are stored in date format; in other words the snapshots from April
    6th, 2000, would be named inn-CURRENT-20000406.tar.gz and
    inn-STABLE-20000406.tar.gz.  Choose the newest file of whichever branch
    you prefer.  (Note that the downloading, configuring, and compiling
    steps can be done while logged in as any user.)

    The distribution is in gzip compressed tar archive format.  To extract
    it, execute:

        gunzip -c <inn-src-file> | tar -xf -

    Extracting the source distribution will create a directory named
    inn-<version> or inn-<BRANCH>-<date> where the source resides.

Installing INN

    Before beginning installation, you should make sure that there is a user
    on your system named "news", and that this user's primary group is set
    to a group called "news".  You can change these with the
    --with-news-user and --with-news-group options to configure (see below).
    The home directory of this user should be set to the directory under
    which you wish to install INN (/usr/local/news is the default and is a
    good choice).  INN will install itself as this user and group.  You can
    change these if you want, but these are the defaults and it's easier to
    stick with them on a new installation.

    By default, INN sends reports to the user "usenet".  This account isn't
    used for any other purposes.  You can change it with the
    --with-news-master option to configure (see below).

    WARNING: By default, INN installs various configuration files as
    group-writeable, and in general INN is not hardened from a security
    standpoint against an attack by someone who is already in the news
    group.  In general, you should consider membership in the news group as
    equivalent to access to the news account.  You should not rely on being
    able to keep anyone with access to the news GID from converting that
    into access to the news UID.  The recommended configuration is to have
    the only member of the group "news" be the user "news".

    Installing INN so that all of its files are under a single directory
    tree, rather than scattering binaries, libraries, and man pages
    throughout the file system, is strongly recommended.  It helps keep
    everything involved in the operation of INN together as a unit and will
    make the installation instructions easier to follow.

    As a side note, whenever doing anything with a running news server,
    first log in as this user.  That way, you can ensure that all files
    created by any commands you run are created with the right ownership to
    be readable by the server.  Particularly avoid doing anything in the
    news spool itself as root, and make sure you fix the ownership of any
    created files if you have to.  INN doesn't like files in the news spool
    owned by a user other than the news user.  However, since certain
    binaries need to be setuid root, indiscriminate use of "chown news" is
    not the solution.  (If you don't like to log in to system accounts,
    careful use of "chmod g+s" on directories and a umask of 002 or 007 may
    suffice.)

    INN uses GNU autoconf and a generated configure script to make
    configuration rather painless.  Unless you have a rather abnormal setup,
    configure should be able to completely configure INN for your system. 
    If you want to change the defaults, you can invoke the configure script
    with one or more command line options.  Type:

        ./configure --help

    for a full list of supported options.  Some of the most commonly used
    options are:

    --prefix=PATH
        Sets the installation prefix for INN.  The default is
        /usr/local/news.  All of INN's programs and support files will be
        installed under this directory.  This should match the home
        directory of your news user (it will make installation and
        maintenance easier).  It is not recommended to set this to /usr; if
        you decide to do that anyway, make sure to point INN's temporary
        directory at a directory that isn't world-writeable (see
        --with-tmp-dir below).

    --with-db-dir=PATH
        Sets the prefix for INN database files.  The default is PREFIX/db,
        where PREFIX is /usr/local/news unless overridden with the option
        above.  The history and active files will be stored in this
        directory, and writes to those files are an appreciable percentage
        of INN's disk activity.  The history file can also be quite large
        (requiring up to 2 GB or more during nightly expire), so this is a
        common portion of INN to move to a different file system.

    --with-spool-dir=PATH
        Sets the prefix for the news spool (when using any storage method
        other than CNFS) and the overview spool.  The default is
        PREFIX/spool.  This is another common portion of INN to move to a
        different file system (often /news).

    --with-tmp-dir=PATH
        Sets the directory in which INN will create temporary files.  This
        should under no circumstances be the same as the system temporary
        directory or otherwise be set to a world-writeable directory, since
        INN doesn't take care to avoid symlink attacks and other security
        problems possible with a world-writeable directory.  This directory
        should be reserved for the exclusive use of INN and only writeable
        by the news user.  Usage is generally light, so this is unlikely to
        need a separate partition.

        It's also possible to set the paths for most other sections of the
        INN installation independently; see "./configure --help" and look
        for the --with-*-dir=PATH options.

    --enable-largefiles
        Enables large file support.  This is not enabled by default, even on
        platforms that support it, because it changes the format of INN's
        on-disk databases (making it difficult to upgrade an earlier INN
        installation) and can significantly increase the size of some of the
        history database files.  Large file support is not necessary unless
        your history database is so large that it exceeds 2 GB or you want
        to use CNFS buffers larger than 2 GB.

        The history, tradindexed and buffindexed overview, CNFS, and timecaf
        databases written by an INN built with this option are incompatible
        with those written by an INN without this option.

    --enable-tagged-hash
        Use tagged hash table for the history database.  The tagged hash
        format uses much less memory but is somewhat slower.  This option is
        recommended if you have less than 256 MB of RAM on your news server.
        If you install INN without tagged hash (the default) and expire
        takes an excessive amount of time, you should make sure the RAM in
        your system satisfies the following formula:

            ram > 10 * tablesize

                  ram:  Amount of system RAM (in bytes)
            tablesize:  3rd field on the 1st line of history.dir (bytes)

        If you don't have at least that much RAM, try rebuilding INN with
        tagged hash enabled.

        NOTE: --enable-largefiles cannot be used with --enable-tagged-hash.

    --with-perl
        Enables support for embedded Perl, allowing you to install filter
        scripts written in Perl.  Highly recommended, because many really
        good spam filters are written in Perl.  See doc/hook-perl for all
        the details.

        Even if you do not use this option, INN still requires Perl as
        mentioned above.

    --with-python
        Enables support for Python, allowing you to install filter and
        authentication scripts written in Python.  You will need Python
        1.5.2 or later installed on your system to enable this option.  See
        doc/hook-python for all the details.  Note that there is an
        incompatibility between INN and Python 2.0 when Python is compiled
        with cycle garbage collection; this problem was reported fixed in
        Python 2.1a1.

    --with-innd-port=PORT
        By default, inndstart(8) refuses to bind to any port under 1024
        other than 119 and 433 for security reasons (to prevent attacks on
        rsh(1)-based commands and replacing standard system daemons).  If
        you want to run innd on a different port under 1024, you'll need to
        tell configure what port you intend to use.  (You'll also still need
        to set the port number in inn.conf or give it to inndstart on the
        command line.)

    --with-syslog-facility=FACILITY
        Specifies the syslog facility that INN programs should log to.  The
        default is LOG_NEWS unless configure detects that your system
        doesn't understand that facility, in which case it uses LOG_LOCAL1. 
        This flag overrides the automatic detection.  Be sure to specify a
        facility not used by anything else on your system (one of LOG_LOCAL0
        through LOG_LOCAL7, for example).

    --enable-libtool
        INN has optional support for libtool to generate shared versions of
        INN's libraries.  This can significantly decrease the size of the
        various binaries that come with a complete INN installation.  You
        can also choose to use libtool even when only building static
        libraries; a libtool build may be somewhat more portable on weird
        systems.  libtool builds aren't the default because they take
        somewhat longer.  See "./configure --help" for the various available
        options related to libtool builds.

        Please note that INN's shared library interface is not stable and
        may change drastically in future releases.  For this reason, it's
        also not properly versioned and won't be until some degree of
        stability is guaranteed, and the relevant header files are not
        installed.  Only INN should use INN's shared libraries, and you
        should only use the shared libraries corresponding to the version of
        INN that you're installing.

        Also, when updating an existing version of INN, INN tries to save
        backup copies of all files so that you can revert to the previous
        installed version.  Unfortunately, when using shared libraries, this
        confuses ldconfig on some systems (such as Linux) and the symbolic
        links for the libraries may point to the .OLD versions.  If this
        happens, you can either fix the links by hand or remove the .OLD
        versions and re-run ldconfig.

    --enable-uucp-rnews
        If this option is given to configure, rnews will be installed setuid
        news, owned by group uucp, and mode 4550.  This will allow the UUCP
        subsystem to run rnews to process UUCP batches of news articles. 
        Prior to INN 2.3, installing rnews setuid news was standard; since
        most sites no longer use UUCP, it is no longer the default as of INN
        2.3 and must be requested at configure time.  You probably don't
        want to use this option unless your server accepts UUCP news
        batches.

    --enable-setgid-inews
        If this option is given to configure, inews will be installed setgid
        news and world-executable so that non-privileged users on the news
        server machine can use inews to post articles locally (somewhat
        faster than opening a new network connection).  For standalone news
        servers, by far the most common configuration now, there's no need
        to use this option; even if you have regular login accounts on your
        news server, INN's inews can post fine via a network connection to
        your running news server and doesn't need to use the local socket
        (which is what setgid enables it to do).  Installing inews setgid
        was the default prior to INN 2.3.

    --with-berkeleydb=PATH
        Enables support for Berkeley DB (2.x or 3.x), which means that it
        will then be possible to use the ovdb overview method if you wish. 
        Enabling this configure option doesn't mean you'll be required to
        use ovdb, but it does require that Berkeley DB be installed on your
        system (including the header files, not just the runtime libraries).
        If a path is given, it sets the installed directory of Berkeley DB
        (configure will search for it in some standard locations, but if you
        have it installed elsewhere, you may need this option).

    --with-openssl=PATH
        Enables support for SSL for news reading, which means it will be
        possible to have SSL or TLS encrypted NNTP connections between your
        server and newsreaders.  This option requires OpenSSL be installed
        on your system (including the header files, not just the runtime
        libraries).  If a path is given, it sets the installed directory of
        OpenSSL.  After compiling and installing INN with this option,
        you'll still need to make a certificate and private key to use SSL. 
        See below for details on how to do that.

    --enable-ipv6
        Enables support for IPv6 in innd, innfeed, nnrpd, and several of the
        supporting programs.  This option should be considered developmental
        at present.  For more information see doc/IPv6-info (and if you have
        any particularly good or bad news to report, please let us know at
        <inn-bugs@isc.org>).

    For the most common installation, a standalone news server, a suggested
    set of options is:

        ./configure --with-perl

    provided that you have the necessary version of Perl installed. 
    (Compiling with an embedded Perl interpretor will allow you to use one
    of the available excellent spam filters if you so choose.)

    If the configure program runs successfully, then you are ready to build
    the distribution.  From the root of the INN source tree, type:

        make

    At this point you can step away from the computer for a little while and
    have a quick snack while INN compiles.  On a decently fast system it
    should only take five or ten minutes at the most to build.

    Once the build has completed successfully, you are ready to install INN
    into its final home.  Type:

        make install

    You will need to run this command as root so that INN can create the
    directories it needs, change ownerships (if you did not compile as the
    news user) and install a couple of setuid wrapper programs needed to
    raise resource limits and allow innd to bind to ports under 1024.  This
    step will install INN under the install directory (/usr/local/news,
    unless you specified something else to the configure script).

    If you are configuring SSL support for newsreaders, you must make a
    certificate and private key at least once.  Type:

        make cert

    as root in order to do this.

    You are now ready for the really fun part:  configuring your copy of
    INN!

Choosing an Article Storage Format

    The first thing to decide is how INN should store articles on your
    system.  There are four different methods for you to choose from, each
    of which has its own advantages and disadvantages.  INN can support all
    four at the same time, so you can store certain newsgroups in one method
    and other newsgroups in another method.

    The supported storage formats are:

    tradspool
        This is the storage method used by all versions of INN previous to
        2.0.  Articles are stored as individual text files whose names are
        the same as the article number.  The articles are divided up into
        directories based on the newsgroup name.  For example, article 12345
        in news.software.nntp would be stored as news/software/nntp/12345
        relative to the root of the article spool.

        Advantages:  Widely used and well-understood storage mechanism, can
        read article spools written by older versions of INN, compatible
        with all third-party INN add-ons, provides easy and direct access to
        the articles stored on your server and makes writing programs that
        fiddle with the news spool very easy, and gives you fine control
        over article retention times.

        Disadvantages:  Takes a very fast file system and I/O system to keep
        up with current Usenet traffic volumes due to file system overhead. 
        Groups with heavy traffic tend to create a bottleneck because of
        inefficiencies in storing large numbers of article files in a single
        directory.  Requires a nightly expire program to delete old articles
        out of the news spool, a process that can slow down the server for
        several hours or more.

    timehash
        Articles are stored as individual files as in tradspool, but are
        divided into directories based on the arrival time to ensure that no
        single directory contains so many files as to cause a bottleneck.

        Advantages:  Heavy traffic groups do not cause bottlenecks, and fine
        control of article retention time is still possible.

        Disadvantages:  The ability to easily find all articles in a given
        newsgroup and manually fiddle with the article spool is lost, and
        INN still suffers from speed degredation due to file system overhead
        (creating and deleting individual files is a slow operation).

    timecaf
        Similar to timehash, articles are stored by arrival time, but
        instead of writing a separate file for each article, multiple
        articles are put in the same file.

        Advantages:  Roughly four times faster than timehash for article
        writes, since much of the file system overhead is bypassed, while
        still retaining the same fine control over article retention time.

        Disadvantages:  Even worse than timehash, and similar to cnfs
        (below), using this method means giving up all but the most careful
        manually fiddling with your article spool.  As one of the newer and
        least widely used storage types, timecaf has not been as thoroughly
        tested as the other methods.

    cnfs
        CNFS stores articles sequentially in pre-configured buffer files. 
        When the end of the buffer is reached, new articles are stored from
        the beginning of the buffer, overwriting older articles.

        Advantages:  Blazingly fast because no file creations or deletions
        are necessary to store an article.  Unlike all other storage
        methods, does not require manual article expiration; old articles
        are deleted to make room for new ones when the buffers get too full.
        Also, with CNFS your server will never throttle itself due to a full
        spool disk, and groups are restricted to just the buffer files you
        give them so that they can never use more than the amount of disk
        space you allocate to them.

        Disadvantages:  Article retention times are more difficult to
        control because old articles are overwritten automatically.  Attacks
        on Usenet, such as flooding or massive amounts of spam, can result
        in wanted articles expiring much faster than you intended (with no
        warning).

    Some general recommendations:  If you are installing a transit news
    server (one that just accepts news and sends it out again to other
    servers and doesn't support any readers), use CNFS exclusively and don't
    worry about any of the other storage methods.  Otherwise, put
    high-volume groups and groups whose articles you don't need to keep
    around very long (binaries groups, *.jobs*, news.lists.filters, etc.) in
    CNFS buffers, and use timehash, timecaf, or tradspool (if you have a
    fast I/O subsystem or need to be able to go through the spool manually)
    for everything else.  You'll probably find it most convenient to keep
    special hierarchies like local hierarchies and hierarchies that should
    never expire in tradspool.

    If your news server will be supporting readers, you'll also need to
    choose an overview storage mechanism (by setting *ovmethod* in
    inn.conf).  There are three overview mechanisms to choose from: 
    tradindexed, buffindexed, and ovdb.  tradindexed is very fast for
    readers, but it has to update two files for each incoming article and
    can be quite slow to write.  buffindexed can keep up with a large feed
    more easily, since it uses large buffers to store all overview
    information, but it's somewhat slower for readers (although not as slow
    as the unified overview in INN 2.2).  ovdb stores overview data in a
    Berkeley DB database; it's fast and very robust, but requires more disk
    space.  See the ovdb(5) man page for more information on it.

    Note that ovdb has not been as widely tested as the other overview
    mechanisms and should be considered experimental.  tradindexed is the
    best tested and most widely used of the overview implementations.

    If buffindexed is chosen, you will need to create the buffers for it to
    use (very similar to creating CNFS buffers) and list the available
    buffers in buffindexed.conf.  See buffindexed.conf(5) for more
    information.

Configuring INN

    All documentation from this point on assumes that you have set up the
    news user on your system as suggested in "Installing INN" so that the
    root of your INN installation is ~news/.  If you've moved things around
    by using options with "configure", you'll need to adjust the
    instructions to account for that.

    All of INN's configuration files are located in ~news/etc.  Unless noted
    otherwise, any files referred to below are in this directory.  When you
    first install INN, a sample of each file (containing lots of comments)
    is installed in ~news/etc; refer to these for concrete examples of
    everything discussed in this section.

    All of INN's configuration files, all of the programs that come with it,
    and some of its library routines have documentation in the form of man
    pages.  These man pages were installed in ~news/man as part of the INN
    installation process and are the most complete reference to how INN
    works.  You're strongly encouraged to refer to the man pages frequently
    while configuring INN, and for quick reference afterwards.  Any detailed
    questions about individual configuration files or the behavior of
    specific programs should be answered in them.  You may want to add
    ~news/man to your MANPATH environment variable; otherwise, you may have
    to use a command like:

        man -M ~news/man inn.conf

    to see the inn.conf(5) man page (for example).

    Before we begin, it is worth mentioning the wildmat pattern matching
    syntax used in many configuration files.  These are simple wildcard
    matches using the asterisk ("*") as the wildcard character, much like
    the simple wildcard expansion used by Unix shells.

    In many cases, wildmat patterns can be specified in a comma-separated
    list to indicate a list of newsgroups.  When used in this fashion, each
    pattern is checked in turn to see if it matches, and the last pattern in
    the line that matches the group name is used.  Patterns beginning with
    "!" mean to exclude groups matching that pattern.  For example:

        *, !comp.*, comp.os.*

    In this case, we're saying we match everything ("*"), except that we
    don't match anything under comp ("!comp.*"), unless it is actually under
    the comp.os hierarchy ("comp.os.*").  This is because non-comp groups
    will match only the first pattern (so we want them), comp.os groups will
    match all three patterns (so we want them too, because the third pattern
    counts in this case), and all other comp groups will match the first and
    second patterns and will be excluded by the second pattern.

    Some uses of wildmat patterns also support "poison" patterns (patterns
    starting with "@").  These patterns behave just like "!" patterns when
    checked against a single newsgroup name.  Where they become special is
    for articles crossposted to multiple newsgroups; normally, such an
    article will be considered to match a pattern if any of the newsgroups
    it is posted to matches the pattern.  If any newsgroup the article is
    posted to matches an expression beginning with "@", however, that
    article will not match the pattern even if other newsgroups to which it
    was posted match other expressions.

    See uwildmat(3) for full details on wildmat patterns.

    In all INN configuration files, blank lines and lines beginning with a
    "#" symbol are considered comments and are ignored.  Be careful, not all
    files permit comments to begin in the middle of the line.

  inn.conf

    The first, and most important file is inn.conf.  This file is organized
    as a series of parameter-value pairs, one per line.  The parameter is
    first, followed by a colon and one or more whitespace characters, and
    then the value itself.  For some parameters the value is a string or a
    number; for others it is true or false.  (True values can be written as
    "yes", "true", or "on", whichever you prefer.  Similarly, false values
    can be written as "no", "false", or "off".)

    inn.conf contains dozens of changeable parameters (see inn.conf(5) for
    full details), but only a few really need to be edited during normal
    operation:

    allownewnews
        If set to true then INN will support the NEWNEWS command for news
        readers.  While this can be an expensive operation, its speed has
        been improved considerably as of INN 2.3 and it's probably safe to
        turn on without risking excessive server load.  The default is true.
        (Note that the *access:* setting in readers.conf overrides this
        value; see readers.conf(5) for more details.)

    complaints
        Used to set the value of the X-Complaints-To: header, which is added
        to all articles posted locally.  The usual value would be something
        like "abuse@example.com" or "postmaster@example.com".  If not
        specified, the newsmaster email address will be used.

    hiscachesize
        The amount of memory (in kilobytes) to allocate for a cache of
        recently used history file entries.  Setting this to 0 disables
        history caching.  History caching can greatly increase the number of
        articles per second that your server is capable of processing.  A
        value of 256 is a good default choice.

    logipaddr
        If set to true (the default), INN will log the IP address (or
        hostname, if the host is listed in incoming.conf with a hostname) of
        the remote host from which it received an article.  If set to false,
        the trailing Path: header entry is logged instead.  If you are using
        controlchan (see below) and need to process ihave/sendme control
        messages (this is very, very unlikely, so if you don't know what
        this means, don't worry about it), make sure you set this to false,
        since controlchan needs a site name, not an IP address.

    organization
        Set this to the name of your organization as you want it to appear
        in the Organization: header of all articles posted locally and not
        already containing that header.  This will be overridden by the
        value of the ORGANIZATION environment variable (if it exists).  If
        neither this parameter nor the environment variable or set, no
        Organization: header will be added to posts which lack one.

    pathhost
        This is the name of your news server as you wish it to appear in the
        Path: header of all postings which travel through your server (this
        includes local posts and incoming posts that you forward out to
        other sites).  If this parameter is unspecified, the fully-qualified
        domain name (FQDN) of the machine will be used instead.  Please use
        the FQDN of your server or an alias for your server unless you have
        a very good reason not to; a future version of the news RFCs may
        require this.

    rlimitnofile
        If set to a non-negative value (the default is -1), INN (both innd
        and innfeed) will try to raise the maximum number of open file
        descriptors to this value when it starts.  This may be needed if you
        have lots of incoming and outgoing feeds.  Note that the maximum
        value for this setting is very operating-system-dependent, and you
        may have to reconfigure your system (possibly even recompile your
        kernel) to increase it.  See "File Descriptor Limits" for complete
        details.

    There are tons of other possible settings; you may want to read through
    inn.conf(5) to get a feel for your options.  Don't worry if you don't
    understand the purpose of most of them right now.  Some of the settings
    are only needed for very obscure things, and with more experience
    running your news server the rest will make more sense.

  newsfeeds

    newsfeeds determines how incoming articles are redistributed to your
    peers and to other INN processes.  newsfeeds is very versatile and
    contains dozens of options; we will touch on just the basics here.  The
    manpage contains more detailed information.

    newsfeeds is organized as a series of feed entries.  Each feed entry is
    composed of four fields separated by colons.  Entries may span multiple
    lines by using a backslash ("\") to indicate that the next line is a
    continuation of the current line.  (Note that comments don't interact
    with backslashes in the way you might expect.  A commented-out line
    ending in a backslash will still be considered continued on the next
    line, possibly resulting in more commented out than you intended or
    bizarre syntax errors.  In general, it's best to avoid commenting out
    lines in the middle of continuation lines.)

    The first field in an entry is the name of the feed.  It must be unique,
    and for feeds to other news servers it is usually set to the actual
    hostname of the remote server (this makes things easier).  The name can
    optionally be followed by a slash and a comma-separated exclude list. 
    If the feed name or any of the names in the exclude list appear in the
    Path line of an article, then that article will not be forwarded to the
    feed as it is assumed that it has passed through that site once already.
    The exclude list is useful when a news server's hostname is not the same
    as what it puts in the Path header of its articles, or when you don't
    want a feed to receive articles from a certain source.

    The second field specifies a set of desired newsgroups and distribution
    lists, given as newsgroup-pattern/distribution-list.  The distribution
    list is not described here; see newsfeeds(5) for information (it's not
    used that frequently in practice).  The newsgroup pattern is a
    wildmat-style pattern list as described above (supporting "@").

    The third field is a comma-separated list of flags that determine both
    the type of feed entry and sets certain parameters for the entry.  See
    newsfeeds(5) for information on the flag settings; you can do a
    surprising amount with them.  The three most common patterns, and the
    ones mainly used for outgoing news feeds to other sites, are "Tf,Wnm"
    (to write out a batch file of articles to be sent, suitable for
    processing by nntpsend and innxmit), "Tm" (to send the article to a
    funnel feed, used with innfeed), and "Tc,Wnm*" (to collect a funnel feed
    and send it via a channel feed to an external program, used to send
    articles to innfeed).

    The fourth field is a multi-purpose parameter whose meaning depends on
    the settings of the flags in the third field.  To get a feel for it
    using the examples above, for file feeds ("Tf") it's the name of the
    file to write, for funnel feeds ("Tm") it's the name of the feed entry
    to funnel into, and for channel feeds ("Tc") it's the name of the
    program to run and feed references to articles.

    Now that you have a rough idea of the file layout, we'll begin to add
    the actual feed entries.  First, we'll set up the special ME entry. 
    This entry is required and serves two purposes:  the newsgroup pattern
    specified here is prepended to the newsgroup list of all other feeds,
    and the distribution pattern for this entry determines what
    distributions (from the Distribution: header of incoming articles) are
    accepted from remote sites by your server.  The example in the sample
    newsfeeds file is a good starting point.  If you are going to create a
    local hierarchy that should not be distributed off of your system, it
    may be useful to exclude it from the default subscription pattern, but
    default subscription patterns are somewhat difficult to use right so you
    may want to just exclude it specifically from every feed instead.

    The ME entry tends to confuse a lot of people, so this point is worth
    repeating:  the newsgroup patterns set the default subscription for
    *outgoing* feeds, and the distribution patterns set the acceptable
    Distribution: header entries for *incoming* articles.  This is confusing
    enough that it may change in later versions of INN.

    There are two basic ways to feed articles to remote sites.  The most
    common for large sites and particularly for transit news servers is
    innfeed(8), which sends articles to remote sites in real time (the
    article goes out to all peers that are supposed to receive it
    immediately after your server accepts it).  For smaller sites,
    particularly sites where the only outgoing messages will be locally
    posted articles, it's more common to batch outgoing articles and send
    them every ten minutes or so from cron using nntpsend(8) and innxmit(8).
    Batching gives you more control and tends to be extremely stable and
    reliable, but it's much slower and can't handle high volume very well.

    Batching outgoing posts is easy to set up; for each peer, add an entry
    to newsfeeds that looks like:

        remote.example.com/news.example.com\
            :<newsgroups>\
            :Tf,Wnm:

    where <newsgroups> is the wildmat pattern for the newsgroups that site
    wants.  In this example, the actual name of the remote site is
    "remote.example.com", but it puts "news.example.com" in the Path:
    header.  If the remote site puts its actual hostname in the Path:
    header, you won't need the "/news.example.com" part.

    This entry will cause innd to write out a file in ~news/spool/outgoing
    named remote.example.com and containing the Message-ID and storage token
    of each message to send to that site.  (The storage token is INN's
    internal pointer to where an article is stored; to retrieve an article
    given its storage token, use sm(8)).  innxmit knows how to read files of
    this format and send those articles to the remote site.  For information
    on setting it up to run periodically, see "Setting Up the Cron Jobs"
    below.  You will also need to set up a config file for nntpsend; see the
    man page for nntpsend.ctl(5) for more information.

    If instead you want to use innfeed to send outgoing messages
    (recommended for sites with more than a couple of peers), you need some
    slightly more complex magic.  You still set up a separate entry for each
    of your peers, but rather than writing out batch files, they all
    "funnel" into a special innfeed entry.  That special entry collects all
    of the separate funnel feeds and sends the data through a special sort
    of feed to an external program (innfeed in this case); this is a
    "channel" feed.

    First, the special channel feed entry for innfeed that will collect all
    the funnel feeds:

        innfeed!\
            :!*\
            :Tc,Wnm*:/usr/local/news/bin/startinnfeed -y

    (adjust the path to startinnfeed(1) if you installed it elsewhere). 
    Note that we don't feed this entry any articles directly (its newsgroup
    pattern is "!*").  Note also that the name of this entry ends in an
    exclamation point.  This is a standard convention for all special feeds;
    since the delimiter for the Path: header is "!", no site name containing
    that character can ever match the name of a real site.

    Next, set up entries for each remote site to which you will be feeding
    articles.  All of these entries should be of the form:

        remote.example.com/news.example.com\
            :<newsgroups>\
            :Tm:innfeed!

    specifying that they funnel into the "innfeed!" feed.  As in the
    previous example for batching, "remote.example.com" is the actual name
    of the remote peer, "news.example.com" is what it puts in the Path:
    header (if different than the actual name of the server), and
    <newsgroups> is the wildmat pattern of newsgroups to be sent.

    As an alternative to NNTP, INN may also feed news out to an IMAP server,
    by using imapfeed(8), which is almost identical to innfeed.  The
    startinnfeed process can be told to start imapfeed instead of innfeed. 
    The feed entry for this is as follows:

        imapfeed!\
            :!*\
            :Tc,Wnm*,S16384:/usr/local/news/bin/startinnfeed imapfeed

    And set up entries for each remote site like:

        remote.example.com/news.example.com\
            :<newsgroups>\
            :Tm:imapfeed!

    For more information on imapfeed, look at the innfeed/imap_connection.c.
    For more information on IMAP in general, see RFC 2060.

    Finally, there is a special entry for controlchan(8), which processes
    newsgroup control messages, that should always be in newsfeeds unless
    you never want to honor any control messages.  This entry should look
    like:

        controlchan!\
            :!*,control,control.*,!control.cancel\
            :Tc,Wnsm:/usr/local/news/bin/controlchan

    (modified for the actual path to controlchan if you put it somewhere
    else).  See "Processing Control Messages" for more details.

    For those of you upgrading from earlier versions of INN, note that the
    functionality of overchan(8) and crosspost is now incorporated into INN
    and neither of those programs is necessary.  Unfortunately, crosspost
    currently will not work even with the tradspool storage method.  You can
    still use overchan if you make sure to set *useoverchan* to true in
    inn.conf so that innd doesn't write overview data itself, but be
    careful:  innd may accept articles faster than overchan can process the
    data.

  incoming.conf

    incoming.conf file specifies which machines are permitted to connect to
    your host and feed it articles.  Remote servers you peer with should be
    listed here.  Connections from hosts not listed in this file will (if
    you don't allow readers) be rejected or (if you allow readers) be handed
    off to nnrpd and checked against the access restrictions in
    readers.conf.

    Start with the sample incoming.conf and, for each remote peer, add an
    entry like:

        peer remote.example.com { }

    This uses the default parameters for that feed and allows incoming
    connections from a machine named "remote.example.com".  If that peer
    could be connecting from several different machines, instead use an
    entry like:

         peer remote.example.com {
            hostname: "remote.example.com, news.example.com"
         }

    This will allow either "remote.example.com" or "news.example.com" to
    feed articles to you.  (In general, you should add new peer lines for
    each separate remote site you peer with, and list multiple host names
    using the *hostname* key if one particular remote site uses multiple
    servers.)

    You can restrict the newsgroups a remote site is allowed to send you,
    using the same sort of pattern that newsfeeds(5) uses.  For example, if
    you want to prevent "example.com" hosts from sending you any articles in
    the "local.*" hierarchy (even if they're crossposted to other groups),
    change the above to:

        peer remote.example.com {
            patterns: "*, @local.*"
            hostname: "remote.example.com, news.example.com"
        }

    Note, however, that restricting what a remote side can send you will
    *not* reduce your incoming bandwidth usage.  The remote site will still
    send you the entire article; INN will just reject it rather than saving
    it to disk.  To reduce bandwidth, you have to contact your peers and ask
    them not to send you the traffic you don't want.

    There are various other things you can set, including the maximum number
    of connections the remote host will be allowed.  See incoming.conf(5)
    for all the details.

    Note for those familiar with older versions of INN:  this file replaces
    the old hosts.nntp configuration file.

  cycbuff.conf

    cycbuff.conf is only required if CNFS is used.  If you aren't using
    CNFS, skip this section.

    CNFS stores articles in logical objects called *metacycbuffs*.  Each
    metacycbuff is in turn composed of one or more physical buffers called
    *cycbuffs*.  As articles are written to the metacycbuff, each article is
    written to the next cycbuff in the list in a round-robin fashion (unless
    "sequential" mode is specified, in which case each cycbuff is filled
    before moving on to the next).  This is so that you can distribute the
    individual cycbuffs across multiple physical disks and balance the load
    between them.

    There are two ways to create your cycbuffs:

    1.  Use a block device directly.  This will probably give you the most
        speed since it avoids the file system overhead of large files, but
        it requires your OS support mmap(2) on a block device.  Solaris
        supports this, as do late Linux 2.4 kernels.  FreeBSD does not at
        last report.  Also on many PC-based Unixes it is difficult to create
        more than eight partitions, which may limit your options.

    2.  Use a real file on a filesystem.  This will probably be a bit slower
        than using a block device directly, but it should work on any Unix
        system.

    If you're having doubts, use option #2; it's easier to set up and should
    work regardless of your operating system.

    Now you need to decide on the sizes of your cycbuffs and metacycbuffs. 
    You'll probably want to separate the heavy-traffic groups
    ("alt.binaries.*" and maybe a few other things like "*.jobs*" and
    "news.lists.filters") into their own metacycbuff so that they don't
    overrun the server and push out articles on the more useful groups.  If
    you have any local groups that you want to stay around for a while then
    you should put them in their own metacycbuff as well, so that they don't
    get pushed out by other traffic.  (Or you might store them in one of the
    other storage methods, such as tradspool.)

    For each metacycbuff, you now need to determine how many cycbuffs will
    make up the metacycbuff, the size of those cycbuffs, and where they will
    be stored.  Some OSes do not support files larger than 2 GB, which will
    limit the size you can make a single cycbuff, but you can still combine
    many cycbuffs into each metacycbuff.  Older versions of Linux are known
    to have this limitation; FreeBSD does not.  Some OSes that support large
    files don't support direct access to block devices for large partitions
    (Solaris prior to Solaris 7, or not running in 64-bit mode, is in this
    category); on those OSes, if you want cycbuffs over 2 GB, you'll have to
    use regular files.  If in doubt, keep your cycbuffs smaller than 2 GB. 
    Also, when laying out your cycbuffs, you will want to try to arrange
    them across as many physical disks as possible (or use a striped disk
    array and put them all on that).

    In order to use any cycbuff larger than 2 GB, you need to build INN with
    the --enable-largefiles option.  See "Installing INN" for more
    information and some caveats.

    For each cycbuff you will be creating, add a line to cycbuff.conf like
    the following:

        cycbuff:NAME:/path/to/buffer:SIZE

    NAME must be unique and must be at most seven characters long. 
    Something simple like "BUFF00", "BUFF01", etc. is a decent choice, or
    you may want to use something that includes the SCSI target and slice
    number of the partition.  SIZE is the buffer size in kilobytes (if
    you're trying to stay under 2 GB, keep your sizes below 2097152).

    Now, you need to tell INN how to group your cycbuffs into metacycbuffs. 
    This is similar to creating cycbuff entries:

        metacycbuff:BUFFNAME:CYCBUFF,CYCBUFF,CYCBUFF

    BUFFNAME is the name of the metacycbuff and must be unique and at most
    eight characters long.  These should be a bit more meaningful than the
    cycbuff names since they will be used in other config files as well. 
    Try to name them after what will be stored in them; for example, if this
    metacycbuff will hold alt.binaries postings, "BINARIES" would be a good
    choice.  The last part of the entry is a comma-separated list of all of
    the cycbuffs that should be used to build this metacycbuff.  Each
    cycbuff should only appear in one metacycbuff line, and all metacycbuff
    lines must occur after all cycbuff lines in the file.

    If you want INN to fill each cycbuff before moving on to the next one
    rather than writing to them round-robin, add ":SEQUENTIAL" to the end of
    the metacycbuff line.  This may give noticeably better performance when
    using multiple cycbuffs on the same spindle (such as partitions or
    slices of a larger disk), but will probably give worse performance if
    your cycbuffs are spread out across a lot of spindles.

    By default, CNFS data is flushed to disk every 25 articles.  If you're
    running a small server with a light article load, this could mean losing
    quite a few articles in a crash.  You can change this interval by adding
    a cycbuffupdate line to your cycbuff.conf file; see cycbuff.conf(5) for
    more details.

    Finally, you have to create the cycbuffs.  See "Creating the Article
    Spool" for more information on how to do that.

  storage.conf

    storage.conf determines where incoming articles will be stored (what
    storage method, and in the case of CNFS, what metacycbuff).  Each entry
    in the file defines a storage class for articles.  The first matching
    storage class is used to store the article; if no storage class matches,
    INN will reject that article.  (This is almost never what you want, so
    make sure this file ends in a catch-all entry that will match
    everything.)

    A storage class definition looks like this:

        method <methodname> {
            newsgroups: <wildmat>
            class: <storage_class>
            size: <minsize>[,<maxsize>]
            expires: <mintime>[,<maxtime>]
            options: <options>
        }

    <methodname> is the name of the storage method to use to store articles
    in this class ("cnfs", "timehash", "timecaf", "tradspool", or the
    special method "trash" that accepts the article and throws it away).

    The first parameter is a wildmat pattern in the same format used by the
    newsfeeds(5) file, and determines what newsgroups are accepted by this
    storage class.

    The second parameter is a unique number identifying this storage class
    and should be between 0 and 255.  It can be used to control article
    expiration, and for timehash and timecaf will set the top-level
    directory in which articles accepted by this storage class are stored. 
    The easiest way to deal with this parameter is to just number all
    storage classes in storage.conf sequentially.  The assignment of a
    particular number to a storage class is arbitrary but *permanent* (since
    it is used in storage tokens).

    The third parameter can be used to accept only articles in a certain
    size range into this storage class.  A <maxsize> of 0 (or a missing
    <maxsize>) means no upper limit (and of course a <minsize> of 0 would
    mean no lower limit, because all articles are more than zero bytes
    long).  If you don't want to limit the size of articles accepted by this
    storage class, leave this parameter out entirely.

    The fourth parameter you probably don't want to use; it lets you assign
    storage classes based on the Expires: header of incoming articles.  The
    exact details are in storage.conf(5).  It's very easy to use this
    parameter incorrectly; leave it out entirely unless you've read the man
    page and know what you're doing.

    The fifth parameter is the options parameter.  Currently only CNFS uses
    this field; it should contain the name of the metacycbuff used to store
    articles in this storage class.

    If you're using CNFS exclusively, just create one storage class for each
    metacycbuff that you have defined in cycbuff.conf and set the newsgroups
    pattern according to what newsgroups should be stored in that buffer.

    If you're using timehash or timecaf, the storage class IDs are used to
    store articles in separate directory trees, which you can take advantage
    of to put particular storage classes on different disks.  Also,
    currently storage class is the only way to specify expiration time, so
    you will need to divide up your newsgroups based on how long you want to
    retain articles in those groups and create a storage class for each such
    collection of newsgroups.  Make note of the storage class IDs you assign
    as they will be needed when you edit expire.ctl a bit later.

  expire.ctl

    expire.ctl sets the expiration policy for articles stored on the server.
    Be careful, since the default configuration will expire most articles
    after 10 days; in most circumstances this deletion is *permanent*, so
    read this whole section carefully if you want to keep local hierarchies
    forever.  (See archive(8) for a way to automate backups of important
    articles.)

    Only one entry is required for all storage classes; it looks like:

        /remember/:10

    This entry says how long to keep the Message-IDs for articles that have
    already expired in the history file so that the server doesn't accept
    them again.  Occasionally, fairly old articles will get regurgitated
    somewhere and offered to you again, so even after you've expired
    articles from your spool, you want to keep them around in your history
    file for a little while to ensure you don't get duplicates.

    INN will reject any articles more than a certain number of days old (the
    *artcutoff* parameter in inn.conf, defaulting to 10); the number on the
    "/remember/" line should match that.

    CNFS makes no further use of expire.ctl, since articles stored in CNFS
    buffers expire automatically when the buffer runs out of free space (but
    see the "-N" option in expireover(8) if you really want to expire them
    earlier).  For other storage methods, there are two different syntaxes
    of this file, depending on *groupbaseexpiry* in inn.conf.  If it is set
    to false, expire.ctl takes entries of the form:

        <storage_class>:<keep>:<default>:<purge>

    <storage_class> is the number assigned to a storage class in
    storage.conf.  <default> is the number of days to keep normal articles
    in that storage class (decimal values are allowed).  For articles that
    don't have an Expires: header, those are the only two values that
    matter.  For articles with an Expires: header, the other two values come
    into play; the date given in the Expires: header of an article will be
    honored, subject to the contraints set by <keep> and <purge>.  All
    articles in this storage class will be kept for at least <keep> days,
    regardless of their Expires: headers, and all articles in this storage
    class will be expired after <purge> days, even if their Expires: headers
    specify a longer life.

    All three of these fields can also contain the special keyword "never". 
    If <default> is "never", only articles with explicit Expires: headers
    will ever be expired.  If <keep> is "never", articles with explicit
    Expires: headers will be kept forever.  Setting <purge> to "never" says
    to honor Expires: headers even if they specify dates far into the
    future.  (Note that if <keep> is set to "never", all articles with
    Expires: headers are kept forever and the value of <purge> is not used.)

    If the value of "groupbaseexpiry" is true, expire.ctl takes entries of
    the form:

        <wildmat>:<flag>:<keep>:<default>:<purge>

    <wildmat> is a wildmat expression ("!" and "@" not permitted, and only a
    single expression, not a comma-separated set of them).  Each expiration
    line applies to groups matching the wildmat expression.  <flag> is "M"
    for moderated groups, "U" for unmoderated groups, and "A" for groups
    with any moderation status; the line only matches groups with the
    indicated expiration status.  All of the other fields have the same
    meaning as above.

  readers.conf

    Provided that *noreader* is set to false in inn.conf, any connection
    from a host that doesn't match an entry in incoming.conf (as well as any
    connection from a host that does match such an entry, but has issued a
    MODE READER command) will be handed off to nnrpd(8), the part of INN
    that supports newsreading clients.  nnrpd uses readers.conf to determine
    whether a given connection is allowed to read news, and if so what
    newsgroups the client can read and post to.

    There are a variety of fairly complicated things that one can do with
    readers.conf, things like run external authentication programs that can
    query RADIUS servers.  See readers.conf(5) and the example file for all
    the gory details.  Here's an example of probably the simplest reasonable
    configuration, one that only allows clients in the example.com domain to
    read from the server and allows any host in that domain to read and post
    to all groups:

        auth "example.com" {
            hosts: "example.com, *.example.com"
            default: "<user>"
            default-domain: "example.com"
        }

        access "all" {
            users: "*@example.com"
            newsgroups: "*"
        }

    If you're running a server for one particular domain, want to allow all
    hosts within that domain to read and post to any group on the server,
    and want to deny access to anyone outside that domain, just use the
    above and change "example.com" in the above to your domain and you're
    all set.  Lots of examples of more complicated things are in the sample
    file.

Creating the Article Spool (CNFS only)

    If you are using actual files as your CNFS buffers, you will need to
    pre-create those files, ensuring they're the right size.  The easiest
    way to do this is with dd.  For each cycbuff in cycbuff.conf, create the
    buffer with the following commands (as the news user):

        dd if=/dev/zero of=/path/to/buffer bs=1k count=BUFFERSIZE
        chmod 664 /path/to/buffer

    Substitute the correct path to the buffer and the size of the buffer as
    specified in cycbuff.conf.  This will create a zero-filled file of the
    correct size; it may take a while, so be prepared to wait.

    Here's a command that will print out the dd(1) commands that you should
    run:

        awk -F: \
        '/^cy/ { printf "dd if=/dev/zero of=%s bs=1k count=%s\n", $3, $4 }' \
        ~news/etc/cycbuff.conf

    If you are using block devices, you don't technically have to do
    anything at all (since INN is capable of using the devices in /dev), but
    you probably want to create special device files for those devices
    somewhere for INN's private use.  It s more convenient to keep all of
    INN's stuff together, but more importantly, the device files used by INN
    really should be owned by the news user and group, and you may not want
    to do that with the files in /dev.

    To create the device files for INN, use mknod(8) with a type of "b",
    getting the major and minor device numbers from the existing devices in
    /dev.  There's a small shell script in cycbuff.conf(5) that may help
    with this.  Make sure to create the device files in the location INN
    expects them (specified in cycbuff.conf).

    Solaris users please note:  on Solaris, do not use block devices that
    include the first cylinder of the disk.  Solaris doesn't protect the
    superblock from being overwritten by an application writing to block
    devices and includes it in the first cylinder of the disk, so unless you
    use a slice that starts with cylinder 1 instead of 0, INN will
    invalidate the partition table when it tries to initialize the cycbuff
    and all further accesses will fail until you repartition.

Creating the Database Files

    At this point, you need to set up the news database directory
    (~news/db).  This directory will hold the active(5) file (the list of
    newsgroups you carry), the active.times(5) file (the creator and
    creation time of newsgroups created since the server was initialized),
    the newsgroups(5) file (descriptions for all the newsgroups you carry),
    and the history(5) file (a record of every article the server currently
    has or has seen in the past few days, used to decide whether to accept
    or refuse new incoming messages).

    Before starting to work on this, make sure you're logged on as the news
    user, since all of these files need to be owned by that user.  This is a
    good policy to always follow; if you are doing any maintenance work on
    your news server, log on as the news user.  Don't do maintenance work as
    root.  Also make sure that ~news/bin is in the default path of the news
    user (and while you're at it, make sure ~news/man is in the default
    MANPATH) so that you can run INN maintenance commands without having to
    type the full path.

    If you already have a server set up (if you're upgrading, or setting up
    a new server based on an existing server), copy active and newsgroups
    from that server into ~news/db.  Otherwise, you'll need to figure out
    what newsgroups you want to carry and create new active and newsgroups
    files for them.  If you plan to carry a full feed, or something close to
    that, go to <ftp://ftp.isc.org/pub/usenet/CONFIG/> and download active
    and newsgroups from there; that will start you off with reasonably
    complete files.  If you plan to only carry a small set of groups, the
    default minimal active file installed by INN is a good place to start;
    you can create additional groups after the server is running by using
    "ctlinnd newgroup".  (Another option is to use actsync(8) to synchronize
    your newsgroup list to that of another server.)

    "control" and "junk" must exist as newsgroups in your active file for
    INN to start, and creating pseudogroups for the major types of control
    messages is strongly encouraged for all servers that aren't standalone. 
    If you don't want these groups to be visible to clients, do *not* delete
    them; simply hide them in readers.conf.  "to" must also exist as a
    newsgroup if you have mergetogroups set in inn.conf.

    Next, you need to create an empty history database.  To do this, type:

        cd ~news/db
        touch history
        makedbz -i

    When it finishes, rename the files it created to remove the ".n" in the
    file names and then make sure the file permissions are correct on all
    the files you've just created:

        chmod 644 *

    Your news database files are now ready to go.

Configuring syslog

    While some logs are handled internally, INN also logs a wide variety of
    information via syslog.  INN's nightly report programs know how to roll
    and summarize those syslog log files, but when you first install INN you
    need to set them up.

    If your system understands the "news" syslog facility, INN will use it;
    otherwise, it will log to "local1".  Nearly every modern system has a
    "news" syslog facility so you can safely assume that yours does, but if
    in doubt take a look at the output from running "configure".  You should
    see a line that looks like:

        checking log level for news... LOG_NEWS

    If that says LOG_LOCAL1 instead, change the below instructions to use
    "local1" instead of "news".

    Edit /etc/syslog.conf on your system and add lines that look like the
    following:

        news.crit           /usr/local/news/log/news.crit
        news.err            /usr/local/news/log/news.err
        news.notice         /usr/local/news/log/news.notice

    (Change the path names as necessary if you installed INN in a different
    location than /usr/local/news.)  These lines *must* be tab-delimited, so
    don't copy and paste from these instructions.  Type it in by hand and
    make sure you use a tab, or you'll get mysterious failures.  You'll also
    want to make sure that news log messages don't fill your other log files
    (INN generates a lot of log traffic); so for every entry in
    /etc/syslog.conf that starts with "*", add ";news.none" to the end of
    the first column.  For example, if you have a line like:

        *.err               /dev/console

    change it to:

        *.err;news.none     /dev/console

    (You can choose not to do this for the higher priority log messages, if
    you want to make sure they go to your normal high-priority log files as
    well as INN's.  Don't bother with anything lower priority than "crit",
    though.  "news.err" isn't interesting enough to want to see all the
    time.)  Now, make sure that the news log files exist; syslog generally
    won't create files automatically.  Enter the following commands:

        touch /usr/local/news/log/news.crit
        touch /usr/local/news/log/news.err
        touch /usr/local/news/log/news.notice
        chown news /usr/local/news/log/news.*
        chgrp news /usr/local/news/log/news.*

    (again adjusting the paths if necessary for your installation). 
    Finally, send a HUP signal to syslogd to make it re-read its
    configuration file.

Setting Up the Cron Jobs

    INN requires a special cron job to be set up on your system to run
    news.daily(8) which performs daily server maintenance tasks such as
    article expiration and the processing and rotation of the server logs. 
    Since it will slow the server down while it is running, it should be run
    during periods of low server usage, such as in the middle of the night. 
    To run it at 3am, for example, add the following entry to the news
    user's crontab file:

        0 3 * * * /usr/local/news/bin/news.daily expireover lowmark

    or, if your system does not have per-user crontabs, put the following
    line into your system crontab instead:

        0 3 * * * su -c "/usr/local/news/bin/news.daily expireover lowmark" news

    If you're using any non-CNFS storage methods, add "delayrm" to the above
    option list for news.daily.

    The news user obviously must be able to run cron jobs.  On Solaris, this
    means that it must have a valid /etc/shadow entry and must not be locked
    (although it may be a non-login account).  There may be similar
    restrictions with other operating systems.

    If you use the batching method to send news, also set up a cron job to
    run nntpsend(8) every ten minutes.  nntpsend will run innxmit for all
    non-empty pending batch files to send pending news to your peers.  That
    cron entry should look something like:

        0,10,20,30,40,50 * * * * /usr/local/news/bin/nntpsend

    The pathnames and user ID used above are the installation defaults;
    change them to match your installation if you used something other than
    the defaults.

    The parameters passed to news.daily in the above example are the most
    common (and usually the most efficient) ones to use.  More information
    on what these parameters do can be found in the news.daily(8) man page.

File Descriptor Limits

    INN likes to use a lot of file descriptors, particularly if you have a
    lot of peers.  Depending on what your system defaults are, you may need
    to make sure the default limit is increased for INN (particularly for
    innd and innfeed).  This is vital on Solaris, which defaults (at least
    as of 2.6) to an absurdly low limit of 64 file descriptors per process.

    One way to increase the number of file descriptors is to set
    *rlimitnofile* in inn.conf to a higher value.  This will cause both
    startinnfeed and inndstart (the setuid root wrapper scripts that start
    innfeed and innd, respectively) to increase the file descriptor limits
    before they run the regular INN programs.  Note, however, that INN won't
    be able to increase the limits above the hard limits set by your
    operating system; on some systems, that hard limit is normally 256 file
    descriptors (Linux, for example).  On others, like Solaris, it's 1024. 
    Increasing the limit beyond that value may require serious system
    configuration work.  (On some operating systems, it requires patching
    and recompiling the kernel.  On Solaris it can be changed in
    /etc/system, but for 2.6 or earlier the limit cannot be increased beyond
    1024 without breaking select(2) and thereby breaking all of INN.  For
    current versions of Linux, you may be able to change the maximum by
    writing to /proc/sys/fs/file-max.)

    256 file descriptors will probably be enough for all but the largest
    sites.  There is no harm in setting the limits higher than you actually
    need (provided they're set to something lower than or equal to your
    system hard limit).  256 is therefore a reasonable value to try.

    If you're installing INN on a Solaris system, particularly if you're
    installing it on a dedicated news server machine, it may be easier to
    just increase the default file descriptor limit across the board for all
    processes.  You can do that by putting the line:

        set rlim_fd_cur = 256

    in /etc/system and rebooting.  You can increase it all the way to 1024
    (and may need to if you have a particularly large site), but that can
    cause RPC and some stdio applications to break.  It therefore probably
    isn't a good idea on a machine that isn't dedicated to INN.

Starting and Stopping the System

    INN is started via the shell script rc.news.  This must be run as the
    news user and not as root.  To start INN on system boot, you therefore
    want to put something like:

        su - news -c /usr/local/news/bin/rc.news

    in the system boot scripts.  If innd is stopped or killed, you can
    restart it by running rc.news by hand as the news user.

    The rc.news script may also be used to shut down INN, with the "stop"
    option:

        su - news -c '/usr/local/news/bin/rc.news stop'

    In the contrib directory of this source tree is a sample init script for
    people using System V-style init.d directories.

Processing Newsgroup Control Messages

    Control messages are specially-formatted messages that tell news servers
    to take various actions.  Cancels (commands to delete messages) are
    handled internally by INN, and all other control messages are processed
    by controlchan.  controlchan should be run out of newsfeeds if you want
    your news server to process any control messages; see "Configuring INN"
    for specific instructions.

    The actions of controlchan are determined by control.ctl, which lists
    who can perform what actions.  The primary control messages to be
    concerned with are "newgroup" (to create a newsgroup), "rmgroup" (to
    remove a newsgroup), and "checkgroups" (to compare the list of groups
    carried in a hierarchy to a canonical list).  INN comes with a
    control.ctl file that processes control messages in most major public
    hierarchies; if you don't want to act on all those control messages, you
    should remove from that file all entries for hierarchies you don't want
    to carry.

    You can tell INN to just authenticate control messages based on the From
    header of the message, but this is obviously perilous and control
    messages are widely forged.  Many hierarchies sign all of their control
    messages with PGP, allowing news servers to verify their authenticity,
    and checking those signatures for hierarchies that use them is highly
    recommended.  controlchan knows how to do this (using pgpverify) without
    additional configuration, but you do have to provide it with a public
    key ring containing the public keys of all of the hierarchy
    administrators whose control messages you want to check.

    INN expects the public key ring to either be in the default location for
    a PGP public key ring for the news user (generally ~news/.gnupg for
    GnuPG and ~news/.pgp for old PGP implementations), or in pathetc/pgp
    (/usr/local/news/etc/pgp by default).  The latter is the recommended
    path.  To add a key to that key ring, use:

        gpg --import --homedir=/usr/local/news/etc/pgp <file>

    where <file> is a file containing the hierarchy key.  Change the homedir
    setting to point to pathetc/pgp if you have INN installed in a
    non-default location.  If you're using the old-style PGP program, an
    equivalent command is:

        env PGPPATH=/usr/local/news/etc/pgp pgp <file>

    You can safely answer "no" to questions about whether you want to sign,
    trust, or certify keys.

    The URLs from which you can get hierarchy keys are noted in comments in
    control.ctl.  <ftp://ftp.isc.org/pub/pgpcontrol/PGPKEYS> tries to
    collect the major hierarchy keys.

    If you are using GnuPG, please note that the first user ID on the key
    will be the one that's used by INN for verification and must match the
    key listed in control.ctl.  If a hierarchy key has multiple user IDs,
    you may have to remove all the user IDs except the one that matches the
    control.ctl entry using "gpg --edit-key" and the "delkey" command.