1. Forum
  2. Usenet
  3. NEWS.SOFTWARE.NNTP

  • 200 or 201, when auth enabled?

    From Adam W.@21:1/5 to All on Mon Oct 30 01:46:13 2023
    Hi!

    My server currently greets users with:

    200 news.chmurka.net InterNetNews NNRP server INN 2.7.0 ready (no posting)

    So it's 200, but posting is not allowed. It's because authorization is
    needed before user is able to post.

    It seems that Mozilla Thunderbird has several problems with this (it's to
    be confirmed, I think I'll create another port where it greets users with
    201 and experiment; I don't want to break it for other readers). Result is
    that Thunderbird tries to post, gets 480, and doesn't retry with auth, but claims that the post has been posted. At least that's what users report, combined with what I can see in logs (I didn't test it myself yet).

    But is it correct? Should server in this case respond with 200, or with
    201?

    I found this in the RFC 3977:

    https://datatracker.ietf.org/doc/html/rfc3977#section-5.1.2

    But it's still not clear to me -- I just understand that it's a grey area
    (200 is "posting allowed", 201 is "posting not allowed", and there's no
    code for "posting will be allowed after auth") and readers should use CAPABILITIES instead.

    Looking at nnrpd.c it's clear that this behavior (200 when posting will be allowed after auth) is expected:

    #v+
    Reply("%d %s InterNetNews NNRP server %s ready (%s)\r\n",
    (PERMcanpost || (PERMcanauthenticate && PERMcanpostgreeting))
    ? NNTP_OK_BANNER_POST
    : NNTP_OK_BANNER_NOPOST,
    PERMaccessconf->pathhost, INN_VERSION_STRING,
    (!PERMneedauth && PERMcanpost) ? "posting ok" : "no posting");
    #v-

    And (perm.c):

    #v+
    /* We assume that an access or dynamic script will allow
    * the user to post when authenticated, so that a 200 greeting
    * code can be sent. */
    if (auth_realms[i]->access_script != NULL
    || auth_realms[i]->dynamic_script != NULL)
    PERMcanpostgreeting = true;
    #v-

    Did you (other newsadmins) receive similar complaints from Thunderbird
    users?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Jesse Rehmer@21:1/5 to All on Mon Oct 30 03:43:30 2023
    On Oct 29, 2023 at 8:46:13 PM CDT, "Adam W." <Adam W.> wrote:

    Did you (other newsadmins) receive similar complaints from Thunderbird
    users?

    With Thunderbird you need to instruct users to check the option "Always
    request authentication when connecting to this server" under the NNTP Server Settings. It's been an annoyance with Thunderbird as long as I can recall.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Russ Allbery@21:1/5 to Adam W. on Sun Oct 29 21:44:40 2023
    gof-cut-this-news@cut-this-chmurka.net.invalid (Adam W.) writes:

    But is it correct? Should server in this case respond with 200, or with
    201?

    I found this in the RFC 3977:

    https://datatracker.ietf.org/doc/html/rfc3977#section-5.1.2

    But it's still not clear to me -- I just understand that it's a grey
    area (200 is "posting allowed", 201 is "posting not allowed", and
    there's no code for "posting will be allowed after auth") and readers
    should use CAPABILITIES instead.

    When we were writing the standard, we discovered that there were some
    clients that, when presented with a 201, will never attempt to POST even
    if you have authentication credentials configured that they might use. Returning 200 made those clients do the right thing: attempt to post, get
    a permission error, realize that maybe they should try to authenticate,
    and end up in the right spot.

    It sounds like you've run into a client with the exact opposite problem.
    This is unfortunately a mess, and as you say the only real solution is for
    the client to use CAPABILITIES.

    --
    Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>

    Please post questions rather than mailing me directly.
    <https://www.eyrie.org/~eagle/faqs/questions.html> explains why.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Frank Slootweg@21:1/5 to Jesse Rehmer on Mon Oct 30 11:22:42 2023
    Jesse Rehmer <jesse.rehmer@blueworldhosting.com> wrote:
    On Oct 29, 2023 at 8:46:13?PM CDT, "Adam W." <Adam W.> wrote:

    Did you (other newsadmins) receive similar complaints from Thunderbird users?

    With Thunderbird you need to instruct users to check the option "Always request authentication when connecting to this server" under the NNTP Server Settings. It's been an annoyance with Thunderbird as long as I can recall.

    I don't use Thunderbird as my regular newsreader, only for testing,
    and I have a very old version (60.9.0).

    That said:

    For both my own little server (Hamster) and my real server (News.Individual.Net), I have *not* ticked "Always request
    authentication when connecting to this server" and they both work fine.

    I haven't checked if Thunderbird keeps NNTP logs, but I checked my
    Hamster logs when Thunderbird connects. The sequence is:

    200 NNTP Server Classic Hamster Vr. 2.0 (Build 2.0.2.2) (post ok) says: Hi! MODE READER
    200 ignored
    GROUP comp.mobile.android
    480 Authentication required
    AUTHINFO [redacted]
    381 More authentication information required
    AUTHINFO PASS [...]
    281 Authentication accepted
    GROUP comp.mobile.android
    211 ... ... comp.mobile.android
    XOVER ...-...

    So while my server says "(post ok)", not "(no posting)" as in Adam's
    case, that's AFAIK just a comment and what counts is the 200 response,
    which is the same for both Adam and me.

    So in my case, Thunderbird *does* start a (MODE READER,) AUTHINFO and AUTHINFO PASS sequence after getting a 200 greeting, even while "Always
    request authentication when connecting to this server" is *not* ticked.

    It could be that the difference is in my old Thunderbird version
    versus newer/current ones, but - in the groups I follow - I've not heard
    from Thunderbird users that this changed and that they now have to tick
    this setting.

    So I wonder what the real story is? Perhaps someone - preferably an
    admin who can inspect the server log - with a more current Thunderbird
    could try?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Jesse Rehmer@21:1/5 to All on Mon Oct 30 13:13:30 2023
    On Oct 30, 2023 at 6:22:42 AM CDT, "Frank Slootweg" <this@ddress.is.invalid> wrote:

    Jesse Rehmer <jesse.rehmer@blueworldhosting.com> wrote:
    On Oct 29, 2023 at 8:46:13?PM CDT, "Adam W." <Adam W.> wrote:

    Did you (other newsadmins) receive similar complaints from Thunderbird
    users?

    With Thunderbird you need to instruct users to check the option "Always
    request authentication when connecting to this server" under the NNTP Server >> Settings. It's been an annoyance with Thunderbird as long as I can recall.

    I don't use Thunderbird as my regular newsreader, only for testing,
    and I have a very old version (60.9.0).

    That said:

    For both my own little server (Hamster) and my real server (News.Individual.Net), I have *not* ticked "Always request
    authentication when connecting to this server" and they both work fine.

    I haven't checked if Thunderbird keeps NNTP logs, but I checked my
    Hamster logs when Thunderbird connects. The sequence is:

    200 NNTP Server Classic Hamster Vr. 2.0 (Build 2.0.2.2) (post ok) says: Hi! MODE READER
    200 ignored
    GROUP comp.mobile.android
    480 Authentication required
    AUTHINFO [redacted]
    381 More authentication information required
    AUTHINFO PASS [...]
    281 Authentication accepted
    GROUP comp.mobile.android
    211 ... ... comp.mobile.android
    XOVER ...-...

    So while my server says "(post ok)", not "(no posting)" as in Adam's
    case, that's AFAIK just a comment and what counts is the 200 response,
    which is the same for both Adam and me.

    So in my case, Thunderbird *does* start a (MODE READER,) AUTHINFO and AUTHINFO PASS sequence after getting a 200 greeting, even while "Always request authentication when connecting to this server" is *not* ticked.

    It could be that the difference is in my old Thunderbird version
    versus newer/current ones, but - in the groups I follow - I've not heard
    from Thunderbird users that this changed and that they now have to tick
    this setting.

    So I wonder what the real story is? Perhaps someone - preferably an
    admin who can inspect the server log - with a more current Thunderbird
    could try?

    I do not recall what version the behavior changed, but in my experience Thunderbird does not send AUTHINFO unless that option is checked. I do have my own server that is offline, and over time Thunderbird users have reached out due to being unable to post and checking that option is always the solution.

    If I recall correctly, "(post ok)" means the client does not need to authenticate to post and "(no posting)" is presented when additional authentication is required.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Adam W.@21:1/5 to Jesse Rehmer on Mon Oct 30 13:48:04 2023
    Jesse Rehmer <jesse.rehmer@blueworldhosting.com> wrote:

    I do not recall what version the behavior changed, but in my experience Thunderbird does not send AUTHINFO unless that option is checked. I do
    have my own server that is offline, and over time Thunderbird users have reached out due to being unable to post and checking that option is
    always the solution.

    I know that in Thunderbird 102.0 they changed the NNTP handling module to (probably) some JavaScript thing (jsmodule) and disabling it (reverting to
    the old module) helped, at least some users.

    The config setting to disable it is called mailnews.nntp.jsmodule.

    One user who complained that his posts were disappearing had this "always
    auth" checkbox disabled. He enabled it, we'll see if it helps... hopefully
    it does.

    Thanks.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)