INN Notes for ClariNet Subscribers

INN is probably the most common news system used by ClariNet subscribers. It is designed for heavy news environments with multiple incoming feeds. If you don't have multiple incoming feeds, you may find that C news is more suitable in some environments -- it uses a lot less system resources.

If you run INN, we recommend you install the "streaming NNTP" patches found in the "unoff" distribution -- we make use of this and it can improve feed throughput quite a bit.

Incoming NNTP feed (if you have a direct feed from ClariNet)

If you get a direct NNTP feed from ClariNet, or a delayed backup feed, you will need to give us the ability to connect and transfer news to your news server.

  1. Tell us the name of the news server or servers you will be receiving feeds on.
  2. Enable it so that ClariNet's machines can transfer news to your servers, and ideally also read our news from your servers. We encourage you to enable read access, since it lets us check that you are getting your feed properly and that you have the right newsgroup list, as well as debug many other problems. You need not let us read non-ClariNet news.
  3. With care, feed only the unmoderated group clari.net.talk back to news.clari.net, but don't use nntplink.

For all these steps, the control files are usually in the "news library" directory, which is /usr/lib/news on most systems.


hosts.nntp.nolimit

To allow us to feed you news, put an entry like this in the file "hosts.nntp.nolimit" for your server. (Use the file "hosts.nntp" if you wish to block our feed when your load gets high. Most sites wish us to get in at all times since our news is time-sensitive.)

	# Allow ClariNet to feed us news
	newsfeeder.clari.net::

This magic site, newsfeeder.clari.net, contains the many IP addresses of our feeding systems. Since we add to this list from time to time, be sure to schedule a "ctlinnd reload hosts.nntp" command. We move feeds around as need be, so if you don't do this it could impair your feed. The bad news is that if you start INN or do the reload during a period of network outage or nameserver problems, INN will lose its knowledge of the site. Rumour is they're going to improve this.

Let us Read News

To allow us to read news (highly encouraged), put lines like this in the file "nnrp.access". (By the way, the comment should also be in your newsfeeds file.)

	# This site receives a ClariNet newsfeed with copyrighted information.
	# In editing this file, take care not to feed the "clari" newsgroups
	# to any outside sites or sites not covered by the licence.
	# Take care not to enable "*" newsgroups to such sites without a
	# "!clari" modifier.
	*.clari.net:R:::clari.*

In addition, you should make sure that nobody else, outside your site, has read access to ClariNet groups, as it says in the comment above. This is the default with INN, but be sure you haven't given explicit access to anybody outside.

Incoming NNTP feed from hub or other feed

Even if you don't get your feed directly from us, it makes sense to enable us for reading, and possibly even for feeding, as described above. It can't hurt.

"newsfeeds" File

The newsfeeds file controls who you feed news to, and also what distributions your own machine accepts on articles.

Make sure that your "newsfeeds" file is not feeding ClariNet news to any outside sites, unless you are one of our explicitly authorized professional hubs. Beware of the fact that the default feed in INN is "*" (all), and that "!clari" is necessary if a feed is of the "feed everything but what we have excluded" type.

The "ME" line of newsfeeds

Make sure the "ME" line in your newsfeeds file is set up to allow the feed to come in. This is particularly important if you have configured the "ME" line to only accept articles with certain distributions. You must make sure the ClariNet distributions you have subscribed to are present on this line, or that your site allows all distributions. newsgroups that start with clari, and you must allow articles with the right distributions in the distribution part of the ME: line.

The "ME" line is the first entry in a newsfeeds file. The second field is the important field. This field is a list of newsgroup patterns, optionally followed by a slash and a list of distributions. The two fields have entirely different purposes, quite unlike the way they work in other lines in the newsfeeds file.

ME:group-pattern,group-pattern,..::
or
ME:group-pattern,group-pattern,../distribution,distribution,...::

Newsgroup portion

The list of newsgroup patterns becomes the default subscription for all sites you feed. This means this list of patterns is prepended to the explicit list for any site found later in the newsfeeds file. Normally, the default is "*" -- feed all groups -- which can cause trouble.

Since you will not be feeding ClariNet groups to any other non-internal sites (unless you are an official hub) we advise you put "!clari.*" as one of the patterns in this field. This assures that you will not feed ClariNet news to somebody unless you include either "*" or a pattern matching a ClariNet group in their feed list.

We also recommend you explicitly exclude the newsgroups "control" and "junk." There is no reason to feed these groups to another site. Control messages will propagate without an explicit feed of "control." If you do feed the group "control" explicitly, you will leak ClariNet group creation, deletion and checking messages, as well as voluminous cancel messages, out to that site. They will find this very annoying, and if these messages leak back into other customers with a different edition from the one you get, more than annoying.

Thus a typical line might look like:

ME:*,!clari.*,!control,!junk::

This line accepts articles in all distributions.

By the way, if you wish to make the default to not feed any hierarchies that aren't listed in a site's list of group patterns, make the line be:

ME:!*::

instead -- but be sure not to do something to feed Clari groups, "control" or "junk" down below.

Distribution portion of ME: line

You will have to consider if you want a distribution section on your ME: entry. If you have no distribution list, you accept all distributions. However, right now USENET has a terrible problem with distribution leaks, and you can use this feature to assure you only get articles in the distributions you want -- or those which, like most articles, have no distribution tagged.

You can make the distribution list two ways. One is an inclusive list, listing all the distributions you want. The other is an exclusion list, which implies that you want all distributions except the ones you exclude.

An inclusive list is just a list of distribution names. These are not patterns, just names. You need to be fairly detailed, as there will be many distributions you will wish to be a part of, including ones for your company, city, area, state/province, country and so on. And, most importantly for the purpose of this document, the Clarinet distributions for the edition to which you subscribe. If you have an inclusive list, be sure to list those Clarinet distributions.

An exclusion list occurs whenever any distribution named in the distribution list has a "!" in front of it. Generally a list is either a list of distributions without "!" or a list where every distribution named has a "!" in front of it -- it makes no sense to mix. An exclusion list has less risk of losing news -- if a new distribution comes along, you will get it. The bad part of that is this is exactly what causes all the distribution leaks out there -- everybody passing along every distribution they don't know about. However, this is more true in actual feed lines than in the "ME:" line, and an exclusion list is more acceptable in the "ME:" line. We strongly discourage the use of exclusion lists in ordinary feeds that feed ClariNet, because if people use them, they stop us from adding new products with new distributions, since they make everybody get them by default.

So if you select an inclusive list, just list your ClariNet distributions. A list of the current distributions is available. Also list the other distributions you want. If you choose an exclusion list, you may optionally list the ClariNet distributions that you don't get, in case there is a leak of that distribution to you.

Here is a sample inclusive line (Four Star edition):

ME:*,!clari.*,!control*,!junk/cl-4,cl-cbd,company,city,state,country,continent,inet,others,...::

Here is a sample exclusion list:

ME:*,!clari.*,!control*,!junk/!cl-1,!cl-2,!cl-3,!cl-edu,!place-i-am-not-in,!...::

Other sites' newsfeeds

Now do a scan over your other feeds, and make sure there isn't an explicit (or implicit) "*" in any site's feed without an appropriate "!clari.*" after it. You can also just tag "!clari.*" on the end of any site's list of newsgroup patterns and be sure they won't get ClariNet.

Also check to make sure you don't explicitly feed "control" or "junk" to any site that doesn't really want that.

Also check of course for any site that might somehow have an explicit feed of "clari" in it. At some sites, several people maintain the newsfeeds file and from time to time somebody who doesn't know the groups are not to be fed outside will accidentally start up a feed. That's why we would really appreciate it if you would include a comment in your newsfeeds file to the following effect:

	# This site receives a ClariNet newsfeed with copyrighted information.
	# In editing this file, take care not to feed the "clari" newsgroups
	# to any outside sites or sites not covered by the licence.
	# Take care not to enable "*" newsgroups to such sites without a
	# "!clari" modifier.
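
The scan described in this section can be scripted. The following is an added example, not ClariNet's or INN's own code: it prepends the ME patterns to each site's list and takes the last matching pattern as the result, which is what the "!clari.*" after "*" advice above implies. The site names, feed flags, the group clari.news.sample and the use of Python's fnmatch in place of INN's wildmat are assumptions made for the illustration.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample newsfeeds file; site names and feed flags are placeholders.
SAMPLE = """\
# ME patterns become the default subscription of every site below
ME:*,!clari.*,!control,!junk::
good.example.com:!alt.binaries.*:Tf,Wnm:
leaky.example.com:*,!alt.binaries.*:Tf,Wnm:
fixed.example.com:*,!alt.binaries.*,\\
    !clari.*,!control,!junk:Tf,Wnm:
news.clari.net:!*,clari.net.talk:Tf,Wnm:
"""
# Constructed probe names: two clari groups plus the two pseudo-groups.
PROBES = ["clari.net.talk", "clari.news.sample", "control", "junk"]

def parse_newsfeeds(text):
    """Return (ME patterns, {site: patterns}); backslash continuations are joined."""
    feeds = {}
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":") + [""]
        name = fields[0].split("/")[0]           # drop any /exclude list
        subs = fields[1].split("/")[0]           # drop the /distribution list
        feeds[name] = [p.strip() for p in subs.split(",") if p.strip()]
    return feeds.pop("ME", []), feeds

def is_fed(group, patterns):
    """Last matching pattern wins; a leading '!' (or '@') negates it."""
    fed = False
    for pat in patterns:
        if fnmatchcase(group, pat.lstrip("!@")):
            fed = pat[0] not in "!@"
    return fed

def audit(text, allowed=None):
    """Map each site to the probe groups it would be fed, minus allowed ones."""
    me, sites = parse_newsfeeds(text)
    allowed = allowed or {}
    report = {s: [g for g in PROBES if is_fed(g, me + p) and g not in allowed.get(s, ())]
              for s, p in sites.items()}
    return {s: hits for s, hits in report.items() if hits}
```

Calling audit(SAMPLE, allowed={"news.clari.net": {"clari.net.talk"}}) reports only leaky.example.com, whose explicit "*" re-enables the clari groups, "control" and "junk" that the ME line had excluded.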

The "active" file

The active file contains the list of newsgroups at your site, and their type. ClariNet newsgroups are added to this file when you run the creation script described in the master ClariNet installation guide.

You should make sure the ClariNet groups are there, and that you don't mark them as "excluded" with an "x" tag. If you get articles in which no newsgroup is found on your machine, the articles appear in the "junk" newsgroup.

Newgroup message verification

When ClariNet creates, removes or verifies newsgroups, we send out USENET control messages, such as "newgroup" and "rmgroup". INN contains a basic system to check that such messages claim to come from us. We post them from the user clarinet@clarinet.com currently, but we will be switching to distribution@clari.net on Sept 1, 1996, and you can have it check for that. Prior to that date, you should configure to check for both addresses.

However, anybody can post a message with that ID on it, so we have made use of a new system to digitally sign group control messages so you can be absolutely sure they come from us. You can read a description of how to install this system on the UUNET FTP site.

Once you have installed the system, you need to add the ClariNet Group PGP Public Key to your key ring.

This public key has the userid "ClariNet.Group" -- this is the string you will enter into your "control.ctl" file in the INN library directory for our messages. Some sample entries are shown below. The 2nd set of 3 are for the planned userid for sites that get our 4-star edition.


newgroup:clarinet@clarinet.com:clari.*|biz.clarinet.*:verify-ClariNet.Group
rmgroup:clarinet@clarinet.com:clari.*|biz.clarinet.*:verify-ClariNet.Group
checkgroups:clarinet@clarinet.com:clari.*|biz.clarinet.*:verify-ClariNet.Group

newgroup:cl-4@clari.net:clari.*|biz.clarinet.*:verify-ClariNet.Group
rmgroup:cl-4@clari.net:clari.*|biz.clarinet.*:verify-ClariNet.Group
checkgroups:cl-4@clari.net:clari.*|biz.clarinet.*:verify-ClariNet.Group

This means that any of these three messages (newgroup for group creation, rmgroup for group deletion and checkgroups for group list verification) must come from the user clarinet@clarinet.com or cl-4@clari.net and must be signed by the PGP key for "ClariNet.Group" as stored in your news PGP key ring.
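
A check that these entries are the ones that actually take effect, as an added example that is not part of the original page or of INN. It relies on INN using the last matching line in control.ctl, which this page does not state; the catch-all lines, the address forger@example.org, the group clari.news.sample and the use of Python's fnmatch in place of INN's wildmat are assumptions for the illustration.

```python
from fnmatch import fnmatchcase

# Constructed control.ctl: the page's clarinet@clarinet.com entries, with a
# catch-all default above them and a permissive newgroup line added below them.
SAMPLE_CTL = """\
all:*:*:mail
newgroup:clarinet@clarinet.com:clari.*|biz.clarinet.*:verify-ClariNet.Group
rmgroup:clarinet@clarinet.com:clari.*|biz.clarinet.*:verify-ClariNet.Group
checkgroups:clarinet@clarinet.com:clari.*|biz.clarinet.*:verify-ClariNet.Group
newgroup:*:*:doit
"""
MESSAGES = ("newgroup", "rmgroup", "checkgroups")

def effective_action(ctl_text, message, sender, group):
    """Action of the last line matching message type, sender and group."""
    action = None
    for raw in ctl_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        msg, frm, groups, act = line.split(":", 3)
        if (msg in ("all", message) and fnmatchcase(sender, frm)
                and any(fnmatchcase(group, g) for g in groups.split("|"))):
            action = act
    return action

def audit_ctl(ctl_text, sender, group, key="ClariNet.Group"):
    """List (message, action) pairs for `group` that skip the signature check."""
    want = "verify-" + key
    found = [(m, effective_action(ctl_text, m, sender, group)) for m in MESSAGES]
    return [(m, a) for m, a in found if a != want]
```

On the sample, audit_ctl(SAMPLE_CTL, "clarinet@clarinet.com", "clari.news.sample") flags newgroup as "doit": the later catch-all line overrides the verify entry, so a newgroup for a clari group would be acted on without a signature check, whatever the sender.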

We strongly recommend that you install verification code. While there have not been any significant instances of a malicious user abusing the current lack of security checks in USENET newsgroup creation when it comes to ClariNet groups, this state of affairs won't last forever.

Please note that if you are making business use of PGP, you need to get a copy of the commercial version, ViaCrypt PGP.

INN Checklist

  1. Feed from ClariNet allowed in - hosts.nntp.nolimit (if applicable)
  2. clari.net.talk fed back to feed site, but not rest of hierarchy
  3. ME: line configured for feed and distributions in newsfeeds
  4. "ctlinnd reload hosts.nntp" done every so often (weekly or better)
  5. newsfeeds checked to assure no outgoing ClariNet feeds
  6. nnrp.access checked to bar access to non-covered sites or outsiders
  7. Read access granted to ClariNet in nnrp.access (optional)
  8. Comments in newsfeeds, nnrp.access for future admins
  9. control.ctl file set for ClariNet newgroup messages and digital signature checking code installed

If you are a hub...

If you are one of our officially contracted hubs, contact us for special details on feeding constraints. In particular, in order for us to be able to add distributions, it is vital that all ClariNet feeds be configured with an inclusive distribution list, not an excluding one.