; WendzelNNTPd default configuration file
;
; Please note:
; By default, SQLite instead of MySQL is used, no
; authentication is activated, and the standard ports are used.
; Also, the server listens only on the localhost interfaces
; ("listen 127.0.0.1" and "listen ::1").
;;;;;;; Fundamental setup ;;;;;;;
; Specify a database engine. Currently supported are 'sqlite3'
; and 'mysql' as well as experimental support for 'postgres'.
database-engine sqlite3
;;;;;;; MySQL-specific parameters ;;;;;;;
; Your database hostname (not used in case of sqlite3).
database-server 127.0.0.1
; The database connection port (not used in case of sqlite3).
; Comment out to use the default port of your database engine.
database-port 3306
; Database server credentials (not used in case of sqlite3).
; The values below are placeholders; replace them before use.
database-username myuser
database-password mypass
;;;;;;; Network settings ;;;;;;;
; The port must be specified _before_ the 'listen' command!
; However, a mix like `port xyz, listen abc, port bca, listen zyb'
; should work fine, i.e., different ports can be assigned to
; different network interfaces.
<connector>
;; enables STARTTLS for this port
;enable-starttls
port 119
listen 127.0.0.1
;; configure SSL server certificate
tls-server-certificate "/usr/local/etc/ssl/server.crt"
;; configure SSL private key
tls-server-key "/usr/local/etc/ssl/server.key"
;; configure SSL CA certificate
tls-ca-certificate "/usr/local/etc/ssl/ca.crt"
;; configure TLS ciphers for TLSv1.3
tls-cipher-suites "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
;; configure TLS ciphers for TLSv1.1 and TLSv1.2
tls-ciphers "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
;; configure allowed TLS version (1.0-1.3)
tls-version "1.2-1.3"
;; optionally force the client to authenticate with a client certificate (none | optional | require)
;tls-verify-client "required"
;; define depth for checking client certificate
;tls-verify-client-depth 0
;; optionally check certificates against a certificate revocation list (none | leaf | chain)
;tls-crl "none"
;tls-crl-file "/usr/local/etc/ssl/ssl.crl"
</connector>
<connector>
;; enables STARTTLS for this port
;enable-starttls
port 119
listen ::1
;; configure SSL server certificate
tls-server-certificate "/usr/local/etc/ssl/server.crt"
;; configure SSL private key
tls-server-key "/usr/local/etc/ssl/server.key"
;; configure SSL CA certificate
tls-ca-certificate "/usr/local/etc/ssl/ca.crt"
;; configure TLS ciphers for TLSv1.3
tls-cipher-suites "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
;; configure TLS ciphers for TLSv1.1 and TLSv1.2
tls-ciphers "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
;; configure allowed TLS version (1.0-1.3)
tls-version "1.2-1.3"
;; optionally force the client to authenticate with a client certificate (none | optional | require)
;tls-verify-client "required"
;; define depth for checking client certificate
;tls-verify-client-depth 0
;; optionally check certificates against a certificate revocation list (none | leaf | chain)
;tls-crl "none"
;tls-crl-file "/usr/local/etc/ssl/ssl.crl"
</connector>
<connector>
;; enables TLS for this port
;enable-tls
port 563
listen 127.0.0.1
;; configure SSL server certificate (required)
tls-server-certificate "/usr/local/etc/ssl/server.crt"
;; configure SSL private key (required)
tls-server-key "/usr/local/etc/ssl/server.key"
;; configure SSL CA certificate (required)
tls-ca-certificate "/usr/local/etc/ssl/ca.crt"
;; configure TLS ciphers for TLSv1.3
tls-cipher-suites "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
;; configure TLS ciphers for TLSv1.1 and TLSv1.2
tls-ciphers "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
;; configure allowed TLS version (1.0-1.3)
tls-version "1.2-1.3"
;; optionally force the client to authenticate with a client certificate (none | optional | require)
;tls-verify-client "required"
;; define depth for checking client certificate
;tls-verify-client-depth 0
;; optionally check certificates against a certificate revocation list (none | leaf | chain)
;tls-crl "none"
;tls-crl-file "/usr/local/etc/ssl/ssl.crl"
</connector>
<connector>
;; enables TLS for this port
;enable-tls
port 563
listen ::1
;; configure SSL server certificate
tls-server-certificate "/usr/local/etc/ssl/server.crt"
;; configure SSL private key
tls-server-key "/usr/local/etc/ssl/server.key"
;; configure SSL CA certificate
tls-ca-certificate "/usr/local/etc/ssl/ca.crt"
;; configure TLS ciphers for TLSv1.3
tls-cipher-suites "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
;; configure TLS ciphers for TLSv1.1 and TLSv1.2
tls-ciphers "ALL:!COMPLEMENTOFDEFAULT:!eNULL"
;; configure allowed TLS version (1.0-1.3)
tls-version "1.2-1.3"
;; optionally force the client to authenticate with a client certificate (none | optional | require)
;tls-verify-client "required"
;; define depth for checking client certificate
;tls-verify-client-depth 0
;; optionally check certificates against a certificate revocation list (none | leaf | chain)
;tls-crl "none"
;tls-crl-file "/usr/local/etc/ssl/ssl.crl"
</connector>
; Uncomment 'verbose-mode' if you want to find errors or if you
; have problems with the logging subsystem. All log strings are
; also written to STDERR if verbose-mode is activated.
; Additionally, all commands sent by clients are written to STDERR
; (but not to the logfile). With authentication enabled this
; includes the clients' authentication commands, so verbose-mode
; should not stay enabled in normal operation.
;verbose-mode
;;;;;;; Advanced settings ;;;;;;;
; The max. allowed size of a single posting (in bytes). The
; default value is 20 MBytes (20*1024^2 = 20971520 bytes).
max-size-of-postings 20971520
; Activate authentication.
;use-authentication
; Store the Message Body in the database (only possible
; with postgres!).
; !!! This setting should NOT be changed after initial utilization
; of the server as old message bodies would not be locatable
; anymore!
; Default: store the message body in the filesystem
;message-body-in-db
; Store/load the unique message index within the database
; system. (Only possible with postgres!)
; !!! This should NOT be changed after initial utilization of
; the server as the message counter would be corrupted otherwise!
; Deactivated by default.
;message-count-in-db
; If you activated authentication (above, using the keyword
; `use-authentication'), you can also activate the support for
; access control lists (ACL).
;use-acl
; This keyword prevents IPs or hostnames from becoming part of
; the message ID generated by WendzelNNTPd (which is the default
; behavior). Uncomment `enable-anonym-mids' to enable this feature.
;enable-anonym-mids
; This keyword defines a salt that is combined with the
; passwords to calculate the cryptographic hashes. The salt must
; be in the form [a-zA-Z0-9.:\/-_]+.
; Please note that the final hash is calculated using
; salt+username+password as input, so that two or more users
; sharing the same password do not end up with identical hashes
; (identical hashes would make such shared passwords easy to
; identify).
; ATTENTION: If you change the salt after passwords have been
; stored, they will be rendered invalid! If you comment out
; hash-salt, the default hash salt defined in the source
; code will be used.
; You should change the default hash-salt value below before
; first use, as it is part of the publicly distributed default
; configuration!
hash-salt 0.hG4//3baA-::_\