The NNTP Service

The NNTP service is included as a component of IIS for the purpose of hosting discussion groups similar to USENET newsgroups. These discussion groups can be used by companies for internal use on corporate intranets, for customer help and support, and other purposes. Authentication can be required for users to read and post items to newsgroups, or the service can be configured to allow anyone access.

Note 

The NNTP component of IIS is a lightweight implementation intended mainly for the uses just described. For a fuller implementation of this protocol, including the ability to create and configure newsfeeds with USENET servers, you can use Microsoft Exchange.

Installing the NNTP Service

To use IIS as an NNTP host, you need to install the NNTP service component of IIS first; it is not installed by default on any edition of Windows Server 2003. If you haven’t done this yet, follow the procedure outlined earlier in the section entitled “Installing the SMTP and NNTP Services” before proceeding further in this chapter.

To verify your installation, open IIS Manager and make sure you have a node called Default NNTP Virtual Server in the console tree (see Figure 15-1, earlier). You can use IIS Manager to perform the following NNTP administration tasks:

  • Create and configure NNTP virtual servers and start, stop, and pause them independent of each other.

  • Configure authentication, security, connection, posting, and newsgroup settings for NNTP virtual servers.

  • Create and configure new newsgroups (including moderated ones), and post and reply to messages on them.

  • Display current sessions and terminate selected (or all) connections.

  • Rebuild an NNTP virtual server.

NNTP Directory Structure

When the NNTP service is installed on IIS, a directory structure is created with root folder \Inetpub\nntpfile on the local machine (Figure 15-18). This directory structure represents the article store for the service and consists of the following folders:

Figure 15-18: Directory structure associated with NNTP service

  • _temp.files_ A temporary folder used by the NNTP service while processing postings.

  • Drop All incoming postings are “dropped” into this folder, regardless of the newsgroup they are being posted to, until the NNTP service can process them and post them to the appropriate newsgroup.

  • Failedpickup Postings that are improperly formatted for NNTP are moved to this directory so they can be examined by the administrator.

  • Pickup Text files placed manually or programmatically into this folder will be “picked up” and moved to the \drop folder, from which they will be posted to the appropriate newsgroup (if properly formatted) or moved to the \failedpickup folder (if improperly formatted).

  • Root This is the parent folder for all newsgroup folders in which articles reside; it is discussed in the next two sections.

Default Newsgroups

There are four newsgroups created by default when the NNTP service is installed (Figure 15-19):

  • Control.cancel

  • Control.newgroup

  • Control.rmgroup

  • Microsoft.public.ins

    Figure 15-19: Default newsgroups of the Default NNTP Virtual Server

The control.* newsgroups are used for control messages sent by NNTP clients and other NNTP servers for communicating with the NNTP service on IIS. Do not delete any of these newsgroups or the NNTP service may fail. Also, do not delete any messages posted to them unless you have thorough knowledge of how the NNTP protocol works and you are troubleshooting communication between your server and other NNTP clients or hosts.

The Microsoft.public.ins newsgroup is a sample newsgroup containing a welcome message that you can use for posting test messages to your NNTP server to see if they are displayed by your NNTP client. You’ll learn how to post to newsgroups later in this chapter.

Newsgroup Directory Structure

Associated with the newsgroups described in the preceding section is a directory structure beneath the \Inetpub\nntpfile\root folder (see Figure 15-18 again). The first two folders (_slavegroup and _temp.files_) are used internally for the operation of the NNTP service. The remaining folders map to the four default newsgroups of the Default NNTP Virtual Server.

As an example of how newsgroups map to file system folders on IIS, consider the Microsoft.public.ins newsgroup, whose content folder is \root\microsoft\public\ins under \Inetpub\nntpfile. Note that the DNS structure of the newsgroup maps piece by piece to the hierarchy of folders starting with \microsoft. If you create a new newsgroup called mtit.public.buysell, the associated folder structure would be \root\mtit\public\buysell, and messages posted to this group would be stored in the \buysell folder. I’ll show you how to test this later in the chapter.

Configuring the Default NNTP Virtual Server

When you install the NNTP service on IIS, a Default NNTP Virtual Server is created that can immediately create new newsgroups and receive articles posted by NNTP clients like the Outlook Newsreader. You can create additional NNTP virtual servers if needed—for example, if you want to host discussion groups for more than one company. You can also rename the Default NNTP Virtual Server to something friendlier like Help Desk News Server. As you’ll see later in this chapter, there are many similarities between configuring NNTP and SMTP virtual servers in IIS.

General Tasks

General tasks for NNTP virtual server (or NNTP server) configuration (Figure 15-20) include:

Figure 15-20: Configuring general settings of an NNTP virtual server

  • IP Address Each NNTP server must be assigned a unique identity in the form of a combination of IP address and TCP port number. As usual, the default server has All Unassigned for its IP address, but you can change this to a specific address. You can also add additional IP addresses to assign multiple identities to your server so it can listen to several addresses in the same way as SMTP servers discussed previously. By default, NNTP uses port 119 for ordinary connections and 563 for encrypted SSL connections, and you should generally leave the default ports as assigned.

  • Connection limits and timeout values These settings are configured similarly to those for SMTP servers and apply to inbound connections from both NNTP clients and other NNTP servers. There are no configurable settings for outbound connections with other NNTP servers.

  • Logging You can enable logging and specify a logging format in the same way as for SMTP discussed previously.

  • Path Header This is the only setting on the General tab for NNTP servers that is different from those on the General tab for SMTP servers. You can specify a string here for the path line in each news posting. Path statements are generated by NNTP to record the path a news message takes to reach its destination. The string specified here will be added to the path line generated by the NNTP server in the message header.

    Note 

    Do not use periods in the path header string you specify. For more information on how NNTP path statements are generated, refer to RFC 1036.

Security and Authentication Settings

The settings for authentication, secure SSL communication, connection control, and operator permissions are essentially the same for NNTP as for SMTP, discussed previously. The only differences are for authentication (Figure 15-21):

Figure 15-21: NNTP server authentication methods

  • When you enable anonymous access on NNTP, you can specify which user account on your Windows machine (for stand-alone NNTP servers) or domain account (when using Active Directory) will control access by anonymous users to newsgroup content. By default, the Everyone built-in group and the ANONYMOUS LOGON system identity have Full Control permission on the \Inetpub\nntpfile\root folder and all its subfolders—in other words, on all newsgroup content. If no user account is specified here, the ANONYMOUS LOGON identity is used by default.

  • Unlike SMTP servers, no domain needs to be specified when enabling Basic Authentication for NNTP servers.

  • While SSL (specifically TLS) can only be enabled for Basic Authentication for SMTP servers, you can enable SSL for any authentication method (anonymous, Basic, or Integrated Windows) for NNTP servers. Additionally, if NNTP client computers have SSL client certificates installed and mapped to user accounts, you can configure NNTP servers to use client certificates for authenticating the NNTP clients.

Posting and Newsfeed Settings

The Settings tab of an NNTP server properties sheet configures settings for message posting and newsfeeds (Figure 15-22). The various configuration options include:

Figure 15-22: Configuring posting and newsfeed settings

  • Allow Client Posting You can enable or disable posting of articles by NNTP clients to your server (enabled by default), limit the size of posted messages to prevent your server from being overwhelmed (1MB per message, by default), and limit the amount of data posted during a client session (20MB, by default).

  • Allow Feed Posting You can enable or disable downloading of newsfeeds pulled from other NNTP hosts (such as USENET hosts) and limit the message size and total size of the feeds.

  • Allow Servers To Pull Articles From This Server You can allow other NNTP hosts to pull newsfeeds from your NNTP server (disabled by default).

  • Allow Control Messages Checking this causes your NNTP server to automatically process any NNTP control messages sent to it from another NNTP server and also to log these messages in the transaction log. Leaving it unchecked prevents control messages from being processed but logs them regardless. Note that enabling control messages can pose a threat to your newsgroups and should be done only by experienced NNTP administrators.

  • SMTP Server for Moderated Groups If you have moderated newsgroups on your server, you must specify the FQDN of an SMTP server that the NNTP server can use for sending messages to the moderator you’ve designated for that server. Or, instead of an FQDN, you can specify a local directory on your server to deliver such messages to.

  • Default Moderator Domain Specify the DNS name of the domain to which moderator messages will be sent for moderated newsgroups. For example, if you specify mtit.com here, moderator messages for the moderated newsgroup mtit.private.accounting will be sent to the e-mail address mtit.private.accounting@mtit.com.

  • Administrator E-mail Account If a message is sent to the moderator of a moderated newsgroup but can’t be delivered, an NDR will be generated and sent to the e-mail address specified here. Note, however, that such NDRs are only generated if you create the following DWORD Registry key on your IIS machine and assign it a value of 1:

    HKLM\System\CurrentControlSet\Services\NntpSvc\Parameters\MailFromHeader 

start sidebar
Note on Newsfeeds

At the time of writing this book, it is unclear if the newsfeeds feature of NNTP in IIS 6 actually works or not. Newsfeeds are the flow of information from one NNTP server to another and are used in USENET to replicate content among Internet NNTP hosts located around the world. Newsfeeds can either be outbound (pulled from your server to a remote NNTP host) or inbound (pulled from a remote host to your server). The options Allow Feed Posting and Allow Servers to Pull News Articles from This Server were included on the Settings tab of NNTP server properties in the earlier IIS 5 platform, but they didn't work, and there's currently no documentation on how to make this work in IIS 6, so it may not work in this platform either. Consult the latest documentation for Windows Server 2003 to determine the status of this feature.

end sidebar

Administering NNTP Servers

In addition to the usual tasks of stopping, starting, and pausing NNTP servers, administrators can perform the following tasks:

  • Create new newsgroups and configure them.

  • Create and configure expiration policies for newsgroups.

  • Create and configure new virtual directories for newsgroup content.

  • Restrict access to newsgroups for groups of users.

  • Create additional NNTP virtual servers.

  • Rebuild NNTP virtual servers.

  • Limit which type and how many newsgroups are displayed in IIS Manager.

IIS also has several admin scripts included for managing different aspects of NNTP servers.

Creating and Configuring Newsgroups

You can use the New Newsgroup Wizard to create a new newsgroup on your NNTP server and then configure it by opening the properties sheet for the newsgroup. To create a newsgroup called mtit.public.buysell on the Default NNTP Virtual Server:

  1. Open IIS Manager and expand the Default NNTP Virtual Server node in the console tree to expose the Newsgroups node beneath it.

  2. Right-click Newsgroups and select New | Newsgroup to open the wizard.

  3. Type mtit.public.buysell and click Next.

  4. Type a description and a Pretty Name (short description displayed by some NNTP clients) and click Finish.

Refresh the view in IIS Manager by pressing F5, and you should see your new newsgroup listed in the details pane. You’ll test posting to this newsgroup in a moment, but first I’ll go over what other configuration tasks you can perform. Right-click mtit.public.buysell to open the properties sheet for the newsgroup (Figure 15-23).

Figure 15-23: Configuring settings for a newsgroup

In addition to the Description and Pretty Name fields specified previously, there are two other settings that are specifically related to moderating the newsgroup:

  • Read Only Select this check box to allow only the moderator for the newsgroup to post articles to the group. This is useful for newsgroups that publish information such as product updates or the latest sales figures.

  • Moderated Select this check box and specify the moderator’s e-mail address if you want this to be a moderated newsgroup. A moderated newsgroup is one where articles that are posted are first sent to the moderator, who then decides whether each article should be accepted or not. Moderation is generally based on the relevance of the content and proper newsgroup etiquette. To use moderating, you need to also specify the relevant settings on the Settings tab of the NNTP server properties sheet, as discussed earlier.

You can also rename or delete newsgroups in the usual way.

Creating and Configuring Expiration Policies

An expiration policy defines how long posted articles remain in newsgroups before they are automatically deleted by the server. Expiration policies can apply to individual newsgroups, several newsgroups, or all newsgroups on the server. You can create as many expiration policies as you desire, and none are created by default. If you fail to create expiration policies for heavily used newsgroups, your server’s disk may become full and the NNTP service may shut down until you delete some of the articles manually.

To create an expiration policy for the mtit.public.buysell newsgroup you created earlier, follow these steps:

  1. Open IIS Manager and expand the Default NNTP Virtual Server node in the console tree to expose the Expiration Policies node beneath it.

  2. Right-click Expiration Policies and select New | Expiration Policy.

  3. Type Expiration Policy for mtit.public.* newsgroups and click Next.

  4. By default, the expiration policy applies to * (an asterisk), meaning all newsgroups on the server. Click the Remove button to remove this setting, and click Add to open the Add Newsgroup dialog box (Figure 15-24).


    Figure 15-24: Creating an expiration policy

  5. Leave the Include option selected, type mtit.public.* in the Newsgroup text box, and click OK to close the dialog box.

  6. Click Next, and specify how long news articles should remain on the server before being deleted (the default is 168 hours or 1 week).

  7. Click Finish, and verify that your new expiration policy is displayed in the details pane.

You can further configure your new policy by opening its properties sheet and changing the time interval or which newsgroups it applies to. You can also rename or delete the policy.

Creating and Configuring Virtual Directories

NNTP virtual directories specify where content for newsgroups is located, and like WWW virtual directories, this can be either a folder on the local machine or a shared folder on a network file server. Select the Virtual Directories node under the Default NNTP Virtual Server node to see what virtual directories are defined on your server (Figure 15-25).

Figure 15-25: Displaying the virtual directories for the Default NNTP virtual server

By default, IIS creates two virtual directories for hosting the content of the Default NNTP Virtual Server:

  • Default This alias maps to the C:\Inetpub\nntpfile\root folder. New newsgroups you create will have their content folder subtrees located within this folder.

  • Control This alias maps to the C:\Inetpub\nntpfile\root\control folder. This is used for the control.* newsgroups utilized internally by the NNTP service.

You can configure several aspects of these virtual directories by opening their properties sheets. Look at the settings for the Default virtual directory (Figure 15-26):

Figure 15-26: Configuring the Default virtual directory

  • Contents Click this button to specify a different folder on the local machine to map to the virtual directory alias, or to specify the UNC path to a remote network share and the credentials needed to access this share.

  • Secure Click this button to enable or disable SSL for newsgroups associated with this virtual directory and to choose whether to use 40- or 128-bit encryption.

  • Allow Posting Configure this setting to allow or deny users to post articles to newsgroups using the virtual directory.

  • Restrict Newsgroup Visibility If this is checked, only users who are authenticated by the NNTP server will be able to see the newsgroups using the virtual directory when they try to list (enumerate) the newsgroups on the server. This feature makes it possible for administrators to “hide” some or all of their newsgroups from anonymous users. Don’t select this option unless you require it; it adds processing overhead to the server and can slow performance.

  • Log Access Lets you enable or disable IIS logging for newsgroups using the virtual directory. Logging must still be turned on globally on the General tab of the NNTP virtual server’s properties sheets for it to work, however.

  • Index News Content Like the WWW Service discussed in Chapter 7, “Creating and Configuring Websites,” the NNTP service automatically enables content indexing on all newsgroup content. However, the Indexing service is not started by default on Windows Server 2003, and no indexing will take place unless the Indexing service is started using Services in Control Panel.

You can also create new virtual directories to host your newsgroup content. For example, to create a new virtual directory for mtit.private.* newsgroups, which you could create later for the company intranet, do this:

  1. Right-click the Virtual Directories node, and select New | Virtual Directory to open the New NNTP Virtual Directory Wizard.

  2. Start the wizard, type mtit.private as the newsgroup subtree that will use this virtual directory, and click Next.

  3. Select either File System or Remote to specify the location for the virtual directory’s contents, and complete the wizard.

Now create a new newsgroup called mtit.private.accounts and verify that a folder called “accounts” has been created in your virtual directory’s location as the content location for this newsgroup. Your new virtual directory may be in a disabled state, and you may need to restart your NNTP virtual server after you create your first newsgroup for this virtual directory to make it work.

Creating New Virtual Servers

You can create additional NNTP virtual servers similar to the way you created SMTP virtual servers earlier in this chapter. When you create a new NNTP virtual server, however, you are prompted to specify two paths—one for the NNTP server’s internal files and the other for the newsgroup content. The folder for internal files must be local to the server, while the newsgroup content can be located either locally or on a remote network share. For comparison, the location of the internal files for the Default NNTP Virtual Server is \Inetpub\nntpfile, and the content directory is \Inetpub\nntpfile\root.

Restricting Access to Newsgroups

In addition to hiding newsgroups as discussed previously, you can also control access to newsgroups by configuring suitable permissions on the content folders for your newsgroups. Setting permissions at the \root folder level will apply to all newsgroups that use this folder. Alternatively, you can set permissions at sublevels to control access to specific subtrees of newsgroups or individual newsgroups. If you restrict access to newsgroups this way, you should also disable anonymous access to your NNTP server. The LocalSystem account should always have Full Control permission on all newsgroup folders.
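
Setting permissions at a sublevel requires knowing which folder actually backs a given newsgroup. The following Python sketch is an added example, not code from the book or from IIS; it applies the mapping described in this chapter (the longest matching virtual directory subtree, then one subfolder per remaining name component). The D:\news\private location and the permitted character set for name components are assumptions made for the example.

```python
# Added example, not from the book or from IIS itself.
import re
from pathlib import PureWindowsPath

# Newsgroup subtree -> content location, as listed under the Virtual
# Directories node. "" stands for the Default alias. The mtit.private
# location is a hypothetical path chosen for this example.
VIRTUAL_DIRECTORIES = {
    "": r"C:\Inetpub\nntpfile\root",
    "control": r"C:\Inetpub\nntpfile\root\control",
    "mtit.private": r"D:\news\private",
}

# Assumed safe alphabet for one name component. Anything else (empty
# components, "..", slashes, drive letters) is rejected so a crafted
# name can never resolve outside the content root.
_COMPONENT = re.compile(r"[a-z0-9][a-z0-9+_-]*")


def split_group(name):
    """Return the lowercase components of a newsgroup name, or raise ValueError."""
    parts = name.strip().lower().split(".")
    for part in parts:
        if not _COMPONENT.fullmatch(part):
            raise ValueError(f"unsafe newsgroup component {part!r} in {name!r}")
    return parts


def content_folder(newsgroup, vdirs=VIRTUAL_DIRECTORIES):
    """Return (virtual directory subtree, folder) that stores the newsgroup."""
    parts = split_group(newsgroup)
    best = None
    for subtree, root in vdirs.items():
        prefix = split_group(subtree) if subtree else []
        # Compare whole components: "mtit.privateer" is not under "mtit.private".
        if parts[:len(prefix)] == prefix:
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, subtree, root)
    if best is None:
        raise LookupError(f"no virtual directory covers {newsgroup!r}")
    prefix, subtree, root = best
    folder = PureWindowsPath(root).joinpath(*parts[len(prefix):])
    return subtree, str(folder)


if __name__ == "__main__":
    for group in ("Microsoft.public.ins", "mtit.public.buysell",
                  "control.cancel", "mtit.private.accounts"):
        print(group, "->", content_folder(group))
```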

Limiting Newsgroup Enumeration

You can filter which newsgroups will be displayed when you select the Newsgroups node in IIS Manager. This is useful if you have thousands of newsgroups hosted on your machine. To do this, right-click Newsgroups and select Limit Groups Enumeration.

By default, all newsgroups (indicated by an asterisk) are enumerated on the server (Figure 15-27). To change this so that only newsgroups such as mtit.public.buysell and mtit.public.announcements are displayed, type mtit.public.* in the text box. You can also specify the maximum number of newsgroups displayed in the results pane; the default is 100. Note that hiding newsgroups here in IIS Manager does not hide them from NNTP clients!


Figure 15-27: Limiting newsgroup enumeration

Rebuilding an NNTP Virtual Server

If files become corrupted on your NNTP server and newsgroups or messages are not displayed, you can rebuild your server to correct the problem. This action will update the indexes and hash tables that keep track of the articles posted to your server. To rebuild a server, follow these steps:

  1. Stop the NNTP virtual server you want to rebuild by right-clicking it and selecting Stop.

  2. Right-click the virtual server again, and select All Tasks | Rebuild Server (Figure 15-28).

    Figure 15-28: Rebuilding an NNTP virtual server

  3. Try a Standard rebuild first, restart your virtual server, and test. If the problem has not been resolved, repeat the process and try a Thorough rebuild.

  4. If a rebuild fails to correct the problem, consult the Knowledge Base on the Microsoft Product Support Services (PSS) website at support.microsoft.com for further information on troubleshooting NNTP service problems on IIS.

NNTP Admin Scripts

IIS 6 also includes several admin scripts for managing certain aspects of the NNTP service:

  • Rexpire.vbs Adds, deletes, or modifies expiration policies. For example, to enumerate the expiration policies on the Default NNTP Virtual Server (whose ID is 1), do this:

    C:\>cd C:\Windows\system32\inetsrv
    C:\WINDOWS\system32\inetsrv>rexpire -t e -v 1
    Expire ID: 1
    Name: Expiration policy for mtit.public.* newsgroups
    Time horizon: 168
    Newsgroups: mtit.public.*

  • Rgroup.vbs Creates, deletes, or modifies newsgroups. For example, to create the newsgroup mtit.public.announcements, do this:

    C:\WINDOWS\system32\inetsrv>rgroup -t a -g mtit.public.announcements
    Newsgroup: mtit.public.announcements
    Description:
    Moderator:
    Read only: False
    Prettyname:
    Creation time: 1/24/2003 4:46:00 PM

  • Rsess.vbs Enumerates and terminates NNTP client sessions with your server. For example, to enumerate all active sessions, do this:

    C:\WINDOWS\system32\inetsrv>rsess -t e
    Number of sessions: 0

  • Rfeed.vbs Configures newsfeeds with other NNTP hosts. This feature is still not documented at the time of writing, apart from what is displayed when you type rfeed /? at the command prompt. Consult the latest Windows Server 2003 documentation for more information on this feature.

Testing the NNTP Service

I’ll end this chapter by performing a simple test to see if you can post a message to a newsgroup on your NNTP server. You can use any NNTP client you are familiar with; I’ll use the newsreader included with Microsoft Outlook 2000 for illustration.

Posting Messages with Outlook Newsreader

Post a message to the mtit.public.announcements group you created earlier using the Rgroup.vbs script or to any other newsgroup on your server:

  1. Open Microsoft Outlook and select View | Go To | News to open the Outlook Newsreader.

  2. Select Tools | Accounts to open the Internet Accounts box.

  3. Click the Add button, and select News to open the Internet Connection Wizard.

  4. Follow the wizard, and specify the IP address of the Default NNTP Virtual Server on your IIS machine until the wizard completes.

  5. Close the Internet Accounts dialog box, and click OK when a message displays asking if you would like to download a list of newsgroups from the server.

  6. A dialog box called Newsgroup Subscriptions should display the newsgroups on your IIS machine. Double-click the mtit.public.announcements group to subscribe to the group, and click the Go To button to display the messages in that group in the Outlook Newsreader (there won’t be any yet).

  7. Click the New Post button on the newsreader and try posting a test message to the group. Click the Send/Recv button to ensure the message has been sent, and then click the Headers button to download headers for new messages on the server.

    Note 

    You can also use Telnet to test NNTP servers. This is similar to what you did earlier in this chapter to test SMTP with Telnet. To learn about the various Telnet commands used for NNTP, see RFC 997.

start sidebar
Challenge

Use the Help and Support Center on Windows Server 2003 to find out more about the new POP3 service included in this platform. Now that Windows server platforms include both SMTP and POP3 services, why would you need to deploy Microsoft Exchange for your company? What messaging and collaboration features does Microsoft Exchange include that the default SMTP and POP3 services can't provide? In what circumstances would the SMTP and POP3 services be sufficient, and when would Exchange be needed instead? If you are not familiar with the features of Microsoft Exchange, see www.microsoft.com/exchange for more information.

end sidebar

The message you posted should be displayed in Outlook Newsreader. The NNTP service on IIS stores messages as text files with the extension *.nws in the folder mapped to the name of the newsgroup. For example, the test message you posted to mtit.public.announcements is in the folder \Inetpub\nntpfile\root\mtit\public\announcements.

Because this is the first message posted to this group, the name of the message will be 1000000.nws. If you open this file in Notepad, it should look something like this (depending on how you’ve configured your account for the NNTP server):

    From: "Mitch Tulloch" <info@NOSPAMmtit.com>
    Subject: test
    Date: Fri, 24 Jan 2003 17:04:31 -0600
    Lines: 8
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Newsreader: Microsoft Outlook Express 5.50.4920.2300
    X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4920.2300
    Message-ID: <4TiXbz$wCHA.2096@esrv220b>
    Newsgroups: mtit.public.announcements
    Path: esrv220b
    Xref: esrv220b mtit.public.announcements:1
    NNTP-Posting-Host: 172.16.11.44

    This is just a test.
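
Because each article is a plain text file with headers like those shown above, stored articles can be reviewed with a short script. The following Python sketch is an added example, not code from the book or from IIS; it parses one .nws file and reports whether the Newsgroups header matches the folder the file was found in, whether NNTP-Posting-Host lies in a trusted network, and whether the article is a control message (a Control header as defined in RFC 1036). The trusted network 172.16.0.0/12 and the finding labels are assumptions made for the example.

```python
# Added example, not from the book or from IIS itself.
from email import message_from_string
from ipaddress import ip_address, ip_network

# Constructed sample in the layout shown in this chapter:
# header lines, one blank line, then the body.
SAMPLE_NWS = """\
From: "Mitch Tulloch" <info@NOSPAMmtit.com>
Subject: test
Date: Fri, 24 Jan 2003 17:04:31 -0600
Message-ID: <4TiXbz$wCHA.2096@esrv220b>
Newsgroups: mtit.public.announcements
Path: esrv220b
Xref: esrv220b mtit.public.announcements:1
NNTP-Posting-Host: 172.16.11.44

This is just a test.
"""


def review_article(raw, folder_group, trusted_nets=("172.16.0.0/12",)):
    """Parse one .nws article and return its key headers plus findings.

    folder_group is the newsgroup whose content folder held the file;
    trusted_nets is an assumed list of networks clients may post from.
    """
    msg = message_from_string(raw)
    findings = []

    # The article should name the newsgroup whose folder it is stored in.
    groups = [g.strip().lower()
              for g in (msg.get("Newsgroups") or "").split(",") if g.strip()]
    if folder_group.lower() not in groups:
        findings.append("newsgroups-mismatch")

    # The posting host should be an address inside a trusted network.
    host = (msg.get("NNTP-Posting-Host") or "").strip()
    try:
        addr = ip_address(host)
        if not any(addr in ip_network(net) for net in trusted_nets):
            findings.append("untrusted-posting-host")
    except ValueError:
        findings.append("posting-host-missing-or-not-ip")

    # RFC 1036 control messages carry a Control header (cancel, newgroup, rmgroup).
    control = (msg.get("Control") or "").split()
    if control:
        findings.append("control-message:" + control[0].lower())

    return {
        "message_id": (msg.get("Message-ID") or "").strip(),
        "posting_host": host,
        # Path is a "!"-separated list of the hosts the article passed through.
        "path": [h for h in (msg.get("Path") or "").strip().split("!") if h],
        "findings": findings,
    }


if __name__ == "__main__":
    print(review_article(SAMPLE_NWS, "mtit.public.announcements"))
```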




IIS 6 Administration
ISBN: 0072194855
EAN: 2147483647
Year: 2003
Pages: 131
Authors: Mitch Tulloch
