Hi!

My server currently greets users with:

200 news.chmurka.net InterNetNews NNRP server INN 2.7.0 ready (no posting)

So it's 200, but posting is not allowed. It's because authorization is
needed before user is able to post.

It seems that Mozilla Thunderbird has several problems with this (it's to
be confirmed, I think I'll create another port where it greets users with
201 and experiment; I don't want to break it for other readers). Result is
that Thunderbird tries to post, gets 480, and doesn't retry with auth, but
claims that the post has been posted. At least that's what users report,
combined with what I can see in logs (I didn't test it myself yet).

But is it correct? Should server in this case respond with 200, or with
201?

I found this in the RFC 3977:

https://datatracker.ietf.org/doc/html/rfc3977#section-5.1.2

But it's still not clear to me -- I just understand that it's a grey area
(200 is "posting allowed", 201 is "posting not allowed", and there's no
code for "posting will be allowed after auth") and readers should use
CAPABILITIES instead.

Looking at nnrpd.c it's clear that this behavior (200 when posting will be
allowed after auth) is expected:

#v+
Reply("%d %s InterNetNews NNRP server %s ready (%s)\r\n",
(PERMcanpost || (PERMcanauthenticate && PERMcanpostgreeting))
? NNTP_OK_BANNER_POST
: NNTP_OK_BANNER_NOPOST,
PERMaccessconf->pathhost, INN_VERSION_STRING,
(!PERMneedauth && PERMcanpost) ? "posting ok" : "no posting");
#v-

And (perm.c):

#v+
/* We assume that an access or dynamic script will allow
* the user to post when authenticated, so that a 200 greeting
* code can be sent. */
if (auth_realms[i]->access_script != NULL
|| auth_realms[i]->dynamic_script != NULL)
PERMcanpostgreeting = true;
#v-

Did you (other newsadmins) receive similar complaints from Thunderbird
users?

On Oct 29, 2023 at 8:46:13 PM CDT, "Adam W." <Adam W.> wrote:

> Did you (other newsadmins) receive similar complaints from Thunderbird
> users?

With Thunderbird you need to instruct users to check the option "Always
request authentication when connecting to this server" under the NNTP Server
Settings. It's been an annoyance with Thunderbird as long as I can recall.

gof-cut-this-news@cut-this-chmurka.net.invalid (Adam W.) writes:

> But is it correct? Should server in this case respond with 200, or with
> 201?

> I found this in the RFC 3977:

> https://datatracker.ietf.org/doc/html/rfc3977#section-5.1.2

> But it's still not clear to me -- I just understand that it's a grey
> area (200 is "posting allowed", 201 is "posting not allowed", and
> there's no code for "posting will be allowed after auth") and readers
> should use CAPABILITIES instead.

When we were writing the standard, we discovered that there were some
clients that, when presented with a 201, will never attempt to POST even
if you have authentication credentials configured that they might use.
Returning 200 made those clients do the right thing: attempt to post, get
a permission error, realize that maybe they should try to authenticate,
and end up in the right spot.

It sounds like you've run into a client with the exact opposite problem.
This is unfortunately a mess, and as you say the only real solution is for
the client to use CAPABILITIES.

--
Russ Allbery (eagle@eyrie.org) <https://www.eyrie.org/~eagle/>

Please post questions rather than mailing me directly.
<https://www.eyrie.org/~eagle/faqs/questions.html> explains why.

Jesse Rehmer <jesse.rehmer@blueworldhosting.com> wrote:
> On Oct 29, 2023 at 8:46:13?PM CDT, "Adam W." <Adam W.> wrote:
>
> > Did you (other newsadmins) receive similar complaints from Thunderbird
> > users?
>
> With Thunderbird you need to instruct users to check the option "Always
> request authentication when connecting to this server" under the NNTP Server
> Settings. It's been an annoyance with Thunderbird as long as I can recall.

I don't use Thunderbird as my regular newsreader, only for testing,
and I have a very old version (60.9.0).

That said:

For both my own little server (Hamster) and my real server
(News.Individual.Net), I have *not* ticked "Always request
authentication when connecting to this server" and they both work fine.

I haven't checked if Thunderbird keeps NNTP logs, but I checked my
Hamster logs when Thunderbird connects. The sequence is:

200 NNTP Server Classic Hamster Vr. 2.0 (Build 2.0.2.2) (post ok) says: Hi!
MODE READER
200 ignored
GROUP comp.mobile.android
480 Authentication required
AUTHINFO [redacted]
381 More authentication information required
AUTHINFO PASS [...]
281 Authentication accepted
GROUP comp.mobile.android
211 ... ... comp.mobile.android
XOVER ...-...

So while my server says "(post ok)", not "(no posting)" as in Adam's
case, that's AFAIK just a comment and what counts is the 200 response,
which is the same for both Adam and me.

So in my case, Thunderbird *does* start a (MODE READER,) AUTHINFO and
AUTHINFO PASS sequence after getting a 200 greeting, even while "Always
request authentication when connecting to this server" is *not* ticked.

It could be that the difference is in my old Thunderbird version
versus newer/current ones, but - in the groups I follow - I've not heard
from Thunderbird users that this changed and that they now have to tick
this setting.

So I wonder what the real story is? Perhaps someone - preferably an
admin who can inspect the server log - with a more current Thunderbird
could try?

On Oct 30, 2023 at 6:22:42 AM CDT, "Frank Slootweg" <this@ddress.is.invalid>
wrote:

> Jesse Rehmer <jesse.rehmer@blueworldhosting.com> wrote:
>> On Oct 29, 2023 at 8:46:13?PM CDT, "Adam W." <Adam W.> wrote:
>>
>>> Did you (other newsadmins) receive similar complaints from Thunderbird
>>> users?
>>
>> With Thunderbird you need to instruct users to check the option "Always
>> request authentication when connecting to this server" under the NNTP Server
>> Settings. It's been an annoyance with Thunderbird as long as I can recall.
>
> I don't use Thunderbird as my regular newsreader, only for testing,
> and I have a very old version (60.9.0).
>
> That said:
>
> For both my own little server (Hamster) and my real server
> (News.Individual.Net), I have *not* ticked "Always request
> authentication when connecting to this server" and they both work fine.
>
> I haven't checked if Thunderbird keeps NNTP logs, but I checked my
> Hamster logs when Thunderbird connects. The sequence is:
>
> 200 NNTP Server Classic Hamster Vr. 2.0 (Build 2.0.2.2) (post ok) says: Hi!
> MODE READER
> 200 ignored
> GROUP comp.mobile.android
> 480 Authentication required
> AUTHINFO [redacted]
> 381 More authentication information required
> AUTHINFO PASS [...]
> 281 Authentication accepted
> GROUP comp.mobile.android
> 211 ... ... comp.mobile.android
> XOVER ...-...
>
> So while my server says "(post ok)", not "(no posting)" as in Adam's
> case, that's AFAIK just a comment and what counts is the 200 response,
> which is the same for both Adam and me.
>
> So in my case, Thunderbird *does* start a (MODE READER,) AUTHINFO and
> AUTHINFO PASS sequence after getting a 200 greeting, even while "Always
> request authentication when connecting to this server" is *not* ticked.
>
> It could be that the difference is in my old Thunderbird version
> versus newer/current ones, but - in the groups I follow - I've not heard
> from Thunderbird users that this changed and that they now have to tick
> this setting.
>
> So I wonder what the real story is? Perhaps someone - preferably an
> admin who can inspect the server log - with a more current Thunderbird
> could try?

I do not recall what version the behavior changed, but in my experience
Thunderbird does not send AUTHINFO unless that option is checked. I do have my
own server that is offline, and over time Thunderbird users have reached out
due to being unable to post and checking that option is always the solution.

If I recall correctly, "(post ok)" means the client does not need to
authenticate to post and "(no posting)" is presented when additional
authentication is required.

Jesse Rehmer <jesse.rehmer@blueworldhosting.com> wrote:

> I do not recall what version the behavior changed, but in my experience
> Thunderbird does not send AUTHINFO unless that option is checked. I do
> have my own server that is offline, and over time Thunderbird users have
> reached out due to being unable to post and checking that option is
> always the solution.

I know that in Thunderbird 102.0 they changed the NNTP handling module to
(probably) some JavaScript thing (jsmodule) and disabling it (reverting to
the old module) helped, at least some users.

The config setting to disable it is called mailnews.nntp.jsmodule.

One user who complained that his posts were disappearing had this "always
auth" checkbox disabled. He enabled it, we'll see if it helps... hopefully
it does.

Thanks.