Re: Check certificate for news server (testing neodome)

https://novabbs.com/computers/article-flat.php?id=3664&group=alt.free.newsservers#3664
Path: i2pn2.org!i2pn.org!paganini.bofh.team!not-for-mail
From: ron...@nospam.me (Ronald)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 06:40:45 -0500
Organization: To protect and to server
Message-ID: <ungmvt$173od$1@paganini.bofh.team>
References: <undqeu$tpek$1@paganini.bofh.team> <unevbk$6eke$2@solani.org> <ung57r$166to$1@paganini.bofh.team> <s2ss6kxr43.ln2@Telcontar.valinor> <ungg3j$5hkb$5@solani.org> <ungkpf$170ai$1@paganini.bofh.team> <ungl4l$5hkb$8@solani.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 8bit
Injection-Date: Mon, 8 Jan 2024 11:40:46 -0000 (UTC)
Injection-Info: paganini.bofh.team; logging-data="1281805"; posting-host="R8jzoRbLjiM/r2rQyny/kg.user.paganini.bofh.team"; mail-complaints-to="usenet@bofh.team"; posting-account="9dIQLXBM7WM9KzA+yjdR4A";
User-Agent: 40tude_Dialog/2.0.15.41 (Beta 38)
Cancel-Lock: sha256:CiOEWH6VDAR1mWrlyYc+xIE9gipDsFx9JRPKKcNUdJY=
X-Notice: Filtered by postfilter v. 0.9.3
 by: Ronald - Mon, 8 Jan 2024 11:40 UTC

On Mon, 8 Jan 2024 12:09:09 +0100, Marco Moock wrote:

>> Of course sTunnel complains that MITM attacks can happen but I'm not
>> worried about that (as I only use encryption because Neodome requires
>> it).
>
> You can use 119 without STARTTLS.

I don't know what that "without STARTTLS" means, but I already tried 119
with and without the 40Tude Dialog "SSL" button checked & posting failed.

You can _read_ from Neodome servers using this basic newsreader setup.
Dialog Host: news.neodome.net
Dialog Port: 119
Dialog SSL: unchecked
Dialog Username: leave blank
Dialog Password: leave blank
Dialog Allwd. conn.: 2
Dialog Use pipelining (unchecked)

You can post to Neodome using the old deprecated Dialog encryption.
Dialog Host: news.neodome.net
Dialog Port: 563
Dialog SSL: checked
Dialog Username: your_uname
Dialog Password: your_passwd
Dialog Allwd. conn.: 2
Dialog Use pipelining (unchecked)

You _should_ post to Neodome (with an account) using sTunnel encryption
Dialog Host: 127.0.0.1 [You can use "localhost" if you like]
Dialog Port: 60563 [You can choose any unused port you like]
Dialog SSL: unchecked
Dialog Username: your_uname
Dialog Password: your_passwd
Dialog Allwd. conn.: 2
Dialog Use pipelining (unchecked)

[Neodome]
; This skips the check of the expired self-signed certificate
client = yes
accept = 127.0.0.1:60563
connect = news.neodome.net:563
verify = 0
; verifyChain = yes
; CAfile = ca-certs.pem
; checkHost = news.neodome.net
; OCSPaia = yes

This also works to post to Neodome with an account using sTunnel encryption
Dialog Host: 127.0.0.1 [You can use "localhost" if you like]
Dialog Port: 60563 [You can choose any unused port you like]
Dialog SSL: unchecked
Dialog Username: your_uname
Dialog Password: your_passwd
Dialog Allwd. conn.: 2
Dialog Use pipelining (unchecked)

; sTunnel will use the latest encryption standards (Dialog will not)
[Neodome]
; With no verify option stunnel does not check the certificate, so it
; does not matter that the self-signed certificate has expired
client = yes
; must be the same port as "Dialog Port" above
accept = localhost:60563
connect = news.neodome.net:563

If all else fails, apparently you can post using anonymous remailers.
But I don't know how to do that.

>> Even the original email from the Neodome admin only mentions that one
>> line, saying it's needed because it's a self-signed certificate.
>>
>> What must have happened is at some point I uncommented those lines.
>> Silly me. The problem turns out to have been self inflicted.
>>
>> What I learned in this thread is that there are two separate tasks.
>> One is CHECKING the certificate.
>> The other is ENCRYPTING the packets.
>
> And reading/posting is another task.
> If one of that works, the connection is established.

Yes. Reading doesn't need login credentials, but posting does.
Posting needs encryption but it does not need certificate checking.
In fact, checking the certificate turned out to be the problem all along.
The certificate doesn't want to be checked. :->

>
>> By setting "verify = 0" I'm telling sTunnel to NOT check the
>> certificate. So it doesn't matter that it has been expired for over
>> three years.
>
> That will ignore that it is expired.
> But that won't fix the problem that you aren't allowed to post.

I never said I wasn't allowed to post.
The only problem was the socket error.

Turns out that simply meant that the post failed.
But it only failed because the certificate checking failed.

Once I told sTunnel to not check the certificate, posting worked again.
This is the correct setup for sTunnel with Neodome for posting.

;40tude Dialog newsreader setup
Dialog Host: 127.0.0.1 [localhost also works]
Dialog Port: 62563 [use any available unused port]
Dialog SSL: unchecked
Dialog Username: mylogin [login is assigned by Neodome admin]
Dialog Password: mypasswd [passwd is assigned by Neodome admin]
Dialog Allwd. conn.: 2
Dialog Use pipelining (unchecked)

; sTunnel.conf setup
[Neodome]
client = yes
; use whatever port was assigned in Dialog
accept = 127.0.0.1:62563
connect = news.neodome.net:563
; this is required to /skip/ the certificate checks
verify = 0
;verifyChain = yes
;CAfile = ca-certs.pem
;checkHost = news.neodome.net
;OCSPaia = yes

That works for posting!
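The setup above keeps the traffic encrypted but, with verify = 0, no longer checks who is on the other end, which is the man-in-the-middle warning stunnel prints. The Python below is an added example (not Ronald's code and not part of stunnel) of the middle ground for a self-signed or expired certificate: switch off the chain and expiry checks, but pin the server certificate's SHA-256 fingerprint, so a different certificate from an interposed host is still rejected before any password is sent. The DER bytes in the block are constructed for the demonstration; a real pin is recorded once, out of band, for instance with openssl s_client -connect news.neodome.net:563 </dev/null | openssl x509 -noout -fingerprint -sha256, and the pinned_tls_connect call at the end assumes such a recorded value.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a DER-encoded certificate (not a real certificate);
# it only exercises the hashing and comparison code below.
SAMPLE_DER = bytes(range(256)) + b"constructed-sample-certificate"


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate as colon-separated uppercase
    hex, the same format 'openssl x509 -fingerprint -sha256' prints."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der_cert: bytes, pinned: str) -> bool:
    """Compare against the pinned value in constant time; the pin may be
    written in either case."""
    return hmac.compare_digest(cert_fingerprint(der_cert), pinned.upper())


def pinned_tls_connect(host: str, port: int, pinned: str,
                       timeout: float = 15.0) -> ssl.SSLSocket:
    """Open a TLS connection and keep it only if the server presented the
    pinned certificate.

    Chain, expiry and hostname checks are switched off (the equivalent of
    stunnel's verify = 0), so an expired self-signed certificate is tolerated,
    but the certificate itself must be the one that was pinned: a host in the
    middle presenting its own certificate is rejected before any NNTP command
    or AUTHINFO password goes over the wire."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)  # DER is returned even with CERT_NONE
    if der is None or not fingerprint_matches(der, pinned):
        seen = cert_fingerprint(der) if der else "no certificate"
        tls.close()
        raise ssl.SSLCertVerificationError(
            f"{host}:{port} presented an unexpected certificate ({seen})")
    return tls


if __name__ == "__main__":
    # PINNED_FINGERPRINT is a placeholder: paste the value recorded out of band.
    PINNED_FINGERPRINT = "AA:BB:...:ZZ"
    print("sample fingerprint:", cert_fingerprint(SAMPLE_DER))
    # s = pinned_tls_connect("news.neodome.net", 563, PINNED_FINGERPRINT)
    # ... hand s to the NNTP code (MODE READER, AUTHINFO, POST) ...
```

When the server legitimately replaces its certificate the call fails closed and the pin has to be updated deliberately; that is the intended behaviour, and it is the difference between this and verify = 0, which accepts anything.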

Re: Check certificate for news server (testing neodome)

https://novabbs.com/computers/article-flat.php?id=3665&group=alt.free.newsservers#3665
Path: i2pn2.org!i2pn.org!paganini.bofh.team!not-for-mail
From: ron...@nospam.me (Ronald)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 06:48:40 -0500
Organization: To protect and to server
Message-ID: <ungnep$1748n$1@paganini.bofh.team>
References: <undqeu$tpek$1@paganini.bofh.team> <te1s6kxkvs.ln2@Telcontar.valinor> <unfp57$15kco$1@paganini.bofh.team> <ung4q6$5f9h$2@solani.org> <ung5ov$167o5$1@paganini.bofh.team> <unga36$5hkb$2@solani.org> <unght8$16rj2$1@paganini.bofh.team> <rkknpi97pncu6kq96os6rddfoh3kiucvp5@joergwalther.my-fqdn.de> <ungkav$16v7g$1@paganini.bofh.team> <ungl9l$5hkb$9@solani.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 8bit
Injection-Date: Mon, 8 Jan 2024 11:48:41 -0000 (UTC)
Injection-Info: paganini.bofh.team; logging-data="1282327"; posting-host="R8jzoRbLjiM/r2rQyny/kg.user.paganini.bofh.team"; mail-complaints-to="usenet@bofh.team"; posting-account="9dIQLXBM7WM9KzA+yjdR4A";
User-Agent: 40tude_Dialog/2.0.15.41 (Beta 38)
Cancel-Lock: sha256:JLL6PyM8ANEUCA0WdbpfwC5t/jy5rATnB3AvdGraEgU=
X-Notice: Filtered by postfilter v. 0.9.3
 by: Ronald - Mon, 8 Jan 2024 11:48 UTC

On Mon, 8 Jan 2024 12:11:49 +0100, Marco Moock wrote:

>> I don't need encryption for my own sense of security but the Neodome
>> server will not allow any posting without encryption. The server is
>> what needs it.
>
> I am not allowed to post with encryption via 563 (unauthenticated).

I don't think the Neodome admin is giving out credentials anymore, so
(AFAIK) nobody will be allowed to post unless they've been grandfathered.

There are "some" postable newsgroups I'm told by Vanguard though.
Everything below is a paste from a Vanguard post on the newsreader group.

Their web site disappeared (www.neodome.net). Last time
it was found per web.archive.org was Jun 18, 2021:

http://web.archive.org/web/20210618113621/http://neodome.net/

I can still do "telnet news.neodome.net 119" to get a connect.

Their archived web page says:
- 3 of their servers are read only for non-neodome.* newsgroups, and
require login (user=test, pass=test) to post only to their neodome.*
newsgroups.
- 2 of those look to be for onion/Tor connects.
- The 4th server (top of their list) doesn't mention any restriction on
reading or posting for any newsgroup, and no mention of login.

Their web site disappeared a couple years ago, so I have no idea if
their conditions on use have changed since then, but no way to check
since they don't have a web site anymore. Maybe they put announcements
in their own neodome.* newsgroups.

However, from their archived web page, looks like one of their servers
(the most used one since the others look for Onion/Tor access) requires
no login for read/write access.

news.neodome.net:
119 - read/write
119 (STARTTLS) - read/write
563 (SSL) - read/write

For the /other/ servers, a login was specified:

test login: test
test password: test

When I added Neodome to Dialog and tested access (read), I needed no
login credentials to read. I wasn't interested in using Neodome, so I
didn't try submitting an article (write).

I actually have a filter to ignore-flag any posts originating at Neodome
(and also ignore any subthreads to an ignore-flagged article), and use a
default view of Hide Ignored. I don't keep messages very long in the
client (purged after 60 days). A search on "neodome" in headers didn't
find any still left in my Dialog. Not sure anyone still uses Neodome.
Not what they peer, but what gets submitted to them as the injection
node.

Re: Check certificate for news server (testing neodome)

https://novabbs.com/computers/article-flat.php?id=3666&group=alt.free.newsservers#3666
Path: i2pn2.org!i2pn.org!news.1d4.us!usenet.goja.nl.eu.org!weretis.net!feeder8.news.weretis.net!reader5.news.weretis.net!news.solani.org!.POSTED!not-for-mail
From: mm+sol...@dorfdsl.de (Marco Moock)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 12:50:08 +0100
Message-ID: <ungnhg$5hkb$10@solani.org>
References: <undqeu$tpek$1@paganini.bofh.team>
<unevbk$6eke$2@solani.org>
<ung57r$166to$1@paganini.bofh.team>
<s2ss6kxr43.ln2@Telcontar.valinor>
<ungg3j$5hkb$5@solani.org>
<ungkpf$170ai$1@paganini.bofh.team>
<ungl4l$5hkb$8@solani.org>
<ungmvt$173od$1@paganini.bofh.team>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Injection-Date: Mon, 8 Jan 2024 11:50:08 -0000 (UTC)
Injection-Info: solani.org;
logging-data="181899"; mail-complaints-to="abuse@news.solani.org"
Cancel-Lock: sha1:/JFIFy0Yt+YAN9LB1cqQMTr4bds=
X-User-ID: eJwFwQkBwDAIA0BLA8JTOS0Q/xJ25xYSnQgPOJ2rqmmjOsOUEsypbVzifXUSwkbQKos3+u0PFvURRA==
X-Newsreader: Claws Mail 4.2.0 (GTK 3.24.38; x86_64-pc-linux-gnu)
 by: Marco Moock - Mon, 8 Jan 2024 11:50 UTC

Am 08.01.2024 um 06:40:45 Uhr schrieb Ronald:

> On Mon, 8 Jan 2024 12:09:09 +0100, Marco Moock wrote:
>
> >> Of course sTunnel complains that MITM attacks can happen but I'm
> >> not worried about that (as I only use encryption because Neodome
> >> requires it).
> >
> > You can use 119 without STARTTLS.
>
> I don't know what that "without STARTTLS" means,

It is a mechanism to run TLS inside of NNTP (and other protocols).

> but I already tried 119 with and without the 40Tude Dialog "SSL"
> button checked & posting failed.

Does reading work?
If so, the connection is fine.

Posting is DENIED without authentication, regardless of the encryption
mechanism.

Please try posting WITH authentication directly without stunnel in a
current newsreader like Thunderbird.
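Marco's point, that the server's answer to POST depends on authentication and not on whether the connection is encrypted, can be seen in the response codes alone. The following Python is an added example, not any newsreader's or server's code: a small in-memory model of an NNTP server that answers GROUP without a login but replies 480 to POST until AUTHINFO USER/PASS has succeeded (381, then 281, the same codes that appear in the Dialog log quoted later in this thread), plus a client routine that walks the exchange and records both sides. The user name, password and greeting are constructed for the model.

```python
# Constructed credential store for the model; no real account.
USERS = {"alice": "s3cret"}


class NntpServerModel:
    """Minimal model of the server side of an NNTP session.

    Reading commands (MODE READER, GROUP) need no login; POST is refused with
    480 until AUTHINFO has succeeded. Nothing here depends on TLS: the same
    exchange happens over port 119, STARTTLS or a stunnel-wrapped 563."""

    def __init__(self, users):
        self.users = users
        self.pending_user = None
        self.authenticated = False

    def handle(self, line: str) -> str:
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "MODE" and arg.upper() == "READER":
            return "200 model.example reader mode ready (posting ok)"
        if cmd == "GROUP":
            return f"211 0 0 0 {arg}"  # open for reading, no auth checked
        if cmd == "AUTHINFO":
            sub, _, value = arg.partition(" ")
            sub = sub.upper()
            if sub == "USER":
                self.pending_user = value
                return "381 Enter password"
            if sub == "PASS":
                if self.pending_user and self.users.get(self.pending_user) == value:
                    self.authenticated = True
                    return "281 Authentication succeeded"
                self.pending_user = None
                return "481 Authentication failed"
            return "501 Syntax error"
        if cmd == "POST":
            if not self.authenticated:
                return "480 Authentication required for posting"
            return "340 Send article; end with <CR-LF>.<CR-LF>"
        if cmd == "QUIT":
            return "205 Bye"
        return "500 Unknown command"


def post_exchange(server: NntpServerModel, user: str, password: str):
    """Client side: read first, try to post, authenticate on 480, retry.
    Returns the transcript as (sent, received) pairs."""
    transcript = []

    def send(line):
        reply = server.handle(line)
        transcript.append((line, reply))
        return reply

    send("MODE READER")
    send("GROUP alt.test")            # reading works before any login
    if send("POST").startswith("480"):  # posting does not
        if send(f"AUTHINFO USER {user}").startswith("381"):
            if send(f"AUTHINFO PASS {password}").startswith("281"):
                send("POST")          # now 340: the server will take the article
    send("QUIT")
    return transcript


def response_codes(transcript):
    """Just the three-digit codes, in order, for a quick look at a session."""
    return [reply.split(" ", 1)[0] for _, reply in transcript]


if __name__ == "__main__":
    for sent, received in post_exchange(NntpServerModel(USERS), "alice", "s3cret"):
        print(f"C: {sent}\nS: {received}")
```

Running it prints the client and server lines in turn; a wrong password ends the session with 481 and the second POST is never attempted, which is the "not allowed to post" case regardless of how the bytes were carried.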

Re: Check certificate for news server (testing neodome)

https://novabbs.com/computers/article-flat.php?id=3667&group=alt.free.newsservers#3667
Path: i2pn2.org!i2pn.org!paganini.bofh.team!not-for-mail
From: ron...@nospam.me (Ronald)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 07:28:17 -0500
Organization: To protect and to server
Message-ID: <ungpp1$17890$1@paganini.bofh.team>
References: <undqeu$tpek$1@paganini.bofh.team> <unevbk$6eke$2@solani.org> <ung57r$166to$1@paganini.bofh.team> <s2ss6kxr43.ln2@Telcontar.valinor> <ungg3j$5hkb$5@solani.org> <ungkpf$170ai$1@paganini.bofh.team> <ungl4l$5hkb$8@solani.org> <ungmvt$173od$1@paganini.bofh.team> <ungnhg$5hkb$10@solani.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 8bit
Injection-Date: Mon, 8 Jan 2024 12:28:18 -0000 (UTC)
Injection-Info: paganini.bofh.team; logging-data="1286432"; posting-host="R8jzoRbLjiM/r2rQyny/kg.user.paganini.bofh.team"; mail-complaints-to="usenet@bofh.team"; posting-account="9dIQLXBM7WM9KzA+yjdR4A";
User-Agent: 40tude_Dialog/2.0.15.41 (Beta 38)
Cancel-Lock: sha256:XwXTUjTOkVeHwdtgzurhn9IJ7jGjdk4a/6E41id0rAM=
X-Notice: Filtered by postfilter v. 0.9.3
 by: Ronald - Mon, 8 Jan 2024 12:28 UTC

On Mon, 8 Jan 2024 12:50:08 +0100, Marco Moock wrote:

> Please try posting WITH authentication directly without stunnel in a
> current newsreader like Thunderbird.

I'm pretty sure that will work, but Thunderbird is just about the worst
newsreader that can be written - it thinks news is email last I used it.

I had used Claws for email but Google email just didn't like it when they
removed the password authorization in favor of OAuth2 & then forced 2FV.

I did use Pan as my newsreader for a time before stumbling upon Dialog.
Dialog was love at first sight (but it only works on Windows).

The problem had nothing to do with Dialog other than Dialog gave
an error which simply said it failed but nothing more than that really.

It was stunnel which erred out on the bad certificate.
It didn't occur to me to just turn off the certificate checks.

Duh!

I never knew they were optional.
It's only when I went to a backup that I realized what probably occurred.

And I didn't go to the backup until you and others convinced me the
certificate has been expired for three years, so it couldn't have been it.

The problem turned out to be likely that I had accidentally unchecked the
lines to tell sTunnel to check the certificate (which all other news
servers which require encryption needed). It was a mistake. I didn't catch
it.

The socket error of 0 apparently just means it failed.
The check for the server certificate expiry is true, but if you don't check
the certificate, it doesn't matter that the self-signed certificate expired.

Is it the best way to run a news server?
I don't know. Probably not.

But it is what it is.

Re: Check certificate for news server (testing neodome)

https://novabbs.com/computers/article-flat.php?id=3668&group=alt.free.newsservers#3668
Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!reader5.news.weretis.net!news.solani.org!.POSTED!not-for-mail
From: mm+sol...@dorfdsl.de (Marco Moock)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 14:39:32 +0100
Message-ID: <ungtum$5hkb$12@solani.org>
References: <undqeu$tpek$1@paganini.bofh.team>
<unevbk$6eke$2@solani.org>
<ung57r$166to$1@paganini.bofh.team>
<s2ss6kxr43.ln2@Telcontar.valinor>
<ungg3j$5hkb$5@solani.org>
<ungkpf$170ai$1@paganini.bofh.team>
<ungl4l$5hkb$8@solani.org>
<ungmvt$173od$1@paganini.bofh.team>
<ungnhg$5hkb$10@solani.org>
<ungpp1$17890$1@paganini.bofh.team>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Injection-Date: Mon, 8 Jan 2024 13:39:34 -0000 (UTC)
Injection-Info: solani.org;
logging-data="181899"; mail-complaints-to="abuse@news.solani.org"
Cancel-Lock: sha1:MkBqZiVxaQB80opTxBCi8eeL9IE=
X-User-ID: eJwNwokRwDAIA7CZ+AweJ5Cw/witTmEQTDoCHhvLNZ6SoVwUFQbtx3XG/EtU4L1+Km+/dPkADEoQlA==
X-Newsreader: Claws Mail 4.2.0 (GTK 3.24.38; x86_64-pc-linux-gnu)
 by: Marco Moock - Mon, 8 Jan 2024 13:39 UTC

Am 08.01.2024 um 07:28:17 Uhr schrieb Ronald:

> On Mon, 8 Jan 2024 12:50:08 +0100, Marco Moock wrote:
>
> > Please try posting WITH authentication directly without stunnel in a
> > current newsreader like Thunderbird.
>
> I'm pretty sure that will work, but Thunderbird is just about the
> worst newsreader that can be written - it thinks news is email last I
> used it.

I agree that TB has some disadvantages, but ancient software creates
other problems.
You can also choose a news server that allows authentication without
encryption.

> I had used Claws for email but Google email just didn't like it when
> they removed the password authorization in favor of OAuth2 & then
> forced 2FV.

IIRC Google still supports PW auth with an App password.
CM also supports OAuth in the current version.

> The problem had nothing to do with dialog other than dialog gave
> an error which simply said it failed but nothing more than that
> really.

Doesn't it give more details?

Claws provides the full network log with the NNTP messages.

> Is it the best way to run a news server?
> I don't know. Probably not.

No, but other servers exist. Simply use them.

Re: Check certificate for news server (testing neodome)

https://novabbs.com/computers/article-flat.php?id=3669&group=alt.free.newsservers#3669
From: J...@M (D)
References: <undqeu$tpek$1@paganini.bofh.team> <unevbk$6eke$2@solani.org>
<ungkpf$170ai$1@paganini.bofh.team> <ungl4l$5hkb$8@solani.org>
<ungmvt$173od$1@paganini.bofh.team> <ungnhg$5hkb$10@solani.org>
<ungpp1$17890$1@paganini.bofh.team>
Subject: Re: Check certificate for news server (testing neodome)
Content-Transfer-Encoding: 7bit
Message-ID: <c4e97656d0a9e8debc859da145c47ead@dizum.com>
Date: Mon, 8 Jan 2024 16:14:00 +0100 (CET)
Newsgroups: alt.free.newsservers
Path: i2pn2.org!i2pn.org!usenet.goja.nl.eu.org!weretis.net!feeder8.news.weretis.net!news.mixmin.net!news2.arglkargh.de!alphared!sewer!news.dizum.net!not-for-mail
Organization: dizum.com - The Internet Problem Provider
X-Abuse: abuse@dizum.com
Injection-Info: sewer.dizum.com - 2001::1/128
 by: D - Mon, 8 Jan 2024 15:14 UTC

On Mon, 8 Jan 2024 07:28:17 -0500, Ronald <ronald@nospam.me> wrote:
>On Mon, 8 Jan 2024 12:50:08 +0100, Marco Moock wrote:
>> Please try posting WITH authentication directly without stunnel in a
>> current newsreader like Thunderbird.
>
>I'm pretty sure that will work, but Thunderbird is just about the worst
>newsreader that can be written - it thinks news is email last I used it.
>I had used Claws for email but Google email just didn't like it when they
>removed the password authorization in favor of OAuth2 & then forced 2FV.
>I did use Pan as my newsreader for a time before stumbling upon Dialog.
>Dialog was love at first sight (but it only works on Windows).

some say that 40tude dialog can also work in linux with some tweaking;
for windows, i'm still using version 2.0.15.1 (build 1 beta 38);
for posting, i've always used the old free agent (version 1.93/32.576)
because of its simplicity; "tbird" seems deliberately too complicated;
current omnimix (2.7.2) and current tor browser (13.0.8) are essential
for everyday newsgroup interactions and also for browsing the internet
(using other web browsers only when necessary); also the "neodome.net"
will open on occasion (albeit slowly) in tor browser with meek bridge;
learning how to use remailers isn't that hard to do, but remailers do
have limitations so they're not for everyone; it's a jungle out there

Re: Check certificate for news server (testing neodome)

https://novabbs.com/computers/article-flat.php?id=3670&group=alt.free.newsservers#3670
Path: i2pn2.org!i2pn.org!paganini.bofh.team!not-for-mail
From: ron...@nospam.me (Ronald)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 10:29:30 -0500
Organization: To protect and to server
Message-ID: <unh4cq$17q0r$1@paganini.bofh.team>
References: <undqeu$tpek$1@paganini.bofh.team> <unevbk$6eke$2@solani.org> <ung57r$166to$1@paganini.bofh.team> <s2ss6kxr43.ln2@Telcontar.valinor> <ungg3j$5hkb$5@solani.org> <ungkpf$170ai$1@paganini.bofh.team> <ungl4l$5hkb$8@solani.org> <ungmvt$173od$1@paganini.bofh.team> <ungnhg$5hkb$10@solani.org> <ungpp1$17890$1@paganini.bofh.team> <ungtum$5hkb$12@solani.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 8bit
Injection-Date: Mon, 8 Jan 2024 15:29:31 -0000 (UTC)
Injection-Info: paganini.bofh.team; logging-data="1304603"; posting-host="R8jzoRbLjiM/r2rQyny/kg.user.paganini.bofh.team"; mail-complaints-to="usenet@bofh.team"; posting-account="9dIQLXBM7WM9KzA+yjdR4A";
User-Agent: 40tude_Dialog/2.0.15.41 (Beta 38)
Cancel-Lock: sha256:he8l75YdRmh02tkDY7PjG40eCAr4++nrKnj264n4WH8=
X-Notice: Filtered by postfilter v. 0.9.3
 by: Ronald - Mon, 8 Jan 2024 15:29 UTC

On Mon, 8 Jan 2024 14:39:32 +0100, Marco Moock wrote:

>> I'm pretty sure that will work, but Thunderbird is just about the
>> worst newsreader that can be written - it thinks news is email last I
>> used it.
>
> I agree that TB has some disadvantages, but ancient software creates
> other problems.

I agree that TB works for many people but it tries to be both email and
newsreader and that doesn't work for me but I'm sure it works for others.

> You can also choose a news server that allows authentication without
> encryption.

I agree that there are other news servers to choose from.
I was merely trying to debug the one that I had an account already for.
It's all fixed now. User error combined with a strange nntp server setup.

>
>> I had used Claws for email but Google email just didn't like it when
>> they removed the password authorization in favor of OAuth2 & then
>> forced 2FV.
>
> IIRC Google still supports PW auth with an App password.
> CM also support OAuth in the current version.

IIRC, the app password requires 2FA (but it has been a while for me).

It's good that Claws supports OAuth as all the MUAs had to scramble to
repair the damage Google caused by being unfriendly to competition.

For about a month or two all the good MUAs failed to work (not TB, but
others) until they were able to catch up and implement the OAuth after
Google changed their rules on the auditing needs (which cost > $15K).

Paying for an audit is easy for Mozilla but not so easy for others.

Most people caved in and set up 2FA but I just didn't do mail for a month
until the developers had it all sorted out with Google changing rules.

I went through that hell when Google started this mess and I do NOT want to
go through it again now that I got OAuth2 to work with Google Mail.

>> The problem had nothing to do with dialog other than dialog gave
>> an error which simply said it failed but nothing more than that
>> really.
>
> Doesn't it give more details?

I set Dialog to a full level-0 log (which is everything), and it still
didn't say anything other than the connection failed (socket 0).

0 25674390: Creating worker thread: Sending message to news.software.readers neodome Username ok1
0 25674390: FDATA: Opening 1
0 25674390: FDATA: Reading itemcount 3
0 25674390: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2572
3 25674390: Sending message to news.software.readers (Started) [$0000250C]
1 25674390: NNTP slot used by this thread: neodome Username ok1 [$0000250C]
3 25674390: Connecting to NNTP 127.0.0.1:55555 [$0000250C]
1 25675500: Reindexing (Order: 3, no filtering) of group 1 with 2574 articles took 16 ms
0 25675500: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2572
0 25675500: FDATA: Regular update PAK - ChangeCount: 0
0 25675500: FDATA: adding GroupKey: 1 ArticleKey: 2573
0 25675500: FDATA: Regular update PAK - ChangeCount: 1
0 25675515: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2571
0 25675515: FontFB: No non-ASCII characters found; Using default font
0 25675515: FontFB: Using font "Arial" which is missing 0 glyphs.
0 25675515: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2571
0 25675515: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2571
0 25675531: FontFB: No non-ASCII characters found; Using default font
0 25675531: FontFB: Using font "Arial" which is missing 0 glyphs.
0 25675531: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2571
0 25675531: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2571
0 25675531: FontFB: No non-ASCII characters found; Using default font
0 25675531: FontFB: Using font "Arial" which is missing 0 glyphs.
0 25675546: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2571
0 25675484: !Quit (Finished) [$0000250C]
5 25675484: Socket Error # 0; (neodome Username ok) (Finished) [$0000250C]
0 25675484: KillNNTP entered for: neodome Username ok1 (Finished) [$0000250C]
0 25675484: KillNNTP left for: neodome Username ok1 (Finished) [$0000250C]
0 25675484: KillNNTP entered for: neodome Username ok1 (Finished) [$0000250C]
0 25675484: KillNNTP left for: neodome Username ok1 (Finished) [$0000250C]
5 25675484: Posting article failed: Socket Error # 0; (neodome Username ok) (Finished) [$0000250C]
1 25675500: Sending message to news.software.readers (Finished) (Finished) [$0000250C]
0 25676328: TFlushBodiesThread started with ThreadID: $16A0
1 25678328: Flushing body db
0 25678328: FDATA: Updating PAK, number of subfiles: 29
0 25678328: FDATA: Writing itemcount 3
0 25678328: FDATA: Closing 1
1 25679687: Main window close query
1 25679750: Main window destroy called - Goodbye
0 25679765: FDATA: destroying; Changecount: 0
1 25679765: Flushing group and server list

> Claws provides the full network log with the NNTP messages.

To get a clean log out of Stunnel, I killed and restarted it.
This shows it's ready to take connections.
2024.01.07 02:18:11 LOG5[main]: stunnel 5.69 on x64-pc-mingw32-gnu platform
2024.01.07 02:18:11 LOG5[main]: Compiled/running with OpenSSL 3.0.8 7 Feb 2023
2024.01.07 02:18:11 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
2024.01.07 02:18:11 LOG5[main]: Reading configuration from file C:\Program Files\stunnel\config\stunnel.conf
2024.01.07 02:18:11 LOG5[main]: UTF-8 byte order mark detected
2024.01.07 02:18:11 LOG5[main]: FIPS mode disabled
2024.01.07 02:18:32 LOG5[main]: Configuration successful

This is what happens when I post to another server (not neodome).
2024.01.07 02:34:17 LOG5[0]: Service [eternal] accepted connection from 127.0.0.1:55554
2024.01.07 02:34:20 LOG5[0]: s_connect: connected 135.181.20.170:563
2024.01.07 02:34:20 LOG5[0]: Service [eternal] connected remote server from 10.212.1.145:60382
2024.01.07 02:34:24 LOG5[0]: OCSP: Connecting the AIA responder "http://r3.o.lencr.org"
2024.01.07 02:34:27 LOG5[0]: s_connect: connected 23.2.16.105:80
2024.01.07 02:34:30 LOG5[0]: OCSP: Certificate accepted
2024.01.07 02:34:30 LOG5[0]: Certificate accepted at depth=0: CN=news.eternal-september.org
2024.01.07 02:34:44 LOG3[0]: SSL_read: ssl/record/rec_layer_s3.c:321: error:0A000126:SSL routines::unexpected eof while reading
2024.01.07 02:34:44 LOG5[0]: Connection reset: 358 byte(s) sent to TLS, 388 byte(s) sent to socket

This is what happens when I post to the neodome server.
2024.01.07 02:18:55 LOG5[0]: Service [neodome] accepted connection from 127.0.0.1:55555
2024.01.07 02:19:00 LOG5[0]: s_connect: connected 95.216.243.224:563
2024.01.07 02:19:00 LOG5[0]: Service [neodome] connected remote server from 10.212.1.145:60371
2024.01.07 02:19:01 LOG4[0]: CERT: Pre-verification error: self-signed certificate
2024.01.07 02:19:01 LOG4[0]: Rejected by CERT at depth=0: O=Neodome, CN=neodome.net, emailAddress=admin@neodome.net
2024.01.07 02:19:01 LOG3[0]: SSL_connect: ssl/statem/statem_clnt.c:1889: error:0A000086:SSL routines::certificate verify failed
2024.01.07 02:19:01 LOG5[0]: Connection closed/reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

This is the Dialog log file when I post using eternal september with Stunnel.
0 43532453: Creating worker thread: Sending message to alt.test username
0 43532453: FDATA: Opening 1
0 43532468: FDATA: Reading itemcount 6
0 43532468: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2579
3 43532453: Sending message to alt.test (Started) [$00002754]
1 43532453: NNTP slot used by this thread: username [$00002754]
3 43532468: Connecting to NNTP 127.0.0.1:55556 [$00002754]
0 43548968: 200 news.eternal-september.org InterNetNews NNRP server INN 2.8.0 (20231205 snapshot) ready (posting ok) [$00002754]
0 43548968: !MODE READER [$00002754]
0 43550859: 200 news.eternal-september.org InterNetNews NNRP server INN 2.8.0 (20231205 snapshot) ready (posting ok) [$00002754]
3 43550859: Connected to NNTP 127.0.0.1:55556 [$00002754]
3 43550859: Logging in to NNTP 127.0.0.1:55556 [$00002754]
0 43550859: !AUTHINFO USER ****** [$00002754]
0 43552218: 381 Enter password [$00002754]
0 43552218: !AUTHINFO PASS ********* [$00002754]
0 43554687: 281 Authentication succeeded [$00002754]
3 43554687: Posting message to NNTP server [$00002754]
0 43554687: !POST [$00002754]

This is the Dialog log file when I post using neodome with Stunnel.
0 25674390: Creating worker thread: Sending message to news.software.readers neodome Username ok1
0 25674390: FDATA: Opening 1
0 25674390: FDATA: Reading itemcount 3
0 25674390: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2572
3 25674390: Sending message to news.software.readers (Started) [$0000250C]
1 25674390: NNTP slot used by this thread: neodome Username ok1 [$0000250C]
3 25674390: Connecting to NNTP 127.0.0.1:55555 [$0000250C]
1 25675500: Reindexing (Order: 3, no filtering) of group 1 with 2574 articles took 16 ms
0 25675500: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2572
0 25675500: FDATA: Regular update PAK - ChangeCount: 0
0 25675500: FDATA: adding GroupKey: 1 ArticleKey: 2573
0 25675500: FDATA: Regular update PAK - ChangeCount: 1
0 25675515: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2571
0 25675515: FontFB: No non-ASCII characters found; Using default font
0 25675515: FontFB: Using font "Arial" which is missing 0 glyphs.
0 25675515: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2571
0 25675515: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2571
0 25675531: FontFB: No non-ASCII characters found; Using default font
0 25675531: FontFB: Using font "Arial" which is missing 0 glyphs.
0 25675531: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2571
0 25675531: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2571
0 25675531: FontFB: No non-ASCII characters found; Using default font
0 25675531: FontFB: Using font "Arial" which is missing 0 glyphs.
0 25675546: FDATA: Extracting body of GroupKey: 1 ArticleKey: 2571
0 25675484: !Quit (Finished) [$0000250C]
5 25675484: Socket Error # 0; (neodome Username ok) (Finished) [$0000250C]
0 25675484: KillNNTP entered for: neodome Username ok1 (Finished) [$0000250C]
0 25675484: KillNNTP left for: neodome Username ok1 (Finished) [$0000250C]
0 25675484: KillNNTP entered for: neodome Username ok1 (Finished) [$0000250C]
0 25675484: KillNNTP left for: neodome Username ok1 (Finished) [$0000250C]
5 25675484: Posting article failed: Socket Error # 0; (neodome Username ok) (Finished) [$0000250C]
1 25675500: Sending message to news.software.readers (Finished) (Finished) [$0000250C]
0 25676328: TFlushBodiesThread started with ThreadID: $16A0
1 25678328: Flushing body db
0 25678328: FDATA: Updating PAK, number of subfiles: 29
0 25678328: FDATA: Writing itemcount 3
0 25678328: FDATA: Closing 1
1 25679687: Main window close query
1 25679750: Main window destroy called - Goodbye
0 25679765: FDATA: destroying; Changecount: 0
1 25679765: Flushing group and server list


Re: Check certificate for news server (testing neodome)

<unhade$1k00m$1@dont-email.me>

https://novabbs.com/computers/article-flat.php?id=3671&group=alt.free.newsservers#3671

Path: i2pn2.org!i2pn.org!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: ahk...@chinet.com (Adam H. Kerman)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 17:12:14 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 43
Message-ID: <unhade$1k00m$1@dont-email.me>
References: <undqeu$tpek$1@paganini.bofh.team> <ungl4l$5hkb$8@solani.org> <ungmvt$173od$1@paganini.bofh.team> <ungnhg$5hkb$10@solani.org>
Injection-Date: Mon, 8 Jan 2024 17:12:14 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="e27b75b98c0dedd2eb0559f66b4d4341";
logging-data="1703958"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX18BcsVL/J8Hi7zG5EWdZ4fcqdYhlyMOxlo="
Cancel-Lock: sha1:iPzm/KlX35Gdt9j88+rT4hbkzqI=
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
 by: Adam H. Kerman - Mon, 8 Jan 2024 17:12 UTC

Marco Moock <mm+solani@dorfdsl.de> wrote:
>Am 08.01.2024 um 06:40:45 Uhr schrieb Ronald:
>>On Mon, 8 Jan 2024 12:09:09 +0100, Marco Moock wrote:

>>>>Of course sTunnel complains that MITM attacks can happen but I'm
>>>>not worried about that (as I only use encryption because Neodome
>>>>requires it).

>>>You can use 119 without STARTTLS.

>>I don't know what that "without STARTTLS" means,

>It is a mechanism to run TLS inside of NNTP (and other protocols).

>>but I already tried 119 with and without the 40Tude Dialog "SSL" button checked & posting
>>failed.

>Does reading work?
>If so, the connection is fine.

>Posting is DENIED without authentication, regardless of the encryption
>mechanism.

>Please try posting WITH authentication directly without stunnel in a
>current newsreader like Thunderbird.

bonk

Thunderbird has myriad issues that remain unaddressed for years at a
time. The words "current" and "Thunderbird" do not belong in the same
sentence. Mozilla hasn't quite abandoned Thunderbird but they aren't
devoting the necessary resources to it to just make sure issues are
addressed, even without adding features.

No one has any idea what triggers occasional base64 encoding in
Thunderbird, which is quite aggravating. It doesn't always post
unencoded plain text to Usenet. The automatic encoding is undesirable.

Ancient newsreaders require some of us to figure out how to comply with
standards that have been updated since the newsreader last had features
added to it, but at least that's possible to do.

I hope he figures out how to address the issue.

Re: Check certificate for news server (testing neodome)

<jstt6kxpjj.ln2@Telcontar.valinor>

https://novabbs.com/computers/article-flat.php?id=3672&group=alt.free.newsservers#3672

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: robin_li...@es.invalid (Carlos E.R.)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 20:09:39 +0100
Lines: 75
Message-ID: <jstt6kxpjj.ln2@Telcontar.valinor>
References: <undqeu$tpek$1@paganini.bofh.team> <unevbk$6eke$2@solani.org>
<ung57r$166to$1@paganini.bofh.team> <s2ss6kxr43.ln2@Telcontar.valinor>
<ungg3j$5hkb$5@solani.org> <ungkpf$170ai$1@paganini.bofh.team>
<ungl4l$5hkb$8@solani.org> <ungmvt$173od$1@paganini.bofh.team>
<ungnhg$5hkb$10@solani.org> <ungpp1$17890$1@paganini.bofh.team>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Trace: individual.net 2zJeuXyj+s/DfpnuuEeEXwz1Jr2UYgtXDK01ukNxzlFYeI6h7K
X-Orig-Path: Telcontar.valinor!not-for-mail
Cancel-Lock: sha1:oSs0RkAgA/qmAEPNVOsjQVh5DX0= sha256:ArcV5IrTp/MLfOOv3lqvZwMPvSWtGq45MWYyROuhNIE=
User-Agent: Mozilla Thunderbird
Content-Language: es-ES, en-CA
In-Reply-To: <ungpp1$17890$1@paganini.bofh.team>
 by: Carlos E.R. - Mon, 8 Jan 2024 19:09 UTC

On 2024-01-08 13:28, Ronald wrote:
> On Mon, 8 Jan 2024 12:50:08 +0100, Marco Moock wrote:
>
>> Please try posting WITH authentication directly without stunnel in a
>> current newsreader like Thunderbird.
>
> I'm pretty sure that will work, but Thunderbird is just about the worst
> newsreader that can be written - it thinks news is email last I used it.

It is the best newsreader that can be found, for many thousands of people
out there — but hey, that's only opinions. You use whatever you like :-)

The thing is, with TB you would be able to test the setup and proper
configuration for reading and posting, without having to use the stunnel
hack.

Once you found the configuration, you only had to translate for your
software.

> I had used Claws for email but Google email just didn't like it when they
> removed the password authorization in favor of OAuth2 & then forced 2FV.
>
> I did use Pan as my newsreader for a time before stumbling upon Dialog.
> Dialog was love at first sight (but it only works on Windows).
>
> The problem had nothing to do with dialog other than dialog gave
> an error which simply said it failed but nothing more than that really.
>
> It was stunnel which erred out on the bad certificate.
> It didn't occur to me to just turn off the certificate checks.
>
> Duh!
>
> I never knew they were optional.
> It's only when I went to a backup that I realized what probably occurred.
>
> And I didn't go to the backup until you and others convinced me the
> certificate has been expired for three years, so it couldn't have been it.

Now remember to write your notes inside that configuration file, as
comments, so that you don't fall in this trap again.

>
> The problem turned out to be likely that I had accidentally unchecked the
> lines to tell sTunnel to check the certificate (which all other news
> servers which require encryption needed). It was a mistake. I didn't catch
> it.

Other software, having both the news protocols and certificate
protocols, would (probably) have given more meaningful error messages.

As you had two tools in a chain, you had to check both tools for error
messages. And more difficult to interpret.

> The socket error of 0 apparently just means it failed.
> The check for the server certificate expiry is true, but if you don't check
> the certificate, it doesn't matter that the self-signed certificate expired.
>
> Is it the best way to run a news server?
> I don't know. Probably not.

You are not running a news server.

>
> But it is what it is.

--
Cheers, Carlos.

Re: Check certificate for news server (testing neodome)

<emut6kxllk.ln2@Telcontar.valinor>

https://novabbs.com/computers/article-flat.php?id=3673&group=alt.free.newsservers#3673

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!fu-berlin.de!uni-berlin.de!individual.net!not-for-mail
From: robin_li...@es.invalid (Carlos E.R.)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 20:23:26 +0100
Lines: 111
Message-ID: <emut6kxllk.ln2@Telcontar.valinor>
References: <undqeu$tpek$1@paganini.bofh.team> <unevbk$6eke$2@solani.org>
<ung57r$166to$1@paganini.bofh.team> <s2ss6kxr43.ln2@Telcontar.valinor>
<ungg3j$5hkb$5@solani.org> <ungkpf$170ai$1@paganini.bofh.team>
<ungl4l$5hkb$8@solani.org> <ungmvt$173od$1@paganini.bofh.team>
<ungnhg$5hkb$10@solani.org> <ungpp1$17890$1@paganini.bofh.team>
<ungtum$5hkb$12@solani.org> <unh4cq$17q0r$1@paganini.bofh.team>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-Trace: individual.net YzLVDk9n43whC6W0/b+TqgpzHi3s7cztwfLxB1Fvl9FCLKCAsa
X-Orig-Path: Telcontar.valinor!not-for-mail
Cancel-Lock: sha1:PJBWG18MijuhwqDeOGaqnPoAxZw= sha256:4oRmi6DXOFuP+bJddNk3VlVoUEn/fz4HqY+E5PZP0Bw=
User-Agent: Mozilla Thunderbird
Content-Language: es-ES, en-CA
In-Reply-To: <unh4cq$17q0r$1@paganini.bofh.team>
 by: Carlos E.R. - Mon, 8 Jan 2024 19:23 UTC

On 2024-01-08 16:29, Ronald wrote:
> On Mon, 8 Jan 2024 14:39:32 +0100, Marco Moock wrote:

....

>>> The problem had nothing to do with dialog other than dialog gave
>>> an error which simply said it failed but nothing more than that
>>> really.
>>
>> Doesn't it give more details?
>
> I set Dialog to a full level-0 log (which is everything), and it still
> didn't say anything other than the connection failed (socket 0).

Because the failure is outside of Dialog.

....

>> Claws provides the full network log with the NNTP messages.
>
> To get a clean log out of Stunnel, I killed and restarted it.
> This shows it's ready to take connections.
> 2024.01.07 02:18:11 LOG5[main]: stunnel 5.69 on x64-pc-mingw32-gnu platform
> 2024.01.07 02:18:11 LOG5[main]: Compiled/running with OpenSSL 3.0.8 7 Feb 2023
> 2024.01.07 02:18:11 LOG5[main]: Threading:WIN32 Sockets:SELECT,IPv6 TLS:ENGINE,FIPS,OCSP,PSK,SNI
> 2024.01.07 02:18:11 LOG5[main]: Reading configuration from file C:\Program Files\stunnel\config\stunnel.conf
> 2024.01.07 02:18:11 LOG5[main]: UTF-8 byte order mark detected
> 2024.01.07 02:18:11 LOG5[main]: FIPS mode disabled
> 2024.01.07 02:18:32 LOG5[main]: Configuration successful
>
> This is what happens when I post to another server (not neodome).
> 2024.01.07 02:34:17 LOG5[0]: Service [eternal] accepted connection from 127.0.0.1:55554
> 2024.01.07 02:34:20 LOG5[0]: s_connect: connected 135.181.20.170:563
> 2024.01.07 02:34:20 LOG5[0]: Service [eternal] connected remote server from 10.212.1.145:60382
> 2024.01.07 02:34:24 LOG5[0]: OCSP: Connecting the AIA responder "http://r3.o.lencr.org"
> 2024.01.07 02:34:27 LOG5[0]: s_connect: connected 23.2.16.105:80
> 2024.01.07 02:34:30 LOG5[0]: OCSP: Certificate accepted
> 2024.01.07 02:34:30 LOG5[0]: Certificate accepted at depth=0: CN=news.eternal-september.org
> 2024.01.07 02:34:44 LOG3[0]: SSL_read: ssl/record/rec_layer_s3.c:321: error:0A000126:SSL routines::unexpected eof while reading
> 2024.01.07 02:34:44 LOG5[0]: Connection reset: 358 byte(s) sent to TLS, 388 byte(s) sent to socket
>
> This is what happens when I post to the neodome server.
> 2024.01.07 02:18:55 LOG5[0]: Service [neodome] accepted connection from 127.0.0.1:55555
> 2024.01.07 02:19:00 LOG5[0]: s_connect: connected 95.216.243.224:563
> 2024.01.07 02:19:00 LOG5[0]: Service [neodome] connected remote server from 10.212.1.145:60371
> 2024.01.07 02:19:01 LOG4[0]: CERT: Pre-verification error: self-signed certificate
> 2024.01.07 02:19:01 LOG4[0]: Rejected by CERT at depth=0: O=Neodome, CN=neodome.net, emailAddress=admin@neodome.net
> 2024.01.07 02:19:01 LOG3[0]: SSL_connect: ssl/statem/statem_clnt.c:1889: error:0A000086:SSL routines::certificate verify failed
> 2024.01.07 02:19:01 LOG5[0]: Connection closed/reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket

stunnel is correctly identifying the problem.

....

> The two errors (one in Dialog's log and the other in Stunnel's log) are:
>
> Dialog error:
> 5 25675484: Socket Error # 0; (neodome Username ok) (Finished) [$0000250C]
> 0 25675484: KillNNTP entered for: neodome Username ok1 (Finished) [$0000250C]
>
> Stunnel error:
> 2024.01.07 02:19:01 LOG4[0]: CERT: Pre-verification error: self-signed certificate
> 2024.01.07 02:19:01 LOG4[0]: Rejected by CERT at depth=0: O=Neodome, CN=neodome.net, emailAddress=admin@neodome.net
> 2024.01.07 02:19:01 LOG3[0]: SSL_connect: ssl/statem/statem_clnt.c:1889: error:0A000086:SSL routines::certificate verify failed

Yes.

>
> Anyway, the problem wasn't really any of that, in reality.
> The problem was the server doesn't want its certificate checked.

NO!

The server people are doing things easy and cheap, for them, and causing
problems for people. What they do is "wrong": A private certificate, and
not renewed.

This is done between private individuals, but is not fine when going public.

Configuring your side to not verify the certificate and to ignore that it
has expired is a hack. It is also a security risk (mild in this case).
You decide to play along or choose a different server.

>
>>> Is it the best way to run a news server?
>>> I don't know. Probably not.
>>
>> No, but other servers exist. Simply use them.
>
> I agree with your advice but you have to take into account that the
> Neodome account was working fine for me, until it wasn't.
>
> So there's really nothing wrong with it even though it's using a
> faulty certificate. I just had to learn how to deal with it.
>
> It's kind of like a car that you like and you're comfortable with,
> but which has a balky clutch until it heats up a bit in use.
>
> Thanks for all your help and encouragement.

--
Cheers, Carlos.
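
The point made above ("stunnel is correctly identifying the problem", while the newsreader behind the tunnel only sees a socket error) can be checked mechanically. The following Python is an added example, not code from this thread or from the stunnel project: it groups stunnel log lines into per-connection sessions and reports, for each one, whether the certificate was accepted or rejected and whether any application bytes were ever handed to TLS. The sample lines are the stunnel 5.69 lines quoted in the thread, followed by a third session constructed here (192.0.2.10 and news.example.invalid are placeholders) to show a self-signed certificate that has also expired.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# stunnel log line: timestamp, syslog level (3 err, 4 warning, 5 notice), connection id, message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d) LOG(?P<level>\d)\[(?P<conn>\w+)\]: (?P<msg>.*)$"
)
BYTES_RE = re.compile(r"(\d+) byte\(s\) sent to TLS, (\d+) byte\(s\) sent to socket")

# Constructed sample: the sessions quoted in this thread (neodome rejected,
# eternal-september accepted) plus one session invented here for a self-signed
# certificate that has also expired (192.0.2.10 / news.example.invalid are placeholders).
SAMPLE_LOG = """\
2024.01.07 02:18:11 LOG5[main]: stunnel 5.69 on x64-pc-mingw32-gnu platform
2024.01.07 02:18:32 LOG5[main]: Configuration successful
2024.01.07 02:18:55 LOG5[0]: Service [neodome] accepted connection from 127.0.0.1:55555
2024.01.07 02:19:00 LOG5[0]: s_connect: connected 95.216.243.224:563
2024.01.07 02:19:01 LOG4[0]: CERT: Pre-verification error: self-signed certificate
2024.01.07 02:19:01 LOG4[0]: Rejected by CERT at depth=0: O=Neodome, CN=neodome.net, emailAddress=admin@neodome.net
2024.01.07 02:19:01 LOG3[0]: SSL_connect: ssl/statem/statem_clnt.c:1889: error:0A000086:SSL routines::certificate verify failed
2024.01.07 02:19:01 LOG5[0]: Connection closed/reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
2024.01.07 02:34:17 LOG5[0]: Service [eternal] accepted connection from 127.0.0.1:55554
2024.01.07 02:34:20 LOG5[0]: s_connect: connected 135.181.20.170:563
2024.01.07 02:34:24 LOG5[0]: OCSP: Connecting the AIA responder "http://r3.o.lencr.org"
2024.01.07 02:34:30 LOG5[0]: OCSP: Certificate accepted
2024.01.07 02:34:30 LOG5[0]: Certificate accepted at depth=0: CN=news.eternal-september.org
2024.01.07 02:34:44 LOG3[0]: SSL_read: ssl/record/rec_layer_s3.c:321: error:0A000126:SSL routines::unexpected eof while reading
2024.01.07 02:34:44 LOG5[0]: Connection reset: 358 byte(s) sent to TLS, 388 byte(s) sent to socket
2024.01.07 02:40:00 LOG5[1]: Service [constructed] accepted connection from 127.0.0.1:55557
2024.01.07 02:40:01 LOG5[1]: s_connect: connected 192.0.2.10:563
2024.01.07 02:40:02 LOG4[1]: CERT: Pre-verification error: self-signed certificate
2024.01.07 02:40:02 LOG4[1]: CERT: Pre-verification error: certificate has expired
2024.01.07 02:40:02 LOG4[1]: Rejected by CERT at depth=0: O=Example, CN=news.example.invalid
2024.01.07 02:40:02 LOG3[1]: SSL_connect: ssl/statem/statem_clnt.c:1889: error:0A000086:SSL routines::certificate verify failed
2024.01.07 02:40:02 LOG5[1]: Connection closed/reset: 0 byte(s) sent to TLS, 0 byte(s) sent to socket
"""


@dataclass
class Session:
    service: str
    remote: Optional[str] = None
    peer: Optional[str] = None                 # subject of the certificate seen at depth 0
    accepted: bool = False
    verify_errors: List[str] = field(default_factory=list)     # "Pre-verification error" reasons
    handshake_errors: List[str] = field(default_factory=list)  # SSL_connect / SSL_accept failures
    later_errors: List[str] = field(default_factory=list)      # SSL_read / SSL_write after the handshake
    to_tls: int = 0
    to_socket: int = 0

    def verdict(self) -> str:
        if self.verify_errors:
            # Nothing reached TLS: the newsreader never got to speak NNTP at all.
            return "handshake failed: " + "; ".join(self.verify_errors)
        if self.handshake_errors:
            return "handshake failed: " + self.handshake_errors[0]
        if self.accepted and self.to_tls > 0:
            return "tls ok, application traffic flowed"
        if self.accepted:
            return "tls ok, no application traffic"
        return "no certificate decision logged"


def parse_sessions(text: str) -> List[Session]:
    """Split a stunnel log into sessions, one per 'accepted connection' line."""
    sessions: List[Session] = []
    cur: Optional[Session] = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group("msg")
        if msg.startswith("Service [") and "accepted connection" in msg:
            cur = Session(service=msg.split("[", 1)[1].split("]", 1)[0])
            sessions.append(cur)
            continue
        if cur is None:                      # [main] start-up lines before any connection
            continue
        if msg.startswith("s_connect: connected "):
            cur.remote = msg.split(" ", 2)[2]
        elif msg.startswith("CERT: Pre-verification error: "):
            cur.verify_errors.append(msg.split(": ", 2)[2])
        elif msg.startswith("Rejected by CERT at depth=0: "):
            cur.peer = msg.split(": ", 1)[1]
        elif msg.startswith("Certificate accepted at depth=0: "):
            cur.accepted = True
            cur.peer = msg.split(": ", 1)[1]
        elif msg.startswith(("SSL_connect:", "SSL_accept:")):
            cur.handshake_errors.append(msg)
        elif msg.startswith(("SSL_read:", "SSL_write:")):
            cur.later_errors.append(msg)
        b = BYTES_RE.search(msg)             # the closing byte counters of the session
        if b:
            cur.to_tls, cur.to_socket = int(b.group(1)), int(b.group(2))
    return sessions


def triage(text: str) -> List[Tuple[str, str]]:
    """(service, verdict) per session, the summary a helpdesk would want first."""
    return [(s.service, s.verdict()) for s in parse_sessions(text)]


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_LOG):
        print(f"[{s.service}] -> {s.remote} peer={s.peer!r}: {s.verdict()} "
              f"({s.to_tls} B to TLS, {s.to_socket} B to socket)")
```

A session with "Pre-verification error" lines and "0 byte(s) sent to TLS" failed before a single NNTP byte was exchanged, which is why the newsreader behind the tunnel can only report a generic socket error. The "unexpected eof" on the eternal-september session arrives after the certificate was accepted and after 358 bytes went into TLS, so it is a later connection drop rather than a certificate problem; the script keeps it in `later_errors` instead of letting it change the verdict.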

Re: Check certificate for news server (testing neodome)

<unhid5$22nnn$1@news.mixmin.net>

https://novabbs.com/computers/article-flat.php?id=3674&group=alt.free.newsservers#3674

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!news.mixmin.net!.POSTED!not-for-mail
From: per...@arpedio.com (Pertti)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 19:28:37 -0000 (UTC)
Organization: Mixmin
Message-ID: <unhid5$22nnn$1@news.mixmin.net>
References: <undqeu$tpek$1@paganini.bofh.team> <unevbk$6eke$2@solani.org> <ung57r$166to$1@paganini.bofh.team> <ungabi$5hkb$3@solani.org>
Injection-Date: Mon, 8 Jan 2024 19:28:37 -0000 (UTC)
Injection-Info: news.mixmin.net; posting-host="c4af4a3027e8317d29ea238d8aa6bb2f616aa3fc";
logging-data="2186999"; mail-complaints-to="abuse@mixmin.net"
User-Agent: Mozilla 4.06[en]
 by: Pertti - Mon, 8 Jan 2024 19:28 UTC

On 08 Jan 2024, Marco Moock <mm+solani@dorfdsl.de> posted some
news:ungabi$5hkb$3@solani.org:

> Am 08.01.2024 um 01:37:48 Uhr schrieb Ronald:
>
>> On Sun, 7 Jan 2024 20:51:16 +0100, Marco Moock wrote:
>>
>> >> But Neodome uses a self-signed certificate.
>> >> So it's never supposed to expire, right?
>> >
>> > That is not related to self-signed.
>>
>> Thanks. It's crazy that I was able to post for years with nothing
>> changing on my side, but then a few weeks ago I got the certificate
>> expiry error.
>>
>> But when I debugged as suggested, the certificate expired three years
>> ago. That sounds crazy. Even to me. And I've been posting to Neodome
>> for years.
>
> That is crazy, but maybe someone installed that cert (maybe an
> automatic mechanism like Ansible).

Good thing you work for government because you wouldn't last long in the
private sector.

Re: Check certificate for news server (testing neodome)

<unhid7$22nnn$2@news.mixmin.net>

https://novabbs.com/computers/article-flat.php?id=3675&group=alt.free.newsservers#3675

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!news.mixmin.net!.POSTED!not-for-mail
From: per...@arpedio.com (Pertti)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 19:28:40 -0000 (UTC)
Organization: Mixmin
Message-ID: <unhid7$22nnn$2@news.mixmin.net>
References: <undqeu$tpek$1@paganini.bofh.team> <unge7d$16lla$1@paganini.bofh.team>
Injection-Date: Mon, 8 Jan 2024 19:28:40 -0000 (UTC)
Injection-Info: news.mixmin.net; posting-host="c4af4a3027e8317d29ea238d8aa6bb2f616aa3fc";
logging-data="2186999"; mail-complaints-to="abuse@mixmin.net"
User-Agent: Mozilla 4.06[en]
 by: Pertti - Mon, 8 Jan 2024 19:28 UTC

On 08 Jan 2024, Ivan Fjellstad <ifjellstad7@gmail.com> posted some
news:unge7d$16lla$1@paganini.bofh.team:

> On 07 Jan 2024, Ronald <ronald@nospam.me> posted some
> news:undqeu$tpek$1@paganini.bofh.team:
>
>> On Windows, I ran this command just now.
>> echo q | openssl s_client -connect news.neodome.net:563 | openssl
>> x509 -noout -enddate | findstr "notAfter"
>>
>> It reported this result:
>> depth=0 O = Neodome, CN = neodome.net, emailAddress =
>> admin@neodome.net verify error:num=18:self signed certificate
>> verify return:1
>> depth=0 O = Neodome, CN = neodome.net, emailAddress =
>> admin@neodome.net verify error:num=10:certificate has expired
>> notAfter=Dec 31 21:59:46 2020 GMT
>> verify return:1
>> depth=0 O = Neodome, CN = neodome.net, emailAddress =
>> admin@neodome.net notAfter=Dec 31 21:59:46 2020 GMT
>> verify return:1
>> notAfter=Dec 31 21:59:46 2020 GMT
>> DONE
>>
>> Then I ran this command.
>> openssl s_client -ign_eof -connect news.neodome.net:563
>>
>> Which reported a long output but I cut out the non errors to result
>> in this.
>> verify error:num=10:certificate has expired
>> Verification error: certificate has expired
>> Verify return code: 10 (certificate has expired)
>>
>> But Neodome uses a self-signed certificate.
>> So it's never supposed to expire, right?
>>
>> I don't know what the output is SUPPOSED to be for a self-signed
>> certificate. I don't even know what a self-signed certificate even
>> means.
>>
>> Can you help me make better sense of the output and how to fix it?
>
> Sure!
>
> Here is how you fix a 40tude socket error.
>
> https://www.youtube.com/watch?v=g2r9I2-LMNo

That is funny and would solve his problem!

> Path: paganini.bofh.team!not-for-mail
> From: rocco portelli <roccoportelli@nospam.it>
> Newsgroups: news.software.nntp,alt.free.newsservers,news.software.readers
> Subject: Posting article failed. Socket error # 0
> Date: Wed, 29 Nov 2023 06:55:38 -0500
> Organization: To protect and to server
> Message-ID: <uk78rq$3gr0h$1@paganini.bofh.team>
> Mime-Version: 1.0
> Content-Type: text/plain; charset="us-ascii"
> Content-Transfer-Encoding: 8bit
> Injection-Date: Wed, 29 Nov 2023 11:55:38 -0000 (UTC)
> Injection-Info: paganini.bofh.team; logging-data="3697681"; posting-host="fk6g7LKM0w/hRp9aKdhgAQ.user.paganini.bofh.team"; mail-complaints-to="usenet@bofh.team"; posting-account="9dIQLXBM7WM9KzA+yjdR4A";
> User-Agent: 40tude_Dialog/2.0.15.41 (Beta 38)
> Cancel-Lock: sha256:b/suCo/X4PFdeEm4B4bO6zG6nQHfFqY4azGl9ap9FMQ=
> X-Notice: Filtered by postfilter v. 0.9.3
> Xref: paganini.bofh.team news.software.nntp:3309 alt.free.newsservers:6105 news.software.readers:274990
>
> Before I bother the admin of a common free news server (who I promised
> if he gave me a posting account, I wouldn't be any trouble) I would
> like to figure out if the problem is his encrypted news server or if
> it's in mine.
>
> It used to work but stopped working about a week ago with this "socket
> error" of "Posting article failed. Socket error # 0".
>
> I use 40TudeDialog with stunnel on Windows but I don't know what a
> "socket" is nor if it's even related to stunnel or to the news server.
>
> Stunnel has been running for years with other news servers and for
> months with this news server (which I can't say what it is as it's not
> known to be available for posting unless you ask the news server admin
> to allow it).
>
> How do I debug on my own?
> What are the typical debug steps for testing an encrypted connection?
>
> Thinking something might have used the port, I changed the port in
> both 40Tude Dialog and in the stunnel.conf file, but that arbitrary
> port change made no difference (127.0.0.1:12345 => 127.0.0.1:54321) in
> the error.
>
> [newsserver]
> client = yes
> accept = 127.0.0.1:54321
> connect = news.newsserver.net:563
> verify = 0
> verifyChain = yes
> CAfile = ca-certs.pem
> checkHost = news.newsserver.net
> OCSPaia = yes
>
> How do I debug this error to see at least if the problem is me or him?
>
> What's a "posting article failed socket error # 0" in 40tude dialog
> anyway?

a.f.n regs have been had again by the same troll. Good one, Ivan.

Re: Check certificate for news server (testing neodome)

<unhl5k$5hkb$17@solani.org>

https://novabbs.com/computers/article-flat.php?id=3676&group=alt.free.newsservers#3676

Path: i2pn2.org!i2pn.org!weretis.net!feeder8.news.weretis.net!reader5.news.weretis.net!news.solani.org!.POSTED!not-for-mail
From: mm+sol...@dorfdsl.de (Marco Moock)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 21:15:48 +0100
Message-ID: <unhl5k$5hkb$17@solani.org>
References: <undqeu$tpek$1@paganini.bofh.team>
<ungl4l$5hkb$8@solani.org>
<ungmvt$173od$1@paganini.bofh.team>
<ungnhg$5hkb$10@solani.org>
<unhade$1k00m$1@dont-email.me>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Injection-Date: Mon, 8 Jan 2024 20:15:48 -0000 (UTC)
Injection-Info: solani.org;
logging-data="181899"; mail-complaints-to="abuse@news.solani.org"
Cancel-Lock: sha1:3hJoVQESDYdoLX3GPCwnnsR88gQ=
X-Newsreader: Claws Mail 4.2.0 (GTK 3.24.38; x86_64-pc-linux-gnu)
X-User-ID: eJwFwQEBACAIA7BKePmFOgr0j+DGraV3XJRzOE3T7eOx9jCtEA/ALvOMKMeqS5rhZFNofQNrD+Y=
 by: Marco Moock - Mon, 8 Jan 2024 20:15 UTC

Am 08.01.2024 um 17:12:14 Uhr schrieb Adam H. Kerman:

> No one has any idea what triggers occasional base64 encoding in
> Thunderbird, which is quite aggravating. It doesn't always post
> unencoded plain text to Usenet. The automatic encoding is
> undesirable.
>
> Ancient newsreaders require some of us to figure out how to comply
> with standards that have been updated since the newsreader last had
> features added to it, but at least that's possible to do.

Is that encoding denied by the *current* RFCs?

I am aware that older clients don't support certain stuff, but I do
think the 20+yo clients are the reference here.

Re: Check certificate for news server (testing neodome)

<unhn77$1lumc$1@dont-email.me>

https://novabbs.com/computers/article-flat.php?id=3677&group=alt.free.newsservers#3677

Path: i2pn2.org!i2pn.org!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!.POSTED!not-for-mail
From: ahk...@chinet.com (Adam H. Kerman)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 20:50:48 -0000 (UTC)
Organization: A noiseless patient Spider
Lines: 30
Message-ID: <unhn77$1lumc$1@dont-email.me>
References: <undqeu$tpek$1@paganini.bofh.team> <ungnhg$5hkb$10@solani.org> <unhade$1k00m$1@dont-email.me> <unhl5k$5hkb$17@solani.org>
Injection-Date: Mon, 8 Jan 2024 20:50:48 -0000 (UTC)
Injection-Info: dont-email.me; posting-host="e27b75b98c0dedd2eb0559f66b4d4341";
logging-data="1768140"; mail-complaints-to="abuse@eternal-september.org"; posting-account="U2FsdGVkX1+nTV9ZNSfPyp7StVy0KMQlmooTiUm0gHM="
Cancel-Lock: sha1:VrK6X8V0ryVDdlUxUYVG6pzqEY8=
X-Newsreader: trn 4.0-test77 (Sep 1, 2010)
 by: Adam H. Kerman - Mon, 8 Jan 2024 20:50 UTC

Marco Moock <mm+solani@dorfdsl.de> wrote:
>Am 08.01.2024 um 17:12:14 Uhr schrieb Adam H. Kerman:

>>No one has any idea what triggers occasional base64 encoding in
>>Thunderbird, which is quite aggravating. It doesn't always post
>>unencoded plain text to Usenet. The automatic encoding is
>>undesirable.

>>Ancient newsreaders require some of us to figure out how to comply
>>with standards that have been updated since the newsreader last had
>>features added to it, but at least that's possible to do.

>Is that encoding denied by the *current* RFCs?

As always, Marco, you aren't listening. It's unnecessary. It's
undesirable. It's not plain text. There is no benefit to Usenet. It
should not be done.

>I am aware that older clients don't support certain stuff, but I do
>think the 20+yo clients are the reference here.

My newsreader does not support certain stuff. It calls outside processes
for encoding and decoding and for any functions that are not
built in. The issue isn't with newsreaders that were written in the '80s
and '90s and never has been.

The problem is with newer newsreaders in which more processes are built
in that are no longer maintained and not compliant with standards, or
just do things that serve no purpose, or truly failed to implement
standards at the time they were written.

Re: Check certificate for news server (testing neodome)

<unhoe1$18s7g$1@paganini.bofh.team>

https://novabbs.com/computers/article-flat.php?id=3678&group=alt.free.newsservers#3678

Path: i2pn2.org!i2pn.org!paganini.bofh.team!not-for-mail
From: ron...@nospam.me (Ronald)
Newsgroups: alt.free.newsservers
Subject: Re: Check certificate for news server (testing neodome)
Date: Mon, 8 Jan 2024 16:11:29 -0500
Organization: To protect and to server
Message-ID: <unhoe1$18s7g$1@paganini.bofh.team>
References: <undqeu$tpek$1@paganini.bofh.team> <unevbk$6eke$2@solani.org> <ung57r$166to$1@paganini.bofh.team> <s2ss6kxr43.ln2@Telcontar.valinor> <ungg3j$5hkb$5@solani.org> <ungkpf$170ai$1@paganini.bofh.team> <ungl4l$5hkb$8@solani.org> <ungmvt$173od$1@paganini.bofh.team> <ungnhg$5hkb$10@solani.org> <ungpp1$17890$1@paganini.bofh.team> <ungtum$5hkb$12@solani.org> <unh4cq$17q0r$1@paganini.bofh.team> <emut6kxllk.ln2@Telcontar.valinor>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 8bit
Injection-Date: Mon, 8 Jan 2024 21:11:30 -0000 (UTC)
Injection-Info: paganini.bofh.team; logging-data="1339632"; posting-host="R8jzoRbLjiM/r2rQyny/kg.user.paganini.bofh.team"; mail-complaints-to="usenet@bofh.team"; posting-account="9dIQLXBM7WM9KzA+yjdR4A";
User-Agent: 40tude_Dialog/2.0.15.41 (Beta 38)
Cancel-Lock: sha256:U9cXVowNEvy4D7zJ2ctXWf/+bVj2eEOoiH+Xou4tBmg=
X-Notice: Filtered by postfilter v. 0.9.3
 by: Ronald - Mon, 8 Jan 2024 21:11 UTC

On Mon, 8 Jan 2024 20:23:26 +0100, Carlos E.R. wrote:

>> I set Dialog to a full level-0 log (which is everything), and it still
>> didn't say anything other than the connection failed (socket 0).
>
> Because the failure is outside of Dialog.

You were right all along. A socket is apparently just a connection, so a
socket error just means a connection error. The error is outside of Dialog.

>> This is what happens when I post to the neodome server.
> stunnel is correctly identifying the problem.

The Dialog log said the host:port connection (which is a socket) failed.

What's good is I asked how to debug this problem and people said to look
inside the sTunnel log - and that's where the real error is found by gosh.

CERT: Pre-verification error: self-signed certificate
certificate verify failed

> The server people are doing things easy and cheap, for them, and causing
> problems for people. What they do is "wrong": A private certificate, and
> not renewed.

I'm learning more about this as I look up how to resolve this myself.
https://www.stunnel.org/howto.html
How does stunnel check certificates?
https://ftp.icm.edu.pl/packages/replay.old/ssl/stunnel/faq/certs.html
Problems with a self-signed certificate

> This is done between private individuals, but is not fine when going public.
>
> Configuring your side to not verifying the certificate and ignoring it
> has expired is a hack. It is also a security risk (mild in this case).
> You decide to play along or choose a different server.

It turns out that sTunnel has a capability to "Save Peer Certificate".
https://easynews.support.narkive.com/Voh2l6t6/stunnel-on-windows-7-64bit

This is what it says at that ten year old thread about saving the cert.

"After connecting to Easynews with verify off (or set to 1) use stunnel's
Save Peer Certificate option. This saves the certificate presented by the
server to your hard drive (in my case as peer-nntps.pem). You can then use
verify option, specifying the saved certificate file."

"The stunnel GUI console has an option "Save Peer Certificate" which saves
a copy of this certificate on your hard drive in PEM format. If you set
verify=3 and CAfile as the saved PEM file, stunnel will additionally check
that the certificate has not changed (it's the same as your local copy)
since the last time you connected. That's generally all you need.

However, if the server certificate changes legitimately (as many have
recently) verify=3 will reject the new one and you have to go through the
save process again.

As you know, I recently did this with Easynews and stunnel complained that
the new certificate had "self signed components". Jason, in support,
pointed me at this link -
https://certs.godaddy.com/anonymous/repository.pki - where GoDaddy's root
certs are available in various formats.

Sadly PEM is not one of them but, if you have OpenSSL installed, you can
convert from other formats to PEM. I downloaded the DER format file
(gd-class2-root.cer) and used this command to convert it to PEM format.

openssl x509 -in gd-class2-root.cer -inform der -outform pem -out certs.pem

I concatenated this onto my new peer-nntps.pem file (they are just
ASCII files), reloaded the stunnel configuration, and verify=1/2/3 were all
happy again.

I only use stunnel for my NNTP client so putting everything in one PEM file
is the easiest option for me. If you use stunnel for other protocols and
clients, look at the documentation for CApath which lets you keep a set of
certs in a directory."

But unfortunately, the certificate is expired. So that won't help me.

I found another way that might work with Neodome port 119 & STARTTLS with
sTunnel (as Dialog doesn't support STARTTLS either). I have to test it.

Re: Check certificate for news server (testing neodome)

<uo0qko$30ofu$1@paganini.bofh.team>

https://novabbs.com/computers/article-flat.php?id=3704&group=alt.free.newsservers#3704

Newsgroups: alt.free.newsservers
From: ron...@nospam.me (Ronald)
Subject: Re: Check certificate for news server (testing neodome)
Date: Sun, 14 Jan 2024 09:21:12 -0500
Organization: To protect and to server
Message-ID: <uo0qko$30ofu$1@paganini.bofh.team>
References: <undqeu$tpek$1@paganini.bofh.team>
User-Agent: 40tude_Dialog/2.0.15.41 (Beta 38)
 by: Ronald - Sun, 14 Jan 2024 14:21 UTC

To post the solution, there were four solutions that worked
for posting using Neodome on a grandfathered account (reading
probably works without any of this sTunnel configuration).

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; stunnel.conf (tested on January 10th, 2024)
; <https://groups.google.com/g/news.software.readers/c/DTYKUX3VwLw>
; <https://groups.google.com/g/news.software.readers/c/sxkkJYuI728>
; Each solution below is a tested workaround thanks mostly to Bernd Rose
; Like it or not, Dialog obfuscates or omits some identity information
; Once you type it in, it's lost forever in an unencrypted visible format
; So you may want to save that identity information here in stunnel.conf
; Or you might want to save that identity information in keepassXC
; Neodome Identity: (archive your real email address here if you like)
; Dialog Identity: (archive your Dialog email address here if you like)
; Dialog Username = (archive your Dialog username here if you like)
; Dialog Password = (archive your Dialog password here if you like)
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; Apparently news.neodome.net does not require authentication to read
; However, news.neodome.net requires a login/password to post
; And news.neodome.net requires at least a 10-character password
; Unfortunately, the news.neodome.net certificate is self-signed
; And worse, the news.neodome.net certificate expired in 12/2020
; Even so, news.neodome.net REQUIRES encryption when posting
; With the result that news.neodome.net won't accept Dialog port 119
; Unfortunately, Dialog (circa 2005) uses old encryption standards
; And unfortunately news.neodome.net won't accept Dialog port 119 SSL
; However news.neodome.net will accept Dialog port 563 old encryption
; And news.neodome.net will accept stunnel port 119 STARTTLS encryption
; Also news.neodome.net will accept that the certificate simply exists
; That gave us four working workarounds to the encryption problem set
; 1. news.neodome.net accepts Dialog port 563 SSL encryption
; 2. news.neodome.net accepts sTunnel port 119 protocol=nntp encryption
; 3. news.neodome.net accepts sTunnel port 563 ignoring the certificate
; 4. news.neodome.net accepts sTunnel port 563 acknowledging the cert
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;{Neodome0}
; The boiler-plate section below "should" work but won't work in 2024
; because Neodome has a self-signed certificate which is also expired
; [Neodome0]
; Dialog Host: 127.0.0.1
; Dialog Port: 65534 (pick an unused port between 49152 & 65535)
; Dialog SSL: unchecked
; Dialog Username: (required for posting to most text newsgroups)
; Dialog Password: (required for posting to most text newsgroups)
; Dialog Allwd. conn.: 2
; Dialog Use pipelining (unchecked)
; client = yes
; accept = 127.0.0.1:63534
; connect = news.neodome.net:563
; verifyChain = yes
; CAfile = ca-certs.pem
; checkHost = news.neodome.net
; OCSPaia = yes
; Ports 1191, 1192, 1193, 5631, 5632, 5633 are usually available and
; could be read (as aide-memoire) as 119-1 ... 119-3 (for STARTTLS
; connections to an external port 119) or as 563-1 ... 563-3 for
; connections to an external standard NNTP encryption port 563.
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;{Neodome1 workaround}
; This method sets Dialog to use Dialog port 563 SSL encryption
; 40Tude Dialog will NOT use the latest encryption standards.
; sTunnel is not involved so the stunnel.conf should be empty
; Dialog Host: news.neodome.net
; Dialog Port: 563
; Dialog SSL: checked
; Dialog Username: (required for posting to most text newsgroups)
; Dialog Password: (required for posting to most text newsgroups)
; Dialog Allwd. conn.: 2
; Dialog Use pipelining (unchecked)
; No stunnel.conf entries are used for this [Neodome1] workaround
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;{Neodome2 workaround}
; This method sets Dialog to use sTunnel port 119 STARTTLS.
; It _only_ requires a password when a connection is established
; from a client that explicitly requests STARTTLS.
; It just so happens that sTunnel cannot be configured to connect
; without any encryption (except NULL encryption, which still /is/
; encryption). So, to connect to Neodome port 119 without (STARTTLS)
; encryption one needs to bypass sTunnel and connect directly.
; (In this case from Dialog.) Without encryption, posting isn't
; permitted on Neodome, though.
; Therefore, this would be a read-only setup.
; Like it or not, you'll see these sTunnel warnings with this entry
; LOG3: No trusted certificates found
; LOG4: Service [Neodome2] needs authentication to prevent MITM attacks
; Dialog Host: 127.0.0.1
; Dialog Port: 49152 (pick any unused port between 49152 & 65535)
; Dialog SSL: unchecked
; Dialog Username: (required for posting to most text newsgroups)
; Dialog Password: (required for posting to most text newsgroups)
; Dialog Allwd. conn.: 2
; Dialog Use pipelining (unchecked)
; For self-signed certificates that have not expired, a good way to
; deal with them is to download them & they will be checked against
; the existing non-expired self-signed certificate (which has no chain)
; In Stunnel, if you've recently posted, you can do the following:
; Stunnel: Save Peer Certificate -> Peer-Neodome2.pem
; Up comes a box saying:
; Stunnel 5.69 on Win64
; Peer certificate change has been saved.
; Add the following lines to section [Neodome2]:
; CAfile = peer-Neodome2.pem
; verifyPeer = yes
; to enable cryptographic authentication.
; Then reload stunnel configuration file.
[Neodome2]
client = yes
accept = 127.0.0.1:49152
connect = news.neodome.net:119
protocol = nntp
; CAfile = peer-Neodome2.pem
; verifyPeer = yes
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;{Neodome3 workaround}
; This method sets Dialog to use sTunnel port 563 encryption
; It's probably the best option because it uses current encryption
; sTunnel uses the certificate but sTunnel just doesn't verify the
; _eligibility_ of the certificate in the described setup.
; Dialog Host: 127.0.0.1
; Dialog Port: 49153 (pick any unused port between 49152 & 65535)
; Dialog SSL: unchecked
; Dialog Username: (required for posting to most text newsgroups)
; Dialog Password: (required for posting to most text newsgroups)
; Dialog Allwd. conn.: 2
; Dialog Use pipelining (unchecked)
; Like it or not, you'll see these sTunnel warnings with this entry
; LOG3: No trusted certificates found
; LOG4: Service [Neodome3] needs authentication to prevent MITM attacks
[Neodome3]
client = yes
accept = 127.0.0.1:49153
connect = news.neodome.net:563
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;{Neodome4 workaround}
; This is a very minor variation on the method #3 tested above
; which is included _only_ because the Neodome admin suggested it
; This method sets Dialog to use sTunnel port 563 encryption
; Where this method uses a deprecated sTunnel "verify = 0" setting
; The "verify = 0" was initially suggested by the Neodome admin
; The "verify = 0" requests a certificate but does not check it
; Dialog Host: 127.0.0.1
; Dialog Port: 49154 (pick any unused port between 49152 & 65535)
; Dialog SSL: unchecked
; Dialog Username: (required for posting to most text newsgroups)
; Dialog Password: (required for posting to most text newsgroups)
; Dialog Allwd. conn.: 2
; Dialog Use pipelining (unchecked)
; Like it or not, you'll see these sTunnel warnings with this entry
; LOG3: No trusted certificates found
; LOG4: Service [Neodome4] needs authentication to prevent MITM attacks
[Neodome4]
client = yes
accept = 127.0.0.1:49154
connect = news.neodome.net:563
verify = 0
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
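An added example, not code from this thread, from stunnel or from Dialog: the offline checks a practitioner would run on a PEM saved with stunnel's "Save Peer Certificate" before pinning it with CAfile + verifyPeer (the earlier post's procedure), plus the DER-to-PEM conversion the quoted Easynews thread uses and a self-signed/expiry check for the situation the [Neodome2] section describes. It assumes the openssl CLI is installed; file names and the sample certificate are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread, stunnel or Dialog: offline checks
# on a PEM saved with stunnel's "Save Peer Certificate" before you pin it via
# CAfile + verifyPeer. Requires the openssl CLI; file names are assumptions.
set -u

# Convert a DER (.cer) certificate to PEM, the step the quoted thread uses for
# a root cert, so it can be appended to the same CAfile as the peer cert.
der_to_pem() {
    openssl x509 -in "$1" -inform der -outform pem -out "$2"
}

# Fields worth reading before pinning: subject, issuer and validity window.
pem_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Exit 0 if issuer equals subject (self-signed, so there is no chain to
# verify and only the pin itself protects you), 1 otherwise.
pem_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject)
    iss=$(openssl x509 -in "$1" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Exit 0 if the cert is still valid $2 seconds from now (default 0 = now),
# 1 if it has expired or expires inside that window. An expired pin is
# rejected by verifyPeer on every connect, which is the thread's problem.
pem_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# SHA-256 fingerprint: record it with the pin and compare it when the server
# presents a changed certificate, before saving a new peer file.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Constructed sample: a throwaway self-signed cert valid for 2 days, standing
# in for the peer-Neodome2.pem that stunnel would save. $1 is the output path.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=sample.invalid" -keyout "$1.key" -out "$1" 2>/dev/null
}
```

To try it, source the file, run make_sample_cert on a scratch path, then pem_summary, pem_is_self_signed, pem_valid_for and pem_fingerprint on the result; on a real saved peer PEM, skip make_sample_cert.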
