CITADEL Admininistration Manual

Copyright ©1987-2012 by the Citadel development team:

• Clint Adams
• Steven M. Bellovin
• Nathan Bryant
• Art Cancro
• Brian Costello
• Edward Flick
• Nick Georbit
• David Given
• Dave West
• Wilfried Goesgens
• Michael Hampton
• Andru Luvisi
• Daniel Malament
• Stu Mark
• Edward S. Marshall
• Ben Mehlman
• Matt Pfleger
• Ari Samson
• Trey Van Riper
• John Walker
• Steve Williams
• Ethan Young

The entire package is open source software. You may redistribute and/or modify it under the terms of the GNU General Public License, version 3, which is included in this manual.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

For more information, visit either of these locations on the web:

• The Citadel home page: http://www.citadel.org
• UNCENSORED! BBS, the home of Citadel: http://uncensored.citadel.org

                    GNU GENERAL PUBLIC LICENSE
                     Version 3,  29 June 2007

 Copyright (C) 2007 Free Software Foundation, Inc. [http://fsf.org]

                            Preamble

  The GNU General Public License is an open source license for software.

  The licenses for most software and other practical works are designed
to take away your freedom to share and change the works.  By contrast,
the GNU General Public License is intended to guarantee your freedom to
share and change all versions of a program--to make sure it remains free
software for all its users.  We, the Free Software Foundation, use the
GNU General Public License for most of our software; it applies also to
any other work released this way by its authors.  You can apply it to
your programs, too.

  When we speak of free software, we are referring to freedom, not
price.  Our General Public Licenses are designed to make sure that you
have the freedom to distribute copies of free software (and charge for
them if you wish), that you receive source code or can get it if you
want it, that you can change the software or use pieces of it in new
free programs, and that you know you can do these things.

  To protect your rights, we need to prevent others from denying you
these rights or asking you to surrender the rights.  Therefore, you have
certain responsibilities if you distribute copies of the software, or if
you modify it: responsibilities to respect the freedom of others.

  For example, if you distribute copies of such a program, whether
gratis or for a fee, you must pass on to the recipients the same
freedoms that you received.  You must make sure that they, too, receive
or can get the source code.  And you must show them these terms so they
know their rights.

  Developers that use the GNU GPL protect your rights with two steps:
(1) assert copyright on the software, and (2) offer you this License
giving you legal permission to copy, distribute and/or modify it.

  For the developers' and authors' protection, the GPL clearly explains
that there is no warranty for this free software.  For both users' and
authors' sake, the GPL requires that modified versions be marked as
changed, so that their problems will not be attributed erroneously to
authors of previous versions.

  Some devices are designed to deny users access to install or run
modified versions of the software inside them, although the manufacturer
can do so.  This is fundamentally incompatible with the aim of
protecting users' freedom to change the software.  The systematic
pattern of such abuse occurs in the area of products for individuals to
use, which is precisely where it is most unacceptable.  Therefore, we
have designed this version of the GPL to prohibit the practice for those
products.  If such problems arise substantially in other domains, we
stand ready to extend this provision to those domains in future versions
of the GPL, as needed to protect the freedom of users.

  Finally, every program is threatened constantly by software patents.
States should not allow patents to restrict development and use of
software on general-purpose computers, but in those that do, we wish to
avoid the special danger that patents applied to a free program could
make it effectively proprietary.  To prevent this, the GPL assures that
patents cannot be used to render the program non-free.

  The precise terms and conditions for copying, distribution and
modification follow.

                       TERMS AND CONDITIONS

  0. Definitions.

  "This License" refers to version 3 of the GNU General Public License.

  "Copyright" also means copyright-like laws that apply to other kinds of
works, such as semiconductor masks.

  "The Program" refers to any copyrightable work licensed under this
License.  Each licensee is addressed as "you".  "Licensees" and
"recipients" may be individuals or organizations.

  To "modify" a work means to copy from or adapt all or part of the work
in a fashion requiring copyright permission, other than the making of an
exact copy.  The resulting work is called a "modified version" of the
earlier work or a work "based on" the earlier work.

  A "covered work" means either the unmodified Program or a work based
on the Program.

  To "propagate" a work means to do anything with it that, without
permission, would make you directly or secondarily liable for
infringement under applicable copyright law, except executing it on a
computer or modifying a private copy.  Propagation includes copying,
distribution (with or without modification), making available to the
public, and in some countries other activities as well.

  To "convey" a work means any kind of propagation that enables other
parties to make or receive copies.  Mere interaction with a user through
a computer network, with no transfer of a copy, is not conveying.

  An interactive user interface displays "Appropriate Legal Notices"
to the extent that it includes a convenient and prominently visible
feature that (1) displays an appropriate copyright notice, and (2)
tells the user that there is no warranty for the work (except to the
extent that warranties are provided), that licensees may convey the
work under this License, and how to view a copy of this License.  If
the interface presents a list of user commands or options, such as a
menu, a prominent item in the list meets this criterion.

  1. Source Code.

  The "source code" for a work means the preferred form of the work
for making modifications to it.  "Object code" means any non-source
form of a work.

  A "Standard Interface" means an interface that either is an official
standard defined by a recognized standards body, or, in the case of
interfaces specified for a particular programming language, one that
is widely used among developers working in that language.

  The "System Libraries" of an executable work include anything, other
than the work as a whole, that (a) is included in the normal form of
packaging a Major Component, but which is not part of that Major
Component, and (b) serves only to enable use of the work with that
Major Component, or to implement a Standard Interface for which an
implementation is available to the public in source code form.  A
"Major Component", in this context, means a major essential component
(kernel, window system, and so on) of the specific operating system
(if any) on which the executable work runs, or a compiler used to
produce the work, or an object code interpreter used to run it.

  The "Corresponding Source" for a work in object code form means all
the source code needed to generate, install, and (for an executable
work) run the object code and to modify the work, including scripts to
control those activities.  However, it does not include the work's
System Libraries, or general-purpose tools or generally available free
programs which are used unmodified in performing those activities but
which are not part of the work.  For example, Corresponding Source
includes interface definition files associated with source files for
the work, and the source code for shared libraries and dynamically
linked subprograms that the work is specifically designed to require,
such as by intimate data communication or control flow between those
subprograms and other parts of the work.

  The Corresponding Source need not include anything that users
can regenerate automatically from other parts of the Corresponding
Source.

  The Corresponding Source for a work in source code form is that
same work.

  2. Basic Permissions.

  All rights granted under this License are granted for the term of
copyright on the Program, and are irrevocable provided the stated
conditions are met.  This License explicitly affirms your unlimited
permission to run the unmodified Program.  The output from running a
covered work is covered by this License only if the output, given its
content, constitutes a covered work.  This License acknowledges your
rights of fair use or other equivalent, as provided by copyright law.

  You may make, run and propagate covered works that you do not
convey, without conditions so long as your license otherwise remains
in force.  You may convey covered works to others for the sole purpose
of having them make modifications exclusively for you, or provide you
with facilities for running those works, provided that you comply with
the terms of this License in conveying all material for which you do
not control copyright.  Those thus making or running the covered works
for you must do so exclusively on your behalf, under your direction
and control, on terms that prohibit them from making any copies of
your copyrighted material outside their relationship with you.

  Conveying under any other circumstances is permitted solely under
the conditions stated below.  Sublicensing is not allowed; section 10
makes it unnecessary.

  3. Protecting Users' Legal Rights From Anti-Circumvention Law.

  No covered work shall be deemed part of an effective technological
measure under any applicable law fulfilling obligations under article
11 of the WIPO copyright treaty adopted on 20 December 1996, or
similar laws prohibiting or restricting circumvention of such
measures.

  When you convey a covered work, you waive any legal power to forbid
circumvention of technological measures to the extent such circumvention
is effected by exercising rights under this License with respect to
the covered work, and you disclaim any intention to limit operation or
modification of the work as a means of enforcing, against the work's
users, your or third parties' legal rights to forbid circumvention of
technological measures.

  4. Conveying Verbatim Copies.

  You may convey verbatim copies of the Program's source code as you
receive it, in any medium, provided that you conspicuously and
appropriately publish on each copy an appropriate copyright notice;
keep intact all notices stating that this License and any
non-permissive terms added in accord with section 7 apply to the code;
keep intact all notices of the absence of any warranty; and give all
recipients a copy of this License along with the Program.

  You may charge any price or no price for each copy that you convey,
and you may offer support or warranty protection for a fee.

  5. Conveying Modified Source Versions.

  You may convey a work based on the Program, or the modifications to
produce it from the Program, in the form of source code under the
terms of section 4, provided that you also meet all of these conditions:

    a) The work must carry prominent notices stating that you modified
    it, and giving a relevant date.

    b) The work must carry prominent notices stating that it is
    released under this License and any conditions added under section
    7.  This requirement modifies the requirement in section 4 to
    "keep intact all notices".

    c) You must license the entire work, as a whole, under this
    License to anyone who comes into possession of a copy.  This
    License will therefore apply, along with any applicable section 7
    additional terms, to the whole of the work, and all its parts,
    regardless of how they are packaged.  This License gives no
    permission to license the work in any other way, but it does not
    invalidate such permission if you have separately received it.

    d) If the work has interactive user interfaces, each must display
    Appropriate Legal Notices; however, if the Program has interactive
    interfaces that do not display Appropriate Legal Notices, your
    work need not make them do so.

  A compilation of a covered work with other separate and independent
works, which are not by their nature extensions of the covered work,
and which are not combined with it such as to form a larger program,
in or on a volume of a storage or distribution medium, is called an
"aggregate" if the compilation and its resulting copyright are not
used to limit the access or legal rights of the compilation's users
beyond what the individual works permit.  Inclusion of a covered work
in an aggregate does not cause this License to apply to the other
parts of the aggregate.

  6. Conveying Non-Source Forms.

  You may convey a covered work in object code form under the terms
of sections 4 and 5, provided that you also convey the
machine-readable Corresponding Source under the terms of this License,
in one of these ways:

    a) Convey the object code in, or embodied in, a physical product
    (including a physical distribution medium), accompanied by the
    Corresponding Source fixed on a durable physical medium
    customarily used for software interchange.

    b) Convey the object code in, or embodied in, a physical product
    (including a physical distribution medium), accompanied by a
    written offer, valid for at least three years and valid for as
    long as you offer spare parts or customer support for that product
    model, to give anyone who possesses the object code either (1) a
    copy of the Corresponding Source for all the software in the
    product that is covered by this License, on a durable physical
    medium customarily used for software interchange, for a price no
    more than your reasonable cost of physically performing this
    conveying of source, or (2) access to copy the
    Corresponding Source from a network server at no charge.

    c) Convey individual copies of the object code with a copy of the
    written offer to provide the Corresponding Source.  This
    alternative is allowed only occasionally and noncommercially, and
    only if you received the object code with such an offer, in accord
    with subsection 6b.

    d) Convey the object code by offering access from a designated
    place (gratis or for a charge), and offer equivalent access to the
    Corresponding Source in the same way through the same place at no
    further charge.  You need not require recipients to copy the
    Corresponding Source along with the object code.  If the place to
    copy the object code is a network server, the Corresponding Source
    may be on a different server (operated by you or a third party)
    that supports equivalent copying facilities, provided you maintain
    clear directions next to the object code saying where to find the
    Corresponding Source.  Regardless of what server hosts the
    Corresponding Source, you remain obligated to ensure that it is
    available for as long as needed to satisfy these requirements.

    e) Convey the object code using peer-to-peer transmission, provided
    you inform other peers where the object code and Corresponding
    Source of the work are being offered to the general public at no
    charge under subsection 6d.

  A separable portion of the object code, whose source code is excluded
from the Corresponding Source as a System Library, need not be
included in conveying the object code work.

  A "User Product" is either (1) a "consumer product", which means any
tangible personal property which is normally used for personal, family,
or household purposes, or (2) anything designed or sold for incorporation
into a dwelling.  In determining whether a product is a consumer product,
doubtful cases shall be resolved in favor of coverage.  For a particular
product received by a particular user, "normally used" refers to a
typical or common use of that class of product, regardless of the status
of the particular user or of the way in which the particular user
actually uses, or expects or is expected to use, the product.  A product
is a consumer product regardless of whether the product has substantial
commercial, industrial or non-consumer uses, unless such uses represent
the only significant mode of use of the product.

  "Installation Information" for a User Product means any methods,
procedures, authorization keys, or other information required to install
and execute modified versions of a covered work in that User Product from
a modified version of its Corresponding Source.  The information must
suffice to ensure that the continued functioning of the modified object
code is in no case prevented or interfered with solely because
modification has been made.

  If you convey an object code work under this section in, or with, or
specifically for use in, a User Product, and the conveying occurs as
part of a transaction in which the right of possession and use of the
User Product is transferred to the recipient in perpetuity or for a
fixed term (regardless of how the transaction is characterized), the
Corresponding Source conveyed under this section must be accompanied
by the Installation Information.  But this requirement does not apply
if neither you nor any third party retains the ability to install
modified object code on the User Product (for example, the work has
been installed in ROM).

  The requirement to provide Installation Information does not include a
requirement to continue to provide support service, warranty, or updates
for a work that has been modified or installed by the recipient, or for
the User Product in which it has been modified or installed.  Access to a
network may be denied when the modification itself materially and
adversely affects the operation of the network or violates the rules and
protocols for communication across the network.

  Corresponding Source conveyed, and Installation Information provided,
in accord with this section must be in a format that is publicly
documented (and with an implementation available to the public in
source code form), and must require no special password or key for
unpacking, reading or copying.

  7. Additional Terms.

  "Additional permissions" are terms that supplement the terms of this
License by making exceptions from one or more of its conditions.
Additional permissions that are applicable to the entire Program shall
be treated as though they were included in this License, to the extent
that they are valid under applicable law.  If additional permissions
apply only to part of the Program, that part may be used separately
under those permissions, but the entire Program remains governed by
this License without regard to the additional permissions.

  When you convey a copy of a covered work, you may at your option
remove any additional permissions from that copy, or from any part of
it.  (Additional permissions may be written to require their own
removal in certain cases when you modify the work.)  You may place
additional permissions on material, added by you to a covered work,
for which you have or can give appropriate copyright permission.

  Notwithstanding any other provision of this License, for material you
add to a covered work, you may (if authorized by the copyright holders of
that material) supplement the terms of this License with terms:

    a) Disclaiming warranty or limiting liability differently from the
    terms of sections 15 and 16 of this License; or

    b) Requiring preservation of specified reasonable legal notices or
    author attributions in that material or in the Appropriate Legal
    Notices displayed by works containing it; or

    c) Prohibiting misrepresentation of the origin of that material, or
    requiring that modified versions of such material be marked in
    reasonable ways as different from the original version; or

    d) Limiting the use for publicity purposes of names of licensors or
    authors of the material; or

    e) Declining to grant rights under trademark law for use of some
    trade names, trademarks, or service marks; or

    f) Requiring indemnification of licensors and authors of that
    material by anyone who conveys the material (or modified versions of
    it) with contractual assumptions of liability to the recipient, for
    any liability that these contractual assumptions directly impose on
    those licensors and authors.

  All other non-permissive additional terms are considered "further
restrictions" within the meaning of section 10.  If the Program as you
received it, or any part of it, contains a notice stating that it is
governed by this License along with a term that is a further
restriction, you may remove that term.  If a license document contains
a further restriction but permits relicensing or conveying under this
License, you may add to a covered work material governed by the terms
of that license document, provided that the further restriction does
not survive such relicensing or conveying.

  If you add terms to a covered work in accord with this section, you
must place, in the relevant source files, a statement of the
additional terms that apply to those files, or a notice indicating
where to find the applicable terms.

  Additional terms, permissive or non-permissive, may be stated in the
form of a separately written license, or stated as exceptions;
the above requirements apply either way.

  8. Termination.

  You may not propagate or modify a covered work except as expressly
provided under this License.  Any attempt otherwise to propagate or
modify it is void, and will automatically terminate your rights under
this License (including any patent licenses granted under the third
paragraph of section 11).

  However, if you cease all violation of this License, then your
license from a particular copyright holder is reinstated (a)
provisionally, unless and until the copyright holder explicitly and
finally terminates your license, and (b) permanently, if the copyright
holder fails to notify you of the violation by some reasonable means
prior to 60 days after the cessation.

  Moreover, your license from a particular copyright holder is
reinstated permanently if the copyright holder notifies you of the
violation by some reasonable means, this is the first time you have
received notice of violation of this License (for any work) from that
copyright holder, and you cure the violation prior to 30 days after
your receipt of the notice.

  Termination of your rights under this section does not terminate the
licenses of parties who have received copies or rights from you under
this License.  If your rights have been terminated and not permanently
reinstated, you do not qualify to receive new licenses for the same
material under section 10.

  9. Acceptance Not Required for Having Copies.

  You are not required to accept this License in order to receive or
run a copy of the Program.  Ancillary propagation of a covered work
occurring solely as a consequence of using peer-to-peer transmission
to receive a copy likewise does not require acceptance.  However,
nothing other than this License grants you permission to propagate or
modify any covered work.  These actions infringe copyright if you do
not accept this License.  Therefore, by modifying or propagating a
covered work, you indicate your acceptance of this License to do so.

  10. Automatic Licensing of Downstream Recipients.

  Each time you convey a covered work, the recipient automatically
receives a license from the original licensors, to run, modify and
propagate that work, subject to this License.  You are not responsible
for enforcing compliance by third parties with this License.

  An "entity transaction" is a transaction transferring control of an
organization, or substantially all assets of one, or subdividing an
organization, or merging organizations.  If propagation of a covered
work results from an entity transaction, each party to that
transaction who receives a copy of the work also receives whatever
licenses to the work the party's predecessor in interest had or could
give under the previous paragraph, plus a right to possession of the
Corresponding Source of the work from the predecessor in interest, if
the predecessor has it or can get it with reasonable efforts.

  You may not impose any further restrictions on the exercise of the
rights granted or affirmed under this License.  For example, you may
not impose a license fee, royalty, or other charge for exercise of
rights granted under this License, and you may not initiate litigation
(including a cross-claim or counterclaim in a lawsuit) alleging that
any patent claim is infringed by making, using, selling, offering for
sale, or importing the Program or any portion of it.

  11. Patents.

  A "contributor" is a copyright holder who authorizes use under this
License of the Program or a work on which the Program is based.  The
work thus licensed is called the contributor's "contributor version".

  A contributor's "essential patent claims" are all patent claims
owned or controlled by the contributor, whether already acquired or
hereafter acquired, that would be infringed by some manner, permitted
by this License, of making, using, or selling its contributor version,
but do not include claims that would be infringed only as a
consequence of further modification of the contributor version.  For
purposes of this definition, "control" includes the right to grant
patent sublicenses in a manner consistent with the requirements of
this License.

  Each contributor grants you a non-exclusive, worldwide, royalty-free
patent license under the contributor's essential patent claims, to
make, use, sell, offer for sale, import and otherwise run, modify and
propagate the contents of its contributor version.

  In the following three paragraphs, a "patent license" is any express
agreement or commitment, however denominated, not to enforce a patent
(such as an express permission to practice a patent or covenant not to
sue for patent infringement).  To "grant" such a patent license to a
party means to make such an agreement or commitment not to enforce a
patent against the party.

  If you convey a covered work, knowingly relying on a patent license,
and the Corresponding Source of the work is not available for anyone
to copy, free of charge and under the terms of this License, through a
publicly available network server or other readily accessible means,
then you must either (1) cause the Corresponding Source to be so
available, or (2) arrange to deprive yourself of the benefit of the
patent license for this particular work, or (3) arrange, in a manner
consistent with the requirements of this License, to extend the patent
license to downstream recipients.  "Knowingly relying" means you have
actual knowledge that, but for the patent license, your conveying the
covered work in a country, or your recipient's use of the covered work
in a country, would infringe one or more identifiable patents in that
country that you have reason to believe are valid.

  If, pursuant to or in connection with a single transaction or
arrangement, you convey, or propagate by procuring conveyance of, a
covered work, and grant a patent license to some of the parties
receiving the covered work authorizing them to use, propagate, modify
or convey a specific copy of the covered work, then the patent license
you grant is automatically extended to all recipients of the covered
work and works based on it.

  A patent license is "discriminatory" if it does not include within
the scope of its coverage, prohibits the exercise of, or is
conditioned on the non-exercise of one or more of the rights that are
specifically granted under this License.  You may not convey a covered
work if you are a party to an arrangement with a third party that is
in the business of distributing software, under which you make payment
to the third party based on the extent of your activity of conveying
the work, and under which the third party grants, to any of the
parties who would receive the covered work from you, a discriminatory
patent license (a) in connection with copies of the covered work
conveyed by you (or copies made from those copies), or (b) primarily
for and in connection with specific products or compilations that
contain the covered work, unless you entered into that arrangement,
or that patent license was granted, prior to 28 March 2007.

  Nothing in this License shall be construed as excluding or limiting
any implied license or other defenses to infringement that may
otherwise be available to you under applicable patent law.

  12. No Surrender of Others' Freedom.

  If conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License.  If you cannot convey a
covered work so as to satisfy simultaneously your obligations under this
License and any other pertinent obligations, then as a consequence you may
not convey it at all.  For example, if you agree to terms that obligate you
to collect a royalty for further conveying from those to whom you convey
the Program, the only way you could satisfy both those terms and this
License would be to refrain entirely from conveying the Program.

  13. Use with the GNU Affero General Public License.

  Notwithstanding any other provision of this License, you have
permission to link or combine any covered work with a work licensed
under version 3 of the GNU Affero General Public License into a single
combined work, and to convey the resulting work.  The terms of this
License will continue to apply to the part which is the covered work,
but the special requirements of the GNU Affero General Public License,
section 13, concerning interaction through a network will apply to the
combination as such.

  14. Revised Versions of this License.

  The Free Software Foundation may publish revised and/or new versions of
the GNU General Public License from time to time.  Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns.

  Each version is given a distinguishing version number.  If the
Program specifies that a certain numbered version of the GNU General
Public License "or any later version" applies to it, you have the
option of following the terms and conditions either of that numbered
version or of any later version published by the Free Software
Foundation.  If the Program does not specify a version number of the
GNU General Public License, you may choose any version ever published
by the Free Software Foundation.

  If the Program specifies that a proxy can decide which future
versions of the GNU General Public License can be used, that proxy's
public statement of acceptance of a version permanently authorizes you
to choose that version for the Program.

  Later license versions may give you additional or different
permissions.  However, no additional obligations are imposed on any
author or copyright holder as a result of your choosing to follow a
later version.

  15. Disclaimer of Warranty.

  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

  16. Limitation of Liability.

  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
SUCH DAMAGES.

  17. Interpretation of Sections 15 and 16.

  If the disclaimer of warranty and limitation of liability provided
above cannot be given local legal effect according to their terms,
reviewing courts shall apply local law that most closely approximates
an absolute waiver of all civil liability in connection with the
Program, unless a warranty or assumption of liability accompanies a
copy of the Program in return for a fee.

                     END OF TERMS AND CONDITIONS

Citadel is an advanced, multiuser, client/server messaging system suitable for BBS, e-mail, and groupware applications. It is designed to handle the needs of both small dialup systems and large-scale Internet-connected systems. It was originally developed on an Altos system running Xenix, and has been installed and tested on various Unix and Unix-like platforms. The current development environment (and public BBS) is an ordinary Linux system. The current distribution includes:

• The Citadel server (this is the back end that does all processing)
• A text-based client program designed with the traditional Citadel “look and feel” (room prompts, dot commands, and the like)
• Setup programs
• A set of utilities for system administration and maintenance
• Documentation

Some knowledge of the Unix system is necessary to install and manage the system. It is mandatory that the sysop have “root” access to the operating system. The following are required to install Citadel:

• A unix-like operating system (Linux, FreeBSD, Solaris, etc.)
• The GNU build tools (GCC with gmake is the recommended build environment)
• Berkeley DB v4.1 or newer
• libical v0.26 or newer (if you want the calendar service to work)
• libSieve v2.2.3 or newer (if you want mail filtering/scripting to work)
• Enough disk space to hold all of the programs and data

It is STRONGLY recommended that you run it on a recent Linux distribution. Many of the prerequisite tools and libraries will either be preinstalled for you or will be readily available in the repositories.

• “WebCit”, a gateway program to allow full access to Citadel via the World Wide Web. Interactive access through any Web browser.
• Access to Citadel via any standards-compliant e-mail program, thanks to Citadel's built-in SMTP, POP, and IMAP services. You can use Mozilla, Netscape, Evolution, Eudora, Pine, Outlook, etc. with Citadel.
• Access to Citadel's calendar and address book functions using any PIM client that supports Webcal or GroupDAV (requires WebCit).

• More integration with third-party software.

Hopefully you've unpacked the distribution archive into its own directory. This is the directory in which all Citadel files are located and in which all activity will take place. Several subdirectories have already been created during the unpacking process, and others may be created by the software if needed. Make sure you have Berkeley DB installed on your system, and that you have all the development libraries and headers in place so that you can compile against them. If you don't, you can get the latest Berkeley DB at http://www.oracle.com/technetwork/database/berkeleydb/downloads/index.html

As with many Unix programs, Citadel wants to run under its own user ID. Unlike other programs, however, this user ID will do double-duty as a guest login if you are running a public system. This account is typically called “bbs” or “citadel” or something to that effect. You will tell Citadel what the user-id of that account is, and when someone logs in under that account, Citadel will prompt for a user name.

The Citadel user should have a unique uid. The home directory should be the one your Citadel installation resides in (in this example we will use ”/usr/local/citadel”) and the shell should be either “citadel” in that directory, or a script that will start up the citadel client. Example:

citadel::100:1:Citadel Login:/usr/local/citadel:/usr/local/citadel/citadel

When you run setup later, you will be required to tell it the username or user ID of the account you created is, so it knows what user to run as. If you create an account called “citadel, bbs”, or “guest”, the setup program will automatically pick up the user ID by default.

For all other users in ”/etc/passwd” (or in some other name service such as NIS), Citadel can automatically set up such as NIS), Citadel can automatically set up an account using the full name (or 'gecos' in Unixspeak) of the user. It'll also ignore any password you supply, because it uses the user's password on the host system. This allows a 'single sign on' type of environment. Note that this does have to be enabled at setup time – it's the option called “host based authentication mode”. Keep in mind that these users can use *either* their Citadel login name or their login name on the host computer, and their password on the host computer.

If you normally log in to your host system using some method other than telnet (such as ssh), you might want the telnet service to go straight into Citadel, instead of displaying the “login:” prompt first. You can do this by having telnetd start citadel directly instead of ”/bin/login”. The “setup” program will offer to configure this automatically for you if it sees a configuration it understands. If you would prefer to configure it manually, all you need to do is make a simple change to your “inetd” or “xinetd” configuration. Here are some configuration examples.

An example for “inetd” (put the following line in ”/etc/inetd.conf”, replacing any existing telnet configuration line already there):

telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd -L /usr/local/citadel/citadel

An example for “xinetd” (if you have a file called ”/etc/xinetd.d/telnet” then simply replace that file with this one):

service telnet
{
  flags           = REUSE
  socket_type     = stream
  wait            = no
  user            = root
  server          = /usr/sbin/in.telnetd
  server_args     = -L /usr/local/citadel/citadel
  log_on_failure  += USERID
  disable         = no
}

Please make sure you know what you're doing before you install this! If you are going to put Citadel somewhere other than ”/usr/local/citadel” then change the directory name accordingly. If you know of any other local peculiarities which need to be observed, edit the above configuration accordingly as well. And, of course, if you're working remotely, make sure you can successfully log in using SSH before you start making changes to telnet, because if you accidentally break telnet and don't have SSH running, you'll have effectively locked yourself out of your system until you can get physical access to the console.

You can easily compile the Citadel system with the following commands:

./configure
make
make install

The 'configure' script will generate a Makefile from the Makefile.in, and it will also write the file “sysdep.h” to your Citadel directory. Please do not edit sysdep.h or Makefile.in yourself. The configure script will figure out your system dependencies and set everything correctly.

Mac OS X 10.1 and later are now supported. (Sorry, 10.0 cannot be supported, now or in the future.) You need to install the Developer Tools CD, which you can purchase or download for free from http://developer.apple.com. Then run configure like this:

env CC=/usr/bin/cc ./configure (options - see below)

By default, the Citadel system will install in ”/usr/local/citadel”. If you wish to place it in a different directory, you can instead do:

./configure --prefix=/export/home/citadel      (or whatever)

If you've got Berkeley DB installed in a non-standard location, you can help the configure script find it by doing something like this:

./configure --with-db=/usr/local/BerkeleyDB-4.1

Keep in mind that if you're using Berkeley DB from a non-standard location, you'll have to make sure that location is available at runtime.

File permissions are always a bother to work with. You don't want Citadel to crash because someone couldn't access a file, but you also don't want shell users peeking into the binaries to do things like reading others' mail, finding private rooms, etc. The Citadel server needs to be started as root in order to bind to privileged ports, but as soon as its initialization is finished, it changes its user ID to your Citadel user in order to avoid security holes.

Any existing Citadel installation which is at version 5.50 or newer may be upgraded in place without the need to discard your existing data files.

Upgrading to a new version uses the same build procedure as compiling the program for a fresh install, except that you want to do “make upgrade” instead of “make install”. This will overwrite the programs but not your data. Be sure to shut down citserver during this process! If Citadel is running while you upgrade, you may face data corruption issues.

After doing “make upgrade”, you should run “setup” again to bring your data files up to date. Please see the setup section below for more information on this.

The text-based client included with Citadel is suitable for BBS applications. Much of its command set and other behavior is configurable through a Run Control (RC) file. The standard client looks for this file in the following locations:

• “$HOME/.citadelrc”
• your-Citadel-directory”/citadel.rc”
• ”/etc/citadel.rc”
• current-directory”/citadel.rc”

The next couple of sections deal with client-side configuration.

Citadel has a built-in message editor. However, you can also use your favorite text editor to write messages. To do this you simply put a line in your citadel.rc file like this:

editor=/usr/bin/vi

The above example would make Citadel call the vi editor when using the “.Enter Editor” command, or when a user selects the “Always compose messages with the full-screen editor” option. You can also make it the default editor for the “Enter” command by editing the “citadel.rc” file. But be warned: external editors on public systems can be a security hole, because they usually provide users with the ability to drop into a shell on the host system, or save files using names other than the name of the temporary file they are editing. If you intend to use an external editor on a public BBS, make sure you use one that has been hardened for such a purpose – one which has had the 'shell' and 'save as' commands disabled, as well as any other functions which a destructive user could use to gain unauthorized access to your host system.

Citadel can send messages to a printer, or just about anywhere else in your system. The variable “PRINTCMD” in “citadel.rc” specifies what command you use to print. Text is sent to the standard input (stdin) of the print command.

So if you did this:

printcmd="a2ps -o - |lpr -Plocal"

…that would convert the printed text to PostScript, then print on the printer named “local”. There's tons of stuff you can do with this feature. For example, you could use a command like “cat «$HOME/archive” to save copies of important messages in a textfile. Again, this is probably something you don't want to configure for a public BBS host – most system administrators don't want remote users sending arbitrary things to local printers.

This is one more feature which is appropriate for local users. While reading a message that has Internet URL's in it, you can select the “URL-view” command, and it will perform some pre-defined action (usually, this is to open up the URL in a web browser). For example:

urlcmd=netscape -remote "openURL(%s)"

In the above example, it would open up the URL in an open Netscape window.

Before logging in for the first time, you must run the setup program. To begin this procedure, enter the following commands:

cd /usr/local/citadel
./setup

The setup program will guide you through a simple configuration procedure. It will ask you what directory to place your data files in – the default is the current directory, which is usually the sensible thing to select. If you want to run more than one instance of Citadel on the same host, however, you can specify a different directory here – just remember to specify the directory name again when you start up the server later on.

“setup” will then shut down the Citadel service if it is found to be running.

You will then be prompted for the name of the system administrator. This is not merely a cosmetic option – when you log in to your system a little while from now, you'll log in with this name, and it will automatically assign your account the highest access level.

Next, you will be prompted for the User ID of the Citadel account on your host system. If you have an account called “bbs”, “guest”, or “citadel”, that account's UID will be the default. If you are upgrading or reconfiguring an existing system, the existing value will be preserved.

Then you will be prompted for a server port number. This is the TCP port which Citadel clients use to connect to your Citadel server. In almost all cases, you want to use the default – port 504, which is the official port number assigned by the IANA for Citadel implementations.

“setup” will then ask you about authentication mode. Please understand this question thoroughly before answering it. You have a choice of two authentication modes:

• Native authentication - Citadel maintains its own user database. This is the normal mode of authentication. Citadel operates as a “black box” and your users do not have to have accounts or home directories on the host server.
• Host based authentication - access to Citadel is authenticated against the user database (”/etc/passwd” or perhaps NIS, etc.).

You will be asked if you wish to use host based authentication. If you wish to do so, answer “Yes” at the prompt. For most installations, “No” is the appropriate answer.

The Citadel service will then be started, and you will see the following message:

Setup is finished.  You may now log in.

Setup is now complete, on most systems, anyway. Please see below to find out if you need to do anything else:

Please note: this topic involves modifications made to system configuration files in order to configure your host system to automatically start the Citadel service. setup will automatically perform these steps if it can, and if you allow it to – just answer 'Yes' when prompted, and everything will be taken care of for you. If you answer 'No' – or if your system is a little bit odd (for example, BSD systems don't have SysV style init files) – read this section and do what you need to in order to get things configured.

Before you can use Citadel, you must define the “citadel” service to your system. This is accomplished by adding a line to your /etc/services file that looks something like this:

citadel		504/tcp			# Citadel Server

504 is the port number officially designated by the IANA for use by Citadel. There should not be any need to use a different port number, unless you are running multiple Citadels on the same computer and therefore need a different port for each one.

The next step is to arrange for the server to start. The “citserver” program is the main Citadel server. Before we cover the recommended method of starting the server, let's examine its usage options:

citserver [-hHomeDir] [-xDebugLevel] [-tTraceFile] [-lLogFacility] [-d] [-f]

The options are as follows:

”-hHomeDir” - the directory your Citadel data files live in. This should, of course, be a directory that you've run the “setup” program against to set up some data files. If a directory is not specified, the directory name which was specified in the “Makefile” will be used.

”-xDebugLevel” - Set the verbosity of trace messages printed. When -x is used, it will suppress messages sent to syslog (see below). In other words, syslog will never see certain messages if -x is used. Normally you should configure logging through syslog, but -x may still be useful in some circumstances. The available debugging levels are:

• 0 - Emergency condition; Citadel will exit immediately
• 1 - Severe errors; Citadel may be unable to continue without attention
• 2 - Critical errors; Citadel will continue with degraded functionality
• 3 - Error conditions; Citadel will recover and continue normally
• 4 - Warning messages; Citadel will continue normally
• 5 - Normal operational messages
• 6 - Informational messages, progress reports, etc.
• 7 - Debugging messages; extremely verbose

”-tTraceFile” - Tell the server where to send its debug/trace output. Normally it is sent to stdout.

”-lLogFacility” - Tell the server to send its debug/trace output to the “syslog” service on the host system instead of to a trace file. “LogFacility” must be one of: ”kern, user, mail, daemon, auth, syslog, lpr, news, uucp, local0, local1, local2, local3, local4, local5, local6, local7”. Please note that use of the ”-l” option will cancel any use of the ”-t” option; that is, if you specify a trace file and a syslog facility, log output will only go to the syslog facility.

”-d” - Run as a daemon; i.e. in the background.

”-f” - Defragment all the databases upon startup. (No longer used; this is still here only for backwards compatibility.)

The preferred method of starting the Citadel server is to use the init scripts that are generated when you run the setup program.

At this point, your system is ready to run. Run the “citadel” program from the shell and log in as a new user. NOTE: the first user account to be created will automatically be set to access level 6 (Aide). This overcomes some obvious logistical problems - normally, Aide access is given by another Aide, but since there aren't any on your system yet, this isn't possible.

Sometimes you might decide that you want a welcome message (or several different messages) automatically mailed to new users upon their first login. Now there is a way to do this. If you create a room called “New User Greetings”, and it is a private room (invitation-only probably makes the most sense), any messages you enter into that room will automatically be delivered to all new users upon registration.

You can put anything you want there: a welcome message, system policies, special information, etc. You can also put as many messages there as you want to (although it really doesn't make sense to clutter new users' mailboxes with lots of junk).

Don't worry about wasting disk space, either. Citadel has a single-instance message store, so all the new users are actually looking at the same copy of the message on disk.

That's just about all the information you need to install the system. But if you get stuck, you can visit UNCENSORED! BBS and report a problem or ask for help. But if you intend to report a problem getting the Citadel server to run, please double-check the following things first:

• Did you do ”./configure && make && make install” ??
• Did you run setup?
• Did you start the server?

To report a problem, you can log on to UNCENSORED! or any other BBS on the Citadel network which carries the “Citadel/UX>” room. Please DO NOT e-mail the developers directly. Post a request for help on the BBS, with all of the following information:

• The exact nature of your difficulty (remember stderr; do >/tmp/logfile 2>&1 at the end of easy install / configure etc.)
• A transcript of the error message(s) if possible
• The version of Citadel you are running
• The version of Berkeley DB present on your system
• Which operating system you are running, and what version
• If you are running a Linux system, we need to know which distribution, and the version of the kernel, libc, and pthreads you are using (it would help to post the output of a “ldd ./citserver” command).

Citadel, when installed properly, will do most of its maintenance by itself. It is intended to be run unattended for extended periods of time, and most installations do just that without any software failures.

The system has seven access levels. Most users are at the bottom and have no special privileges. Aides are selected people who have special access within the Citadel program. Room Aides only have this access in a certain room. Preferred users can be selected by Aides for access to preferred only rooms. A sysop is anyone who has access to the various sysop utilities - these are in their own executable files, which should have their permissions set to allow only sysops to run them. You should either create a sysops group in /etc/group, or use some other existing group for this purpose.

Aides have access to EVERY room on the system, public and private (all types). They also have access to commands starting with ”.Aide” in addition to being able to delete and move messages. The system room, “Aide>”, is accessible only by those users designated as Aides.

Aides have the following commands available to them that are not available to normal users. They are:

This command allows any aide to change the parameters of a room. Go to the room you wish to edit and enter the “.Aide Edit room” command. A series of prompts will be displayed. The existing parameters will be displayed in brackets; simply press return if you want to leave any or all of them unchanged.

Room name [IG's Fun Room]:

…the name of the room.

Private room [Yes]? 

…enter Yes if you wish to restrict access to the room, or no if the room is to be accessible by all users. Note that Citadel doesn't bother users about access to rooms every time they need to access the room. Once a user gains access to a private room, it then behaves like a public room to them. The following four questions will only be asked if you selected Private…

Accessible by guessing room name [No]?

…if you enter Yes, the room will not show up in users' “Known rooms” listing, but if they “.Goto” the room (typing the room's full name), they will gain access to the room.

Accessible by entering a password [No]?
Room password [mypasswd]:  

…this adds an additional layer of security to the room, prompting users for a password before they can gain access to the room.

If you did not select guessname or passworded, then the only way users can access the room is if an Aide explicitly invites them to the room using the “.Aide Room Invite user” command.

Cause current users to forget room [No] ? No

Enter Yes if you wish to kick out anyone who currently has access to the room.

Preferred users only [No]? No

Enter Yes if you wish to restrict the room to only users who have level 5 (Preferred User) status (and Aides too, of course). You should make the room public if you intend to do this, otherwise the two restrictions will be COMBINED.

Read-only room [No]? No

If you set a room to Read-Only, then normal users will not be allowed to post messages in it. Messages may only be posted by Aides, and by utility programs such as the networker and the “aidepost” utility. This is useful in situations where a room is used exclusively for important announcements, or if you've set up a room to receive an Internet mailing list and posting wouldn't make sense. Other uses will, of course, become apparent as the need arises.

Now for a few other attributes…

Directory room [Yes]? Yes

…enter Yes if you wish to associate a directory with this room. This can be used as a small file repository for files relevant to the topic of the room. If you enter Yes, you will also be prompted with the following four questions:

Directory name [mydirname]: 

…the name of the subdirectory to put this room's files in. The name of the directory created will be ”<your Citadel directory>/files/<room dir name>”.

Uploading allowed [Yes]? Yes

…enter Yes if users are allowed to upload to this room.

Downloading allowed [Yes]? Yes

…enter Yes if users are allowed to download from this room.

Visible directory [Yes]? Yes

…enter Yes if users can read the directory of this room.

Network shared room [No]? No

…you can share a room over a network without setting this flag, and vice versa, but what this flag does is twofold:

• It prevents people with no network access from entering messages here
• Messages are displayed with the name of their originating system in the header.

Permanent room [No]? No

Citadel contains an 'auto purger' which is capable of removing rooms which have not been posted in for a pre-defined period of time (by default this is set to two weeks). If you wish to keep this from happening to a particular room, you can set this option. (Keep in mind that “Lobby>”, “Aide>”, any private mailbox rooms, any network shared rooms, and any rooms with a file directory are automatically permanent.)

Anonymous messages [No]? No
Ask users whether to make messages anonymous [No]? No

…you can have rooms in which all messages are automatically anonymous, and you can have rooms in which users are prompted whether to make a message anonymous when they enter it. The real identity of the author of each message is still revealed to the Room Aide for this room, as well as any system-wide Aides.

Room aide [Joe Responsible]: 

…on larger systems, it helps to designate a person to be responsible for a room. Room Aides have access to a restricted set of Aide commands, ONLY when they are in the room in which they have this privilege. They can edit the room, delete the room, delete and move messages, and invite or kick out users (if it is a private room), but they cannot perform aide commands that are not room-related (such as changing users access levels).

Listing order [64]: 

This is just a simple way to try to control the order rooms are listed in when users call up a “Known Rooms” listing. Rooms with a lower listing order are displayed prior to rooms with a higher listing order. It has no other effect. For users who list rooms in floor order, the display will sort first by floor, then by listing order.

Message expire policy (? for list) [0]:

This provides you with the opportunity to select how long each message will remain in a room before automatically being deleted. Press “?” for a list of options. You can choose to keep messages around forever (or until they are manually deleted), until they become a certain number of days old, or until a certain number of additional messages are posted in the room, at which time the oldest ones will scroll out.

When a new Citadel system is first installed, the default system-wide expire policy is set to 'manual' – no automatic purging of messages takes place anywhere. For public message boards, you will probably want to set some sort of automatic expire policy, in order to prevent your message base from growing forever.

You will notice that you can also fall back to the default expire policy for the floor upon which the room resides. This is the default setting. You can change the floor's default with the “;Aide Edit floor” command. The default setting for the floor default, in turn, is the system default setting, which can be changed using the “.Aide System configuration General” command.

Save changes (y/n)? Yes

…this gives you an opportunity to back out, if you feel you really messed things up while editing.

If you have created any directory rooms, you can attach file descriptions to the filenames through a special file called “filedir”. Each line contains the name of a file in the directory, followed by a space and then a description of the file, such as:

myfile.txt This is a description of my file.
phluff A phile phull of phluff!

…this would create file descriptions for the files “myfile.txt” and “phluff” which would be displayed along with the directory. It should also be noted that when users upload files to your system, they will be prompted for file descriptions, which will be added to the “filedir” file. If one does not exist, it will be created.

Anyone with Aide level access may use the “.Aide edit User” command to create and/or edit user accounts. There are several parameters which can be set here.

To create a user:

Lobby> . Aide edit User 
  User name: New User Name
  No such user.
  Do you want to create this user? Yes

At this point, the new user account has been created, and the command will continue as if you were editing an existing account. Therefore the remainder of this procedure is the same for creating and editing:

Lobby> . Aide edit User 
User name: person of significance
User #70 - Person of Significance  PW: 
,

Current access level: 4 (Network User)

The blank lines are the user's 'registration' information – personal information such as full name, address, telephone number, etc. This information will comprise the user's vCard in both their user profile and in the Global Address Book.

Change password [No]: No

…answer Yes to set or change the password for this account.

Access level [4]: 

…this allows you to set or change the access level for this account. The access levels available are as follows:

• 0 - Deleted. (This immediately deletes the account.)
• 1 - New, unvalidated user
• 2 - Problem user (severely restricts account - use for probationary access)
• 3 - User with no network privileges. Same access as a normal user except cannot post messages in rooms shared on a network.
• 4 - Normal user
• 5 - Preferred user (access is granted to privileged rooms)
• 6 - Aide (administrative access to the whole system)

Permission to send/receive Internet mail [ No]? No

If your system is configured to only allow Internet mail privileges to certain users, this is where you can grant or revoke that privilege.

Ask user to register again [Yes]: Yes

If you answer Yes to this question, the user will be presented with a 'registration' screen or set of prompts, the next time they log in using a Citadel client. This will prompt them for their full name, address, telephone number, etc.

Times called [0]: 
Messages posted [0]: 

These statistics are available for informational purposes only, so there is normally no need to change them.

Set last call to now [No]: No
Purge time (in days, 0 for system default [0]: 

Citadel contains an auto-purger which is capable of automatically deleting accounts which have not been accessed in a predefined period of time. If you choose to perform this operation, you can 'touch' the account of a wayward user by setting their 'last call' time to 'now'. You can also adjust, on a per-user basis, the amount of time which must pass before their account is purged by the system. This time is set in days. You can also specify 0 days to indicate that you wish to use the system default setting.

Aides and Room Aides have the ability to delete and move messages. After each message, the normal prompt appears:

(8) <B>ack <A>gain <Q>uote <R>eply <N>ext <S>top m<Y> next <?>help ->

Entering “Delete” will delete the message. A ”(y/n)” prompt will appear to confirm that you really want to delete the message. Entering “Move” will prompt for a room to which the message should be moved.

The subdirectory called “help” contains your system's help files. There's nothing hard-coded into the system that dictates what files should be there. Whenever a user types the command “.Help” followed by the name of a help file, it displays the contents of that help file.

The help files that come with the system, of course, are enough to guide a user through its operation. But you can add, change, or remove help files to suit whatever is appropriate for your system.

There are several strings that you can put in help files that will be automatically substituted with other strings. They are:

 
^nodename    = The node name of your system on a Citadel network
^humannode   = Human-readable node name (also your node name on C86Net)
^fqdn        = Your system's fully-qualified domain name
^username    = The name of the user reading the help file
^usernum     = The user number of the user reading the help file
^sysadm      = The name of the system administraor (i.e., you)
^variantname = The name of the software you're running
^bbsdir      = The directory on the host system in which you have
               installed the Citadel system.

So, for example, you could create a help file which looked like:

  "Lots of help, of course, is available right here on ^humannode.  Of

course, if you still have trouble, you could always bug ^sysadm about it!”

Once your Citadel server is up and running, the first thing you'll want to do is customize and tune it. This can be done from the text-based client with the “.Aide System configuration General” command, or from WebCit (if you have it installed) by clicking 'Advanced Options' followed by 'Edit site-wide configuration.' Either method will offer the same configuration options. This document shows the text mode client being used.

The first set of options deal with the identification of your system.

Lobby> . Aide System configuration General
Node name [uncnsrd]: 
Fully qualified domain name [uncensored.citadel.org]: 
Human readable node name [Uncensored]: 
Modem dialup number [US 914 999 9999]: 
Geographic location of this system [Mount Kisco, NY]: 
Name of system administrator [IGnatius T Foobar]: 
Paginator prompt []: 

'Node name' refers to the short, unqualified node name by which your system is known on a Citadel network. Generally it will be the same as the unqualified host name of your computer; this is, in fact, the default setting.

Then enter the fully-qualified domain name (FQDN) of your system. If you are not on the Internet, you can simply set it to the same as your unqualified host name. Otherwise you should set this value to the host name by which your system is most commonly known.

The field called 'Human-readable node name' (also known as the 'node title' or 'organization name' in other software) is used solely for display purposes. Set it to the actual name of your system as you want it to appear in banners, messages, etc.

If you have a modem or bank of modems answering data calls for your system, enter it in the field marked 'Modem dialup number.' Otherwise you may leave it blank.

'Geographic location of this system' is another display field. Enter a city and state, or city and country.

'Name of system administrator' is important! Any user who logs on with the name you enter here will automatically be granted Aide privileges. This is one of two ways for the system administrator to grant himself/herself Aide access to the system when initially setting it up. (The other is simply to have the first account created on a new installation.)

The next set of options are your system's security settings. Before delving into the actual options, we should review the various access levels available on the system. Citadel has seven access levels:

• 0 (Deleted). A user whose access level is set to 0 will automatically be deleted by the system.
• 1 (New User). Users at this level may only read messages. Entering messages is prohibited, except in the “Mail>” room, where a message to 'sysop' may be entered.
• 2 (Problem User). Also known as 'Twit.'
• 3 (Local User). May enter messages, except in rooms shared on a Citadel network.
• 4 (Network User). May enter messages in every accessible room.
• 5 (Preferred User). Use of this level is up to the whim of the system administrator.
• 6 (Aide). Access is granted to the administrative functions of the system. (This access level may also be granted to a user only for a specific room, please see 'Room Aide' for more information.)

Require registration for new users [No]: No
Disable self-service user account creation [No]: No
Initial access level for new users [4]:
Access level required to create rooms [4]: 
Automatically give room aide privs to a user who creates a private room [No]: No

Automatically move problem user messages to twit room [Yes]: Yes
Name of twit room [Trashcan]: 
Restrict Internet mail to only those with that privilege [No]: No
Allow Aides to Zap (forget) rooms [Yes]: Yes
Log all pages [No]: No

'Registration' refers to the process of a user entering various personal contact information (real name, address, telephone number, etc.) into the system. When enabled, this information is stored as a vCard object on the system in two places: the user's “My Citadel Config>” room, and in the “Global Address Book>” room. (Note: the latter should be made private on publicly-accessible systems, for obvious reasons.)

If you answer Yes to 'Require registration for new users' then each new user, upon creating a new account, will immediately be entered into the registration process. On the other hand, if you answer Yes to 'Disable self-service user account creation' then new users will not be able to log in at all – all accounts must be created by an Aide.

'Initial access level for new users' should be set to 1 (New User) if you would like to review each new user's registration info before granting them higher access. This would be done periodically with the “.Aide Validate new users” command. If you do not require registration, you should set the initial access level to 4 (Network User).

Given the above options, it then becomes clear that there are generally two ways you can set up your Citadel system, depending on its purpose:

• A public access BBS or message board - since you do not know who might want to log in, self-service account creation needs to stay enabled. If you want to be strict about users identifying themselves, then you should also require users to register (just remember to post a privacy policy if you're going to collect personal information) – then set the initial access level to 1 (New User), so new users cannot post messages until after you've validated them. For a more lax environment, you can remove the registration requirement and grant new accounts level 4 (Normal User) access on the first visit.
• A private email/groupware system for your organization - in this case, disable self-service account creation; you don't want strangers welcoming themselves to your system. You'll probably also want to disable registration, because you or some other site administrator will be entering users' contact info when you create their accounts. Since this is also how you assign their Internet e-mail addresses, it's probably a good idea to do it yourself instead of expecting them to do it.

'Access level required to create rooms' is up to you. You might wish to restrict the creation of new rooms only to Aides, or you might wish to allow anyone to create a room. The latter is one of the Citadel culture's most long-standing traditions; the former may be appropriate if users are abusing this privilege.

You have the ability to 'Automatically give room aide privs to a user who creates a private room.' If you answer Yes, then any user who creates a guess-name, passworded, or invitation-only room will automatically become the room aide, and will have access to a subset of the “.Aide” command set while in that room. If you would rather grant this permission manually, answer No.

Another tradition in the Citadel culture is to refrain from deleting problem users, but instead to 'twit' them (reduce their access level to 2 [Problem User]). You can then 'Automatically move problem user messages to twit room' (answer Yes, then specify 'Name of twit room' and remember to create that room). If you employ this logic, any user with level 2 (Problem User) access will continue to have access to the same set of rooms, but all messages posted will automatically be routed to the Trashcan (or whatever you call your twit room).

If you have Internet mail configured, you have the option of restricting its use on a user-by-user basis. If you wish to do this, answer Yes to 'Restrict Internet mail to only those with that privilege.' Obviously this makes no sense for an internal e-mail system, but for a public BBS it might be appropriate.

Normally, Aides have access to every room, public or private. They are also forbidden from “Zap”ping rooms, because the review of content is considered one of their roles. If you wish to change these policies, the next two options allow you to. You may 'Allow Aides to Zap (forget) rooms', in which case they may use the “Zap” command just like any other user. Aides may also “.Goto” any private mailbox belonging to any user, using a special room name format.

If your local security and/or privacy policy dictates that you keep a log of all pages (instant messages) that go through the system, then answer Yes to 'Log all pages'. If you answer Yes, you will be prompted for the name of a room to which all pages will be logged. If you answer No, then only the sender and recipient of each individual message will receive a copy.

The next set of options deals with the tuning of your system. It is usually safe to leave these untouched.

Server connection idle timeout (in seconds) [900]: 
Maximum concurrent sessions [20]: 
Maximum message length [10000000]: 
Minimum number of worker threads [5]: 
Maximum number of worker threads [256]: 
Automatically delete committed database logs [Yes]:

The 'Server connection idle timeout' is for the connection between client and server software. It is not an idle timer for the user interface. 900 seconds (15 minutes) is the default and a sane setting.

'Maximum concurrent sessions' is the highest number of user sessions you wish to allow on your system at any given time. Citadel can scale to hundreds of concurrent users, but if you have limited hardware or (more likely) limited bandwidth, you might wish to set a maximum. You can also set it to zero for no limit.

'Maximum message length' is just that. This could be a good way to prevent enormous multimedia files from finding their way into your message base. This maximum is enforced in all protocols and is also advertised by the ESMTP service.

The minimum and maximum number of worker threads can be tuned to your liking. Citadel will attempt to keep one worker thread running per session, within these constraints. You should be aware that due to the use of the worker thread model, Citadel can handle a large number of concurrent sessions with a much smaller thread pool. If you don't know the programming theory behind multithreaded servers, you should leave these parameters alone.

'Automatically delete committed database logs' is a crucial setting which affects your system's disk utilization and backup recoverability. Please refer to the database maintenance section of this document to learn how the presence or absence of database logs affect your ability to reliably backup your Citadel system.

The next set of options affect how Citadel behaves on a network.

Server IP address (0.0.0.0 for 'any') [0.0.0.0]:
POP3 server port (-1 to disable) [110]:
POP3S server port (-1 to disable) [995]:
IMAP server port (-1 to disable) [143]:
IMAPS server port (-1 to disable) [993]:
SMTP MTA server port (-1 to disable) [25]:
SMTP MSA server port (-1 to disable) [587]:
SMTPS server port (-1 to disable) [465]:
Correct forged From: lines during authenticated SMTP [Yes]:
Allow unauthenticated SMTP clients to spoof my domains [No]: No
Instantly expunge deleted IMAP messages [No]: Yes

“Server IP address” refers to the IP address on your server to which Citadel's protocol services should be bound. Normally you will leave this set to 0.0.0.0, which will cause Citadel to listen on all of your server's interfaces. However, if you are running multiple Citadels on a server with multiple IP addresses, this is where you would specify which one to bind this instance of Citadel to.

Then you can specify TCP port numbers for the SMTP, POP3, and IMAP services. For a system being used primarily for Internet e-mail, these are essential, so you'll want to specify the standard port numbers: 25, 110, and 143. If Citadel is running alongside some other mail system, though, then you might want to choose other, unused port numbers, or enter -1 for any protocol to disable it entirely.

You'll also notice that you can specify two port numbers for SMTP: one for MTA (Mail Transport Agent) and one for MSA (Mail Submission Agent). The traditional ports to use for these purposes are 25 and 587. If you are running an external MTA, such as Postfix (which submits mail to Citadel using LMTP) or Sendmail (which submits mail to Citadel using the 'citmail' delivery agent), that external MTA will be running on port 25, and you should specify ”-1” for the Citadel MTA port to disable it. The MSA port (again, usually 587) would be the port used by end-user mail client programs such as Aethera, Thunderbird, Eudora, or Outlook, to submit mail into the system. All connections to the MSA port must use Authenticated SMTP.

The protocols ending in “S” (POP3S, IMAPS, and SMTPS) are SSL-encrypted. Although all of these protocols support the STARTTLS command, older client software sometimes requires connecting to “always encrypted” server ports. Usually when you are looking at a client program that gives you a choice of “SSL or TLS,” the SSL option will connect to one of these dedicated ports, while the TLS option will connect to the unencrypted port and then issue a STARTTLS command to begin encryption. (It is worth noting that this is not the proper use of the acronyms SSL and TLS, but that's how they're usually used in many client programs.)

All of the default port numbers, including the encrypted ones, are the standard ones.

The question about correcting forged From: lines affects how Citadel behaves with authenticated SMTP clients. Citadel does not ever allow third-party SMTP relaying from unauthenticated clients – any incoming messages must be addressed to a user on the system or somewhere in a Citadel network. To use Citadel with SMTP client software such as Netscape, Outlook, Eudora, or whatever, users must log in with a username and password. In order to prevent message forgeries, Citadel discards the “From:” line in any message entered by an authenticated user, and replaces it with a “From:” line containing the user's genuine name and e-mail address. Technically, this violates RFC822, because headers are never supposed to be altered, but common sense dictates that this is a good idea. Nevertheless, if you want to suppress this behavior, answer 'No' at the prompt (the default is 'Yes') and the headers will never be altered.

“Instant expunge” affects what happens when IMAP users delete messages. As you may already know, messages are not truly deleted when an IMAP client sends a delete command; they are only marked for deletion. The IMAP client must also send an “expunge” command to actually delete the message. The Citadel server automatically expunges messages when the client logs out or selects a different folder, but if you select the Instant Expunge option, an expunge operation will automatically follow any delete operation (and the client will be notified, preventing any mailbox state problems). This is a good option to select, for example, if you have users who leave their IMAP client software open all the time and are wondering why their deleted messages show up again when they log in from a different location (such as WebCit).

“Allow spoofing” refers to the security level applied to non-authenticated SMTP clients. Normally, when another host connects to Citadel via SMTP to deliver mail, Citadel will reject any attempt to send mail whose sender (From) address matches one of your host's own domains. This forces your legitimate users to authenticate properly, and prevents foreign hosts (such as spammers) from forging mail from your domains. If, however, this behavior is creating a problem for you, you can select this option to bypass this particular security check.

Connect this Citadel to an LDAP directory [No]: No

The LDAP configuration options are discussed elsewhere in this document.

The final set of options configures system-wide defaults for the auto-purger:

Default user purge time (days) [120]: 
Default room purge time (days) [30]: 
System default message expire policy (? for list) [0]: 
Keep how many messages online? [150]:
Mailbox default message expire policy (? for list) [0]:
How often to run network jobs (in seconds) [1800]:
Default frequency to run POP3 collection (in seconds) [3600]:
Fastest frequency to run POP3 collection (in seconds) [0]:
Enable full text search index (warning: resource intensive) [Yes]: Yes
Hour to run purges (0-23) [4]:

Perform journaling of email messages [No]:
Perform journaling of non-email messages [No]:
Email destination of journalized messages [example@example.com]:

Any user who does not log in for the period specified in 'Default user purge time' will be deleted the next time a purge is run. This setting may be modified on a per-user basis.

'Default room purge time' behaves the same way, and may also be modified on a per-room basis.

'System default message expire policy' defines the way in which old messages are expired (purged) off the system. You can specify any of:

• Purge by age (specify in days)
• Purge by message count in the room (specify number of messages)
• Do not purge at all

Again, this setting may be overridden on a per-floor basis, and the floor setting may be overridden on a per-room basis. You'll also notice that you can set a different default for mailbox rooms if you want to. This can allow you, for example, to set a policy under which old messages scroll out of public rooms, but private mail stays online indefinitely until deleted by the mailbox owners.

“How often to run network jobs” refers to the sharing of content on a Citadel network. If your system is on a Citadel network, this configuration item dictates how often the Citadel server will contact other Citadel servers to send and receive messages. In reality, this will happen more frequently than you specify, because other Citadel servers will be contacting yours at regular intervals as well.

“Default frequency to run POP3 collection”. If not overriden by a rooms own setting this determines how often POP3 mail will be collected for each configured room.

“Fastest frequency to run POP3 collection” is the fastest frequency that POP3 collection will be performed for any room. If a rooms frequency is set faster it will only be collected at this frequency.

“Hour to run purges” determines when expired and/or deleted objects are purged from the database. These purge operations are typically run overnight and automatically, sometime during whatever hour you specify. If your site is much busier at night than during the day, you may choose to have the auto-purger run during the day.

“Enable full text search index,” if enabled, instructs the server to build and maintain a searchable index of all messages on the system. This is a time and resource intensive process – it could take days to build the index if you enable it on a large database. It is also fairly memory intensive; we do not recommend that you enable the index unless your host system has at least 512 MB of memory. Once enabled, however, it will be updated incrementally and will not have any noticeable impact on the interactive response time of your system. The full text index is currently only searchable when using IMAP clients; other search facilities will be made available in the near future.

The “Perform journaling…” options allow you to configure your Citadel server to send an extra copy of every message, along with recipient information if applicable, to the email address of your choice. The journaling destination address may be an account on the local Citadel server, an account on another Citadel server on your network, or an Internet email address. These options, used in conjunction with an archiving service, allow you to build an archive of all messages which flow through your Citadel system. This is typically used for regulatory compliance in industries which require such things. Please refer to the journaling guide for more details on this subject.

Save this configuration? No

When you're done, enter 'Yes' to confirm the changes, or 'No' to discard the changes.

As you know by now, Citadel is a completely self-contained, full-featured Internet e-mail system. When you run Citadel you do not need any other mail software on your host system. This eliminates the need for tedious mucking about with sendmail, qmail, postfix, Cyrus, the UW IMAP server, or any of countless other needlessly complex programs that lead some people to the false assumption that Unix systems are difficult to administer.

Some of the many features supported by Citadel are:

• Built-in SMTP and ESMTP service, for delivering and receiving e-mail on the Internet
• Built-in POP3 service, for remote fetching of messages
• Built-in IMAP service, for access to mail using any standard mail client program
• Web mail (implemented using the “WebCit” middleware, which is installed separately)
• Support for mailing lists, in both “individual message” and “digest” formats
• Multiple/virtual domain support
• Any user may have multiple Internet e-mail addresses, in multiple domains
• Global address book (Users with addresses in a domain may be spread out across many servers on a Citadel network)
• Easy-to-configure integration with SpamAssassin can block spam before it enters the mail system
• Easy-to-configure integration with most Realtime Blackhole Lists (RBL) provide further defense against spammers

This section of the documentation will demonstrate how to configure these features.

Basic configuration of your Citadel system for Internet e-mail begins with the “.Aide System configuration Internet” command:

Lobby> **.A**ide **S**ystem configuration **I**nternet
 
###                    Host or domain                     Record type
--- ------------------------- --------------------
  1
<A>dd <D>elete <S>ave <Q>uit  ->

This is a “clean” setup. For a simple, standalone e-mail system you simply have to enter the “Add” command:

<A>dd <D>elete <S>ave <Q>uit  -> **A**dd
 
Enter host name: schmeep.splorph.com
 (1) localhost       (Alias for this computer)
 (2) smart-host      (Forward all outbound mail to this host)
 (3) directory       (Consult the Global Address Book)
 (4) SpamAssassin    (Address of SpamAssassin server)
 (5) RBL             (domain suffix of spam hunting RBL)
 
Which one [1]:

localhost: Basically what you're doing here is telling Citadel what any aliases for your machine are. If your machine were “schmeep.splorph.com” and you also had a DNS entry set up for “blah.com”, you might want to enter '1' and enter “blah.com” as your alias, so that e-mail sent to that address won't bounce.

Important tip: if your system is known by one name and only one domain, you might not even need to do this at all. You will recall that you entered your system's fully qualified domain name earlier when you went through the “.Aide System configuration General” command. The domain name you entered there is automatically considered by Citadel to be a 'localhost' entry in your Internet mail configuration. It does not hurt to enter it in both locations, though.

smart-host: Normally, Citadel sends outbound Internet e-mail directly to its destination. This may not be appropriate for some sites; you may require (due to local convention, security policy, or whatever) that all outbound mail be sent to an SMTP relay or forwarder. To configure this functionality, simply enter the domain name or IP address of your relay as a 'smart-host' entry.

If your relay server is running on a port other than the standard SMTP port 25, you can also specify the port number using “host:port” syntax; i.e. “relay99.myisp.com:2525”

Furthermore, if your relay server requires authentication, you can specify it using username:password@host or username:password@host:port syntax; i.e. “jsmith:pass123@relay99.myisp.com:25”

Citadel just speaks AUTH PLAIN here. You can check the abilities of you opponent doing: (you must type the telnet and the ehlo line)

yourbox#>telnet mail.yourisp.com 25
220 mail.yoursip.com ESMTP Sendmail 8.13.1/8.12.11; Thu, 22 Feb 2007 15:48:35 +0100
ehlo me.myself.and.i
250-Mail.o3sis.com Hello your_ip_probably_somethin_dsl.net [1.1.1.1], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE
250-DSN
250-ETRN
250-AUTH DIGEST-MD5 CRAM-MD5 LOGIN PLAIN
250-DELIVERBY
250 HELP
quit

If the AUTH-line doesn't offer PLAIN or LOGIN, you must use something like qpsmtp or postfix to talk to this isp, citadel won't be able to do that directly.

directory: a domain for which you are participating in directory services across any number of Citadel nodes. For example, if users who have addresses in the domain “citadel.org” are spread out across multiple Citadel servers on your network, then enter “citadel.org” as a 'directory' entry. For this to work, all Citadel servers participating in directory service must carry and share the “Global Address Book>” room.

spamassassin: if you are running a SpamAssassin service anywhere on your local network, enter its name or IP address as a 'spamassassin' entry. This may be (and, in fact, will usually be) “127.0.0.1” to specify that the service is running on the same host computer as the Citadel server.

Please install SpamAssassin as per its own documentation. You will want to run SpamAssassin in client/server mode, where a “spamd” daemon is always running on your computer. Citadel does not utilize the “spamc” client; instead, it implements SpamAssassin's protocol on its own.

Connecting to a SpamAssassin service across a wide area network is strongly discouraged. In order to determine whether an incoming e-mail is spam, Citadel must feed the entire message to the SpamAssassin service. Doing this over a wide area network would consume time and bandwidth, which would affect performance.

Citadel invokes the SpamAssassin service when incoming messages are arriving via SMTP. Before a message is accepted, it is submitted to SpamAssassin. If SpamAssassin determines that the message is spam, the Citadel SMTP service rejects the message, causing a delivery failure on the sending host. This is superior to software which files away spam in a separate folder, because delivery failures will cause some spammers to assume the address is invalid and remove it from their mailing lists.

RBL: Realtime Blackhole Lists (RBL's) provide defense against spammers based on their source IP address. There are many such lists available on the Internet, some of which may be utilized free of charge. Since they are DNS based, the lists do not require storage on your server – they are queried during the SMTP conversation.

Citadel can utilize any RBL that uses the “z.y.x.w.nameoflist.org” syntax, where “w.x.y.z” is the source IP address which is attempting to deliver mail to your server. For example, SpamCop would use the query “2.0.0.127.bl.spamcop.net” to determine whether the host at “127.0.0.2” is a known spammer or open relay. In this case, you simply select option '6' to add an RBL entry, and provide it with the domain suffix of “bl.spamcop.net” (the IP address and extra dot will be automatically prepended for each query).

Now select “Save” and you are just about ready for Internet e-mail.

As previously mentioned, Citadel contains its own SMTP, POP3, and IMAP services. Enabling them is simple.

Check for the existance of a current MTA (sendmail, qmail, etc.) by connecting to port 25 on your host. If you see something similar to the following you're running an MTA already and you'll need to shut it down:

smw @ pixel % telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 pixel.citadel.org ESMTP Sendmail 8.9.3/8.9.3; Wed, 15 Mar 2000 19:00:53 -0500

In the above example, we see that the host already has Sendmail listening on port 25. Before Citadel can use port 25, Sendmail must be shut off. Please consult the documentation for your operating system for instructions on how to do this. (On a Red Hat Linux system, for example, you can run the “ntsysv” utility, un-checking “sendmail” to disable it at the next reboot; then, run “service sendmail stop” to shut off the currently running service.)

If you get a 'connection refused' message when you telnet to port 25 there's nothing running and you should be able to continue. You might also want to turn off POP (try the above test substituting 110 for 25) and IMAP (port 143) and use Citadel's POP and IMAP services.

Citadel will look for an existing pop/smtp server on startup. If they don't exist (and you've configured them properly) then Citadel should enable them at startup. You can check your logs to be sure, or you can start the server from a shell and watch it load. It might look something like this:

smw @ pixel % ./citserver

Init Starting params = 0xbfc2d020
Adding thread 0xb77366d0 (MasterThread)
2009/01/18 22:44:12.425673 
2009/01/18 22:44:12.428991 
2009/01/18 22:44:12.431528 *** Citadel server engine v7.39 (build 6804M) ***
2009/01/18 22:44:12.434108 Copyright (C) 1987-2008 by the Citadel development team.
2009/01/18 22:44:12.436836 This program is distributed under the terms 
2009/01/18 22:44:12.438987 of the GNU General Public License.
2009/01/18 22:44:12.439376 Called as: ./citserver
2009/01/18 22:44:12.439433 $Id: libcitadel.c 5941 2008-01-16 14:42:41Z ajc $
2009/01/18 22:44:12.439450 Loading citadel.config
2009/01/18 22:44:12.439768 Acquiring control record
2009/01/18 22:44:12.544350 Registered server command STLS (Start SSL/TLS session)
2009/01/18 22:44:12.544418 Registered server command GTLS (Get SSL/TLS session status)
2009/01/18 22:44:12.544439 Registered a new session function (type 0)
2009/01/18 22:44:12.544509 master_startup() started
2009/01/18 22:44:12.544537 Opening databases
2009/01/18 22:44:12.544564 cdb_*: open_databases() starting
2009/01/18 22:44:12.544585 Compiled db: Sleepycat Software: Berkeley DB 4.4.20: (February 24, 2006)
2009/01/18 22:44:12.544615   Linked db: Sleepycat Software: Berkeley DB 4.4.20: (February 24, 2006)
2009/01/18 22:44:12.544636 Calculated dbversion: 4004020
2009/01/18 22:44:12.544652   Previous dbversion: 4004020
2009/01/18 22:44:12.544774 cdb_*: Setting up DB environment
2009/01/18 22:44:12.544889 dbenv->open(dbenv, /var/lib/citadel//data/, 1392737, 0)
2009/01/18 22:44:12.703400 BDB: Finding last valid log LSN: file: 4 offset 6682554
2009/01/18 22:44:12.710590 BDB: Recovery starting from [4][6680296]
2009/01/18 22:44:12.715256 BDB: Recovery complete at Sun Jan 18 22:44:12 2009
2009/01/18 22:44:12.718080 BDB: Maximum transaction ID 80000061 Recovery checkpoint [4][6682554]

2009/01/18 22:44:12.720728 Starting up DB
2009/01/18 22:44:12.725381 Checking floor reference counts
2009/01/18 22:44:12.759949 Floor 0: 59 rooms
2009/01/18 22:44:12.882510 Floor 1: 0 rooms
2009/01/18 22:44:12.983090 Creating base rooms (if necessary)
2009/01/18 22:44:12.983126 create_room(name=Lobby, type=0, view=0)
2009/01/18 22:44:12.983320 Lobby already exists.
2009/01/18 22:44:12.983355 create_room(name=Aide, type=3, view=0)
2009/01/18 22:44:12.983403 Aide already exists.
2009/01/18 22:44:12.983425 create_room(name=Local System Configuration, type=3, view=0)
2009/01/18 22:44:12.983466 Local System Configuration already exists.
2009/01/18 22:44:12.983488 create_room(name=Trashcan, type=0, view=0)
2009/01/18 22:44:12.983528 Trashcan already exists.
2009/01/18 22:44:12.987894 Seeding the pseudo-random number generator...
2009/01/18 22:44:12.991851 Initializing ipgm secret
2009/01/18 22:44:12.992022 master_startup() finished
2009/01/18 22:44:12.992048 Checking/re-building control record
2009/01/18 22:44:12.999411 Upgrading modules.
2009/01/18 22:44:12.999472 Upgrade modules.
2009/01/18 22:44:12.999493 Server-hosted upgrade level is 7.39
2009/01/18 22:44:12.999512 $Id: serv_upgrade.c 6351 2008-05-30 22:10:27Z ajc $
2009/01/18 22:44:12.999775 Unix domain socket '/var/run/citadel//citadel.socket': registered.
2009/01/18 22:44:12.999919 TCP port 0.0.0.0:504: (citadel-TCP) registered.
2009/01/18 22:44:12.999942 Initializing server extensions
2009/01/18 22:44:12.999962 Initialise modules, CtdlThreads not yet enabled.
2009/01/18 22:44:12.999983 Registered server command AUTO (Do recipient autocompletion)
2009/01/18 22:44:13.000003 $Id: serv_autocompletion.c 5777 2007-11-25 22:15:18Z davew $
2009/01/18 22:44:13.000019 Registered server command EBIO (Enter your bio)
2009/01/18 22:44:13.000036 Registered server command RBIO (Read a user's bio)
2009/01/18 22:44:13.000052 Registered server command LBIO (List users with bios)
2009/01/18 22:44:13.000067 $Id: serv_bio.c 6159 2008-03-29 01:15:32Z davew $
2009/01/18 22:44:13.000089 Registered a new message function (type 201)
2009/01/18 22:44:13.000105 Registered a new message function (type 202)
2009/01/18 22:44:13.000121 Registered a new session function (type 2)
2009/01/18 22:44:13.000136 Registered server command ICAL (Citadel iCal commands)
2009/01/18 22:44:13.000152 Registered a new session function (type 1)
2009/01/18 22:44:13.000166 Registered a new session function (type 0)

...

The lines emphasized in boldface in the above log output tell you that Citadel “can't bind” to various ports. The error 'address already in use' generally means that something else is already running on the requested port. Make SURE you've followed the above steps to remove sendmail/pop and start your Citadel server again.

Occationally it is not practical to remove a non-Citadel MTA on your host system. For example, you might have multiple groups of users, some of which are using Citadel and some of which are using a legacy Unix mail spool. This type of configuration is discouraged, but two tools are provided to allow it.

The tool is called “citmail” and it is, quite simply, a local MDA (Mail Delivery Agent) which you can configure into your MTA for final delivery of incoming messages to Citadel users. A full discussion of the finer points of complex Sendmail configurations is beyond the scope of this document; however, you might want to visit Pixel BBS where some useful HOWTO documents are provided.

The other tool is an RFC2033 compliant LMTP service running on a local socket. If you're running a mailer that speaks LMTP (such as Postfix), you can simply point your mailer at the socket called citadel.socket in your Citadel directory. For example, in Postfix you might put the following line into main.cf in order to tell it to use Citadel to deliver mail to local recipients:

local_transport = lmtp:unix:/usr/local/citadel/lmtp.socket

Postfix also has something called a “fallback transport” which can be used to implement Citadel as a “secondary” mail system on your server, while keeping the existing Unix mailboxes intact. However, it is beyond the scope of this document to detail the finer points of the configuration of Postfix or any other mailer, so refer to the documentation to those programs and keep in mind that Citadel has LMTP support.

There are actually two LMTP sockets. One is called “lmtp.socket” and the other is called “lmtp-unfiltered.socket” (both are found in your Citadel directory). The difference should be obvious: messages submitted via “lmtp.socket” are subject to any spam filtering you may have configured (such as SpamAssassin), while messages submitted via “lmtp-unfiltered.socket” will bypass the filters. You would use the filtered socket when receiving mail from an external MTA such as Postfix, but you might want to use the unfiltered socket with utilities such as fetchmail.

For outbound mail, you can either allow Citadel to perform deliveries directly (this won't affect your other mail system because outbound mail doesn't tie up port 25) or enter “127.0.0.1” as your smart-host, which will tell Citadel to forward all of its outbound mail to your other mail system.

Citadel has built in mailing list service (known in Internet vernacular as “listserv”) functionality. You can turn any room into a mailing list. Users can then choose how they participate – by logging on to your Citadel server directly, or by having the room's contents mailed to them somewhere else. Configuring this is easy.

Citadel supports two modes of mailing list delivery:

• “List mode” – each individual message is delivered as a single e-mail to each list mode recipient. The “From:” header will display the address of the message's original author.
• “Digest mode” – groups of one or more messages are delivered to digest mode recipients. The number of messages in the group depends on how many new messages arrived since the last batch was delivered. The “From:” header will display the address of the room itself, which allows replies to be posted back to the room.

A room may have any combination of list mode and digest mode recipients.

As alluded to above, every room on your Citadel system has an Internet e-mail address of its own. Messages sent to that address will be posted in the room (and sent back out to mailing list recipients, as well as to any other Citadels you share the room with). The address format is “room_” plus the name of the room, with any spaces replaced by underscores, followed by ”@” and your hostname. For example, if your system is known as “phlargmalb.orc.org” on the Internet, and you have a room called “Bubblegum Collectors”, you can post to that room from anywhere on the Internet simply by sending an e-mail to “room_bubblegum_collectors@phlargmalb.orc.org”. When the message arrives, it's automatically posted in that room.

To manually edit the list of “list mode” recipients, simply enter the “.Aide mailing List management” command. Your text editor will open up and you will be able to create or edit a list of recipients, one per line. Lines beginning with a hash (”#”) are comments.

To manually edit the list of “digest mode” recipients, enter the “.Aide mailing list Digest recipients” command. As with the previous command, the text editor will open up and you can edit the list of digest mode recipients, one per line.

Citadel also has a facility which allows users to subscribe or unsubscribe to mailing lists using a web browser. In order to do this, WebCit must also be running on your server in addition to Citadel. WebCit is obtained and installed separately from the rest of the Citadel system.

In order to prevent “just anyone” from subscribing to any room on your system, there is a setting in the “.Aide Edit room” command:

CitaNews} . Aide Edit this room

Room name [CitaNews]:

(lots of other stuff omitted for brevity…)

Self-service list subscribe/unsubscribe [No]: Yes

When you answer “Yes” to self-service list subscribe/unsubscribe, you are enabling that feature. Now, all you have to do is tell the world about the web page they need to visit. It looks like this:

“http://foobar.baz.org:2000/listsub”

In this example, the server is called “foobar.baz.org” and WebCit is running on port 2000. Edit appropriately.

Citadel offers a subscribe/unsubscribe facility that is more intuitive than other listservs. With most systems, sending commands to the listserv requires that you e-mail it commands in a special format. It's easy to get it wrong. Citadel simply uses your web browser. You select the list you want to subscribe or unsubscribe (hint: it's the list of rooms you've enabled self-service for), select whether you want list mode or digest mode, and enter your e-mail address. For security purposes, a confirmation message is sent to the address you enter. But you don't have to reply to the message in a weird format, either: the confirmation contains another URL which you simply click on (or paste into your browser if you can't click on URL's in your e-mail software) and the confirmation is automatically completed.

If you are running Citadel as a BBS or other forum type of application, one way to 'keep the conversation going' is to share rooms with other Citadel systems. In a shared room, a message posted to the room is automatically propagated to every system on the network. It's kind of like a UseNet newsgroup, but without the spam.

If you are using Citadel as the e-mail and groupware platform for a large organization, you can use its networking features to build a large network of Citadel servers which share content (think of rooms as public folders), redistribute e-mail throughout the organization, and integrate the global address book. It might make sense, for example, in a large corporation to give each department or location its own Citadel server. Thanks to Citadel's global address book features, you could still have all of the users share a single e-mail domain.

Obviously, the first thing you have to do is find another Citadel to share rooms with, and make arrangements with them. The following Citadels are a good place to start:

• UNCENSORED! - uncensored.citadel.org
• The Dog Pound II - dogpound2.citadel.org

You don't have to be a part of the citadel.org domain to participate in the public Citadel network, but the DNS service is provided free of charge by the Citadel community if you wish to do this.

Before we get into the technical nitty gritty, there are two points of etiquette to keep in mind. The first thing to keep in mind is that the operator of any particular Citadel may not be willing to share some of his/her rooms. Some sites are proud to offer exclusive content in certain areas. Chances are, if a room is already being shared on the network, it's available for anyone to share; if not, it can't hurt to ask – but take care not to demand it of them. Ask if you may share the room instead of telling them that you wish to share the room. When looking at a “K“nown rooms list, network rooms are the ones ending in parentheses instead of angle brackets. For example, “Gateway)” would be a network room, “Lobby>” would not.

The other point of etiquette to remember is that you should be making the arrangements in advance, and then set it up. It is extremely rude to simply begin networking with another Citadel, or unilaterally start sharing a new room, without first obtaining permission from its operator. Always ask first. Most Citadel operators are more than happy to network with you. Also, if later on you decide to take your system down, please take the time to notify the operators of any other Citadels you network with, so they can unconfigure their end.

Ok, first things first. On a Citadel room sharing network, the first thing you need to know is your own system's node name. Presumably you set this up during installation, but if you want to change it you can do so using the “.Aide Sysconfig General” command:

Lobby> . Aide System configuration General

Node name [uncnsrd]: Fully qualified domain name [uncensored.citadel.org]: Human readable node name [Uncensored]:

The “node name” is important, it's how the network identifies messages coming from your system. The “human readable node name” is simply a label; it shows up in messages coming from your system. “Fully qualified domain name” is your DNS name; it's used for routing messages on the Internet. In the above example, the node name is “uncnsrd”.

The next thing you need to do is configure your neighbor node(s). You need to do this for each node you network with. Let's say you wanted to talk to a Citadel system called “frobozz”. Use the “.Aide Sysconfig Network” command:

Lobby> . Aide System configuration Network
###    Node            Secret                   Host or IP             Port#
--- ---------------- ---------------- -------------------------------- -----
<A>dd <D>elete <S>ave <Q>uit  -> Add

Enter node name    : frobozz
Enter shared secret: frotz
Enter host or IP   : frobozz.magick.org
Enter port number  :  [504]: 504

###    Node            Secret                   Host or IP             Port#
--- ---------------- ---------------- -------------------------------- -----
 1 frobozz          frotz            frobozz.magick.org               504
<A>dd <D>elete <S>ave <Q>uit  -> Save

Lobby>

As you can see in the above example, you have to enter the Citadel node name, the DNS name or IP address of the server, and the port number the Citadel service is running on. The “shared secret” is a password to allow the two Citadel nodes to connect to each other to exchange network data. The password must be identical on both ends of the connection – when the operator of the other Citadel node sets up the connection with your system, he/she must use the same password.

Now you're ready to share rooms. You have to do this for each room you want to share, and you have to do it from BOTH ENDS – again, when you share a room with another Citadel, they must share it with you as well. Let's say you have a room called “Quiche Recipes>” and you want to share it with the node you set up above. First, edit the room and flag it as a network room:

Quiche Recipes> . Aide Edit this room
Room name [Quiche Recipes]:
Private room  [No]: No
Preferred users only  [No]: No
Read-only room  [No]: No
Directory room  [No]: No
Permanent room  [No]: No
Network shared room  [No]: Yes
Automatically make all messages anonymous  [No]: No
Ask users whether to make messages anonymous  [No]: No
Listing order [64]:
Room aide (or 'none') [none]:
Message expire policy (? for list) [0]:
Save changes (y/n)? Yes
Ok

Quiche Recipes)

Notice how the prompt changed? It was > before, but it's ) now. That means it's a network room. Now you can tell Citadel that you want to share the room with frobozz. Enter this command:

Quiche Recipes) . Aide Network room sharing

Your text editor will pop up (you did configure Citadel to use your favorite text editor, right?) with a screen that looks like this:

# Configuration for room: Quiche Recipes
# Nodes with which we share this room
# Specify one per line.

All you have to do is enter the name of the other Citadel node (i.e. “frobozz” in our example) on a line by itself. As usual, lines starting with a ”#” are comments. Just go to the end of the file, type “frobozz” (without the quotes), save the file… and you're done!

At this point, you just sit back and enjoy. Your Citadel and the other one will begin polling each other at regular intervals (once per hour by default) and sharing messages.

You can send mail to any user on any node of your Citadel network. It may take a little while for your system to learn the entire node list, though, as this is done by watching incoming messages on the network and learning which nodes are out there.

To send a private message, just enter “user @ host” as the recipient:

Mail> Enter message                                                            
Enter recipient: Some other user @ frobozz
Feb 11 2003 11:36pm from I. M. Me to Some other user @ frobozz
type message here...

Entry command (? for options)  ->

As previously mentioned, Citadel will poll other Citadel nodes for messages once per hour. If this is not an acceptable interval, you can change it using the “.Aide System configuration General” command. Enter this command and look for the option:

How often to run network jobs (in seconds) [3600]:

Change it to whatever you like. For example, 15 minutes is 900 seconds. So if you changed the default value to 900, network polling would occur every 15 minutes.

The data store used by Citadel is reliable and self-maintaining. It requires very little maintenance. This is primarily due to its use of the Berkeley DB record manager. It is robust, high-performance, and transactional.

A few small data files are kept in your main Citadel directory, but the databases are in the “data/” subdirectory. The files with names that begin with “cdb” are the databases themselves; the files with names that begin with “log” are the logs (sometimes referred to as “journals”). Log files will continue to appear as you use your system; each will grow to approximately 10 megabytes in size before a new one is started. There is a system configuration setting (found in .Aide System-configuration General in the text mode client, or in Administration –> Edit site-wide configuration –> Tuning in the WebCit client) which specifies “Automatically delete committed database logs.” If you have this option enabled, Citadel will automatically delete any log files whose contents have been fully committed to the database files.

For more insight into how the database and log files work, you may wish to read the Berkeley DB documentation on this subject.

Please read this section carefully.

There are two backup strategies you can use, depending on your site's availability requirements and disk space availability.

The standard (or “offline”) backup is used when your Citadel server is configured to automatically delete committed database logs. The backup procedure is as follows:

1. Shut down the Citadel server.
2. Back up all files (database files, log files, etc.) to tape or some other backup media.
3. Start the Citadel server.

Advantage: very little disk space is consumed by the logs.Disadvantage: Citadel is not available during backups.

The “hot backup” procedure is used when your Citadel server is configured not to automatically delete committed database logs. The backup procedure is as follows:

1. Back up all files. Make sure the database files (cdb.*) are backed up before the log files (log.*). This will usually be the case, because the database files tend to appear first in both alphabetical and on-disk ordering of the data/ directory.
2. After verifying that your backup completed successfully, delete the committed log files with a command like this:

/usr/local/citadel/sendcommand "CULL"

Advantage: Citadel continues to run normally during backups. Disadvantage: Much disk space is consumed by the log files, particularly if the full text indexer is turned on.

It is up to you to decide which backup strategy to use. Warning: if you configure Citadel to automatically delete committed database logs, and do not shut the Citadel service down during backups, there is no guarantee that your backups will be usable!

Although Citadel's data store is quite reliable, database corruption can occur in rare instances. External factors such as an operating system crash or an unexpected loss of power might leave the database in an unknown state. A utility is provided which may be able to repair your database if this occurs. If you find that your Citadel server is not running, and reading the logs shows that it is crashing because of an inability to validate a database, follow these steps:

1. Stop the Citadel service with a command like ”/etc/init.d/citadel stop”
2. Make a backup of your data. Either write it out to tape or copy it to another directory, or a tarball.
3. “cd” to your Citadel directory and type ”./database_cleanup.sh”
4. Let the cleanup script run. Do not interrupt this process for any reason.
5. Restart the Citadel service with a command like ”/etc/init.d/citadel start”

If this procedure does not work, you must restore from your most recent backup.

Citadel contains a module which allows you to export the entire contents of your Citadel databases to an XML file, which may then be imported on either the same host system or another host system. This procedure is also known as “dump and load” to database gurus.

If your intention is to migrate your Citadel installation from one host system to another, it is no longer necessary to run these commands manually. Please use the "ctdlmigrate" utility to perform an automatic, system-attended, across-the-wire migration.

1. This should be obvious, but it's still worth mentioning: Make sure you have a backup of everything before you start this! You're performing a major operation here. Don't risk it.
2. First, get all the users logged off from your system. Disconnect it from the network if possible. You don't want anyone logging in while you're doing this.
3. Log on as root, or some other user that has read/write access to all relevant files.
4. Go to the directory that Citadel is installed in. For example, issue a command like “cd /usr/local/citadel”
5. Export the databases with the following command:

./sendcommand "MIGR export" >exported.xml

1. This command may run for a while. On a very large system it could take an hour or more. Please be patient!
2. When the export completes, check to make sure that “exported.dat” exists and has some data in it. (Type “ls -l exported.dat”)
3. Shut down the Citadel server. If you have a line in ”/etc/inittab” that reads like this:

 
c1:2345:respawn:/usr/local/citadel/citserver -h/usr/local/citadel

1. …then you should change the “respawn” to “off” and then type ”/sbin/init q” to make the changes take effect.
2. Now it's time to delete your current binary databases. Type:

 
rm -f citadel.config citadel.control data/*

1. If you're moving Citadel to another computer, you should move the entire directory over at this time. “exported.dat” only contains the information that was in the binary databases. Information which was stored in portable formats doesn't need to be exported/imported, so you must bring it all over in its current form.
2. Now get Citadel running on the new computer (or whatever). Run “setup” and turn the service back on (from ”/etc/inittab”) but DO NOT log in.
3. As root, run the import command:

./sendcommand "MIGR import" <exported.xml

1. This will import your databases. Again, it may run for a long time.
2. If you get watchdog time out messages during the import you will need to use the -w switch to sendcommand like this:

./sendcommand -w60 "MIGR import" <exported.xml

1. Restart the Citadel server. You can do this any way you like. From the command line, you can do it with a command like:

./sendcommand "DOWN"

1. Now you're finished. Log in and test everything. You may delete exported.dat at this time, or you might want to save it somewhere as a sort of pseudo-backup.

Citadel provides built-in support for encryption using Transport Layer Security (TLS) for ESMTP, IMAP, POP3, and the Citadel client protocol. A simple cryptographic configuration is installed automatically when you bring the system online. The remainder of this section describes how this configuration is built, and what you can do to make changes to it.

Encryption files are kept in the “keys/” directory. The three files used by Citadel are:

• “citadel.key” - Contains your system's RSA private key. Citadel generates a new key automatically if one is not found.
• “citadel.csr” - Contains a Certificate Signing Request (CSR) for your system. Citadel generates a new CSR automatically, using your private key, if one is not found.
• “citadel.cer” - Contains the public certificate for your system. The public key in the certificate must correspond with the private key in “citadel.key”, otherwise encryption will not function properly. Citadel will generate a self-signed certificate, again using your private key, if a certificate is not found.

If you wish to interact with 3rd party clients that have hard coded lists of acceptable Certificate Authorities, and you do not want annoying dialog boxes popping up for the user on the first (or all) connections, then you will have to have your key signed by a valid Certificate Authority.

It is beyond the scope of this document to provide a complete tutorial on SSL certificates. Here are the general rules to follow:

• Generally, the Certificate Signing Requeste which is automatically generated by Citadel will not contain enough information for any Certificate Authority to sign it. Generate a new CSR with the following commands:

cd keys
openssl req -new -key citadel.key -out citadel.csr

Answer all questions (your geographic location, organization name, etc.) and then send the new “citadel.csr” to your Certificate Authority when you order the certificate.

• When the certificate is received, simply save it as “citadel.cer” and restart the Citadel server.
• If your certificate authority delivers a 'chained' certificate (one with intermediate certificate authorities), simply append the intermediate certificate after your server's own certificate in the “citadel.cer” file.

Citadel is capable of authenticating users against an external LDAP service instead of maintaining its own username/password database. This is useful if you are installing Citadel in an organization that already uses LDAP for “single sign on” purposes.

Citadel supports both the standard LDAP schema (RFC 2307) as well as the most popular non-standard schema (Microsoft Active Directory).

Your LDAP service must be up and running before you attempt to connect Citadel to it. It must also be able to accept TCP client connections.

Once you've located or installed your LDAP server, connecting Citadel to it is easily completed with the .Aide System-configuration General command:

Lobby> . Aide System configuration General

//(lots of other stuff omitted for brevity...)//

Connect this Citadel to an LDAP directory [Yes]: **Yes**
Host name of LDAP server []: **127.0.0.1**
Port number of LDAP service [389]: **389**
Base DN []: **dc=servername,dc=domain,dc=org**
Bind DN []: **cn=manager,dc=servername,dc=domain,dc=org**
Password for bind DN []: **secret**

(more questions omitted…)

Save this configuration? **Yes**

Once you've done this, restart your Citadel service with the .Aide Terminate-server Now command. When Citadel restarts, it will connect to your LDAP directory. Note that we gave Citadel the same Base DN, Bind DN, and password that was in our LDAP server configuration example. Obviously, everything needs to be identical on both sides or the connection will be refused. 127.0.0.1 is the loopback address, and 389 is the standard port number for LDAP, so this would be the proper host and port combination for an LDAP service running on your local server. It could just as easily be on another server, for example an organization-wide directory server.

The following utilities will be discussed:

• aidepost - Post standard input to the Aide> room
• msgform - Format a binary message to the screen (stdin or in a file)
• sendcommand - Send a server command

It is up to you to decide which utilities should be made accessible only to system administrators. It is important that you set the file permissions correctly. All utilities should have access to the Citadel data files. We will attempt to address each program individually.

The nature of this program is rather simple. Standard input (stdin) is converted into a message, filed in the main message store, and posted in the Aide> room. This is useful for keeping transcripts of system activity that has to do with Citadel operations. You might even elect to send all of your system logs there, too.

“aidepost” also accepts the usage “aidepost -rTargetRoom”, where TargetRoom is the name of a room to which you'd like the message to be sent.

The “msgform” utility reads its standard input (stdin) looking for Citadel messages stored in the internal format used on disk and over the network, and sends them in a human-readable format to standard output (stdout). There is no longer much use for this program, but it is included for hack value.

“sendcommand” will interpret its arguments (except for ”-hDIRNAME”) as a server command, which is sent to the server. Commands which require textual input will read it from stdin. Commands which generate textual output will be sent to stdout.

This utility is intended to be used to enable Citadel server commands to be executed from shell scripts.

NOTE: be sure that this utility is not world-executable. It connects to the server in privileged mode, and therefore could present a security hole if not properly restricted.