Chris Reich

Introduction
Cancel messages allow the author of a message to delete their message from the server if they later decide they should not have posted it for any reason. Most newsreaders allow a user to send a cancel message for their own messages through their menu system.

While most newsreaders will check that the message the user is trying to cancel was sent by them, this system is open to abuse and people can send cancel messages to delete messages originally posted by other people. Because of this abuse, many news server administrators have chosen to disable the use of cancel messages altogether. While this prevents the abuse, it also removes a useful option from the majority of users who do not abuse the system.

To allow your users to cancel their own messages while preventing abuse, MPNews implements an authenticated cancels system. In this system, each message is tagged with a value that includes, in an encrypted form, the username of the person who posted the message. When a cancel message is posted, that is also tagged with a corresponding value containing the username of the person who posted the cancel message. If the two match, the cancel message will be processed and the message will be deleted.

For full technical details of the authenticated cancels mechanism, please refer to http://tools.ietf.org/wg/usefor/draft-ietf-usefor-cancel-lock/draft-ietf-usefor-cancel-lock-01.txt.

Authenticating users
As mentioned above, this system relies on each user being logged in to the MPNews server with a unique username and associated password. Beyond this, there are no other steps the user has to take to use the authenticated cancel system as all the work is done on the MPNews server. The user does not have to use any particular newsreader or change any settings.

Automating user account creation
If you only have a small number of users or if you already have user accounts set up for everyone, the requirement of having unique usernames for everyone will not be a problem. However, if your newsgroups are available to the public without requiring authentication, the requirement for each of them to have a username and password could mean a lot of additional time spent manually creating usernames.

To avoid this problem, MPNews supports the automatic creation of new user accounts via the web interface. If you have one or more user groups set up with the "Default" option set, your users will be able to use the signup links displayed in the web interface to your newsgroups to create a new account without any administrator interference.

Once the user account has been created, an e-mail will be sent to the user to verify their e-mail account exists. To allow this e-mail to be sent, you must have already configured the details of your SMTP server under the "E-mail settings" item in the main MPNews administration site.

Accepting authenticated cancels
By default, MPNews does not allows the use of any type of cancel messages, whether authenticated or not. To allow cancel messages, you must create a cancel message rule within the virtual server administration site. Click on the main "Delete messages" option, then the "cancel message rules" link. On this screen, click "Add new rule" to create a new cancel message rule.

The cancel message rule defines which newsgroups the rule applies to, and whether cancel messages in those newsgroups can be used by anyone, with authentication, or not at all. Select the newsgroups you want to allow cancel messages in, and click Save.

Bypassing authenticated cancels for administrators
You may want to allow some people to send cancel messages for any messages and bypass the authenticated cancels system. You can do this by changing the permissions assigned to these users. When editing a permission, in the "Newsgroup permissions" area you have the option of selecting the "Cancel articles" permission. This allows the users included in the permission to cancel any articles in the specified newsgroups, regardless of any other settings.