Configuring KumoMTA
The KumoMTA configuration is entirely written in Lua. Lua is a powerful embedded scripting language that is easy to read and code, and is very powerful. It is used for custom scripts in Cisco security appliances, Roblox, World of Warcraft, and really awesome MTAs. You can read more about how we leverage Lua here.
-
Create an initial core configuration by copying the example at https://docs.kumomta.com/userguide/configuration/example/ and writing it to
/opt/kumomta/etc/policy/init.lua. -
Update the relay_hosts configuration within the start_esmtp_listener function to reflect which networks are authorized to inject mail:
-
By default only localhost and private networks are able to relay (send) mail. Add the IP address or CIDR block of your injectors here to allow them to relay mail.
For HTTP, this is done with the trusted_hosts setting in a listener stanza:
kumo.start_http_listener { listen = '0.0.0.0:8000', -- allowed to access any http endpoint without additional auth trusted_hosts = { '127.0.0.1', '::1' }, }Note
If you are going to allow the HTTP listener on any IP other than localhost, you should also configure TLS and HTTP Validation.
-
Copy the default Traffic Shaping helper configuration files into place. The helpers are designed to provide simple configuration for standard use cases:
-
Configure the listener_domains.toml file, written to
/opt/kumomta/etc/listener_domains.tomlin the following format, substituting your own sending domain information:["bounce.example.com"] # You can specify multiple options if you wish log_oob = true log_arf = true relay_to = falseNote
The preceding example configures the server to accept traffic from the outside world addressed to the bounce.example.com domain, as long as the incoming messages are either Out-Of-Band DSN (bounce) notifications, or Feedback Loop messages, but will not accept regular mail for inbound relay such as with a corporate mail environment.
-
Configure the sources.toml file, written to
/opt/kumomta/etc/sources.tomlin the following format, substituting your own IP and ehlo information: -
Configure DKIM signing keys. Read the guide for details, but the short version is below:
Replace the domain and selector with your own, then generate signing keys with:
export DOMAIN=<your_domain> export SELECTOR=<your_selector> sudo mkdir -p /opt/kumomta/etc/dkim/$DOMAIN sudo openssl genrsa -f4 -out /opt/kumomta/etc/dkim/$DOMAIN/$SELECTOR.key 1024 sudo openssl rsa -in /opt/kumomta/etc/dkim/$DOMAIN/$SELECTOR.key -outform PEM -pubout -out /opt/kumomta/etc/dkim/$DOMAIN/$SELECTOR.pub sudo chown kumod:kumod /opt/kumomta/etc/dkim/$DOMAIN -R -
Configure the dkim_data.toml file, written to
/opt/kumomta/etc/dkim_data.tomlin the following format, substituting your own DKIM signing information:[base] # Default selector to assume if the domain/signature block # doesn't specify one selector = "dkim1024" # The default set of headers to sign if otherwise unspecified headers = ["From", "To", "Subject", "Date", "MIME-Version", "Content-Type", "Sender"] # Domain blocks match based on the sender domain of the incoming message [domain."example.com"] selector = 'dkim1024' headers = ["From", "To", "Subject", "Date", "MIME-Version", "Content-Type", "Sender"] algo = "sha256" # Optional override of keyfile path Default is "/opt/kumomta/etc/dkim/DOMAIN/SELECTOR.key" filename = "/full/path/to/key."Note
These instructions assume that the keyfiles are already created and in place, along with the appropriate DNS records. See the UserGuide for more information.
You now have a basic and safe sending configuration that will allow you to move on to Starting KumoMTA.
Created: 2023-03-22