Authentication and Relay Issues with KumoMTA - SMTP AUTH Setup

Hi everyone,
I’m new to KumoMTA and struggling with setting up proper SMTP authentication and relaying. I’ve installed KumoMTA on a Rocky Linux server and generated self-signed certificates for TLS.
My issue is that when clients try to send mail through my server, they receive:
Mailbox unavailable. The server response was: 5.7.1 relaying not permitted for 192.99.35.202
I’ve configured the server with authentication users in my init.lua (attached) and set up the get_listener_domain event to allow authenticated users to relay to any domain.
I believe my auth setup is correct, but I’m not seeing any auth attempts in the logs, which makes me think clients aren’t successfully doing STARTTLS and attempting authentication before sending.
My current setup includes:

Self-signed certs for TLS
SMTP listeners on ports 25 and 587
Authentication handler for smtp_server_auth_plain
Connection logging for debugging
Special rule to allow mail-tester.com for testing

Are there any common gotchas with authentication and relaying I should be aware of? How can I debug whether clients are attempting authentication correctly?
Any help would be greatly appreciated!

I have now noticed that when I send the email, even with the right authentication, it does not send and says: "The server response was: 5.7.1 relaying not permitted for 192.99.35.202". Am I missing something in my config?
message.txt (5.03 KB)

The way authentication works is that ONE of the methods will let you pass mail. You can use:

  • relay hosts
  • smtp_auth
  • listener_domains

If you want smtp_auth, you do not (should not) add the ip to relay_hosts. If a message arrives from ANY IP with valid credentials it will be allowed to pass. It is important to know that you do NOT need to set the listener as an open relay. If the credentials are valid Kumo will accept it.

Note that you also need to use valid TLS.

At a rough glance, your code seems ok. I would test with kcli trace-smtp-server to see what is actually being injected.

You should see TLS negotiation, then authentication, all visible in the stream.
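To make the three points above concrete (smtp_auth instead of relay_hosts, relay only for sessions that actually authenticated, TLS on the listener), here is a minimal policy written as an added example for this thread. It is not the original poster's init.lua and not code from the KumoMTA project; the certificate paths, hostname, domain and the credential table are placeholders, and the `received_from` metadata key is taken from KumoMTA's connection-metadata docs rather than from anything posted here, so verify it against your installed version. Spool, queue and egress configuration are left out because they are not part of the auth/relay path.

```lua
-- Added example for this thread (not the poster's code, not KumoMTA's own).
-- Relay policy: mail is relayed only when the session authenticated.
local kumo = require 'kumo'

-- Constructed credentials for illustration only. In production load these
-- from a secrets store or a file readable only by the kumod user, and do
-- not keep passwords in init.lua.
local USERS = {
  ['relay@example.com'] = 'correct horse battery staple', -- assumption
}

local TLS_CERT = '/opt/kumomta/etc/tls/cert.pem' -- assumption
local TLS_KEY = '/opt/kumomta/etc/tls/key.pem'   -- assumption
local MY_DOMAIN = 'example.com'                  -- assumption

kumo.on('init', function()
  -- Both listeners get the certificate and key: AUTH is only usable once
  -- the session is under TLS, which is why a missing/invalid TLS setup
  -- shows up as "no auth attempts in the logs".
  -- relay_hosts stays loopback-only. Do NOT add client IPs here when you
  -- intend to authenticate them; credentials are what grant relaying.
  for _, port in ipairs { 25, 587 } do
    kumo.start_esmtp_listener {
      listen = '0.0.0.0:' .. port,
      hostname = 'mail.' .. MY_DOMAIN, -- assumption
      tls_certificate = TLS_CERT,
      tls_private_key = TLS_KEY,
      relay_hosts = { '127.0.0.1' },
    }
  end

  -- Spool directories must be owned by kumod, otherwise the listener
  -- fails with "Permission denied (os error 13)" as seen later in the thread.
  kumo.define_spool { name = 'data', path = '/var/spool/kumomta/data' }
  kumo.define_spool { name = 'meta', path = '/var/spool/kumomta/meta' }
end)

-- AUTH PLAIN carries three fields: authz (identity to act as, usually
-- empty), authc (identity proving the password) and the password.
kumo.on('smtp_server_auth_plain', function(authz, authc, password, conn_meta)
  -- Refuse attempts to authenticate as one user and act as another.
  if authz ~= '' and authz ~= authc then
    return false
  end
  local expected = USERS[authc]
  -- Plain string comparison is fine for a demo; a real deployment should
  -- compare password hashes from a secrets backend instead.
  return expected ~= nil and expected == password
end)

kumo.on('get_listener_domain', function(domain, listener, conn_meta)
  -- authz_id is populated by KumoMTA only after a successful AUTH;
  -- it is nil for unauthenticated sessions.
  local authz_id = conn_meta:get_meta 'authz_id'
  -- Peer address: 'received_from' per the KumoMTA connection-metadata docs
  -- (there is no 'peer_address' key). Verify against your version.
  local peer = conn_meta:get_meta 'received_from'

  if authz_id then
    kumo.log_debug('relay permitted for', domain, 'from', peer, 'as', authz_id)
    -- Authenticated session: relay to any destination domain.
    return kumo.make_listener_domain { relay_to = true }
  end

  if domain == MY_DOMAIN then
    -- Unauthenticated inbound mail for our own domain is still accepted.
    return kumo.make_listener_domain { relay_to = true, log_oob = true, log_arf = true }
  end

  -- Anyone else gets the 5.7.1 "relaying not permitted" response.
  kumo.log_debug('relay refused for', domain, 'from', peer)
  return kumo.make_listener_domain { relay_to = false }
end)
```

With this in place, a kcli trace-smtp-server capture of a working client should show STARTTLS, then AUTH PLAIN, then RCPT TO being accepted. A quick client-side check from another host is swaks with --tls --auth PLAIN --auth-user and --auth-password against port 587; if the client never issues STARTTLS, it will not get to AUTH and the 5.7.1 relay refusal is expected.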

I have now implemented your recommendation, and have still faced the same issues. I am now sharing a screenshot and also my trace.

The biggest challenge I have is that I am not able to see the debug logs via journalctl -f -n 50 -u kumomta.service

I feel like something is just missing on my code that I do not know of. Any kind of support will be appreciated.


init.lua (5.09 KB)
journalctl.log (17.9 KB)

If you want to use smtp_auth you NEED to use TLS. I can see you have not in the screenshots.

I now started seeing a different error. I had to dump all my code to see if I am missing something, or if someone can help me reproduce the issues and see if we come up with a solution together.

I am also requesting a general review of my work to see if I get some recommendations.


init.lua (31.6 KB)
shaping.toml (4.43 KB)
sources.toml (277 Bytes)
tsa_init.lua (599 Bytes)
queues.toml (471 Bytes)
journalctl.log (35.9 KB)

I see the error is: ‘technical problem’.
Z ERROR smtpsrv-0 run{socket=PollEvented { io: Some(TcpStream { addr: 87.236.146.75:25, peer: 192.99.35.202:50339, fd: 62 }) }}: kumod::smtp_server: Error in SmtpServerSession: Permission denied (os error 13)

ls -l to check; all files should be owned by kumod.

Maybe the doc can help: How do I resolve a `Permission Denied` error? - KumoMTA Docs

Thank you, I solved the permission issues, but then I just noticed from the logs that I am not actually receiving the credentials.

I feel it is from this code block:

```
local authz_id = conn_meta:get_meta('authz_id')
local peer_ip = conn_meta:get_meta('peer_address')
local is_using_tls = conn_meta:get_meta('tls_status') == 'Active'

kumo.log_debug("Checking relay permissions - Domain:", domain,
               "IP:", peer_ip,
               "Auth:", authz_id or "none",
               "TLS:", is_using_tls and "Yes" or "No")
```

Maybe I am not collecting the connection metadata right, and then there is no value for peer_ip, authz_id and even is_using_tls; all are empty strings, unfortunately, from my observation of the logs.

My debug log
debug.log (3.9 KB)

Did ChatGPT write this?

The conn_meta variable tls_status does not exist. Neither does peer_address.

lol, some I wrote, some I pushed to Claude. lol