FIPS compliance question

Hi all,

I’m trying to understand KumoMTA’s TLS configuration model for environments that need to enforce FIPS-oriented TLS constraints.

For outbound SMTP, I found that kumo.make_egress_path exposes controls such as:

  • tls_prefer_openssl
  • openssl_cipher_list
  • openssl_cipher_suites
  • openssl_options

That seems to provide a clear way to constrain outbound TLS behavior.

For inbound SMTP listeners, in kumo.start_esmtp_listener, I found:

  • tls_certificate
  • tls_private_key
  • tls_required_client_ca

and dynamic overrides via smtp_server_get_dynamic_parameters.

I also found that connection metadata can expose negotiated TLS details such as:

  • tls_cipher
  • tls_protocol_version

My questions are:

  1. In environments with stricter/FIPS-oriented TLS requirements, what is the recommended approach for inbound SMTP listeners?
  2. Is there a supported/documented way to restrict the SMTP listener-side cipher list for inbound STARTTLS?
  3. Is the intended model that outbound TLS is policy-controlled in KumoMTA config, while inbound listener TLS is constrained differently?

We’ve had a FIPS mode on the roadmap but it’s been waiting for a sponsor.
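Whatever the listener-side answer turns out to be, the practical check is to measure what an inbound listener actually negotiates on STARTTLS and compare it with a FIPS-oriented allowlist, the same protocol/cipher pair the thread mentions as tls_protocol_version and tls_cipher. The script below is an added example, not KumoMTA code or part of the original thread; the allowlist is a constructed one and mx.example.invalid is a placeholder host.

```python
"""Probe an SMTP listener's STARTTLS handshake and judge the negotiated
protocol/cipher pair against a FIPS-oriented allowlist (added example)."""
import smtplib
import ssl

# Constructed allowlist: TLS 1.2/1.3 suites built only from ECDHE, AES-GCM
# and SHA-2. ChaCha20-Poly1305 and anything below TLS 1.2 are rejected.
APPROVED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
APPROVED_CIPHERS = {
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
}


def check_negotiated(protocol, cipher):
    """Return (ok, reason) for a negotiated protocol/cipher pair."""
    if protocol not in APPROVED_PROTOCOLS:
        return False, f"protocol {protocol} not permitted"
    if cipher not in APPROVED_CIPHERS:
        return False, f"cipher {cipher} not in allowlist"
    return True, "ok"


def probe_starttls(host, port=25, timeout=10):
    """Connect, issue STARTTLS and return (protocol, cipher) as negotiated.
    The client context is pinned to the TLS 1.2 allowlist so a listener that
    only offers non-approved suites fails the handshake instead of silently
    settling on a weaker one. Python's ssl module cannot pin TLS 1.3 suites,
    so a TLS 1.3 CHACHA20 negotiation is caught by check_negotiated instead."""
    ctx = ssl.create_default_context()  # certificate verification stays on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    tls12_suites = sorted(c for c in APPROVED_CIPHERS if not c.startswith("TLS_"))
    ctx.set_ciphers(":".join(tls12_suites))
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        sock = smtp.sock  # now an ssl.SSLSocket
        return sock.version(), sock.cipher()[0]


if __name__ == "__main__":
    proto, ciph = probe_starttls("mx.example.invalid")  # placeholder host
    ok, why = check_negotiated(proto, ciph)
    print(proto, ciph, "PASS" if ok else f"FAIL: {why}")
```

Run it against each listener after a configuration change; a PASS only shows that this one handshake landed inside the allowlist, so keep the listener's own offered cipher list restricted rather than relying on the client side to steer the negotiation.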