HTTP Basic auth is being ignored

Hey KumoMTA team, I’m getting weird behaviour on my http api requests:

```lua
  listen = '0.0.0.0:443',
  use_tls = true,
  hostname = 'api.xxx.org',
  trusted_hosts = { '127.0.0.1', '172.31.0.0/16' },
  tls_certificate = '/etc/letsencrypt/live/api.xxx.org/fullchain.pem',
  tls_private_key = '/etc/letsencrypt/live/api.xxx.org/privkey.pem'
}
```

```lua
kumo.on('http_server_validate_auth_basic', function(user, password)
  print('VALIDATING')
  local password_database = {
    ['scott'] = 'tiger',
  }
  if password == '' then
    return false
  end
  return password_database[user] == password
end)
```

This is my http server description and http auth handler, and I'm sending requests to the /inject URL with curl without the --user flag, i.e. with no authentication, and from different IPs, but the thing is, it always succeeds and never prints "VALIDATING", so the handler is ignored.
Seems like I'm missing something basic, but I don't understand what exactly.
Any help is appreciated. Thanks!

Hey there @dapper-yeti, thanks for posting. Please read the “Troubleshooting” and “How to Ask for Help” buttons below. If you would like a 1:1 support session from the KumoMTA team, details are at the “Book a Support Session” button below.

if you connect from one of the trusted hosts then auth is not required

@free-spirited-yorksh yeah, but I’m not connected from the trusted hosts…

Nvm, it was an issue with my file, somehow a cached version was being used… sorry about that!

@free-spirited-yorksh so, now my question is: how can I set name/password pairs for each tenant/domain? Because as I understand it, with this configuration I can use scott:tiger for any domain, right? Thanks in advance!

Take a look at Checking Inbound SMTP Authentication - KumoMTA Docs

@free-spirited-yorksh thanks for that!
This is what I have in my queues:

```toml
egress_pool = 'default'
require_authz = ["scott"]

[tenant.'yyy.com']
egress_pool = 'sporty'
require_authz = ["sporty"]
```

And this is in my config:

```lua
kumo.on('http_server_validate_auth_basic', function(user, password)
  print('VALIDATING')
  print(user)
  print(password)
  local password_database = {
    ['scott'] = 'tiger',
    ['sporty'] = 'lion'
  }
  if password == '' then
    return false
  end
  return password_database[user] == password
end)
```

Based on that I can use both login/password pairs for any of these domains, xxx or yyy.
But my goal is that the sporty username should be allowed only for the domain yyy.com.

Thanks for your help.

You’re locking users to a tenant name, not a sending domain. The fact that you named your tenants after a domain name doesn’t lock that.

You’ll need to enforce that using Lua logic when the message is received.

Oh I see. Is that https://docs.kumomta.com/reference/events/http_message_generated/ ? Or https://docs.kumomta.com/reference/events/smtp_server_message_received/ ?

That depends on how you receive messages. If you accept SMTP and API you will need to implement it in both.
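One way to do what the two replies above describe, as an added example that is not code from this thread or from the KumoMTA project: keep a single table that pins each authorization identity to the sender domains it may use, check it in a function shared by both ingress paths, and hook that function into both `smtp_server_message_received` and `http_message_generated`. The usernames come from this thread; the domain lists and tenant names are constructed. `msg:sender()` returning an object with a `.domain` field, `kumo.reject(code, text)`, and the meta key `authz_id` used to recover the authenticated identity are assumptions to confirm against the docs for your version.

```lua
local kumo = require 'kumo'

-- Constructed policy: which sender domains each authorization identity may
-- use, and which tenant its traffic belongs to. 'scott' and 'sporty' are the
-- usernames from this thread; domains and tenant names are illustrative.
local POLICY = {
  scott  = { tenant = 'xxx.example', domains = { ['xxx.example'] = true } },
  sporty = { tenant = 'yyy.com',     domains = { ['yyy.com'] = true } },
}

-- Pure check, kept apart from the event hooks so it can be reasoned about on
-- its own. Returns true when the identity may send for the domain, otherwise
-- false plus a reason. Domains are compared case-insensitively.
local function sender_allowed(authz, domain)
  if authz == nil or authz == '' then
    return false, 'message was not submitted with an authorization identity'
  end
  local entry = POLICY[authz]
  if not entry then
    return false, string.format("unknown authorization identity '%s'", authz)
  end
  if domain == nil or not entry.domains[string.lower(domain)] then
    return false, string.format("identity '%s' may not send for domain '%s'",
                                authz, tostring(domain))
  end
  return true, entry.tenant
end

-- Shared enforcement for both ingress paths. On a mismatch the message is
-- rejected; on success the tenant is pinned from the policy table so that the
-- require_authz routing shown earlier in the thread and this check agree.
local function enforce_sender_policy(msg, authz)
  local sender = msg:sender()              -- assumed: object with a .domain field
  local ok, result = sender_allowed(authz, sender.domain)
  if not ok then
    kumo.reject(550, '5.7.1 ' .. result)   -- assumed signature: (code, text)
  end
  msg:set_meta('tenant', result)
end

-- SMTP path: identity established by smtp_server_auth_plain. The meta key
-- name 'authz_id' is an assumption; confirm it in the docs.
kumo.on('smtp_server_message_received', function(msg, conn_meta)
  enforce_sender_policy(msg, conn_meta:get_meta('authz_id'))
end)

-- HTTP /inject path: user accepted by http_server_validate_auth_basic. How
-- that identity reaches the message is also assumed here (same key name).
kumo.on('http_message_generated', function(msg)
  enforce_sender_policy(msg, msg:get_meta('authz_id'))
end)
```

Keeping `sender_allowed` free of any `msg` or `conn_meta` access means the policy can be exercised from a plain Lua interpreter with a handful of (identity, domain) pairs before it is wired into the live listeners, which is the quickest way to rule out a policy bug when a message is unexpectedly accepted or rejected.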

Also take a look at

Specifically.

```toml
["auth-send.example.com"]
# relay to anywhere, so long as the sender domain is auth-send.example.com
# and the connected peer has authenticated as any of the authorization identities
# listed below using SMTP AUTH
relay_from_authz = [ 'username1', 'username2' ]
```

Did everything and I'm having the same issue. The server simply ignores my authentication in this block:

```lua
-- Use this to look up and confirm a user/password credential
kumo.on('smtp_server_auth_plain', function(authz, authc, password, conn_meta)
  local password_database = {
    ['scott'] = 'tiger',
  }
  if password == '' then
    return false
  end
  return password_database[authc] == password
end)
```

Just don’t know what I’m missing…

I’d start from the very bottom, just take everything out and return false. If you do that, can injectors still inject?

Did it… it simply doesn't "pass" through there.

Can I print something inside that callback?