KumoMTA API

It was already there, I added this debug to understand if anything was getting through at all

And if you implement it as in the documents and enter the wrong password, it gives an error - incorrect password

And if you enter the right password you’re getting Trusted IP Required.

yep

And if you set trusted hosts to specifically include the IP of the client?

exactly the same

And what does that look like in your init.lua when you configured it?

kumo.on('http_server_validate_auth_basic', function(user, password)
  local password_database = {
    ['admin'] = 'admin1',
  }
  if password == '' then
    return false
  end
  return password_database[user] == password
end)

Are you passing password = "" or are you passing password = nil?
They are different.
You may want to trap that with
if password == '' or password == nil then ...

Also, it may just be a copy/paste issue, or it may be in your original code, but the single quote beside 8000 seems to be a “magic quote”.
I tested this and it did not work (failed on a </226> character).
Replaced the quotes with “real” quotes and it worked fine.

OK, so I took some time to test your scenario and it looks like you have found an “undocumented feature”.
Like literally, we just forgot to document it.
The expected behaviour is that for the INJECT API, Basic Auth can be used to override the lack of a trusted IP. This allows you to inject from hosts that are not specifically listed in your trusted IPs if they have other auth credentials.
HOWEVER, for the ADMIN API calls (bounce, set_diagnostic_log_filter), you MUST perform those actions from a Trusted IP. While the http_server_validate_auth_basic will actually execute for these, the result is discarded.

The net is that any of the ADMIN API calls must be performed from a trusted IP. In your case, your curl is using a host, not an IP, so it is possible that it is being interpreted as IPv6, not IPv4. Ideally you should not use 0.0.0.0 but rather the actual IP range you want to have access to ADMIN functions.
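A simplified model of the rule described in the reply above, as an added example that is not part of the thread and is not KumoMTA's own code: an untrusted peer can reach the inject API with valid Basic Auth, admin paths need a trusted peer IP regardless of credentials, and an IPv6 peer address never matches an IPv4 trusted_hosts entry. The addresses are constructed documentation-range values, `/api/inject/v1` stands in for the inject endpoint, and plain CIDR matching of trusted_hosts entries is an assumption.

```python
import ipaddress

ADMIN_PREFIX = "/api/admin/"  # prefix taken from the curl calls in this thread


def is_trusted(peer, trusted_hosts):
    """True if the peer address falls inside any trusted_hosts entry (IP or CIDR)."""
    addr = ipaddress.ip_address(peer)
    for entry in trusted_hosts:
        net = ipaddress.ip_network(entry, strict=False)
        # An IPv4 entry can never match an IPv6 peer address, and vice versa.
        if addr.version == net.version and addr in net:
            return True
    return False


def decide(peer, path, trusted_hosts, basic_auth_ok):
    """Model of the access rule described in the reply above (assumed, simplified)."""
    if is_trusted(peer, trusted_hosts):
        return "allow"
    if path.startswith(ADMIN_PREFIX):
        # The auth callback may run, but its result does not help on admin paths.
        return "Trusted IP required"
    return "allow" if basic_auth_ok else "auth required"


# Constructed sample configuration and peers (documentation address ranges).
TRUSTED = ["127.0.0.1", "203.0.113.7/32"]
CASES = [
    ("203.0.113.7", "/api/admin/bounce/v1", True),   # listed IPv4 client
    ("2001:db8::7", "/api/admin/bounce/v1", True),   # same client reached over IPv6
    ("::1", "/api/admin/bounce/v1", True),           # localhost resolved to IPv6
    ("198.51.100.9", "/api/inject/v1", True),        # untrusted, valid Basic Auth
    ("198.51.100.9", "/api/inject/v1", False),       # untrusted, no valid auth
]

if __name__ == "__main__":
    for peer, path, auth_ok in CASES:
        print(f"{peer:15} {path:24} auth_ok={auth_ok!s:5} -> "
              f"{decide(peer, path, TRUSTED, auth_ok)}")
```

Comparing the peer address the server actually sees (IPv4 or IPv6) against each trusted_hosts entry this way shows quickly whether the "Trusted IP required" response is an address-family mismatch.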

Hi Tom,

Thanks for your detailed response — really helpful!

Just to follow up:
I’ve updated the password check logic to:
if password == '' or password == nil then return false end

I double-checked all the quotes — no magic quotes anymore, everything is plain ' or " ASCII.

I also verified the trusted_hosts list in start_http_listener, and my current public IP is definitely listed there.
For testing, I tried both:
curl -u admin:admin1 http://<hostname>:8000/api/admin/bounce/v1
curl -u admin:admin1 http://<public-ip>:8000/api/admin/bounce/v1
But in both cases I still get:

Trusted IP required

Any ideas what else might be interfering? Could it be something with IPv6 resolution, nginx proxying (though I’m hitting the port directly), or something else I might’ve overlooked?

Nope. I replicated the issue, got the same problem, and resolved it as described. The first two were “red herrings” that did not actually contribute to the problem. The error message you are getting is telling you the IP being used is not trusted.
Perhaps you did not restart the process after your change?

Thanks for confirming.
Just to be sure — I’ve tested with all kinds of quotes around: single, double, straight ASCII quotes, even intentionally wrong ones like smart quotes — but the result is always the same.
I’ve restarted the process after every change, but the error message still persists: Trusted IP required
At this point, I honestly have no idea what else could be wrong — everything seems to be in place.
Maybe the order of modules in init.lua affects it?
What else can I check or change?

Did you use my config in its entirety? Or just a snippet? Maybe I have a mistake somewhere? And does it affect the entire work?

This is not a quote issue, this is an IP issue.
If you want to share the full config that would be helpful. I might have time in the next few days to scan it.

Of course, here is my configuration
Thank you very much for your help
init.lua (4.57 KB)

to Tom

Good day
Did you have time to look?

I feel that the fastest way is to modify only the trusted_hosts according to the official documents, remove /32 and only do IP tests. Example Server Policy - KumoMTA Docs

I can be sure that this function is bug-free, because I have been using it all the time.

Thank you, I’ll check again
but I tried all the options, the only thing left is to reinstall everything