Can anyone please help me fix an SMTP auth issue? I have created a bash script to add a domain name to KumoMTA and generate SMTP creds for each domain added, but the SMTP creds generated by my script are valid for sending mail from all domains (even domains which are not added to the server). I want my SMTP creds to work only for the particular domain names they were generated for.
Hey there @sympathetic-crane, thanks for posting. Please read the “Troubleshooting” and “How to Ask for Help” buttons below. If you would like a 1:1 support session from the KumoMTA team, details are at the “Book a Support Session” button below.
I'm using the default init.lua and this bash script:
#!/bin/bash
# Paths for configuration files and directories
CONFIG_DIR="/opt/kumomta/etc"
POLICY_DIR="$CONFIG_DIR/policy"
TLS_CERT_DIR="$CONFIG_DIR/ssl"
DKIM_DIR="$CONFIG_DIR/dkim"
mkdir -p "$POLICY_DIR" "$TLS_CERT_DIR" "$DKIM_DIR"

# Self-signed TLS certificate and key for the listener, generated once
if [[ ! -f "$TLS_CERT_DIR/kumomta_cert.pem" || ! -f "$TLS_CERT_DIR/kumomta_key.pem" ]]; then
  echo "Generating TLS certificate and key..."
  openssl req -x509 -newkey rsa:2048 -nodes \
    -keyout "$TLS_CERT_DIR/kumomta_key.pem" \
    -out "$TLS_CERT_DIR/kumomta_cert.pem" \
    -days 365 -subj "/CN=kumomta.local"
fi

INIT_LUA="$POLICY_DIR/init.lua"

# Append the shared auth and DKIM handlers only once. The quoted 'EOF'
# delimiter stops the shell from expanding anything inside the Lua text.
if ! grep -q "smtp_users =" "$INIT_LUA"; then
cat << 'EOF' >> "$INIT_LUA"
-- Central SMTP credentials table
local smtp_users = {}
-- SMTP server authentication handler
kumo.on('smtp_server_auth_plain', function(authz, authc, password)
  if not smtp_users[authc] or smtp_users[authc].password ~= password then
    return false
  end
  return true
end)
-- Central DKIM signer configuration
local dkim_signers = {}
-- SMTP server message received handler
kumo.on('smtp_server_message_received', function(msg)
  local from_header = tostring(msg:from_header())
  local email = from_header:match("[^%s<]+@[^%s>]+")
  if not email then
    return false, "Invalid email format in From header."
  end
  local domain = email:match("@([^@]+)$")
  local username = msg.smtp_auth_user and msg:smtp_auth_user() or ""
  local registered_domain = smtp_users[username] and smtp_users[username].domain
  if not domain or domain ~= registered_domain then
    return false, "Domain mismatch or missing domain in From header."
  end
  local signer = dkim_signers[domain]
  if signer then
    msg:dkim_sign(signer)
  else
    return false, "No DKIM signer configured for the domain."
  end
  return true
end)
EOF
fi

# Loop to handle multiple domain inputs
while true; do
  read -r -p "Enter your domain name (leave blank to stop): " DOMAIN
  if [[ -z "$DOMAIN" ]]; then
    break
  fi
  DOMAIN_DKIM_DIR="$DKIM_DIR/$DOMAIN"
  mkdir -p "$DOMAIN_DKIM_DIR"
  read -r -p "Enter your selector for DKIM (e.g., default, mail): " SELECTOR
  echo "Generating DKIM keys for $DOMAIN..."
  # Note: 1024-bit keys are the minimum DKIM verifiers must accept; 2048 is the common recommendation today
  openssl genrsa -out "$DOMAIN_DKIM_DIR/$SELECTOR.key" 1024
  openssl rsa -in "$DOMAIN_DKIM_DIR/$SELECTOR.key" -outform PEM -pubout -out "$DOMAIN_DKIM_DIR/$SELECTOR.pub"

  # Per-domain SMTP credential, appended to the tables defined above
  SMTP_USERNAME="user_${RANDOM}@${DOMAIN}"
  SMTP_PASSWORD=$(openssl rand -base64 12)
  echo "smtp_users['$SMTP_USERNAME'] = { password = '$SMTP_PASSWORD', domain = '$DOMAIN' }" >> "$INIT_LUA"
  echo "dkim_signers['$DOMAIN'] = kumo.dkim.rsa_sha256_signer {
  domain = '$DOMAIN',
  selector = '$SELECTOR',
  headers = { 'From', 'To', 'Subject' },
  key = '$DOMAIN_DKIM_DIR/$SELECTOR.key',
}" >> "$INIT_LUA"

  echo "SMTP credentials for $DOMAIN:"
  echo "Username: $SMTP_USERNAME"
  echo "Password: $SMTP_PASSWORD"
  # Strip the PEM header/footer and line breaks to get the bare base64 public key
  DKIM_PUBLIC_KEY=$(sed '1d;$d' "$DOMAIN_DKIM_DIR/$SELECTOR.pub" | tr -d '\n')
  echo "Add the following DKIM record to your DNS for $DOMAIN:"
  echo "Record Type: TXT"
  echo "Host: $SELECTOR._domainkey.$DOMAIN"
  echo "Value: v=DKIM1; k=rsa; p=$DKIM_PUBLIC_KEY"
done

echo "Adjusting permissions for KumoMTA..."
sudo chown -R kumod:kumod /opt/kumomta/etc
echo "Restarting KumoMTA..."
if sudo systemctl restart kumomta; then
  echo "KumoMTA restarted successfully."
else
  echo "Failed to restart KumoMTA. Check the service status and logs."
  exit 1
fi
I’m on cell, are you using the listener_domains helper?
If so look for relay_from_authz
Thanks for helping me out.
No, I'm not using the listener_domains helper, just the default init.lua.
I'm trying to go through the docs for relay_from_authz now.
I've been trying to make this work for days but no luck.
Even with the listener_domains helper.
Either the SMTP creds work for all domains or I'm getting an endless error: ERROR: 4.3.0 technical difficulties
Any idea how I can make it work?
Follow that and the troubleshooting guide so we have enough context.
thanks
Thank you for posting the Bash script. Can you please share the resulting config it generated? Seeing the full /opt/kumomta/etc/policy/init.lua file would be very helpful.
Also, this does not work. You must use stop and start, not restart.
sudo systemctl restart kumomta
Hi @faithful-ostrich, sorry for the late reply. Here's init.lua:
kumo.on('init', function()
  kumo.start_esmtp_listener {
    listen = '0.0.0.0:25',
    relay_hosts = { '127.0.0.1', '0.0.0.0/0' },
  }
  kumo.start_http_listener {
    listen = '127.0.0.1:8000',
  }
  kumo.define_spool {
    name = 'data',
    path = '/var/spool/kumomta/data',
  }
  kumo.define_spool {
    name = 'meta',
    path = '/var/spool/kumomta/meta',
  }
  kumo.configure_local_logs {
    log_dir = '/var/log/kumomta',
    -- Flush logs every 10 seconds.
    -- You may wish to set a larger value in your production
    -- configuration; this lower value makes it quicker to see
    -- logs while you are first getting set up.
    max_segment_duration = '10s',
  }
end)
--[[ End of INIT Section ]]
--[[ Start of Non-INIT level config ]]
-- PLEASE read https://docs.kumomta.com/ for extensive documentation on customizing this config.
--[[ End of Non-INIT level config ]]
-- Configuration for wefwe.com
local smtp_users = {
  ['user_28063'] = '2mRQEFA+F08rzr30', -- SMTP credentials
}
kumo.on('smtp_server_auth_plain', function(authz, authc, password, conn_meta)
  if password == '' then
    return false -- Return false if password is empty
  end
  return smtp_users[authc] == password -- Check password against the table
end)
kumo.on('smtp_server_message_received', function(msg)
  local domain = msg:from_header().domain
  if domain == 'wefwe.com' then
    local dkim_key_path = '/opt/kumomta/etc/dkim/wefwe.com/wqdqw.key'
    msg:add_dkim_signature({
      domain = domain,
      selector = 'wqdqw',
      key_path = dkim_key_path,
      headers = 'From:To:Subject:Date',
    })
  end
end)
You have made this an open relay.
relay_hosts = { '127.0.0.1', '0.0.0.0/0' },
remove the 0.0.0.0/0
the SMTP_Auth function will allow any injection as long as it passes auth regardless of the injecting IP, so making this an open relay is not necessary.
Okay, but an authenticated SMTP user is still able to send email from any domain.
You will want to introduce Lua into the received hook to check on whether the tenant should be able to relay for that domain. It’s something we’ve looked at but not had demand for yet.
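The two pieces of advice above, the `relay_hosts` fix and a per-tenant domain check in the received hook, put together as an added example. This is not code from the thread or from the KumoMTA project; it assumes the `authn_id` metadata key holds the authenticated SMTP user (as documented for KumoMTA connection metadata, verify against your version), and the `allowed_domains` table is constructed sample data in place of whatever the provisioning script generates. Only the parts relevant to the question are shown; the spool and logging setup from the posted init.lua stays as it was.

```lua
-- Added example, not from the original thread or the KumoMTA project.
local kumo = require 'kumo'

-- Which From: domains each authenticated user may submit mail for.
-- Constructed sample data; a provisioning script would append entries here.
local allowed_domains = {
  ['user_28063'] = { ['wefwe.com'] = true },
}

kumo.on('init', function()
  kumo.start_esmtp_listener {
    listen = '0.0.0.0:25',
    -- Only loopback may relay without AUTH. Dropping 0.0.0.0/0 closes the
    -- open relay; everyone else has to authenticate first.
    relay_hosts = { '127.0.0.1' },
  }
  -- spool and log configuration unchanged from the posted init.lua
end)

kumo.on('smtp_server_message_received', function(msg, conn_meta)
  -- Assumption: 'authn_id' is the meta key KumoMTA sets to the AUTH user.
  local user = msg:get_meta 'authn_id'
  if not user then
    -- Nothing authenticated: refuse the injection outright.
    kumo.reject(530, '5.7.0 authentication required')
  end

  local from = msg:from_header()
  local domain = from and from.domain and from.domain:lower()
  local permitted = allowed_domains[user]

  -- Reject unless this user is explicitly allowed to send for this domain.
  if not domain or not permitted or not permitted[domain] then
    kumo.reject(550, '5.7.1 not authorized to send for this domain')
  end
  -- DKIM signing for the permitted domain goes here, as in the original script.
end)
```

The check is deny-by-default: a credential that is valid but has no entry for the From: domain is rejected with a permanent 5.7.1, and the reason shows up in the client's SMTP response and in the local logs, which is what you want when debugging why a tenant's mail was refused.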