Unable to set up log_hook with MSK using IAM authentication (SASL_SSL / OAUTHBEARER)

I’m trying to configure KumoMTA so that events go directly into Kafka. My setup:

Deployment: Kumo on EC2 (Ubuntu 24.04, arm64)
Kafka: AWS MSK, IAM-only auth enabled (port 9098)
Kumo version: kumod 2025.05.06-b29689af

When I attempt to send a test message, I get this error:

```
Sep 15 21:59:21 mta1.felloauth.com kumod[57546]:         [C]: in local 'poll'
Sep 15 21:59:21 mta1.felloauth.com kumod[57546]:         [string "?"]:4: in field 'build_producer'
Sep 15 21:59:21 mta1.felloauth.com kumod[57546]:         [string "/opt/kumomta/etc/policy/init.lua"]:135: in function <[string "/opt/kumomta/etc/policy/init.lua"]:131>
Sep 15 21:59:21 mta1.felloauth.com kumod[57546]:  (consecutive_connection_failures=6)
Sep 15 21:59:22 mta1.felloauth.com kumod[57546]: 2025-09-15T21:59:22.257095Z DEBUG       logging-0 kumod::logging::files: waiting until deadline=Some(Instant { tv_sec: 198962, tv_nsec: 555665172 }) for a log record
Sep 15 21:59:22 mta1.felloauth.com kumod[57546]: 2025-09-15T21:59:22.260925Z DEBUG        readyq-0 kumod::ready_queue: Error in Dispatcher::run for unspecified->mta_kafka_logs.log_hook@lua:make.mta_kafka_logs.log_hook: Client config error: Unsupported value "SASL_SSL" for configuration property "security.protocol": OpenSSL not available at build time security.protocol SASL_SSL
```

Is there a way to build KumoMTA with OpenSSL support so that security.protocol = SASL_SSL works?

init.lua log_hook snippet:
https://gist.github.com/kartik-pawar/b786608816a3afb24d888e8c701c4283

I think KumoMTA does not support security.protocol = SASL_SSL.

The documented Kafka logger works as written.

Full reference documentation is here:

You can prefer OpenSSL:

Have not specifically tested this particular use case.

Hi, just reading this thread, so the Kafka producer implementation does not support SSL?

Also, the prefer OpenSSL option is for all communication? So, setting tls_prefer_openssl to true will mean that SSL options are usable for Kafka connections?

SASL and SSL are two different things. We support SSL but not SASL.

OpenSSL will be available within the limits of what we have defined above.

Thanks, I couldn’t see a way of specifying a custom CA cert for the Kafka broker connection.