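-- init.lua: KumoMTA policy — force Maileroo relay for peer 172.29.100.82
--
-- Overview of what this file configures:
--   * a JSON webhook log hook,
--   * spools, two ESMTP listeners, one HTTP listener and local logs,
--   * DKIM signer setup, rate limits and concurrency limits,
--   * tagging of messages that should leave through the Maileroo relay,
--   * queue, egress source/pool/path and outbound TLS settings.
--
-- NOTE(review): several handlers below depend on event names and message
-- accessors ('accept_inbound', 'get_egress_path', msg:peer_address(),
-- msg:mail_from(), msg:meta()). Confirm each against the reference for the
-- deployed KumoMTA version; a handler registered under a name the server
-- never fires does nothing, and the routing it implements is silently skipped.

local kumo = require 'kumo'
local dkim_sign = require 'policy-extras.dkim_sign'
local rate_limit = require 'policy-extras.rate_limit'
local concurrency = require 'policy-extras.concurrency'
local log_hooks = require 'policy-extras.log_hooks'

-- Metadata key that carries the routing decision ('yes' / 'no').
local ROUTE_META = 'route_via_maileroo'
-- EHLO name announced on every egress source and path in this file.
local EHLO_DOMAIN = 'smtpblk.xyz.com'

--------------------------------------------------------------
-- WEBHOOK LOGGING
--------------------------------------------------------------
-- NOTE(review): the URL is plain http and its path carries what appear to be
-- an account id and a token. Anyone able to observe traffic to 172.29.100.44
-- sees both, together with the From/To/Subject headers of every logged
-- message. Treat the path token as a credential: keep it out of shared or
-- version-controlled copies of this file and rotate it if the file has been
-- published.
log_hooks:new_json {
  name = 'email_specter',
  url = 'http://172.29.100.44:8989/api/webhook/687e2631fddbaa831fbe949e/04de3be121c1c27ca2f3d488cc7287a86665a8fb4ad524e534d53677fe744a85',
  log_parameters = {
    headers = { 'Message-ID', 'From', 'To', 'Subject' },
  },
}

--------------------------------------------------------------
-- INIT
--------------------------------------------------------------
kumo.on('init', function()
  kumo.define_spool { name = 'data', path = '/var/spool/kumod/data' }
  kumo.define_spool { name = 'meta', path = '/var/spool/kumod/meta' }

  -- Peers allowed to relay. The only gate visible in this file is the source
  -- address: no SMTP authentication is configured on either listener.
  -- NOTE(review): '10.0.0.0/8' admits every host in that range, not just the
  -- two hosts listed individually; narrow it if those are the only senders.
  local relay_hosts_list = {
    '127.0.0.1',
    '::1',
    '10.0.0.0/8',
    '172.29.100.82/32',
    '172.29.125.5/32',
  }

  kumo.start_esmtp_listener {
    listen = '0.0.0.0:25',
    hostname = 'xyz.com',
    relay_hosts = relay_hosts_list,
  }

  kumo.start_esmtp_listener {
    listen = '0.0.0.0:587',
    hostname = 'xyz.com',
    tls_certificate = '/opt/kumomta/etc/ssl/STAR_xyz.com.pem',
    -- Private key: the file should be readable only by the service account.
    tls_private_key = '/opt/kumomta/etc/ssl/tes_pri.key',
    relay_hosts = relay_hosts_list,
  }

  -- NOTE(review): the HTTP API binds every interface with TLS off, so
  -- requests from the two remote trusted hosts cross the network in clear
  -- text. Prefer a management-only bind address or use_tls = true.
  kumo.start_http_listener {
    listen = '0.0.0.0:9090',
    trusted_hosts = { '127.0.0.1', '172.29.100.62', '172.29.207.6' },
    use_tls = false,
  }

  -- Local logs; 'subject' is recorded, so these directories hold message
  -- content metadata and deserve the same access control as the spool.
  kumo.configure_local_logs {
    log_dir = '/var/log/kumomta',
    max_segment_duration = '10 seconds',
    max_file_size = 524288000,
    compression_level = 3,
    meta = { 'subject', 'x_client_id', ROUTE_META, 'egress_pool', 'egress_source' },
    per_record = {
      Reception = { log_dir = '/var/log/kumomta/reception', suffix = '_recv' },
      Delivery = { log_dir = '/var/log/kumomta/delivery', suffix = '_delivery' },
      Bounce = { log_dir = '/var/log/kumomta/bounce', suffix = '_bounce' },
      TransientFailure = {
        enable = true,
        log_dir = '/var/log/kumomta/transient',
        suffix = '_transient',
      },
      Any = { enable = true, log_dir = '/var/log/kumomta/any', suffix = '_any' },
    },
  }

  kumo.log_info('Kumo init completed')
end)

--------------------------------------------------------------
-- DKIM + Rate Limit + Concurrency
--------------------------------------------------------------
-- pcall keeps a broken DKIM data file from aborting policy load; the failure
-- is only logged.
-- NOTE(review): `signer` is not referenced anywhere else in this file, so
-- nothing visible here applies a signature to a message. Confirm where
-- signing is invoked, and decide whether mail should still be accepted when
-- setup fails (it currently is, unsigned).
local ok, signer = pcall(dkim_sign.setup, dkim_sign, {
  '/opt/kumomta/etc/dkim_data.toml',
  default_policy = 'SignIfPossible',
})
if ok then
  kumo.log_info('DKIM signer loaded')
else
  kumo.log_error('DKIM signer failed: ' .. tostring(signer))
end

rate_limit.setup {
  max_messages_per_hour = 8000,
  max_recipients_per_hour = 8000,
  per_domain = {
    ['gmail.com'] = { max_messages_per_hour = 5000 },
    ['yahoo.com'] = { max_messages_per_hour = 200 },
  },
}

concurrency.setup {
  max_concurrent_total = 200,
  max_concurrent_per_domain = {
    ['default'] = 5,
    ['gmail.com'] = 20,
    ['yahoo.com'] = 1,
  },
}

--------------------------------------------------------------
-- ROUTING: tag Maileroo traffic
--------------------------------------------------------------
-- Marks a message for the Maileroo relay when it arrives from peer
-- 172.29.100.82 or carries the envelope sender billing@xyz.com.
--
-- NOTE(review): the envelope sender is chosen by the submitting client. Any
-- peer accepted by relay_hosts can therefore present billing@xyz.com and have
-- its mail sent through the authenticated Maileroo account. If the intent is
-- the one in the file header (that single peer), drop the sender test or
-- require both conditions. The log line below names the peer even when the
-- match came from the sender.
kumo.on('accept_inbound', function(msg)
  -- Guard the lookup: indexing a missing peer record would raise before the
  -- 'unknown' fallback could apply.
  local peer = msg:peer_address()
  local peer_ip = (peer and peer.addr) or 'unknown'
  local mail_from = (msg:mail_from() or ''):lower()

  if peer_ip == '172.29.100.82' or mail_from == 'billing@xyz.com' then
    msg:set_meta(ROUTE_META, 'yes')
    kumo.log_info('Policy: marked Maileroo route for peer ' .. peer_ip)
  else
    msg:set_meta(ROUTE_META, 'no')
  end
end)

--------------------------------------------------------------
-- QUEUE CONFIG
--------------------------------------------------------------
-- Returns tighter limits for Maileroo-tagged messages and the default
-- settings for everything else.
-- NOTE(review): neither returned config names an egress pool; the only link
-- to 'maileroo_pool' in this file is the 'get_egress_path' handler. Verify
-- that tagged mail really leaves through the relay and not by direct MX.
kumo.on('get_queue_config', function(domain, source, site, msg)
  if msg and msg:meta(ROUTE_META) == 'yes' then
    kumo.log_info('Routing via Maileroo for ' .. tostring(msg:id()))
    return kumo.queue_config {
      max_concurrency = 10,
      max_age = '24h',
      retry_interval = '1h',
      max_retry_interval = '4h',
      max_message_rate = '500/1m',
    }
  end

  -- Default DNS delivery
  return kumo.queue_config {
    max_concurrency = 20,
    max_age = '24h',
    retry_interval = '1h',
    max_retry_interval = '4h',
  }
end)

--------------------------------------------------------------
-- EGRESS SOURCE
--------------------------------------------------------------
kumo.on('get_egress_source', function(source_name)
  if source_name == 'maileroo' then
    return kumo.egress_source {
      name = 'maileroo',
      ehlo_domain = EHLO_DOMAIN,
    }
  end
  return kumo.egress_source { name = 'default', ehlo_domain = EHLO_DOMAIN }
end)

--------------------------------------------------------------
-- EGRESS POOL (Maileroo SMTP AUTH)
--------------------------------------------------------------
kumo.on('get_egress_pool', function(pool_name)
  if pool_name == 'maileroo_pool' then
    return kumo.egress_pool {
      kumo.egress_source {
        name = 'maileroo',
        transport = kumo.transport {
          protocol = 'smtp_client',
          relay_host = 'smtp.maileroo.com',
          relay_port = 587,
          enable_starttls = true,
          -- NOTE(review): relay credentials are stored in clear text in the
          -- policy file, so every reader of this file (backups, tickets,
          -- pasted configs) holds the account. Load the password from a
          -- root-only file or a secrets store instead, and rotate it if this
          -- file has been shared.
          auth = {
            username = 'billing@xyz.com',
            password = 'supersecure password',
          },
        },
      },
    }
  end

  -- Default pool (direct MX)
  return kumo.egress_pool {
    kumo.egress_source {
      name = 'default',
      transport = kumo.transport { protocol = 'smtp_client' },
    },
  }
end)

--------------------------------------------------------------
-- EGRESS PATH
--------------------------------------------------------------
-- Selects source and pool from the routing tag set at reception.
kumo.on('get_egress_path', function(msg)
  if msg:meta(ROUTE_META) == 'yes' then
    return kumo.egress_path {
      source = 'maileroo',
      pool = 'maileroo_pool',
      ehlo_domain = EHLO_DOMAIN,
      mail_from = 'bounce@xyz.com',
    }
  end
  return kumo.egress_path {
    source = 'default',
    pool = 'default',
    ehlo_domain = EHLO_DOMAIN,
    mail_from = 'bounce@xyz.com',
  }
end)

--------------------------------------------------------------
-- TLS POLICY
--------------------------------------------------------------
-- Outbound TLS: off for sites whose name starts with mail.zee-hosting.com,
-- 'OpportunisticInsecure' for all others.
--
-- NOTE(review): the pattern is anchored only at the start, so it also matches
-- any longer site name beginning with that prefix and turns TLS off there
-- too; add an end anchor if an exact match is intended.
-- NOTE(review): 'OpportunisticInsecure' uses TLS when offered without
-- validating the peer certificate, which does not protect against an active
-- interceptor. If this policy also governs the smtp.maileroo.com path, the
-- SMTP AUTH exchange runs over that unverified channel; a verifying setting
-- for the relay host would be the safer choice.
kumo.on('get_egress_path_config', function(domain, source_name, site_name)
  if string.match(site_name or '', '^mail%.zee%-hosting%.com') then
    return kumo.egress_path { enable_tls = 'Disabled' }
  end
  return kumo.egress_path { enable_tls = 'OpportunisticInsecure' }
end)

--------------------------------------------------------------
-- FINAL LOG
--------------------------------------------------------------
kumo.log_info('Policy loaded: Maileroo routing enforced for 172.29.100.82')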