Ports and Firewall
Lock down the KumoMTA and KumoProxy path before sending production mail. The goal is to expose only what is required and keep operational endpoints private or authenticated.
Reference hosts
| Host | Example | Role |
|---|---|---|
| PING8 app | app.yourdomain.com | Control plane and webhook receiver. |
| KumoMTA | mta.yourdomain.com | HTTPS injection, metrics proxy, queueing, delivery policy. |
| KumoProxy | proxy.yourdomain.com | SOCKS5 egress and visible outbound SMTP IP. |
KumoMTA host ports
| Direction | Port | Source | Destination | Purpose | Exposure |
|---|---|---|---|---|---|
| Inbound | 80/tcp | Public internet | KumoMTA host | ACME HTTP challenge and redirect. | Public, limited to Nginx. |
| Inbound | 443/tcp | PING8 app | KumoMTA host | HTTPS injection and metrics via Nginx. | Public with bearer auth, or private network only. |
| Inbound | 8000/tcp | Localhost only | KumoMTA process | KumoMTA HTTP listener. | Loopback only. |
| Outbound | 5000/tcp | KumoMTA host | KumoProxy host | SOCKS5 egress path. | Only to trusted proxy hosts. |
| Outbound | 443/tcp | KumoMTA host | PING8 app | Webhook lifecycle events. | Public HTTPS or private network. |
| Outbound | 53/udp,tcp | KumoMTA host | Resolver | DNS lookups. | Resolver only. |
KumoProxy host ports
| Direction | Port | Source | Destination | Purpose | Exposure |
|---|---|---|---|---|---|
| Inbound | 5000/tcp | KumoMTA host only | KumoProxy host | SOCKS5 proxy listener. | Private or firewall-restricted. |
| Outbound | 25/tcp | KumoProxy host | Recipient MX | SMTP delivery. | Public outbound. |
| Outbound | 53/udp,tcp | KumoProxy host | Resolver | DNS lookups if needed. | Resolver only. |
| Optional inbound | metrics port | Monitoring system only | KumoProxy host | Proxy metrics/status. | Private or authenticated. |
Firewall principles
- Allow PING8 to reach only the authenticated Nginx endpoint.
- Keep KumoMTA port `8000` bound to `127.0.0.1`.
- Allow KumoMTA to reach KumoProxy only on the SOCKS5 port.
- Allow KumoProxy SOCKS5 only from trusted KumoMTA hosts.
- Allow outbound SMTP `25/tcp` from KumoProxy if it is the egress host.
- Block public access to proxy metrics unless they are authenticated and intentionally published.
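The principles above, applied to the KumoMTA host as an nftables ruleset. This is an added example, not configuration from the page or from the PING8 project; the three addresses are assumed placeholders from documentation ranges, and the rule allowing the ACME client's own HTTPS egress is an assumption, since the page's outbound table does not list it.

```nft
#!/usr/sbin/nft -f
# Added example: nftables ruleset for the KumoMTA host (mta.yourdomain.com).
# Addresses below are assumed placeholders (TEST-NET ranges), not values from the page.
define PING8_APP = 203.0.113.10   # app.yourdomain.com
define KUMOPROXY = 198.51.100.20  # proxy.yourdomain.com
define RESOLVER  = 192.0.2.53     # the DNS resolver this host is configured to use

flush ruleset

table inet kumomta_fw {
    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif "lo" accept                    # 127.0.0.1:8000 stays reachable locally
        meta l4proto { icmp, ipv6-icmp } accept

        tcp dport 80 accept comment "ACME HTTP challenge and redirect (Nginx)"
        ip saddr $PING8_APP tcp dport 443 accept comment "HTTPS injection and metrics via Nginx"

        # Explicit, counted drop so any non-loopback hit on 8000/tcp shows up in 'nft list ruleset'
        tcp dport 8000 counter drop comment "KumoMTA HTTP listener: loopback only"
    }

    chain output {
        type filter hook output priority filter; policy drop;

        ct state established,related accept
        oif "lo" accept
        ip daddr $KUMOPROXY tcp dport 5000 accept comment "SOCKS5 egress to KumoProxy"
        ip daddr $PING8_APP tcp dport 443 accept comment "webhook lifecycle events to PING8"
        ip daddr $RESOLVER udp dport 53 accept comment "DNS"
        ip daddr $RESOLVER tcp dport 53 accept comment "DNS over TCP for large answers"

        # Assumption: the ACME client runs as root, so only root may open other HTTPS egress.
        meta skuid 0 tcp dport 443 accept comment "ACME renewal traffic to the CA"

        # Everything else, including direct 25/tcp from this host, is logged and dropped,
        # which enforces that mail leaves only through KumoProxy.
        counter log prefix "kumomta-egress-denied: " drop
    }
}
```

Load it with `nft -f` on the KumoMTA host and run the verification checklist from an untrusted network and from the proxy host; the counters on the 8000/tcp and egress-deny rules show whether anything is still trying to bypass the model.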
Example allowlist model
```text
KumoMTA host:
allow inbound 80/tcp from public internet
allow inbound 443/tcp from PING8 app or trusted networks
deny inbound 8000/tcp from non-localhost
allow outbound 5000/tcp to proxy.yourdomain.com
allow outbound 443/tcp to app.yourdomain.com

KumoProxy host:
allow inbound 5000/tcp from mta.yourdomain.com only
allow outbound 25/tcp to recipient MX hosts
deny public access to any admin or metrics listener
```
Verification checklist
- From an untrusted network, `/api/inject/v1` without auth returns `401`.
- From an untrusted network, unknown KumoMTA paths return `404`.
- From an untrusted network, KumoProxy port `5000` is not reachable.
- From the KumoMTA host, KumoProxy port `5000` is reachable.
- From the KumoProxy host, outbound SMTP to a test MX can connect.
- From the KumoMTA host, the PING8 webhook URL is reachable over HTTPS.
What not to expose
- KumoMTA loopback listener.
- KumoProxy SOCKS5 listener to the public internet.
- Metrics endpoints without authentication or network restriction.
- DKIM private keys over any web-served path.
- Secret-bearing environment files through backups or support bundles.