DNS And TLS
KumoMTA needs clean DNS and TLS before PING8 should inject production mail.
Example hostnames
| Host | Purpose |
|---|---|
| mta.yourdomain.com | KumoMTA HTTPS injection and metrics host. |
| proxy.yourdomain.com | Optional KumoProxy egress host. |
| mail.yourdomain.com | Domain mail host used by PING8 DNS verification. |
TLS for injection
The KumoMTA injection URL should use HTTPS:
https://mta.yourdomain.com/api/inject/v1

PING8 should be configured with TLS verification enabled unless you are in a temporary lab environment.
Metrics access
Metrics should not be public. Allow only trusted internal addresses or authenticated reverse proxy access.
Example:
https://mta.yourdomain.com/metrics

Webhook return path
KumoMTA must be able to reach the PING8 event endpoint over HTTPS. The webhook should include a shared secret or signed token expected by PING8.
Common TLS mistakes
- Certificate covers mail.yourdomain.com but not mta.yourdomain.com.
- Private CA is used while TLS verification is enabled.
- Reverse proxy forwards the wrong path.
- Firewall allows browser access but blocks the PING8 server.
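
A preflight check for the first two mistakes in the list above, written as an added example (it is not code from PING8 or KumoMTA). The function names are hypothetical and the sample certificates are constructed; the certificate dict has the shape Python's `getpeercert()` returns.

```python
import socket
import ssl

def san_dns_names(cert):
    """DNS entries from the subjectAltName of a getpeercert()-style dict."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, host):
    """RFC 6125 style match: '*' is accepted only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False                      # a wildcard never spans several labels
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]   # conservative: reject '*.com'
    return p == h

def uncovered_hosts(cert, required):
    """Hostnames from `required` that no SAN entry in `cert` covers."""
    names = san_dns_names(cert)
    return [h for h in required if not any(name_matches(n, h) for n in names)]

def fetch_verified_cert(host, port=443, cafile=None, timeout=5):
    """Fetch the server certificate with chain verification still on.
    For a private CA, pass its bundle as cafile instead of disabling
    verification. Only the hostname check is deferred, so a mismatch can
    be reported by uncovered_hosts() rather than aborting the handshake."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False            # diagnostic only; CERT_REQUIRED stays set
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificates (not real ones).
MAIL_ONLY_CERT = {"subjectAltName": (("DNS", "mail.yourdomain.com"),)}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.yourdomain.com"),)}
REQUIRED = ["mail.yourdomain.com", "mta.yourdomain.com"]

if __name__ == "__main__":
    print(uncovered_hosts(MAIL_ONLY_CERT, REQUIRED))
    print(uncovered_hosts(WILDCARD_CERT, REQUIRED))
```

Run `uncovered_hosts(fetch_verified_cert("mta.yourdomain.com"), ["mta.yourdomain.com"])` from the PING8 server itself, so the firewall path being tested is the one production traffic will use.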