KumoMTA & Migration
KumoMTA gives you the data. A panel gives you somewhere to stand.
A KumoMTA control panel is the operational interface the engine deliberately does not ship — a secure web view of queues, traffic shaping, IP and domain management, blacklist status and safe quick-actions, wired to your estate. KumoMTA exposes the data and leaves the interface to operators; this is that interface, built and run so you are not managing a high-volume engine from the command line alone.
A KumoMTA control panel is the operational web interface the engine deliberately does not ship: a secure view of scheduled queues, Traffic Shaping Automation status, IP and domain management, DKIM, blacklist monitoring and safe quick-actions, wired to your estate. KumoMTA exposes the data — over 100 metrics, a full HTTP API and structured logs — and leaves the interface to operators, so a panel is an add-on built on top of the existing HTTP listener rather than a rebuild, and the central task is locking it down because it can flush queues, reload policy and rotate IPs.
In short
- → KumoMTA ships no web console by design; it exposes the data and leaves the interface to operators, so a control panel is an add-on, not a rebuild of the engine.
- → Monitoring and control are different jobs: Prometheus and Grafana read metrics, while a panel takes action — pause a queue, reload policy, rest an IP — and serious estates run both.
- → A panel can flush queues, reload policy and rotate IPs, so it must be locked down: HTTP listener bound to localhost, behind an authenticated reverse proxy with two-factor and audit logging.
- → It puts day-to-day visibility and routine actions in reach of a non-CLI team — a deliverability manager or ops person — without touching Lua or SSH.
- → It sits on the existing HTTP listener and metrics endpoints, so it can be added to an estate already in production, and one panel can aggregate a whole cluster.
KumoMTA ships no web console, and that is a decision rather than an omission. The project exposes its data \u2014 over a hundred metrics, a full HTTP API, structured logs \u2014 and leaves the interface to operators, on the reasoning that every team wants something different and a bundled UI would satisfy none of them perfectly. The logic is sound, and it leaves a real gap on day one. A team arriving from PowerMTA’s built-in monitor, used to a queue view and at-a-glance health, suddenly has a more powerful engine and nowhere to look at it but the command line.
Closing that gap is what a control panel does, and it is worth being precise about what kind of gap it is. This is not about making KumoMTA prettier. It is about giving the people who operate sending \u2014 deliverability managers, ops, on-call engineers \u2014 a place to see what the engine is doing and to act on it safely, without every routine task requiring SSH and Lua. A good panel turns a powerful black box into something a team can actually run.
Why does KumoMTA ship no control panel?
The absence is principled. A bundled interface is an opinion about how you should work, baked into the software, and KumoMTA’s designers chose to keep the engine unopinionated and let the interface be a separate, swappable layer. That is the right call for a piece of infrastructure meant to slot into wildly different stacks \u2014 an ESP, a SaaS notification system, a multi-tenant platform all want different things from a console.
The cost lands on the operator. Without a panel, checking queue depth means a command; watching deferrals means tailing a log over SSH; understanding why a destination is throttled means reading shaping state by hand. None of that is hard for an engineer, and all of it is friction that adds up, slows incident response, and shuts out the non-engineers who often own deliverability. The gap is not in the engine’s capability; it is in who can reach that capability and how quickly. A panel is the bridge across it.
Does a panel replace Grafana and Prometheus?
It is easy to assume Grafana already solves this, and it solves half of it. KumoMTA exports its metrics to Prometheus, and there are ready-made Grafana dashboards that visualise throughput, queue depth, bounce rates and system health beautifully. That is observability, and it is genuinely valuable \u2014 trends over time, alerting, history. But it is read-only by design. A dashboard tells you the queue to one provider is climbing; it cannot pause that queue, reload a corrected policy, or rest the IP that is causing it.
A control panel is the operational layer that observability is not. It shows the live state, like a dashboard, and it also lets an operator do something about it: inspect a specific queue and its last errors, see what Traffic Shaping Automation is currently doing and why, pause or flush a queue, reload policy after a change, manage IPs and domains. Monitoring and control are complementary, not competing, and a well-run estate has both \u2014 Grafana for the trends and the alerts, a panel for the moment something needs a hand. Conflating them leaves you able to see every problem and unable to touch any of them.
There is a practical reason this distinction matters beyond tidiness. In an incident, the gap between noticing and acting is where reputation is lost, and forcing an operator to jump from a Grafana tab to an SSH session to do anything about what the graph just showed them adds minutes precisely when minutes are expensive. A panel that shows and acts in the same place collapses that gap. The dashboard remains the right tool for the slow questions \u2014 how did delivery trend this month, when did bounces start climbing \u2014 and the panel becomes the right tool for the fast ones, where the answer is a button rather than a query.
What does a KumoMTA control panel actually show?
The exact shape varies with the estate, but a control panel worth running covers a consistent set of views. These are the screens that turn the engine’s raw endpoints into something an operator can read and act on.
| View | What it gives the operator |
|---|---|
| Dashboard | Live throughput, queue depth and a delivery summary at a glance — the single screen that answers "is sending healthy right now?" without reading a log. |
| Queues explorer | The scheduled queues broken down by tenant, campaign and destination, with recipient counts, connections, paused state, mode, retry windows and the last error per queue. |
| Shaping & TSA status | What Traffic Shaping Automation is currently doing: active throttles, suspensions and the provider status codes driving them, so you can see why a destination is slowed. |
| Live logs | The engine’s log streamed into the browser in real time, so an operator watches deferrals and rejections as they happen rather than tailing a file over SSH. |
| IP inventory | The sending IPs, their pools and rotation state, with the reverse-DNS and reputation context that makes an IP safe to use or worth resting. |
| Domains & DKIM | Sending and tracking domains with their authentication, including DKIM key generation, so identity management does not mean hand-editing DNS and config in parallel. |
| Blacklist monitoring | Recurring checks against the listings that matter — Spamhaus and others — surfaced in the panel so a listing is caught in the panel, not in a customer complaint. |
# 1. Bind the engine HTTP listener to localhost, never 0.0.0.0 (init.lua)
kumo.start_http_listener { listen = '127.0.0.1:8000' }
# 2. Confirm nothing is listening on a public interface
$ ss -tlnp | grep 8000
LISTEN 0 1024 127.0.0.1:8000 0.0.0.0:* users:(("kumod"))
# 3. Panel reached only via the authenticated Nginx proxy (TLS + 2FA upstream)
location / { proxy_pass http://127.0.0.1:8000; auth_request /2fa; }
# 4. Port closed at the firewall; every action lands in the audit log
$ ufw status | grep 8000
8000 DENY Anywheress that nothing answers on a public interface, reach the panel only through an authenticated Nginx proxy, and close the port at the firewall. Skip any one of these and the panel becomes a control surface for your whole sending operation, reachable by anyone who finds it.What feeds the panel
A panel is not magic layered over the engine; it is a reader of interfaces KumoMTA already exposes, which is worth understanding because it shapes what a panel can and cannot do. The engine runs an HTTP listener — conventionally bound to localhost on a port such as 8000 — that serves both its metrics and a JSON API. The metrics endpoint is the same one Prometheus scrapes; the API is how a panel reads queue state and issues actions like reloading policy or flushing a queue. Live logs are streamed separately, typically from the system journal, into the browser so an operator sees events as they happen.
This architecture has two consequences worth knowing. First, a panel works with any standard KumoMTA install without modifying the engine, because it consumes endpoints that are already there — which is why one can be added to an estate already in production rather than requiring a rebuild. Second, the panel is only ever as current and as capable as those endpoints allow; it reflects the engine’s real state rather than keeping its own, so there is no risk of the panel and the engine disagreeing about what is actually happening. Building a panel is largely the work of reading these interfaces faithfully, presenting them clearly, and — critically — securing the path between the browser and that localhost listener, which is the point the next sections keep returning to.
Quick actions, and the danger in them
The feature that makes a panel genuinely operational rather than merely informative is the quick action: a button that reloads policy after a config change, flushes or pauses a backed-up queue, or rests an IP that is drawing complaints. In an incident those actions are the difference between resolving something in seconds from a browser and assembling an SSH session under pressure. They are the reason a panel earns its place in the workflow rather than just decorating it.
They are also the reason a panel demands respect. A button that flushes a queue is a button that can dump mail; one that rotates IPs can reshape your reputation in a click; one that reloads policy can push a broken config to production instantly. The convenience and the danger are the same capability seen from two sides. So the actions a panel exposes have to be scoped to the role using it and wrapped in confirmation and audit logging, because the easier an action is to take, the more it matters that only the right person takes it, and that there is a record of who did.
Is a web panel safe to run on a production MTA?
Because a control panel can take those actions, an exposed one is among the more dangerous things you can put on a production MTA. A panel reachable from the public internet is a control surface for your entire sending operation handed to anyone who finds it \u2014 the ability to read queue metadata, flush mail, rotate IPs and alter policy. This is not a theoretical concern; it is the single most important thing to get right about running a panel at all.
The discipline is well established and we apply it without exception. The engine’s HTTP listener is bound to localhost rather than exposed, so it is reachable only from the machine itself. The panel sits behind an Nginx reverse proxy that terminates TLS and enforces authentication, with two-factor on the accounts that can take actions. The panel’s own port is kept off the public internet and closed at the firewall. And every administrative action is written to an audit log, so there is a record of who reloaded policy or rested an IP and when. A panel built and run this way is a safe, powerful tool. The same panel stood up carelessly \u2014 a port left open, no auth, no proxy \u2014 is a back door, which is exactly why we treat the securing of it as part of the build rather than a later hardening pass.
Community panels, honestly
Because the gap is real and KumoMTA is open, a small ecosystem of community control panels has grown up around it \u2014 React-and-Go projects, MailerQ-style admin UIs, lightweight dashboards that expose queues and shaping. Some are genuinely good, and for many estates the right answer is to take a solid one, harden it and integrate it rather than commission something bespoke. We would rather build on good work that exists than reinvent it.
The honesty the situation calls for is about maturity and trust. These projects vary widely in how actively they are maintained, how carefully they handle authentication, and how safely they expose the engine’s actions, and a control panel is precisely the kind of software where a security weakness is severe. So our role is selection and judgement as much as installation: evaluating which panel is sound enough to put in front of a production MTA, closing the gaps it has, securing it the way the previous section describes, and integrating it with your specific queues, shaping and metrics. The alternative \u2014 a team finding a panel, deploying it unreviewed and exposing it \u2014 is how a convenience becomes the incident. Choosing and hardening the right one is most of the value.
Can one panel manage a multi-tenant or clustered estate?
For an ESP or a platform sending on behalf of many customers, a panel is not only an operator tool — it can be part of the product. KumoMTA’s queues are already organised by tenant, so the data exists to show each customer their own sending without exposing anyone else’s. That opens two distinct kinds of panel, and they have very different requirements.
The operator’s panel is internal: full visibility across every tenant, every queue and every IP, with the powerful actions, locked behind authentication and used by your own team. A customer-facing panel is the opposite — scoped tightly to a single tenant’s data, with actions limited or removed, designed to be seen by people outside your company. Conflating the two is a serious mistake: a customer must never see another customer’s queues, and certainly must never reach an action that touches shared infrastructure. Building a multi-tenant panel is therefore as much about strict data scoping and permission boundaries as about the views themselves. We design the separation deliberately — what each role sees, what each role can do, and the hard walls between tenants — because at this level a leak between tenants becomes an incident with your customers’ names on it. Done right, the same engine that powers your sending can also give your customers a window into their own, without ever compromising the isolation multi-tenancy depends on.
A panel is not set-and-forget
One last honest point: a control panel is itself a piece of software, and like the engine beneath it, it needs tending. It has dependencies that get security updates, an authentication layer that has to stay current, and an integration with the engine that can drift as KumoMTA releases new versions. A panel deployed once and forgotten becomes, over time, the least-patched and most-exposed thing in the stack — the opposite of what it was installed to be. So running a panel properly includes keeping it updated and re-checking its security alongside the estate it watches. When we operate the panel that is simply part of the job; when we hand it over, it goes on the runbook we leave, because an unmaintained control surface is a risk wearing the costume of a convenience. There is a design decision worth making explicit here, because it shapes how a panel is built rather than just how it is maintained: which actions each role is trusted with. A deliverability manager might be allowed to read every queue and shaping decision but not to flush mail or rotate an IP; an on-call engineer might hold those powers behind two-factor and an audit trail. Scoping the doing separately from the showing, role by role, is what lets a panel be widely useful without widening the blast radius of a mistake or a compromised account.
How do you build or set up a KumoMTA panel?
We start from how your team works and what it needs to see and do, because that decides whether an existing panel fits or a tailored one is warranted, and which actions should be exposed to whom. Then we select or build, secure it to the standard above \u2014 localhost binding, reverse proxy, authentication, two-factor, firewalling, audit logging \u2014 and integrate it with your estate, wiring the queue, shaping and metrics views to your actual configuration and, for a cluster, aggregating across nodes.
From there it is yours to use, and ours to operate if you would rather not. Some teams want the panel handed over with documentation and run it themselves; others fold it into a managed engagement where we are watching the same views and acting on them as part of operating the estate. Either way the outcome is the same: the people responsible for your sending can see what the engine is doing and act on it, safely, without the command line being the only door in.
The result, when it is right, is a kind of quiet competence. The people who own your sending can answer the only two questions that matter in the moment — what is happening, and what do I do about it — from one screen, safely, whether or not they live in a terminal. That is the whole ambition of a panel: not to make KumoMTA look like something it is not, but to make the power it already has reachable by the people responsible for it, without trading away the security a control surface over production sending absolutely requires. The engine was built to be operated by experts. A good panel, run properly, quietly widens who gets to count as one.
FAQ
Control panel questions
Do you build a custom panel or set up an existing one?
Either, depending on what fits. There is a small ecosystem of open-source KumoMTA control panels of varying maturity, and for many estates the right move is to select a solid one, harden it and integrate it with your engine rather than build from scratch. Where a client needs something specific — a particular workflow, multi-tenant separation, an existing design system — a tailored panel makes sense. What we will not do is point you at a random GitHub project and leave you to wire it to your production MTA unprotected.
Does a panel replace Grafana and Prometheus?
No — they do different jobs and most serious estates run both. Prometheus and Grafana are observability: read-only metrics, history and alerting, excellent for trends and dashboards. A control panel is operational: it shows live queues and shaping and lets an operator take action — pause a queue, reload policy, rest an IP. Monitoring tells you something is wrong; the panel is where you do something about it. We usually stand up the Grafana side and the panel side together.
Is a web panel safe to run on a production MTA?
Only if it is locked down, and that is the whole point of having us do it. A control panel can flush queues, reload policy and rotate IPs, so an exposed one is a serious liability. We bind the engine’s HTTP listener to localhost, put the panel behind an Nginx reverse proxy with authentication and two-factor, keep its port off the public internet, and turn on audit logging so every administrative action is recorded. Done that way it is safe; done carelessly it is a back door into your sending.
Can our non-CLI team actually operate KumoMTA with this?
That is exactly who a panel is for. KumoMTA’s command-line-and-config model is powerful but assumes an engineer comfortable in a terminal; a panel lets a deliverability manager or an ops person watch queues, read shaping decisions and take safe actions without touching Lua or SSH. It does not remove the need for engineering on the hard problems, but it puts day-to-day visibility and routine actions in reach of the people who need them.
Does it work with our existing KumoMTA install?
Yes. A panel sits on top of the engine’s existing HTTP listener and metrics endpoints rather than requiring a rebuild, so we can add one to an estate already in production. The main work is integration and securing it correctly — binding the listener, configuring the proxy, wiring the queue and shaping views to your specific setup — not reinstalling the MTA underneath it.
Can one panel manage more than one node?
Yes, and at scale that is the point. A clustered KumoMTA deployment has several nodes and their TSA daemons, and a panel that aggregates them gives a single operational view instead of logging into each box. We design the panel and the metrics scraping to cover the whole cluster, so an operator sees the estate as one system rather than a row of servers.
What can it do versus just show?
Both, and the line between them is a deliberate design choice. Showing is the safe majority: queues, throughput, shaping, logs, blacklist status. Doing is the powerful minority: reload policy, flush or pause a queue, rest or rotate an IP. We scope the actions to what a given role should be trusted with, behind authentication and audit logging, because the convenience of a one-click action and the danger of it are the same thing, and the difference is who is allowed to click it.
Start with the audit.
Twenty-five points across authentication, reputation, infrastructure and compliance — a written assessment, no charge and no obligation. It tells both of us exactly what we are working with.