Server Improvements & Fixes

Generated: February 20, 2026

🔴 Critical Fixes (Do Now)

1. Fix OVH IPv6 bind_failures (2.5M failures!)

SSH to OVH and disable IPv6 in KumoMTA config:
ssh root@84.247.139.105

# Edit KumoMTA config
nano /opt/kumomta/etc/policy/init.lua

# Find the get_egress_pool section and change to 100% IPv4:
kumo.on('get_egress_pool', function(pool_name)
  return kumo.make_egress_pool {
    name = pool_name,
    entries = {
      { name = 'ipv4-primary', weight = 100 },
      -- IPv6 disabled: bind failures
      -- { name = 'ipv6-primary', weight = 20 },
    },
  }
end)

# Restart KumoMTA
sudo systemctl restart kumomta

2. Setup Log Rotation (Contabo has 13GB!)

ssh root@217.217.250.114

# Create logrotate config
cat > /etc/logrotate.d/kumomta << 'EOF'
/opt/kumomta/logs/* {
    daily
    rotate 3
    compress
    delaycompress
    missingok
    notifempty
    maxage 3
    dateext
    dateformat -%Y%m%d
}
EOF

# Clean old logs immediately (keep last 3 days)
find /opt/kumomta/logs/ -type f -mtime +3 -delete

# Verify space freed
du -sh /opt/kumomta/logs/

3. Sync DKIM Keys (Contabo 656 → OVH 507)

# From Contabo, sync to OVH
ssh root@217.217.250.114

# Create sync script
rsync -avz --progress /opt/kumomta/dkim/ root@84.247.139.105:/opt/kumomta/dkim/

# Or manual approach:
scp /opt/kumomta/dkim/*.key root@84.247.139.105:/opt/kumomta/dkim/

# Then on EU server, fix permissions
ssh root@84.247.139.105
chown -R kumod:kumod /opt/kumomta/dkim/
chmod 600 /opt/kumomta/dkim/*.key
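
A check to run around the sync in step 3, added here as an example and not part of the original runbook: it lists keys present in the source directory but missing from the destination, and flags private keys whose mode is not 600. The function names and the sample directories are constructed, and it assumes both key directories are reachable as local paths (a copy or a mount).

```shell
#!/bin/sh
# Added example: audit DKIM key directories before/after a sync.
# All function names and sample files below are constructed for illustration.

# Print the *.key basenames found in directory $1, sorted.
list_keys() (
  cd "$1" 2>/dev/null || exit 0
  for f in *.key; do
    if [ -f "$f" ]; then printf '%s\n' "$f"; fi
  done | sort
)

# Keys present in SRC ($1) but absent from DST ($2), one name per line.
missing_keys() (
  src_list=$(mktemp) dst_list=$(mktemp)
  list_keys "$1" > "$src_list"
  list_keys "$2" > "$dst_list"
  comm -23 "$src_list" "$dst_list"
  rm -f "$src_list" "$dst_list"
)

# Private keys under $1 whose mode is anything other than exactly 600.
loose_keys() (
  find "$1" -type f -name '*.key' ! -perm 600 -exec basename {} \; | sort
)

# Constructed sample: "contabo" holds 3 keys, "ovh" holds 2, one of them mode 644.
make_sample() {
  root=$(mktemp -d)
  mkdir "$root/contabo" "$root/ovh"
  for d in a.example b.example c.example; do : > "$root/contabo/$d.key"; done
  for d in a.example b.example; do : > "$root/ovh/$d.key"; done
  chmod 600 "$root"/contabo/*.key "$root/ovh/a.example.key"
  chmod 644 "$root/ovh/b.example.key"
  printf '%s\n' "$root"
}

sample=$(make_sample)
echo "Missing on destination:"; missing_keys "$sample/contabo" "$sample/ovh"
echo "Not mode 600:";           loose_keys "$sample/ovh"
rm -rf "$sample"
```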

🟡 Performance Improvements

4. Add Mimecast-specific Rate Limiting

Mimecast has 5,686 transient failures. Add stricter limits:
ssh root@217.217.250.114

# Edit traffic shaping
nano /opt/kumomta/etc/policy/custom-shaping.toml
Add/update Mimecast section:
# ============================================
# MIMECAST - Very conservative (blocking us)
# ============================================
[provider."mimecast"]
match=[
  {MXSuffix=".mimecast.com"},
]
connection_limit = 2
max_connection_rate = "2/min"  # Very slow
max_message_rate = "20/min"   # Reduced from default
max_deliveries_per_connection = 10
enable_tls = "Required"
idle_timeout = "60s"

[[provider."mimecast".automation]]
regex = [
  '''4\d\d.*temporarily rejected''',
  '''rate limit''',
  '''too many connections''',
]
action = [
  {SetConfig={name="max_message_rate", value="5/min"}},
  {SetConfig={name="connection_limit", value=1}},
]
duration = "4h"

5. Reduce KumoMTA CPU (77.6%)

High CPU might be due to:
  • Too many scheduled retries
  • Log writing overhead

# Check what's causing high CPU (look up the service's main PID; it changes on every restart)
top -p "$(systemctl show -p MainPID --value kumomta)"

# If it's retry loops, bounce old messages
curl -X POST http://127.0.0.1:8000/api/admin/bounce/v1 \
  -H "Content-Type: application/json" \
  -d '{"campaign": ".*", "reason": "Cleanup old queue", "duration": "0s"}'

6. Setup Redis Password Security

Ensure Redis requires authentication:
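# Check current config
docker exec redis redis-cli CONFIG GET requirepass

# If empty, set a password. Prompt for it and send the command on stdin so the
# secret stays out of shell history and the process list.
read -rs -p "Redis password: " REDISCLI_AUTH && export REDISCLI_AUTH
printf 'CONFIG SET requirepass "%s"\n' "$REDISCLI_AUTH" | docker exec -i redis redis-cli
# New connections must now authenticate; -e REDISCLI_AUTH forwards the exported variable.
# CONFIG REWRITE only succeeds if Redis was started with a config file.
docker exec -e REDISCLI_AUTH redis redis-cli CONFIG REWRITE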

🟢 Monitoring Improvements

7. Create Health Check Script

cat > /opt/scripts/health-check.sh << 'EOF'
#!/bin/bash
# Unosend Health Check

echo "=== Unosend Server Health Check ==="
echo "Date: $(date)"
echo

# KumoMTA
echo "--- KumoMTA ---"
systemctl is-active kumomta
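SCHEDULED=$(curl -s http://127.0.0.1:8000/metrics | grep '^scheduled_count_total' | grep -oP '\d+$')
# Empty when the metrics endpoint is unreachable; avoid a broken integer test in that case
echo "Scheduled Queue: ${SCHEDULED:-unknown}"
if [ "${SCHEDULED:-0}" -gt 5000 ]; then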
  echo "⚠️ WARNING: Queue is backing up!"
fi

# Redis
echo
echo "--- Redis ---"
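# Password is read from a root-only file (assumed path) and passed via REDISCLI_AUTH, not -a
export REDISCLI_AUTH="$(cat /root/.redis-pass 2>/dev/null)"
docker exec -e REDISCLI_AUTH redis redis-cli PING 2>/dev/null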

# Disk
echo
echo "--- Disk ---"
df -h / | tail -1
LOGS_SIZE=$(du -sm /opt/kumomta/logs/ 2>/dev/null | cut -f1)
echo "KumoMTA Logs: ${LOGS_SIZE:-unknown}MB"
if [ "${LOGS_SIZE:-0}" -gt 5000 ]; then
  echo "⚠️ WARNING: Logs over 5GB!"
fi

# Memory
echo
echo "--- Memory ---"
free -h | grep Mem

echo
echo "=== Health check complete ==="
EOF

chmod +x /opt/scripts/health-check.sh

# Add to cron (run every 6 hours); append to the existing crontab instead of replacing it
(crontab -l 2>/dev/null; echo "0 */6 * * * /opt/scripts/health-check.sh >> /var/log/health-check.log 2>&1") | crontab -

8. Setup Automatic Log Cleanup Cron

# Add daily cleanup cron
cat > /etc/cron.daily/kumo-cleanup << 'EOF'
#!/bin/bash
# Delete logs older than 3 days
find /opt/kumomta/logs/ -type f -mtime +3 -delete
# Report the remaining log size
du -sh /opt/kumomta/logs/
EOF

chmod +x /etc/cron.daily/kumo-cleanup

🚀 Deliverability Improvements

9. Add DMARC Reporting

Current DMARC is basic. Upgrade to get reporting:
v=DMARC1; p=quarantine; rua=mailto:dmarc@unosend.co; ruf=mailto:dmarc-failures@unosend.co; pct=100; adkim=r; aspf=r
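
A sanity check for the record above before it is published, added here as an example and not part of the original runbook. `dmarc_tag` and `check_dmarc` are hypothetical helper names; the checks follow the DMARC tag rules (v=DMARC1 first, p one of none/quarantine/reject, pct 0-100, adkim/aspf r or s).

```shell
#!/bin/sh
# Added example: validate a DMARC TXT record string. Helper names are hypothetical.

# Print the value of tag $2 (e.g. "p") from DMARC record $1.
dmarc_tag() {
  printf '%s\n' "$1" | tr ';' '\n' \
    | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
    | sed 's/[[:space:]]*$//' | head -n 1
}

# Print one finding per line; return non-zero if any finding is an error.
check_dmarc() {
  rec=$1 rc=0
  first=$(printf '%s\n' "$rec" | cut -d';' -f1 | tr -d '[:space:]')
  [ "$first" = "v=DMARC1" ] || { echo "error: record must start with v=DMARC1"; rc=1; }
  p=$(dmarc_tag "$rec" p)
  case $p in
    none) echo "warn: p=none only monitors, failing mail is still delivered" ;;
    quarantine|reject) ;;
    *) echo "error: p must be none, quarantine or reject (got '$p')"; rc=1 ;;
  esac
  [ -n "$(dmarc_tag "$rec" rua)" ] || echo "warn: no rua, aggregate reports will not be sent"
  pct=$(dmarc_tag "$rec" pct)
  case ${pct:-100} in
    *[!0-9]*) echo "error: pct must be an integer"; rc=1 ;;
    *) [ "${pct:-100}" -le 100 ] || { echo "error: pct must be 0-100"; rc=1; } ;;
  esac
  for t in adkim aspf; do
    v=$(dmarc_tag "$rec" "$t")
    case ${v:-r} in r|s) ;; *) echo "error: $t must be r or s"; rc=1 ;; esac
  done
  return $rc
}

# The record from this section.
RECORD='v=DMARC1; p=quarantine; rua=mailto:dmarc@unosend.co; ruf=mailto:dmarc-failures@unosend.co; pct=100; adkim=r; aspf=r'
check_dmarc "$RECORD" && echo "record OK"
```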

10. Setup Postmaster Tools

Register IPs with major providers:

11. Warm New EU IP Properly

Contabo EU (84.247.139.105) needs gradual warmup:
# Add to OVH's custom-shaping.toml
# Start with very low limits for first 2 weeks

[provider."gmail-warmup"]
match=[{MXSuffix=".google.com"}]
connection_limit = 2
max_message_rate = "30/min"  # Start low

[provider."microsoft-warmup"]  
match=[{MXSuffix=".outlook.com"}]
connection_limit = 2
max_message_rate = "20/min"
Gradually increase limits over 4 weeks:
  • Week 1: 30/min Gmail, 20/min Microsoft
  • Week 2: 60/min Gmail, 40/min Microsoft
  • Week 3: 90/min Gmail, 60/min Microsoft
  • Week 4: 120/min Gmail, 80/min Microsoft

12. Enable DANE on Both Servers

DANE improves security and deliverability to security-conscious domains:
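-- In init.lua, ensure DANE is enabled. enable_dane is an option of
-- kumo.make_egress_path and needs a DNSSEC-validating resolver to take effect.
enable_dane = true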

📊 Summary

Priority | Issue | Impact | Time to Fix
🔴 Critical | OVH bind_failures (2.5M) | Emails failing | 5 min
🔴 Critical | Log rotation (13GB) | Disk full soon | 10 min
🔴 Critical | DKIM sync (149 missing) | OVH DKIM failures | 15 min
🟡 High | Mimecast throttling | 5,686 failures | 10 min
🟡 High | KumoMTA CPU (77%) | Performance | 15 min
🟢 Medium | Health monitoring | Visibility | 20 min
🟢 Medium | Postmaster registration | Reputation tracking | 30 min
🟢 Medium | OVH IP warmup | EU deliverability | Ongoing

Commands Cheatsheet

# Check queue size
curl -s http://127.0.0.1:8000/metrics | grep scheduled_count_total

# Check delivery stats
curl -s http://127.0.0.1:8000/metrics | grep total_messages_delivered

# Bounce all stuck messages
curl -X POST http://127.0.0.1:8000/api/admin/bounce/v1 \
  -H "Content-Type: application/json" \
  -d '{"campaign": ".*", "reason": "Queue cleanup"}'

# Check Redis queues (export REDISCLI_AUTH with the password first so it stays off the command line)
redis-cli --user unosend LLEN email:default

# Check DKIM keys count
ls /opt/kumomta/dkim/*.key | wc -l

# Check log size
du -sh /opt/kumomta/logs/

# Restart KumoMTA
systemctl restart kumomta

# Check KumoMTA status
systemctl status kumomta

# View recent KumoMTA logs
tail -100 /opt/kumomta/logs/kumo.log | grep -i error