Feature: NTM open SMTP + add rate limit fn & [DOCs/operators]: Release updates niolo (#6317)

* initialise smtp rate limit

* simplify

* remove duplicate hooks

* fix ordering

* ntm finalized

* add changelog for niolo

* bump up version

* correct nym buy info

* update stats

* fix typo

* fix typo

* ready to merge

* PR finished
import this
2026-01-15 10:09:59 +00:00
committed by GitHub
parent 8a00ed6071
commit 877d4d68c9
16 changed files with 162 additions and 32 deletions
@@ -9,7 +9,7 @@
changed_when: false
when: not ansible_check_mode
# show the full stdout so we dont depend on regex parsing at all
# show the full stdout
# show full upgraded version output, line by line
- name: Show upgraded nym-node version info
debug:
@@ -5,7 +5,7 @@
},
"mixmining_reserve": {
"denom": "unym",
"amount": "176683247613141"
"amount": "174592308324894"
},
"vesting_tokens": {
"denom": "unym",
@@ -13,6 +13,6 @@
},
"circulating_supply": {
"denom": "unym",
"amount": "823316752386859"
"amount": "825407691675106"
}
}
@@ -1 +1 @@
823_316_752
825_407_691
@@ -1 +1 @@
60_455_259
60_608_795
@@ -1 +1 @@
60_455_258
60_608_794
@@ -1,7 +1,7 @@
| **Item** | **Description** | **Amount in NYM** |
|:-------------------|:------------------------------------------------------|--------------------:|
| Total Supply | Maximum amount of NYM token in existence | 1_000_000_000 |
| Mixmining Reserve | Tokens releasing for operators rewards | 176_683_247 |
| Mixmining Reserve | Tokens releasing for operators rewards | 174_592_308 |
| Vesting Tokens | Tokens locked outside of cicrulation for future claim | 0 |
| Circulating Supply | Amount of unlocked tokens | 823_316_752 |
| Stake Saturation | Optimal size of node self-bond + delegation | 251_896 |
| Circulating Supply | Amount of unlocked tokens | 825_407_691 |
| Stake Saturation | Optimal size of node self-bond + delegation | 252_536 |
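Review bot: the unchanged Vesting Tokens row still reads "cicrulation"; since this hunk already touches the table, correct it to "circulation" in the same change. The Mixmining Reserve description "Tokens releasing for operators rewards" would also read better as "Tokens released as operator rewards".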
@@ -1,10 +1,10 @@
{
"interval": {
"reward_pool": "176683247613141.489518623753339272",
"staking_supply": "60455258984180.809034503857018251",
"reward_pool": "174592308324894.719164125613282609",
"staking_supply": "60608794397902.33807512267258462",
"staking_supply_scale_factor": "0.07342892",
"epoch_reward_budget": "4907867989.25393026440621537",
"stake_saturation_point": "251896912434.086704310432737576",
"epoch_reward_budget": "4849786342.358186643447933702",
"stake_saturation_point": "252536643324.593075313011135769",
"sybil_resistance": "0.3",
"active_set_work_factor": "10",
"interval_pool_emission": "0.02"
@@ -1 +1 @@
Thursday, December 11th 2025, 11:24:33 UTC
Thursday, January 15th 2026, 09:44:55 UTC
@@ -49,6 +49,95 @@ This page displays a full list of all the changes during our release cycle from
<VarInfo />
## `v2026.1-niolo`
- [Release Binaries](https://github.com/nymtech/nym/releases/tag/nym-binaries-v2026.1-niolo)
- [`nym-node`](nodes/nym-node.mdx) version `1.23.0`
```sh
nym-node
Binary Name: nym-node
Build Timestamp: 2025-12-02T16:21:03.251191389Z
Build Version: 1.23.0
Commit SHA: 46fe1bc8191f42aa27f34743c96e9e9f26453d87
Commit Date: 2025-12-02T15:29:30.000000000Z
Commit Branch: release/2025.22-niolo
rustc Version: 1.91.1
rustc Channel: stable
cargo Profile: release
```
### Operators Updates & Tools
Were excited to announce the first **nym-node release of 2026**.
**Exit Policy Ports Management**
In December 2025, two NIP proposals were approved, introducing new ports to Nym network: [NIP-6](https://governator.nym.com/proposal/prop-ba886b9d-6f6e-4365-b4ed-fe7e604bc375), opening ports for WhatsApp and Session + Port `465` and [NIP-4](https://governator.nym.com/proposal/prop-ca6726ea-38b1-4568-97fe-8bdc5fdc83a0), opening port `587`.
**Due to the concerns raised by the operators we built a rate limiting function to Network tunnel manager (NTM) to prevent spam abuse of the network. You can see the changes [here](https://github.com/nymtech/nym/pull/6317).**
To implement the changes and ensure that the nodes have expected performance, please re-run NTM following these steps:
<Steps>
###### 1. Get the new NTM
- Download the updated NTM and make executable
```sh
curl -L https://raw.githubusercontent.com/nymtech/nym/refs/heads/develop/scripts/nym-node-setup/network-tunnel-manager.sh -o ./network-tunnel-manager.sh && \
chmod +x network-tunnel-manager.sh
```
###### 2. Update exit policy
- To be sure that your routing is clean, run this command:
```sh
./network-tunnel-manager.sh complete_networking_configuration
```
</ Steps>
**Node Orchestration**
Nym network scaling is done mostly by squads, organizations, DAOs and other entities of collaborating operators administrating multiple nodes. To improve efficiency, user experience and cost we added a new menu item [*Orchestration*](/operators/orchestration) where you can find step by step guides to:
- [Virtualise server using KVM](/operators/nodes/preliminary-steps/vps-setup/advanced): Creating VMs with desired size, bandwidth and capacity for lower cost in comparison to renting VPS
- [Ansible guide](/operators/orchestration/ansible): Orchestrating many nodes effectively using the [Ansible template](https://github.com/nymtech/nym/tree/develop/ansible/nym-node)
Please, let us know how that worked for you.
### Features
- [Merge intermediate upgrade mode changes](https://github.com/nymtech/nym/pull/6174): This PR contains a long changelog on itself, please read the full [in the PR description](https://github.com/nymtech/nym/pull/6174)
- [Config migration](https://github.com/nymtech/nym/pull/6259)
- [Statistics API v2](https://github.com/nymtech/nym/pull/6227): This PRs adds a v2 of the `VpnClientSessionReport` and update the stats API to be able to store it
- [Update chain registry link](https://github.com/nymtech/nym/pull/6219)
### Bugfix
- [Re-exposed 'derive_extended_private_key'](https://github.com/nymtech/nym/pull/6247)
- [`gateway-probe` fixes for run-local](https://github.com/nymtech/nym/pull/6212)
- [Upgrade mode: VPN adjustments](https://github.com/nymtech/nym/pull/6189): This PR further builds up on [\#6174](https://github.com/nymtech/nym/pull/6174) to include changes required by the VPN-client to fully support the upgrade mode, what is relevant here is that this PR modifies the credential storage to allow it to storage an opaque `emergency credential` that lets it be shared between sessions (if it is still valid) ]
- [Add weighted scoring to NS API](https://github.com/nymtech/nym/pull/6144)
### Refactors & Maintenance
- [Remove run DKG migration](https://github.com/nymtech/nym/pull/6253)
- [Do not re-derive wallet keys on every tx](https://github.com/nymtech/nym/pull/6213): The `cosmrs' trait bounds on `EcdsaSigner` got updated to include `Send` and `Sync`, meaning we no longer need to derive private keys on every transaction and instead we can just do it once, on construction
- [Remove support for legacy mixnode within the performance contract](https://github.com/nymtech/nym/pull/6205): The network no longer supports those nodes, there's no point in having the "brand new" (kinda) contract support them either
<br />
<AccordionTemplate name="Changelog 2025">
## Last Update of 2025
We are not going to do a platform release this year anymore, but we have two important updates to share.
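Review bot: step 1 of the new `<Steps>` block downloads `network-tunnel-manager.sh` from `refs/heads/develop`, so an operator following the `v2026.1-niolo` notes runs whatever is on `develop` at that moment rather than the script shipped with this release, and nothing in the step verifies what was downloaded. Point the URL at the release tag or a commit hash and publish a checksum beside it, so the script that rewrites the firewall can be checked before it is executed. Smaller points in the same hunk: "Were excited" is missing its apostrophe, the Bugfix entry for #6189 ends with a stray `]`, the `cosmrs` mention opens with a backtick and closes with `'`, and the build info lists `Commit Branch: release/2025.22-niolo` under a `v2026.1-niolo` heading, which deserves a line of explanation if it is intended.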
@@ -2750,6 +2839,7 @@ Config changes:
To allow reading through older changelogs, we store them below sorted by years.
</ AccordionTemplate>
<br />
<AccordionTemplate name="Changelog 2024">
@@ -4444,7 +4534,7 @@ done
- Top routing score now includes:
- Wireguard registration and complete handshake test, to configure see [tasklist below](#operators-tasks)
- DNS resolution check, to configure see [tasklist below](#operators-tasks)
- Wireguard perfomance bigger than 0.75, to configure see [tasklist below](#operators-tasks)
- Wireguard performance bigger than 0.75, to configure see [tasklist below](#operators-tasks)
- New [Nym Wallet](https://github.com/nymtech/nym/releases/tag/nym-wallet-v1.2.14) is out!
- Vesting contract functionalities have been purged, users can only remove tokens from vesting
@@ -21,16 +21,17 @@ This documentation page provides a guide on how to set up and run a [NYM NODE](.
```sh
nym-node
Binary Name: nym-node
Build Timestamp: 2025-11-25T14:26:29.627763948Z
Build Version: 1.22.0
Commit SHA: 22793bc45ea21561671d6670497ff42bc36b9d76
Commit Date: 2025-11-25T15:16:42.000000000+01:00
Commit Branch: HEAD
rustc Version: 1.88.0
Build Timestamp: 2025-12-02T16:21:03.251191389Z
Build Version: 1.23.0
Commit SHA: 46fe1bc8191f42aa27f34743c96e9e9f26453d87
Commit Date: 2025-12-02T15:29:30.000000000Z
Commit Branch: release/2025.22-niolo
rustc Version: 1.91.1
rustc Channel: stable
cargo Profile: release
```
Detailed version archive and release notes is documented [here](../../changelog.mdx).
{/* COMMENTING THIS OUT ASS WE HAVE TO FIGURE OUT HOW TO SHOW THE LATEST VERSION FROM MASTER BRANCH
@@ -11,7 +11,13 @@ If pre-compiled binaries for your operating system aren't available, you can bui
If you don't already have one, please create a Nym address using the wallet, and fund it with NYM tokens. The minimum amount required to bond a node is 100 `NYM`, but make sure you have a bit more to account for gas costs.
`NYM` can be purchased via [Bity](https://bity.com) from the wallet itself with BTC or fiat, and is currently present on several [exchanges](https://www.coingecko.com/en/coins/nym#markets).
`NYM` can be swapped in these places:
- [SpectreDAO Swap](https://explorer.nym.spectredao.net/swap) (1000+ tokens supported)
- [Binance bridge](https://bridge.nym.com/)
- [ERC20 bridge](https://swapper.nym.com/swap) - follow [this guide](https://nym.com/blog/nym-for-nym-swapper-app-bridges-native-and-erc20-token)
`NYM` can be also bought on several [exchanges](https://www.coingecko.com/en/coins/nym#markets).
> Remember that you can **only** use Cosmos `NYM` tokens to bond your node. You **cannot** use ERC20 representations of `NYM` to run a node.
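Review bot: the first entry in the new swap list links to `explorer.nym.spectredao.net`, while the other two point at `nym.com` hosts, and the list gives readers no way to tell who operates each service. Label each entry with its operator (marking third-party services as such), since this is the page people follow when moving funds. The sentence "`NYM` can be also bought" should read "can also be bought".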
@@ -487,6 +487,25 @@ configure_dns_and_icmp_wg() {
ok "dns and icmp configuration completed"
}
apply_smtps_465_rate_limit() {
info "adding SMTPS tcp/465 rules with rate limiting to ${NYM_CHAIN}"
# IPv4
iptables -A "$NYM_CHAIN" -p tcp --dport 465 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A "$NYM_CHAIN" -p tcp --dport 465 -m conntrack --ctstate NEW -m hashlimit \
--hashlimit-upto 30/min --hashlimit-burst 60 --hashlimit-mode srcip --hashlimit-name smtps465v4 -j ACCEPT
iptables -A "$NYM_CHAIN" -p tcp --dport 465 -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
# IPv6
ip6tables -A "$NYM_CHAIN" -p tcp --dport 465 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
ip6tables -A "$NYM_CHAIN" -p tcp --dport 465 -m conntrack --ctstate NEW -m hashlimit \
--hashlimit-upto 30/min --hashlimit-burst 60 --hashlimit-mode srcip --hashlimit-name smtps465v6 -j ACCEPT
ip6tables -A "$NYM_CHAIN" -p tcp --dport 465 -m conntrack --ctstate NEW -j REJECT --reject-with tcp-reset
ok "SMTPS tcp/465 installed: NEW <= 30/min burst 60 per srcip; overflow rejected; ESTABLISHED allowed"
}
###############################################################################
# part 2: wireguard exit policy manager
###############################################################################
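Review bot: in `apply_smtps_465_rate_limit` none of the six `iptables`/`ip6tables` calls is checked, and the closing `ok` line is printed regardless of their result as far as this hunk shows. If the `-m hashlimit` rule fails to install while the following `-j REJECT --reject-with tcp-reset` rule succeeds, every NEW connection to tcp/465 is reset and the operator is still told the limiter is in place. Chain the calls with `|| return 1` (or test each exit status) and print `ok` only on success. The values `30/min` and `60` are repeated in both rule sets and in the message, so lifting them into named variables would keep the log line from drifting away from the rules, and a short comment on what `--hashlimit-mode srcip` keys on for traffic in this chain would help operators reason about the limit.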
@@ -527,6 +546,7 @@ exit_policy_install_deps() {
create_nym_chain() {
info "creating nym exit policy chain $NYM_CHAIN"
# create/flush chain
if iptables -S "$NYM_CHAIN" >/dev/null 2>&1; then
iptables -F "$NYM_CHAIN"
else
@@ -539,15 +559,25 @@ create_nym_chain() {
ip6tables -N "$NYM_CHAIN"
fi
if ! iptables -C FORWARD -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN" 2>/dev/null; then
iptables -I FORWARD 1 -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN"
fi
# remove *all* FORWARD -> NYM-EXIT jumps
while read -r rule; do
spec="${rule#-A FORWARD }"
iptables -D FORWARD $spec 2>/dev/null || true
done < <(iptables -S FORWARD | grep -F " -j $NYM_CHAIN" || true)
if ! ip6tables -C FORWARD -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN" 2>/dev/null; then
ip6tables -I FORWARD 1 -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN"
fi
while read -r rule; do
spec="${rule#-A FORWARD }"
ip6tables -D FORWARD $spec 2>/dev/null || true
done < <(ip6tables -S FORWARD | grep -F " -j $NYM_CHAIN" || true)
# add the single correct hook
iptables -I FORWARD 1 -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN"
ip6tables -I FORWARD 1 -i "$WG_INTERFACE" -o "$NETWORK_DEVICE" -j "$NYM_CHAIN"
ok "NYM-EXIT chain ready + single FORWARD hook installed"
}
setup_nat_rules() {
info "setting up nat and forwarding rules for $WG_INTERFACE via $NETWORK_DEVICE"
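Review bot: the two `while read` loops select rules with `grep -F " -j $NYM_CHAIN"`, which is a substring match, so a FORWARD jump to any other chain whose name merely begins with the value of `$NYM_CHAIN` is deleted as well. Anchor the match on the whole target name, for example `grep -E " -j ${NYM_CHAIN}( |\$)"`. In the same loops, `iptables -D FORWARD $spec 2>/dev/null || true` depends on word splitting of the unquoted `$spec` and hides every failure, so a jump that could not be deleted is followed by a fresh `-I FORWARD 1` and the final `ok` still reports a single hook; count the remaining jumps after the insert and fail if there is more than one.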
@@ -616,6 +646,8 @@ apply_port_allowlist() {
["HTTPS"]="443"
["SMBWindowsFileShare"]="445"
["Kpasswd"]="464"
# this port is opened and rate limited in apply_smtps_465_rate_limit
# ["SMTP"]="465"
["RTSP"]="554"
["SMTPSubmission"]="587"
["LDAPS"]="636"
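Review bot: `["SMTPSubmission"]="587"` stays in the plain allowlist, so only tcp/465 goes through the new limiter, even though the changelog in this same commit presents the rate limit as the response to spam concerns after both `465` and `587` were opened. If that is intended, say so in the comment here and in the changelog; otherwise take the port as a parameter in `apply_smtps_465_rate_limit` and route 587 through it too. The commented-out key is also named `SMTP`, while the function and its log line call the port SMTPS.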
@@ -1178,6 +1210,7 @@ exit_policy_install() {
create_nym_chain
setup_nat_rules
apply_port_allowlist
apply_smtps_465_rate_limit
apply_spamhaus_blocklist
add_default_reject_rule
save_iptables_rules
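Review bot: `apply_smtps_465_rate_limit` is called before `apply_spamhaus_blocklist`, and its rules are appended with `-A` and end in `-j ACCEPT`, so whether a blocklisted destination is still refused on tcp/465 depends on where the blocklist rules are placed in the chain, which this diff does not show. Confirm that the blocklist is evaluated ahead of the 465 ACCEPT rules, or move the call after `apply_spamhaus_blocklist`, and add a comment in `exit_policy_install` recording the order these steps rely on.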