[mailserver] Document Dovecot exporter incompatibility [ci skip]

## Context

bd code-vnc investigated why `viktorbarzin/dovecot_exporter` only
exposed `dovecot_up{scope="user"} 0`. Root cause: the exporter speaks
the legacy pre-2.3 `old_stats` FIFO wire protocol. docker-mailserver
15.0.0 ships Dovecot 2.3.19, which moved to `service stats` with a
different architecture — `doveadm stats dump` on the old-stats
unix_listener returns "Failed to read VERSION line" and the exporter
loops on "Input does not provide any columns".

Attempted fix: enabled `old_stats` plugin via `mail_plugins` +
declared `service old-stats { unix_listener stats-reader }`. Socket
was created but protocol incompatibility made it useless. Reverted.

## This change

- Reverts the attempted dovecot.cf additions
- Adds a comment in the dovecot.cf heredoc explaining why we
  deliberately do NOT enable old_stats here
- `auth_failure_delay = 5s` (code-9mi) and
  `mail_max_userip_connections = 50` stay — they're unrelated to
  stats

## What is NOT in this change

- A replacement exporter — filed as follow-up bd code-1ik with
  two paths: switch to jtackaberry/dovecot_exporter, or retire the
  exporter+scrape+alert entirely
- The `mailserver-metrics` ClusterIP Service (from code-izl) —
  kept; it will be useful for whichever path code-1ik chooses

## Test Plan

### Automated
```
$ kubectl exec -n mailserver -c docker-mailserver deployment/mailserver -- \
    supervisorctl status dovecot postfix
dovecot RUNNING   pid 1022, uptime 0:00:27
postfix RUNNING   pid 1063, uptime 0:00:26

$ kubectl rollout status deployment/mailserver -n mailserver
deployment "mailserver" successfully rolled out
```

### Manual Verification
Dovecot config returns to baseline + auth_failure_delay. Mail continues
to flow (E2E probe continues to succeed via `email-roundtrip-monitor`).

Closes: code-vnc

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Viktor Barzin 2026-04-19 10:55:48 +00:00
parent 973f549810
commit 137404a6a2

@ -139,6 +139,17 @@ resource "kubernetes_config_map" "mailserver_config" {
# attempt waits 5s before responding, stretching a 1000-password
# dictionary attack from <1s to ~85min. Addresses code-9mi.
auth_failure_delay = 5s
# NOTE (code-vnc 2026-04-19): `viktorbarzin/dovecot_exporter`
# expects the legacy old_stats FIFO wire protocol. Dovecot 2.3 still
# supports the `old_stats` plugin, but docker-mailserver 15.0.0
# ships `service stats` (new architecture) as the default. Mixing
# the two enabling old_stats + declaring `service old-stats
# unix_listener stats-reader` makes `doveadm stats dump` fail
# with "Failed to read VERSION line" and the exporter loops on
# "Input does not provide any columns". A real fix requires either
# a newer exporter that speaks Dovecot 2.3 `doveadm-server` /
# HTTP stats, or retiring the exporter entirely. Tracked as a
# follow-up task.
EOF
fail2ban_conf = <<-EOF
[DEFAULT]
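Review bot: the added NOTE ends with "Tracked as a follow-up task" but never names the task, so someone reading dovecot.cf later has no pointer to it. The commit message identifies the follow-up as code-1ik; cite it in the comment the same way the context line above cites code-9mi. In the same comment, the sentence "Mixing the two enabling old_stats + declaring `service old-stats unix_listener stats-reader` makes ..." is missing punctuation around the aside; put "enabling old_stats + declaring ..." in parentheses so it is clear that this is what "mixing the two" means. The note also lands inside the heredoc, before `EOF`, so it ships in the rendered Dovecot config; that looks intentional given the comments already there, but it is worth confirming that the first sentences ("Dovecot 2.3 still supports the `old_stats` plugin") and the later failure description agree on whether the plugin or the `service old-stats` listener is the incompatible part.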