From 137404a6a2972afc88076becde845e95309f92ad Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Sun, 19 Apr 2026 10:55:48 +0000 Subject: [PATCH] [mailserver] Document Dovecot exporter incompatibility [ci skip] MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## Context bd code-vnc investigated why `viktorbarzin/dovecot_exporter` only exposed `dovecot_up{scope="user"} 0`. Root cause: the exporter speaks the legacy pre-2.3 `old_stats` FIFO wire protocol. docker-mailserver 15.0.0 ships Dovecot 2.3.19, which moved to `service stats` with a different architecture — `doveadm stats dump` on the old-stats unix_listener returns "Failed to read VERSION line" and the exporter loops on "Input does not provide any columns". Attempted fix: enabled `old_stats` plugin via `mail_plugins` + declared `service old-stats { unix_listener stats-reader }`. Socket was created but protocol incompatibility made it useless. Reverted. ## This change - Reverts the attempted dovecot.cf additions - Adds a comment in the dovecot.cf heredoc explaining why we deliberately do NOT enable old_stats here - `auth_failure_delay = 5s` (code-9mi) and `mail_max_userip_connections = 50` stay — they're unrelated to stats ## What is NOT in this change - A replacement exporter — filed as follow-up bd code-1ik with two paths: switch to jtackaberry/dovecot_exporter, or retire the exporter+scrape+alert entirely - The `mailserver-metrics` ClusterIP Service (from code-izl) — kept; it will be useful for whichever path code-1ik chooses ## Test Plan ### Automated ``` $ kubectl exec -n mailserver -c docker-mailserver deployment/mailserver -- \ supervisorctl status dovecot postfix dovecot RUNNING pid 1022, uptime 0:00:27 postfix RUNNING pid 1063, uptime 0:00:26 $ kubectl rollout status deployment/mailserver -n mailserver deployment "mailserver" successfully rolled out ``` ### Manual Verification Dovecot config returns to baseline + auth_failure_delay. Mail continues to flow (E2E probe continues to succeed via `email-roundtrip-monitor`). Closes: code-vnc Co-Authored-By: Claude Opus 4.7 (1M context) --- stacks/mailserver/modules/mailserver/main.tf | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/stacks/mailserver/modules/mailserver/main.tf b/stacks/mailserver/modules/mailserver/main.tf index 0b756c54..f156549a 100644 --- a/stacks/mailserver/modules/mailserver/main.tf +++ b/stacks/mailserver/modules/mailserver/main.tf @@ -139,6 +139,17 @@ resource "kubernetes_config_map" "mailserver_config" { # attempt waits 5s before responding, stretching a 1000-password # dictionary attack from <1s to ~85min. Addresses code-9mi. auth_failure_delay = 5s + # NOTE (code-vnc 2026-04-19): `viktorbarzin/dovecot_exporter` + # expects the legacy old_stats FIFO wire protocol. Dovecot 2.3 still + # supports the `old_stats` plugin, but docker-mailserver 15.0.0 + # ships `service stats` (new architecture) as the default. Mixing + # the two — enabling old_stats + declaring `service old-stats + # unix_listener stats-reader` — makes `doveadm stats dump` fail + # with "Failed to read VERSION line" and the exporter loops on + # "Input does not provide any columns". A real fix requires either + # a newer exporter that speaks Dovecot 2.3 `doveadm-server` / + # HTTP stats, or retiring the exporter entirely. Tracked as a + # follow-up task. EOF fail2ban_conf = <<-EOF [DEFAULT]