diff --git a/stacks/mailserver/modules/mailserver/variables.tf b/stacks/mailserver/modules/mailserver/variables.tf
index 29d6665c..47c448b4 100644
--- a/stacks/mailserver/modules/mailserver/variables.tf
+++ b/stacks/mailserver/modules/mailserver/variables.tf
@@ -8,8 +8,11 @@ smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
 smtp_sasl_security_options = noanonymous
 smtp_sasl_tls_security_options = noanonymous
 smtp_tls_security_level = encrypt
-smtpd_tls_cert_file=/tmp/ssl/tls.crt
-smtpd_tls_key_file=/tmp/ssl/tls.key
+# TLS cert/key come from docker-mailserver's SSL_TYPE=manual flow, which writes
+# the authoritative `smtpd_tls_chain_files` into main.cf at boot. Setting the
+# legacy smtpd_tls_cert_file/smtpd_tls_key_file here too makes postfix warn
+# ("Both smtpd_tls_chain_files and one or more of the legacy ...") and ignore
+# them. Dropped to silence the warning — functionally a no-op (chain_files wins).
 smtpd_use_tls=yes
 # Require STARTTLS before any AUTH command on the SMTPD listener.
 # Without this, a misconfigured client that skips STARTTLS would send
diff --git a/stacks/monitoring/modules/monitoring/alloy.yaml b/stacks/monitoring/modules/monitoring/alloy.yaml
index d2f9602d..2585d3f2 100644
--- a/stacks/monitoring/modules/monitoring/alloy.yaml
+++ b/stacks/monitoring/modules/monitoring/alloy.yaml
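Review bot: With the two legacy lines removed, this main.cf fragment no longer carries a certificate of its own, so TLS on the SMTPD listener now rests entirely on the boot-time SSL_TYPE=manual flow writing `smtpd_tls_chain_files`; the removed lines were the implicit fallback whenever that flow did not run, which the new comment's "functionally a no-op" understates. The precondition should be stated where the fallback used to be and be checkable, e.g. `# Precondition: SSL_TYPE=manual must be set on the container; without it no server cert is configured and STARTTLS would likely be unavailable (verify with postconf smtpd_tls_chain_files on the running pod).` Separately, `smtpd_use_tls=yes` on the following context line is itself a legacy parameter superseded by smtpd_tls_security_level, the same family the file already uses on the client side as `smtp_tls_security_level = encrypt`, so if the aim is to shed legacy TLS knobs it is a candidate too — hedged, since docker-mailserver may set smtpd_tls_security_level itself at boot. The heredoc this fragment belongs to starts and ends outside the hunk.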
@@ -135,6 +135,20 @@ alloy:
 // line. All cluster nodes run containerd, so a bare stage.cri is correct.
 stage.cri {
 }
+ // Drop benign public-SMTP scanner noise from the mailserver pod only:
+ // unknown[unknown] probes that never complete TLS/PROXY + postscreen
+ // half-open drops (~9k lines/hr, the cluster's #1 Loki error source).
+ // Real delivery logs and real-IP SASL failures are KEPT; CrowdSec bans
+ // these scanner IPs independently, so security posture is unchanged.
+ // Reversible — delete this stage to ship the lines again.
+ stage.match {
+ selector = `{namespace="mailserver"}`
+ stage.drop {
+ expression = `.*(getpeername: Transport endpoint is not connected -- dropping|SSL_accept error from unknown\[unknown\]|Connection rate limit exceeded: [0-9]+ from unknown\[unknown\]).*`
+ drop_counter_reason = "mailserver_scanner_noise"
+ }
+ }
+
 stage.static_labels {
 values = {
 cluster = "default",
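Review bot: The selector `{namespace="mailserver"}` matches every stream in the namespace, not "the mailserver pod only" as the first comment line claims, so a sidecar or helper pod in that namespace emitting a matching line is dropped silently as well; either narrow the selector with the pod/container label this pipeline's relabel stage sets (not visible in the hunk) or correct the comment to `// Drop benign public-SMTP scanner noise from the mailserver namespace only:`. Because the drop is counted under `drop_counter_reason = "mailserver_scanner_noise"`, that reason should be wired into a dashboard or alert: a sudden rise is now the only remaining trace of a probe burst or connection flood against the listener, and a fall to zero would show the stage or regex stopped matching after a Postfix or docker-mailserver log-format change. Note also that the first alternative, `getpeername: Transport endpoint is not connected -- dropping`, carries no `unknown\[unknown\]` qualifier, so unlike the other two it drops that message regardless of peer — acceptable if intended, but the comment's "real-IP ... failures are KEPT" claim does not cover it. The enclosing block these stages belong to starts and ends outside the hunk.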