From 8a3bbde38cc0fa592dc3338c5fc24bca167beef4 Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Sat, 6 Jun 2026 05:11:33 +0000
Subject: [PATCH] mailserver: silence mixed-TLS-directive warning + drop SMTP scanner noise from Loki
Two mailserver-namespace log-noise cleanups (cluster's #1 Loki error source, from the 2026-06-06 log triage):
1. TLS warning: docker-mailserver SSL_TYPE=manual writes the authoritative smtpd_tls_chain_files at boot, so the legacy smtpd_tls_cert_file/key_file in our postfix-main.cf override were IGNORED and triggered postfix's 'Both smtpd_tls_chain_files and ... legacy ...' warning. Dropped the two legacy lines (functional no-op; chain_files already wins). Verified via live postconf.
2. Scanner noise (~9k lines/hr): narrow Alloy stage.drop for the benign public-SMTP probe patterns (unknown[unknown] SSL_accept resets, postscreen half-open drops, rate-limit-exceeded from unknown). Real delivery logs + real-IP SASL failures KEPT; CrowdSec bans these IPs independently, so security posture is unchanged. Validated with 'alloy fmt' (exit 0). Reversible.
Co-Authored-By: Claude Opus 4.8
---
 stacks/mailserver/modules/mailserver/variables.tf | 7 +++++--
 stacks/monitoring/modules/monitoring/alloy.yaml | 14 ++++++++++++++
 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/stacks/mailserver/modules/mailserver/variables.tf b/stacks/mailserver/modules/mailserver/variables.tf
index 29d6665c..47c448b4 100644
--- a/stacks/mailserver/modules/mailserver/variables.tf
+++ b/stacks/mailserver/modules/mailserver/variables.tf
@@ -8,8 +8,11 @@ smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
 smtp_sasl_security_options = noanonymous
 smtp_sasl_tls_security_options = noanonymous
 smtp_tls_security_level = encrypt
-smtpd_tls_cert_file=/tmp/ssl/tls.crt
-smtpd_tls_key_file=/tmp/ssl/tls.key
+# TLS cert/key come from docker-mailserver's SSL_TYPE=manual flow, which writes
+# the authoritative `smtpd_tls_chain_files` into main.cf at boot. Setting the
+# legacy smtpd_tls_cert_file/smtpd_tls_key_file here too makes postfix warn
+# ("Both smtpd_tls_chain_files and one or more of the legacy ...") and ignore
+# them. Dropped to silence the warning — functionally a no-op (chain_files wins).
 smtpd_use_tls=yes
 # Require STARTTLS before any AUTH command on the SMTPD listener.
 # Without this, a misconfigured client that skips STARTTLS would send
diff --git a/stacks/monitoring/modules/monitoring/alloy.yaml b/stacks/monitoring/modules/monitoring/alloy.yaml
index d2f9602d..2585d3f2 100644
--- a/stacks/monitoring/modules/monitoring/alloy.yaml
+++ b/stacks/monitoring/modules/monitoring/alloy.yaml
@@ -135,6 +135,20 @@ alloy:
 // line. All cluster nodes run containerd, so a bare stage.cri is correct.
 stage.cri {
 }
+ // Drop benign public-SMTP scanner noise from the mailserver pod only:
+ // unknown[unknown] probes that never complete TLS/PROXY + postscreen
+ // half-open drops (~9k lines/hr, the cluster's #1 Loki error source).
+ // Real delivery logs and real-IP SASL failures are KEPT; CrowdSec bans
+ // these scanner IPs independently, so security posture is unchanged.
+ // Reversible — delete this stage to ship the lines again.
+ stage.match {
+ selector = `{namespace="mailserver"}`
+ stage.drop {
+ expression = `.*(getpeername: Transport endpoint is not connected -- dropping|SSL_accept error from unknown\[unknown\]|Connection rate limit exceeded: [0-9]+ from unknown\[unknown\]).*`
+ drop_counter_reason = "mailserver_scanner_noise"
+ }
+ }
+
 stage.static_labels {
 values = {
 cluster = "default",
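Review bot: Removing the legacy cert/key lines makes this override depend entirely on the SSL_TYPE=manual flow the new comment describes, but nothing in the hunk records where that setting lives or what happens if it is absent; with smtpd_use_tls=yes and no smtpd_tls_chain_files written at boot, postfix would as far as I can tell start without a server certificate, and given the "Require STARTTLS before any AUTH" setting that follows (presumably smtpd_tls_auth_only), AUTH would then stop being offered — a fail-closed outage rather than a silent downgrade, but worth stating next to the removal. I'd extend the comment with the dependency and the check the commit message relied on, e.g. `# REQUIRES SSL_TYPE=manual on the mailserver container (set in <env/values file placeholder>); without it no cert is configured at all.` and `# verify after boot: postconf smtpd_tls_chain_files smtpd_tls_cert_file`. The enclosing variable default (the main.cf heredoc) starts and ends outside this hunk.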
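Review bot: The selector `{namespace="mailserver"}` is broader than the new comment's "mailserver pod only" — every pod in that namespace is subject to the drop; the patterns are postfix-specific so the practical effect is small, but either the comment should say namespace or the selector should add whichever pod/container label the relabel stage in this file sets (e.g. `{namespace="mailserver", container="<mailserver container placeholder>"}`). Once these lines are gone the only trace of a probe burst is the counter, so `loki_process_dropped_lines_total{reason="mailserver_scanner_noise"}` deserves a dashboard panel or rate alert — a step change in it is the remaining signal for a scanning surge, or for this stage silently swallowing a new message type; a comment pointing at that metric would help the next reader, e.g. `// Dropped-line volume is still visible via loki_process_dropped_lines_total{reason="mailserver_scanner_noise"}.`. Note that the first alternative, `getpeername: Transport endpoint is not connected -- dropping`, is not qualified by `unknown\[unknown\]` like the other two, so that message is dropped regardless of peer; if that is intentional the comment should say so. The enclosing loki.process stage list starts and ends outside this hunk.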