mailserver: silence mixed-TLS-directive warning + drop SMTP scanner noise from Loki

Two mailserver-namespace log-noise cleanups (cluster's #1 Loki error source, from the 2026-06-06 log triage): 1. TLS warning: docker-mailserver SSL_TYPE=manual writes the authoritative smtpd_tls_chain_files at boot, so the legacy smtpd_tls_cert_file/key_file in our postfix-main.cf override were IGNORED and triggered postfix's 'Both smtpd_tls_chain_files and ... legacy ...' warning. Dropped the two legacy lines (functional no-op; chain_files already wins). Verified via live postconf. 2. Scanner noise (~9k lines/hr): narrow Alloy stage.drop for the benign public-SMTP probe patterns (unknown[unknown] SSL_accept resets, postscreen half-open drops, rate-limit-exceeded from unknown). Real delivery logs + real-IP SASL failures KEPT; CrowdSec bans these IPs independently, so security posture is unchanged. Validated with 'alloy fmt' (exit 0). Reversible. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-06 05:11:33 +00:00 · 2026-06-06 05:11:33 +00:00 · 8a3bbde38c
commit 8a3bbde38c
parent de181a9afc
2 changed files with 19 additions and 2 deletions
--- a/stacks/monitoring/modules/monitoring/alloy.yaml
+++ b/stacks/monitoring/modules/monitoring/alloy.yaml
@ -135,6 +135,20 @@ alloy:
        // line. All cluster nodes run containerd, so a bare stage.cri is correct.
        stage.cri { }

+        // Drop benign public-SMTP scanner noise from the mailserver pod only:
+        // unknown[unknown] probes that never complete TLS/PROXY + postscreen
+        // half-open drops (~9k lines/hr, the cluster's #1 Loki error source).
+        // Real delivery logs and real-IP SASL failures are KEPT; CrowdSec bans
+        // these scanner IPs independently, so security posture is unchanged.
+        // Reversible — delete this stage to ship the lines again.
+        stage.match {
+          selector = `{namespace="mailserver"}`
+          stage.drop {
+            expression          = `.*(getpeername: Transport endpoint is not connected -- dropping|SSL_accept error from unknown\[unknown\]|Connection rate limit exceeded: [0-9]+ from unknown\[unknown\]).*`
+            drop_counter_reason = "mailserver_scanner_noise"
+          }
+        }
+
        stage.static_labels {
            values = {
              cluster = "default",