mailserver: silence mixed-TLS-directive warning + drop SMTP scanner noise from Loki

Two mailserver-namespace log-noise cleanups (cluster's #1 Loki error
source, from the 2026-06-06 log triage):

1. TLS warning: docker-mailserver SSL_TYPE=manual writes the authoritative
   smtpd_tls_chain_files at boot, so the legacy smtpd_tls_cert_file/key_file
   in our postfix-main.cf override were IGNORED and triggered postfix's
   'Both smtpd_tls_chain_files and ... legacy ...' warning. Dropped the two
   legacy lines (functional no-op; chain_files already wins). Verified via
   live postconf.

2. Scanner noise (~9k lines/hr): narrow Alloy stage.drop for the benign
   public-SMTP probe patterns (unknown[unknown] SSL_accept resets, postscreen
   half-open drops, rate-limit-exceeded from unknown). Real delivery logs +
   real-IP SASL failures KEPT; CrowdSec bans these IPs independently, so
   security posture is unchanged. Validated with 'alloy fmt' (exit 0).
   Reversible.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Viktor Barzin 2026-06-06 05:11:33 +00:00
parent de181a9afc
commit 8a3bbde38c
2 changed files with 19 additions and 2 deletions


@ -8,8 +8,11 @@ smtp_sasl_password_maps = hash:/etc/postfix/sasl/passwd
smtp_sasl_security_options = noanonymous smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous smtp_sasl_tls_security_options = noanonymous
smtp_tls_security_level = encrypt smtp_tls_security_level = encrypt
smtpd_tls_cert_file=/tmp/ssl/tls.crt # TLS cert/key come from docker-mailserver's SSL_TYPE=manual flow, which writes
smtpd_tls_key_file=/tmp/ssl/tls.key # the authoritative `smtpd_tls_chain_files` into main.cf at boot. Setting the
# legacy smtpd_tls_cert_file/smtpd_tls_key_file here too makes postfix warn
# ("Both smtpd_tls_chain_files and one or more of the legacy ...") and ignore
# them. Dropped to silence the warning functionally a no-op (chain_files wins).
smtpd_use_tls=yes smtpd_use_tls=yes
# Require STARTTLS before any AUTH command on the SMTPD listener. # Require STARTTLS before any AUTH command on the SMTPD listener.
# Without this, a misconfigured client that skips STARTTLS would send # Without this, a misconfigured client that skips STARTTLS would send
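Review bot: the last line of the new comment block, "Dropped to silence the warning functionally a no-op (chain_files wins).", is missing punctuation between its two clauses; suggest "Dropped to silence the warning; functionally a no-op (chain_files wins)." More substantively, once the legacy smtpd_tls_cert_file/smtpd_tls_key_file lines are gone this override carries no certificate setting of its own, so the smtpd listener's TLS now depends entirely on the SSL_TYPE=manual boot step populating smtpd_tls_chain_files. If that step ever fails or SSL_TYPE changes, smtpd_use_tls=yes would leave the listener with no server certificate, STARTTLS would not be offered and, given the STARTTLS-before-AUTH requirement described in the comment lines just below, AUTH would silently become unavailable. That is the safe direction to fail, but it is worth stating the dependency in the comment and turning the one-off "verified via live postconf" check from the commit message into a post-boot check that `postconf smtpd_tls_chain_files` returns a non-empty value.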


@ -135,6 +135,20 @@ alloy:
// line. All cluster nodes run containerd, so a bare stage.cri is correct. // line. All cluster nodes run containerd, so a bare stage.cri is correct.
stage.cri { } stage.cri { }
// Drop benign public-SMTP scanner noise from the mailserver pod only:
// unknown[unknown] probes that never complete TLS/PROXY + postscreen
// half-open drops (~9k lines/hr, the cluster's #1 Loki error source).
// Real delivery logs and real-IP SASL failures are KEPT; CrowdSec bans
// these scanner IPs independently, so security posture is unchanged.
// Reversible — delete this stage to ship the lines again.
stage.match {
selector = `{namespace="mailserver"}`
stage.drop {
expression = `.*(getpeername: Transport endpoint is not connected -- dropping|SSL_accept error from unknown\[unknown\]|Connection rate limit exceeded: [0-9]+ from unknown\[unknown\]).*`
drop_counter_reason = "mailserver_scanner_noise"
}
}
stage.static_labels { stage.static_labels {
values = { values = {
cluster = "default", cluster = "default",
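Review bot: the comment says the drop applies "from the mailserver pod only", but the selector `{namespace="mailserver"}` matches every pod in that namespace, so any sidecar or companion pod there whose output hits the regex is dropped as well; either narrow the selector with a pod or container label (for example `{namespace="mailserver", container="mailserver"}`, using whatever label the cri stage actually sets) or reword the comment to say "namespace". Second, the justification for dropping the "SSL_accept error" and "Connection rate limit exceeded" lines is that "CrowdSec bans these scanner IPs independently"; please confirm in the comment that CrowdSec acquires the Postfix log directly from the container rather than via Loki, otherwise this stage blinds the very banning path the comment relies on, and consider alerting on the `mailserver_scanner_noise` drop counter so a sudden change in volume is still visible even though the lines themselves are gone. Minor: the leading and trailing `.*` in the expression are unnecessary for an unanchored RE2 match, and the first alternative ("getpeername: Transport endpoint is not connected -- dropping") is not restricted to unknown[unknown] the way the other two are, which is acceptable for this noise but worth stating so nobody assumes it is.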