diff --git a/stacks/mailserver/modules/mailserver/main.tf b/stacks/mailserver/modules/mailserver/main.tf
index 4adcd50f..5367a8aa 100644
--- a/stacks/mailserver/modules/mailserver/main.tf
+++ b/stacks/mailserver/modules/mailserver/main.tf
@@ -580,6 +580,29 @@ resource "kubernetes_service" "mailserver" {
 port = 993
 target_port = "imap-secure"
 }
+ }
+}
+
+# Split the Dovecot metrics port off the public LB and onto its own
+# ClusterIP Service. Port 9166 was only LAN-routable via 10.0.20.202
+# but was over-exposed for a Prometheus-internal metric. Addresses
+# code-izl. Prometheus scrape target follows in
+# stacks/monitoring/modules/monitoring/prometheus_chart_values.tpl
+# (updated to `mailserver-metrics.mailserver.svc.cluster.local:9166`).
+resource "kubernetes_service" "mailserver_metrics" {
+ metadata {
+ name = "mailserver-metrics"
+ namespace = kubernetes_namespace.mailserver.metadata[0].name
+ labels = {
+ app = "mailserver"
+ }
+ }
+
+ spec {
+ type = "ClusterIP"
+ selector = {
+ app = "mailserver"
+ }
 port {
 name = "dovecot-metrics"
diff --git a/stacks/monitoring/modules/monitoring/prometheus_chart_values.tpl b/stacks/monitoring/modules/monitoring/prometheus_chart_values.tpl
index aac306d9..c083b2a5 100755
--- a/stacks/monitoring/modules/monitoring/prometheus_chart_values.tpl
+++ b/stacks/monitoring/modules/monitoring/prometheus_chart_values.tpl
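Review bot: The new `mailserver_metrics` Service takes 9166 off the load balancer, but nothing in this hunk limits which in-cluster clients can reach it; a ClusterIP is reachable from every pod, and the exporter port on the pod IP is unchanged. If the CNI enforces NetworkPolicy, I would pair this with a policy on the `app = "mailserver"` pods that admits 9166 only from the Prometheus namespace, taking care to keep the mail ports open because selecting the pods isolates all their ingress. Also, the split is made by closing `kubernetes_service.mailserver` in the middle of its `spec`, and the `port` block and everything after it continue outside the hunk, so please confirm `dovecot-metrics` was the last entry: any later `port` block or `spec` argument now belongs to the ClusterIP Service. A one-line comment such as `# metrics only: never add mail ports here` above the `port` block would make that boundary explicit.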
@@ -2033,11 +2033,12 @@ serverFiles:
 extraScrapeConfigs: |
 - job_name: 'mailserver-dovecot'
 # Dovecot exporter lives on the mailserver pod; port 9166 is exposed by
- # the mailserver Service (`dovecot-metrics`). Kube-prometheus-stack (with
- ServiceMonitor CRDs) isn't deployed here, so we scrape by service DNS.
+ # the dedicated ClusterIP Service `mailserver-metrics` (split from the
+ # public LB in code-izl). Kube-prometheus-stack (with ServiceMonitor
+ # CRDs) isn't deployed here, so we scrape by service DNS.
 static_configs:
 - targets:
- "mailserver.mailserver.svc.cluster.local:9166"
+ - "mailserver-metrics.mailserver.svc.cluster.local:9166"
 metrics_path: '/metrics'
 scrape_interval: 30s
 - job_name: 'proxmox-host'
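Review bot: The new target resolves only after `kubernetes_service.mailserver_metrics` has been applied, and that resource lives in a different stack from this template, so the apply order decides whether the `mailserver-dovecot` job has a gap. Applying the mailserver stack first presumably leaves the old target dead until monitoring is applied, and the reverse leaves the new name unresolvable; either way, check `up{job="mailserver-dovecot"}` after both applies. The scrape also stays on the default plain-HTTP scheme with no credentials, which is presumably acceptable in-cluster but worth stating in the comment, e.g. `# unauthenticated HTTP; exposure is limited only by the ClusterIP Service`.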