From c693e695b4d591b69dc55a2e7bdd1fe064d1e859 Mon Sep 17 00:00:00 2001 From: Brad Stein Date: Tue, 6 Jan 2026 14:00:14 -0300 Subject: [PATCH] mailu: harden relay + fix postmark exporter --- scripts/dashboards_render_atlas.py | 4 ++-- services/mailu/helmrelease.yaml | 4 ++++ services/monitoring/dashboards/atlas-overview.json | 4 ++-- services/monitoring/grafana-dashboard-overview.yaml | 4 ++-- services/monitoring/postmark-exporter-deployment.yaml | 4 ++-- 5 files changed, 12 insertions(+), 8 deletions(-) diff --git a/scripts/dashboards_render_atlas.py b/scripts/dashboards_render_atlas.py index fa8f609..0965860 100644 --- a/scripts/dashboards_render_atlas.py +++ b/scripts/dashboards_render_atlas.py @@ -960,7 +960,7 @@ def build_overview(): "type": "stat", "title": "Mail Bounces (1d)", "datasource": PROM_DS, - "gridPos": {"h": 2, "w": 6, "x": 6, "y": 8}, + "gridPos": {"h": 2, "w": 6, "x": 12, "y": 8}, "targets": [ { "expr": 'max(postmark_outbound_bounce_rate{window="1d"})', @@ -1006,7 +1006,7 @@ def build_overview(): 32, "Mail Success Rate (1d)", 'clamp_min(100 - max(postmark_outbound_bounce_rate{window="1d"}), 0)', - {"h": 2, "w": 6, "x": 12, "y": 8}, + {"h": 2, "w": 6, "x": 6, "y": 8}, unit="percent", thresholds=mail_success_thresholds, decimals=1, diff --git a/services/mailu/helmrelease.yaml b/services/mailu/helmrelease.yaml index e591e64..c72c38f 100644 --- a/services/mailu/helmrelease.yaml +++ b/services/mailu/helmrelease.yaml @@ -218,6 +218,10 @@ spec: hardware: rpi4 overrides: postfix.cf: | + smtpd_helo_required = yes + smtpd_helo_restrictions = reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname + smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_pipelining + smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_non_fqdn_recipient, reject_unknown_recipient_domain smtpd_relay_restrictions = permit_sasl_authenticated, reject_unauth_destination smtpd_sender_restrictions = reject_non_fqdn_sender, reject_unknown_sender_domain, reject_sender_login_mismatch, reject_authenticated_sender_login_mismatch smtpd_tls_auth_only = yes diff --git a/services/monitoring/dashboards/atlas-overview.json b/services/monitoring/dashboards/atlas-overview.json index 7a9c73e..0382199 100644 --- a/services/monitoring/dashboards/atlas-overview.json +++ b/services/monitoring/dashboards/atlas-overview.json @@ -864,7 +864,7 @@ "gridPos": { "h": 2, "w": 6, - "x": 6, + "x": 12, "y": 8 }, "targets": [ @@ -969,7 +969,7 @@ "gridPos": { "h": 2, "w": 6, - "x": 12, + "x": 6, "y": 8 }, "targets": [ diff --git a/services/monitoring/grafana-dashboard-overview.yaml b/services/monitoring/grafana-dashboard-overview.yaml index 82ca78c..af69a39 100644 --- a/services/monitoring/grafana-dashboard-overview.yaml +++ b/services/monitoring/grafana-dashboard-overview.yaml @@ -873,7 +873,7 @@ data: "gridPos": { "h": 2, "w": 6, - "x": 6, + "x": 12, "y": 8 }, "targets": [ @@ -978,7 +978,7 @@ data: "gridPos": { "h": 2, "w": 6, - "x": 12, + "x": 6, "y": 8 }, "targets": [ diff --git a/services/monitoring/postmark-exporter-deployment.yaml b/services/monitoring/postmark-exporter-deployment.yaml index eb2877e..646c455 100644 --- a/services/monitoring/postmark-exporter-deployment.yaml +++ b/services/monitoring/postmark-exporter-deployment.yaml @@ -33,12 +33,12 @@ spec: valueFrom: secretKeyRef: name: postmark-exporter - key: relay-username + key: server-token - name: POSTMARK_SERVER_TOKEN_FALLBACK valueFrom: secretKeyRef: name: postmark-exporter - key: relay-password + key: server-token-fallback - name: POSTMARK_SENDING_LIMIT valueFrom: secretKeyRef: