diff --git a/infra/ansible/roles/mail/tasks/main.yml b/infra/ansible/roles/mail/tasks/main.yml
index c99d787..252fa85 100644
--- a/infra/ansible/roles/mail/tasks/main.yml
+++ b/infra/ansible/roles/mail/tasks/main.yml
@@ -96,3 +96,30 @@
 register: postfix_milter
 changed_when: false
 notify: Reload postfix
+
+# Postfix on this host logs via its built-in postlogd (maillog_file mode), not
+# rsyslog -- there is no rsyslog.service. postlogd holds mail.log open, so a
+# plain rename+create leaves it writing to the old inode. Use copytruncate
+# (copy then truncate in place) which needs no daemon signal. mail.log had
+# grown unbounded to ~1 GB (~150 MB/day) with no rotation rule at all.
+- name: Install logrotate rule for Postfix (postlogd) mail logs
+ ansible.builtin.copy:
+ dest: /etc/logrotate.d/rsyslog-mail
+ owner: root
+ group: root
+ mode: "0644"
+ content: |
+ /var/log/mail.log
+ /var/log/mail.err
+ /var/log/mail.warn
+ /var/log/mail.info
+ {
+ rotate 14
+ daily
+ missingok
+ notifempty
+ compress
+ delaycompress
+ copytruncate
+ }
+
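Review bot: `copytruncate` in the new logrotate stanza can drop whatever postlogd writes between the copy and the truncate, so each daily rotation may leave a small gap in the mail log that an investigation could later need, yet the comment block presents the choice as cost-free. If the trade-off is accepted, record it in the comment, e.g. `# copytruncate can lose lines written between the copy and the truncate`, and confirm postlogd opens the file in append mode, since otherwise the truncated file turns sparse. Postfix 3.4+ also ships `postfix logrotate`, which renames the file and has postlogd reopen it; that avoids the gap and is worth evaluating here. Separately, `dest: /etc/logrotate.d/rsyslog-mail` names rsyslog on a host the comment says has none, so a name like `postfix-mail` would mislead less. It is also worth checking that no leftover `/etc/logrotate.d/rsyslog` still lists `/var/log/mail.log`, because logrotate rejects duplicate log entries.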