mail: add logrotate for Postfix mail.log (postlogd copytruncate)

mail.log had no logrotate rule and grew unbounded to ~1GB (~150MB/day) since Jun 8. This host logs via Postfix's built-in postlogd (maillog_file mode), not rsyslog (no rsyslog.service exists), so postlogd holds the file open -- a plain rename+create would leave it writing to the stale inode. Use copytruncate (no daemon signal needed). Rotate daily, keep 14 days compressed. Applied live: forced first rotation, compressed the 1GB archive (->99MB), verified logging + bounce watchers + DKIM signing intact. Part of the email-deliverability incident hardening (follows DKIM fix 4d59019).
2026-06-17 19:47:13 -05:00 · 2026-06-17 19:47:13 -05:00 · 2e4388a803
commit 2e4388a803
parent 4d5901921e
1 changed files with 27 additions and 0 deletions
--- a/infra/ansible/roles/mail/tasks/main.yml
+++ b/infra/ansible/roles/mail/tasks/main.yml
@ -96,3 +96,30 @@
  register: postfix_milter
  changed_when: false
  notify: Reload postfix
+
+# Postfix on this host logs via its built-in postlogd (maillog_file mode), not
+# rsyslog -- there is no rsyslog.service. postlogd holds mail.log open, so a
+# plain rename+create leaves it writing to the old inode. Use copytruncate
+# (copy then truncate in place) which needs no daemon signal. mail.log had
+# grown unbounded to ~1 GB (~150 MB/day) with no rotation rule at all.
+- name: Install logrotate rule for Postfix (postlogd) mail logs
+  ansible.builtin.copy:
+    dest: /etc/logrotate.d/rsyslog-mail
+    owner: root
+    group: root
+    mode: "0644"
+    content: |
+      /var/log/mail.log
+      /var/log/mail.err
+      /var/log/mail.warn
+      /var/log/mail.info
+      {
+          rotate 14
+          daily
+          missingok
+          notifempty
+          compress
+          delaycompress
+          copytruncate
+      }
+