diff --git a/hosts/falkenstein/modules/monitoring/default.nix b/hosts/falkenstein/modules/monitoring/default.nix
index be1d931..4f18bfe 100644
--- a/hosts/falkenstein/modules/monitoring/default.nix
+++ b/hosts/falkenstein/modules/monitoring/default.nix
@@ -3,9 +3,6 @@
 age.secrets."maxmind" = {
 file = ../../../../secrets/shared/maxmind.age;
 };
- imports = [
- ./dmarc.nix
- ];
 users.users."promtail".extraGroups = [ "caddy" "systemd-journal" ];
 services.prometheus = {
 exporters = {
@@ -13,6 +10,9 @@
 enable = true;
 enabledCollectors = [ "systemd" ];
 };
+ postfix = {
+ enable = true;
+ };
 };
 };
 services.geoipupdate = {
@@ -115,5 +115,6 @@
 };
 networking.firewall.allowedTCPPorts = [
 config.services.prometheus.exporters.node.port
+ config.services.prometheus.exporters.postfix.port
 ];
 }
diff --git a/hosts/falkenstein/modules/monitoring/dmarc.nix b/hosts/falkenstein/modules/monitoring/dmarc.nix
deleted file mode 100644
index f1d66bb..0000000
--- a/hosts/falkenstein/modules/monitoring/dmarc.nix
+++ /dev/null
@@ -1,35 +0,0 @@
-{ config, ... }:
-{
- age.secrets.dmarc = {
- file = ../../../../secrets/falkenstein/dmarc.age;
- };
- users.users.dmarc = {
- description = "DMARC Report recipient";
- isNormalUser = true;
- };
- networking.firewall.allowedTCPPorts = [ config.services.elasticsearch.tcp_port ];
- services.parsedmarc = {
- enable = true;
- provision = {
- grafana = {
- dashboard = false;
- datasource = false;
- };
- localMail.enable = false;
- elasticsearch = false;
- geoIp = false;
- };
- settings = {
- imap = {
- user = "dmarc@rfive.de";
- port = 993;
- host = "mail.rfive.de";
- password = {
- _secret = config.age.secrets.dmarc.path;
- };
- };
- opensearch.hosts = "localhost:9200";
- };
- };
- services.opensearch.enable = true;
-}
diff --git a/hosts/nuc/modules/monitoring/default.nix b/hosts/nuc/modules/monitoring/default.nix
index 31619ae..ba3aed7 100644
--- a/hosts/nuc/modules/monitoring/default.nix
+++ b/hosts/nuc/modules/monitoring/default.nix
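Review bot: The `postfix` exporter block added in the second hunk of hosts/falkenstein/modules/monitoring/default.nix sets only `enable = true;`, so the exporter's log source is left at the module default. If it is meant to read Postfix logs from the journal, as the overlay comment in this commit suggests, that probably has to be requested explicitly, e.g. `systemd.enable = true;` inside the block; please confirm against the NixOS module options. An exporter that starts cleanly but never sees a log line exports counters that stay flat, which is easy to mistake for a quiet mail server. The enclosing `services.prometheus` set begins above this hunk.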
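Review bot: Adding `config.services.prometheus.exporters.postfix.port` to `networking.firewall.allowedTCPPorts` in the last hunk of hosts/falkenstein/modules/monitoring/default.nix opens the exporter on every interface, while the scrape job added for nuc in this commit reaches it through `falkenstein.vpn.rfive.de`. The exporter serves unauthenticated metrics about mail traffic, so it should only be reachable from the VPN: `networking.firewall.interfaces."<vpn-interface>".allowedTCPPorts = [ config.services.prometheus.exporters.postfix.port ];` (the interface name is a placeholder), optionally combined with the exporter's `listenAddress`. The node exporter port already in the list has the same exposure. The attribute set holding this list starts outside the hunk.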
@@ -104,6 +104,12 @@ in
 }];
 scrape_interval = "15s";
 }
+ {
+ job_name = "postfix";
+ static_configs = [{
+ targets = [ "falkenstein.vpn.rfive.de:${toString config.services.prometheus.exporters.postfix.port}" ];
+ }];
+ }
 {
 job_name = "synapse";
 static_configs = [{
diff --git a/overlays/default.nix b/overlays/default.nix
index 3e9738a..7e4ccb5 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -112,4 +112,16 @@ in
 pythonPath = python.pkgs.makePythonPath propagatedBuildInputs;
 };
 });
+ # (hopefully) fix systemd journal reading
+ prometheus-postfix-exporter = prev.prometheus-postfix-exporter.overrideAttrs (_old: {
+ patches = [
+ ./prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch
+ ];
+ src = fetchFromGitHub {
+ owner = "adangel";
+ repo = "postfix_exporter";
+ rev = "414ac12ee63415eede46cb3084d755a6da6fba23";
+ hash = "sha256-m1kVaO3N7XC1vtnxXX9kMiEFPmZuoopRUYgA7gQzP8w=";
+ };
+ });
 }
diff --git a/overlays/prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch b/overlays/prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch
new file mode 100644
index 0000000..2b60316
--- /dev/null
+++ b/overlays/prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch
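Review bot: The target port of the new `postfix` job in hosts/nuc/modules/monitoring/default.nix is read from nuc's own `config.services.prometheus.exporters.postfix.port`, not from falkenstein's configuration, so the two agree only while both hosts keep the module default. A comment on the target such as `# port must match the postfix exporter port configured on falkenstein` would make that coupling visible. The job also sets no `scrape_interval`, unlike the entry directly above it, and therefore falls back to the global interval; say so in a comment if that is intended. The list of scrape jobs starts and ends outside the hunk.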
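Review bot: `patches = [ ... ]` in the `prometheus-postfix-exporter` override in overlays/default.nix replaces whatever patch list the nixpkgs package carries instead of extending it; unless dropping those is intended, `patches = (_old.patches or [ ]) ++ [ ./prometheus-postfix-exporter/0001-cleanup-also-catch-milter-reject.patch ];` keeps them. Pinning the fork by `rev` and `hash` is the right way to pull third-party source, but the override leaves the package's `version` and, as far as this hunk shows, its vendored Go module set tied to the original source, so it is worth confirming that the build really uses the fork's dependencies. The comment `# (hopefully) fix systemd journal reading` should name the upstream issue or change that the fork carries, so the override can be removed once it lands upstream.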
@@ -0,0 +1,25 @@ +From f4c5dd5628c873981b2d6d6b8f3bbf036b9fd724 Mon Sep 17 00:00:00 2001 +From: Rouven Seifert +Date: Thu, 2 May 2024 11:20:27 +0200 +Subject: [PATCH] cleanup: also catch milter-reject + +--- + postfix_exporter.go | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/postfix_exporter.go b/postfix_exporter.go +index f20d99c..676d767 100644 +--- a/postfix_exporter.go ++++ b/postfix_exporter.go +@@ -335,6 +335,8 @@ func (e *PostfixExporter) CollectFromLogLine(line string) { + e.cleanupProcesses.Inc() + } else if strings.Contains(remainder, ": reject: ") { + e.cleanupRejects.Inc() ++ } else if strings.Contains(remainder, ": milter-reject: ") { ++ e.cleanupRejects.Inc() + } else { + e.addToUnsupportedLine(line, subprocess, level) + } +-- +2.44.0 + diff --git a/secrets.nix b/secrets.nix index 8c188cb..055be04 100644 --- a/secrets.nix +++ b/secrets.nix @@ -36,7 +36,6 @@ in "secrets/falkenstein/wireguard/dorm/preshared.age".publicKeys = [ rouven falkenstein ]; "secrets/falkenstein/borg/passphrase.age".publicKeys = [ rouven falkenstein ]; "secrets/falkenstein/borg/key.age".publicKeys = [ rouven falkenstein ]; - "secrets/falkenstein/dmarc.age".publicKeys = [ rouven falkenstein ]; #shared "secrets/shared/maxmind.age".publicKeys = [ rouven nuc falkenstein ]; diff --git a/secrets/falkenstein/dmarc.age b/secrets/falkenstein/dmarc.age deleted file mode 100644 index 0383f1e..0000000 --- a/secrets/falkenstein/dmarc.age +++ /dev/null @@ -1,7 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 uWbAHQ OVBZwLNH5ryKgNruVU0XRV2F5dDu7W9R3qMWz08Krzs -vrXngscbxNRGfITXKM1uRNFRjUZRaWNpZ9ijSy+pERw --> ssh-ed25519 slrRig AIO7ny4bykCYWzLgCfd75dt00myFSd+waEv2/MEOpUY -65u83G9Ew+idajuExoTb5URAnM1paEGFYsfQ3HqKvGg ---- YoSI0kDXGCKQQCebjG8vzsTJMomjJ3RZWY0j+eG5U6U -n NS]6ep!Y" D&u2NJy`j \ No newline at end of file
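Review bot: The `milter-reject` branch added to `CollectFromLogLine` by the embedded patch repeats the body of the `reject` branch directly above it; a single condition says the same thing: `} else if strings.Contains(remainder, ": reject: ") || strings.Contains(remainder, ": milter-reject: ") {`. Both checks match the marker anywhere in `remainder`, and cleanup log lines usually include text supplied by the remote sender, so the counter is only as trustworthy as that match; anchoring it to the position right after the queue ID would be tighter if the line format allows it. Folding milter rejects into `cleanupRejects` also hides which mechanism rejected the mail, so a comment stating that this is intentional would help whoever builds alerts on the metric. The function begins and ends outside the hunk, and the patch touches only `postfix_exporter.go`, so no test case covers the new line format.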