From b8fa918d7476569d1b8d7b15434eb2158e055fc4 Mon Sep 17 00:00:00 2001
From: Mechiel Lukkien <mechiel@ueber.net>
Date: Sat, 25 Feb 2023 12:56:25 +0100
Subject: [PATCH] add a bit more logging for non-SNI tls requests

for peace of mind.

These are probably connections to port 443 that do not send an SNI server name.
---
 autotls/autotls.go | 4 ++--
 config/config.go   | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/autotls/autotls.go b/autotls/autotls.go
index 435e604..bde0561 100644
--- a/autotls/autotls.go
+++ b/autotls/autotls.go
@@ -52,7 +52,7 @@ var (
 // certificates for allowlisted hosts.
 type Manager struct {
 	ACMETLSConfig *tls.Config // For serving HTTPS on port 443, which is required for certificate requests to succeed.
-	TLSConfig     *tls.Config // For all TLS servers not used for validating ACME requests. Like SMTP and HTTPS on ports other than 443.
+	TLSConfig     *tls.Config // For all TLS servers not used for validating ACME requests. Like SMTP and IMAP (including with STARTTLS) and HTTPS on ports other than 443.
 	Manager       *autocert.Manager
 
 	shutdown <-chan struct{}
@@ -147,7 +147,7 @@ func Load(name, acmeDir, contactEmail, directoryURL string, shutdown <-chan stru
 		// common for SMTP STARTTLS connections, which often do not care about the
 		// validation of the certificate.
 		if hello.ServerName == "" {
-			log.Debug("tls request without sni servername, rejecting")
+			log.Debug("tls request without sni servername, rejecting", mlog.Field("localaddr", hello.Conn.LocalAddr()), mlog.Field("supportedprotos", hello.SupportedProtos))
 			return nil, fmt.Errorf("sni server name required")
 		}
 
diff --git a/config/config.go b/config/config.go
index 9b84577..4198b3d 100644
--- a/config/config.go
+++ b/config/config.go
@@ -287,6 +287,6 @@ type TLS struct {
 	} `sconf:"optional"`
 	MinVersion string `sconf:"optional" sconf-doc:"Minimum TLS version. Default: TLSv1.2."`
 
-	Config     *tls.Config `sconf:"-" json:"-"`
-	ACMEConfig *tls.Config `sconf:"-" json:"-"`
+	Config     *tls.Config `sconf:"-" json:"-"` // TLS config for non-ACME-verification connections, i.e. SMTP and IMAP, and not port 443.
+	ACMEConfig *tls.Config `sconf:"-" json:"-"` // TLS config that handles ACME verification, for serving on port 443.
 }
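Review bot: The new comment on `Config` says it covers "SMTP and IMAP, and not port 443", which is narrower than the matching comment in autotls.go that also lists HTTPS on ports other than 443; a reader of config.go alone would conclude that non-443 HTTPS uses a different config. Suggest aligning the wording: `// TLS config for non-ACME-verification connections, i.e. SMTP, IMAP (including STARTTLS) and HTTPS on ports other than 443.` The `TLS` struct this hunk belongs to starts before the hunk.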