add a bit more logging for non-SNI tls requests

for peace of mind.

these are probably requests to port 443 without SNI.
Mechiel Lukkien 2023-02-25 12:56:25 +01:00
parent 26fcaa17f5
commit b8fa918d74
2 changed files with 4 additions and 4 deletions


@ -52,7 +52,7 @@ var (
// certificates for allowlisted hosts.
type Manager struct {
ACMETLSConfig *tls.Config // For serving HTTPS on port 443, which is required for certificate requests to succeed.
TLSConfig *tls.Config // For all TLS servers not used for validating ACME requests. Like SMTP and HTTPS on ports other than 443.
TLSConfig *tls.Config // For all TLS servers not used for validating ACME requests. Like SMTP and IMAP (including with STARTTLS) and HTTPS on ports other than 443.
Manager *autocert.Manager
shutdown <-chan struct{}
@ -147,7 +147,7 @@ func Load(name, acmeDir, contactEmail, directoryURL string, shutdown <-chan stru
// common for SMTP STARTTLS connections, which often do not care about the
// validation of the certificate.
if hello.ServerName == "" {
log.Debug("tls request without sni servername, rejecting")
log.Debug("tls request without sni servername, rejecting", mlog.Field("localaddr", hello.Conn.LocalAddr()), mlog.Field("supportedprotos", hello.SupportedProtos))
return nil, fmt.Errorf("sni server name required")
}
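Review bot: The new debug line records the local address and ALPN list but not the peer, which is the field you actually need to tell a scanner or a legacy MTA apart from a misconfigured client; adding `mlog.Field("remoteaddr", hello.Conn.RemoteAddr())` next to `localaddr` on the `log.Debug` call would make the rejection actionable. `hello.SupportedProtos` is client-supplied bytes, so this relies on mlog quoting or escaping field values so that a crafted ALPN entry cannot inject newlines or control characters into the log; worth confirming if that is not already guaranteed by the logger. Because the message stays at Debug level it will not appear under the default log level despite the "peace of mind" intent, and raising it would need rate limiting since every SNI-less probe of port 443 would then produce a line. The enclosing Load function and its GetCertificate closure start and end outside the hunk.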


@ -287,6 +287,6 @@ type TLS struct {
} `sconf:"optional"`
MinVersion string `sconf:"optional" sconf-doc:"Minimum TLS version. Default: TLSv1.2."`
Config *tls.Config `sconf:"-" json:"-"`
ACMEConfig *tls.Config `sconf:"-" json:"-"`
Config *tls.Config `sconf:"-" json:"-"` // TLS config for non-ACME-verification connections, i.e. SMTP and IMAP, and not port 443.
ACMEConfig *tls.Config `sconf:"-" json:"-"` // TLS config that handles ACME verification, for serving on port 443.
}
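Review bot: The new comment on `Config` says it covers SMTP and IMAP "and not port 443", while the `Manager.TLSConfig` comment in the other file also lists HTTPS on ports other than 443; if `Config` is the same configuration that feeds `Manager.TLSConfig`, the two descriptions should agree so a reader does not conclude non-443 HTTPS goes through `ACMEConfig`. Suggest `// TLS config for connections not used for ACME verification: SMTP, IMAP (including STARTTLS) and HTTPS on ports other than 443.` The enclosing TLS struct starts outside the hunk.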