add some tls debugging for mailserver [ci skip]

2024-01-26 22:16:19 +00:00 · 2024-01-26 22:16:19 +00:00 · 0d1c9c850b
commit 0d1c9c850b
parent 3a4ecb408a
3 changed files with 11 additions and 5 deletions
--- a/modules/kubernetes/mailserver/variables.tf
+++ b/modules/kubernetes/mailserver/variables.tf
@ -9,8 +9,14 @@ smtp_sasl_security_options = noanonymous
 smtp_sasl_tls_security_options = noanonymous
 smtp_tls_security_level = encrypt
 header_size_limit = 4096000
+
+# Debug mail tls
+smtpd_tls_loglevel = 3
+#smtpd_tls_ciphers = TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:!aNULL:!SEED:!CAMELLIA:!RSA+AES:!SHA1
+#tls_medium_cipherlist = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:!aNULL:!SEED:!CAMELLIA:!RSA+AES:!SHA1
 EOT
 }
+
 variable "postfix_cf_reference_DO_NOT_USE" {
  default = <<EOT
 # See /usr/share/postfix/main.cf.dist for a commented, more complete version
--- a/modules/kubernetes/reverse_proxy/main.tf
+++ b/modules/kubernetes/reverse_proxy/main.tf
@ -124,11 +124,11 @@ module "valchedrym" {
 # https://ip150.viktorbarzin.me/
 # Server has funky behaviour based on headers; works on some browrsers not others...
 # module "valchedrym-ip150" {
-#   source        = "./factory"
-#   name          = "ip150"
-#   external_name = "valchedrym.ddns.net"
-#   # port               = 5081 // HTTPS port; 5080 is HTTP if needed
-#   port               = 5080 // HTTPS port; 5080 is HTTP if needed
+#   source = "./factory"
+#   name   = "ip150"
+#   # external_name = "valchedrym.ddns.net"
+#   external_name      = "192.168.0.10"
+#   port               = 80
 #   backend_protocol   = "HTTP"
 #   use_proxy_protocol = false
 #   tls_secret_name    = var.tls_secret_name
--- a/terraform.tfstate
+++ b/terraform.tfstate