From bc62373ae71e27cf12ad68254895f9d1e3861628 Mon Sep 17 00:00:00 2001
From: Viktor Barzin <vbarzin@gmail.com>
Date: Fri, 26 Jan 2024 22:16:19 +0000
Subject: [PATCH] add some tls debugging for mailserver [ci skip]

---
 modules/kubernetes/mailserver/variables.tf |  6 ++++++
 modules/kubernetes/reverse_proxy/main.tf   | 10 +++++-----
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/modules/kubernetes/mailserver/variables.tf b/modules/kubernetes/mailserver/variables.tf
index 6401188f..de211589 100644
--- a/modules/kubernetes/mailserver/variables.tf
+++ b/modules/kubernetes/mailserver/variables.tf
@@ -9,8 +9,14 @@ smtp_sasl_security_options = noanonymous
 smtp_sasl_tls_security_options = noanonymous
 smtp_tls_security_level = encrypt
 header_size_limit = 4096000
+
+# Debug mail tls
+smtpd_tls_loglevel = 3
+#smtpd_tls_ciphers = TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:!aNULL:!SEED:!CAMELLIA:!RSA+AES:!SHA1
+#tls_medium_cipherlist = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:!aNULL:!SEED:!CAMELLIA:!RSA+AES:!SHA1
 EOT
 }
+
 variable "postfix_cf_reference_DO_NOT_USE" {
   default = <<EOT
 # See /usr/share/postfix/main.cf.dist for a commented, more complete version
diff --git a/modules/kubernetes/reverse_proxy/main.tf b/modules/kubernetes/reverse_proxy/main.tf
index cba9784c..44279ddb 100644
--- a/modules/kubernetes/reverse_proxy/main.tf
+++ b/modules/kubernetes/reverse_proxy/main.tf
@@ -124,11 +124,11 @@ module "valchedrym" {
 # https://ip150.viktorbarzin.me/
 # Server has funky behaviour based on headers; works on some browrsers not others...
 # module "valchedrym-ip150" {
-#   source        = "./factory"
-#   name          = "ip150"
-#   external_name = "valchedrym.ddns.net"
-#   # port               = 5081 // HTTPS port; 5080 is HTTP if needed
-#   port               = 5080 // HTTPS port; 5080 is HTTP if needed
+#   source = "./factory"
+#   name   = "ip150"
+#   # external_name = "valchedrym.ddns.net"
+#   external_name      = "192.168.0.10"
+#   port               = 80
 #   backend_protocol   = "HTTP"
 #   use_proxy_protocol = false
 #   tls_secret_name    = var.tls_secret_name