Background
This document will guide you through the installation of a Virtru Gateway backed by Office 365 infrastructure.
The messages will flow through Office 365 and to the Virtru Gateway based on:
- Recipient is inside the organization
- Subject contains: #secure#
- Action: Decrypt Mail
- Final Delivery: Gateway
Requirements
- All Prerequisites below must be complete prior to beginning the installation of your Virtru Gateway.
- Please contact your Virtru Deployment Engineer prior to installation and request the below Virtru Provided Variables.
Sections in this article:
Prerequisites
- Synced domain
- Gateway Server setup
- Firewall to Gateway Open
- Virtru Variables Available
- Virtru Required Endpoints allowed
Virtru Provided Variables
- GATEWAY_API_TOKEN_NAME
- GATEWAY_API_TOKEN_SECRET
- GATEWAY_AMPLITUDE_API_KEY
Sample Install
Description
This example install will Virtru Gateway that will receive mail and decrypt all messages received. The Gateway will then deliver the mail to the final recipient.
Assumptions:
- Domain in use: example.com
- FQDN of the Gateway: gateway.example.com
- DKIM Selector: gateway
- Listening Port: 25
- Certificates are all Self Signed
Install Docker
Docker CE is the minimum required version.
Install Instructions: https://docs.docker.com/engine/installation/
Create Required Directories
Shell
mkdir /var/virtru mkdir /var/virtru/vg mkdir /var/virtru/vg/env mkdir /var/virtru/vg/scripts mkdir /var/virtru/vg/test mkdir /var/virtru/vg/tls mkdir /var/virtru/vg/dkim
Create Certificates
TLS
The following commands create the TLS certificates to encrypt the traffic in transit between the SMTP servers. Self Signed Certificates will be generated.
Shell
mkdir /var/virtru/vg/tls/gateway.example.com openssl genrsa -out /var/virtru/vg/tls/gateway.example.com/client.key 2048 openssl req -new -key /var/virtru/vg/tls/gateway.example.com/client.key -x509 -subj /CN=gateway.example.com -days 3650 -out /var/virtru/vg/tls/gateway.example.com/client.pem
DKIM
The following commands create the DKIM certificates to signs emails.
Shell
openssl genrsa -out /var/virtru/vg/dkim/gateway._domainkey.example.pem 1024 -outform PEM openssl rsa -in /var/virtru/vg/dkim/gateway._domainkey.example.pem -out /var/virtru/vg/dkim/gateway._domainkey.example-public.pem -pubout -outform PEM
Create Environment Variables
#/var/virtru/vg/env/decrypt-everything.env
# Enable verbose logging in Gateway? Default is 0.
# Set this to 0 unless you are debugging something.
GATEWAY_VERBOSE_LOGGING=0
# Domain name of organization
GATEWAY_ORGANIZATION_DOMAIN=example.com
# Comma delimited list of trusted networks (CIDR) and IPs.
# In other words, list of IP addresses that can relay email via this Gateway.
# All Office 365 IPs: https://technet.microsoft.com/en-us/library/dn163583(v=exchg.150).aspx
GATEWAY_RELAY_ADDRESSES=64.18.0.0/20,64.233.160.0/19,66.102.0.0/20,66.249.80.0/20,72.14.192.0/18,74.125.0.0/16,108.177.8.0/21,173.194.0.0/16,207.126.144.0/20,209.85.128.0/17,216.58.192.0/19,216.239.32.0/19,172.217.0.0/19,108.177.96.0/19
# Enable TLS at the Gateway. Default is 1 (enabled).
# GATEWAY_SMTPD_USE_TLS=1
# Enable Proxy Protocol for SMTP.
# Use 1 if you are configuring Docker behind a Load Balancer. Else 0.
# Default is 1 (enabled)
GATEWAY_PROXY_PROTOCOL=0
# Comma delimited set of domains and next-hop destinations and optional ports
# GATEWAY_TRANSPORT_MAPS=*=>[smtp.office365.com]:587
# The mode for the Gateway.
# Either decrypt-everything or encrypt-everything.
# Default is encrypt-everything.
GATEWAY_MODE=decrypt-everything
# Topology of the gateway.
# Either outbound or inbound. Default is outbound
GATEWAY_TOPOLOGY=inbound
# URL to Virtru's ACM service. Note: Do not change this.
GATEWAY_ACM_URL=https://acm.virtru.com
# URL to Virtru's Accounts service.
# Note: Do not change this.
GATEWAY_ACCOUNTS_URL=https://accounts.virtru.com
# The base URL for remote content.
# Note: Do not change this.
GATEWAY_REMOTE_CONTENT_BASE_URL=https://www.virtru.com/start
# DKIM certificate information
# Example is selector of gateway matching the FQDN
# Optional Comma separated list of domainkey domains to enable and use DKIM.
# This field is Required if you are configuring DKIM.
GATEWAY_DKIM_DOMAINS=gateway._domainkey.example.com
# HMAC Token to connect to Virtru services such as Accounts and ACM.
# Contact Virtru Support for getting your token.
GATEWAY_API_TOKEN_NAME=<Provided by Virtru>
# HMAC Token Secret to connect to Virtru services such as Accounts and ACM.
# Contact Virtru Support for getting your token.
GATEWAY_API_TOKEN_SECRET=<Provided by Virtru>
# Virtru Amplitude Key
# Contact Virtru Support for getting your token.
GATEWAY_AMPLITUDE_API_KEY=<Provided by Virtru>`
Create Setup Script
Script will create and run the Docker container. It cannot be rerun until after the container is removed.
/var/virtru/vg/scripts/setup-decrypt-everything.sh # /var/virtru/vg/scripts/setup-decrypt-everything.sh docker run \ --env-file /var/virtru/vg/env/decrypt-everything.env \ -v /var/virtru/vg/tls/gateway.example.com/:/etc/postfix/tls \ -v /var/virtru/vg/dkim/:/etc/opendkim/keys \ --hostname gateway.example.com \ --name decrypt-everything \ --publish 9001:25 \ --interactive --tty --detach \ --restart unless-stopped \ --log-opt max-size=1g \ --log-opt max-file=3 \ virtru/gateway:2.0.14
Log into the Docker hub repository. This will allow the host to download the required images for the Virtru Gateway.
Shell
docker login
Run Setup Script
- Change to the script directory and
- Make the script executable
- Execute the script
cd /var/virtru/vg/scripts chmod +x setup-decrypt-everything.sh ./setup-decrypt-everything.sh
Check the logs
- Follow the logs
- Exit
docker logs decrypt-everything -f # Will show the logs as they are generated # Control+C will exit the log follow