Background
This document guides you through installing a Virtru Gateway behind Office 365 infrastructure.
Messages reach the Virtru Gateway through an Office 365 mail flow rule with the following conditions and actions:
- Recipient is inside the organization
- Subject contains: #secure#
- Action: Decrypt Mail
- Final Delivery: Gateway
Requirements
- All Prerequisites below must be complete prior to beginning the installation of your Virtru Gateway.
- Please contact your Virtru Deployment Engineer prior to installation and request the below Virtru Provided Variables.
Prerequisites
- Synced domain
- Gateway server set up
- Firewall open to the Gateway
- Virtru variables available
- Virtru required endpoints allowed
Virtru Provided Variables
- GATEWAY_API_TOKEN_NAME
- GATEWAY_API_TOKEN_SECRET
- GATEWAY_AMPLITUDE_API_KEY
Sample Install
Description
This is an example install with a Virtru Gateway that will receive mail and decrypt all messages received. The Gateway will then deliver the mail to the final recipient.
Assumptions:
- Domain in use: example.com
- FQDN of the Gateway: gateway.example.com
- DKIM Selector: gateway
- Listening Port: 25
- All certificates are self-signed
Install Docker
Docker CE is the minimum required version.
Install Instructions: https://docs.docker.com/engine/installation/
Create Required Directories
Shell
mkdir -p /var/virtru/vg/env /var/virtru/vg/scripts /var/virtru/vg/test \
  /var/virtru/vg/tls /var/virtru/vg/dkim
Create Certificates
TLS
The following commands create a private key and a self-signed certificate that the Gateway uses to protect SMTP traffic in transit (STARTTLS) between itself and Office 365. The CN must match the Gateway FQDN. A self-signed certificate is enough for opportunistic TLS, but an Office 365 connector configured to require a certificate issued by a trusted CA will refuse it; use a CA-issued certificate for the FQDN in that case. Keep client.key readable by root only.
Shell
mkdir /var/virtru/vg/tls/gateway.example.com
openssl genrsa -out /var/virtru/vg/tls/gateway.example.com/client.key 2048
openssl req -new -key /var/virtru/vg/tls/gateway.example.com/client.key -x509 \
  -subj /CN=gateway.example.com -days 3650 \
  -out /var/virtru/vg/tls/gateway.example.com/client.pem
DKIM
The following commands create the RSA key pair used to DKIM-sign mail leaving the Gateway. The private key stays on the Gateway; the public key must be published in DNS as a TXT record at gateway._domainkey.example.com (selector gateway) before DKIM is enabled with GATEWAY_DKIM_DOMAINS below. 1024 bits is the minimum RFC 8301 allows for a signing key; 2048 bits is recommended where your DNS provider can hold the longer record.
Shell
# genrsa always writes PEM and takes the key size as its last argument
openssl genrsa -out /var/virtru/vg/dkim/gateway._domainkey.example.pem 1024
openssl rsa -in /var/virtru/vg/dkim/gateway._domainkey.example.pem -pubout -outform PEM \
  -out /var/virtru/vg/dkim/gateway._domainkey.example-public.pem
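Generating the key is only half of the DKIM setup: the public key has to be published in DNS, and the key on disk, the public key file and the published record all have to agree. The script below is an added example, not part of Virtru's tooling. It prints the TXT record for the key just created and checks that the three copies match. The selector (gateway), domain (example.com) and key paths follow the sample install; dig and openssl are assumed to be available for the two check functions.

```shell
#!/bin/sh
# Added example, not part of the Virtru Gateway distribution: build the DNS
# record for the DKIM key generated above and verify what is actually published.
# Selector "gateway", domain "example.com" and the key paths follow the sample
# install; dig and openssl are assumed to be installed for the two checks.

# Print the base64 body of a PEM public key with armour and line breaks removed.
# That string is exactly the p= value a DKIM verifier expects.
dkim_p_value() {
  grep -v -- '-----' "$1" | tr -d '\n\r '
}

# Print a zone-file style TXT record for selector $1 under domain $2 from the
# public key PEM $3. The value is split into quoted chunks of at most 255
# characters because one DNS character-string cannot exceed 255 bytes; a
# 2048-bit key does not fit in a single string.
dkim_txt_record() {
  sel="$1"; dom="$2"; rec="v=DKIM1; k=rsa; p=$(dkim_p_value "$3")"
  printf '%s._domainkey.%s. IN TXT' "$sel" "$dom"
  while [ -n "$rec" ]; do
    printf ' "%s"' "$(printf '%s' "$rec" | cut -c1-255)"
    rec=$(printf '%s' "$rec" | cut -c256-)
  done
  printf '\n'
}

# Return 0 when private key $1 and public key file $2 are a pair (same RSA
# modulus), 1 when they differ, 2 when openssl could not read either file.
dkim_keypair_matches() {
  a=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 2
  b=$(openssl rsa -pubin -in "$2" -noout -modulus 2>/dev/null) || return 2
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Return 0 when the record published for selector $1 under domain $2 carries
# the same p= as local public key $3; 1 when it differs or is missing. Quotes,
# spaces and newlines are stripped because dig prints several quoted strings.
dkim_published_matches() {
  published=$(dig +short TXT "$1._domainkey.$2" | tr -d '" \n')
  case "$published" in
    *"p=$(dkim_p_value "$3")"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage: sh dkim-record.sh record   (print the TXT record to publish)
#        sh dkim-record.sh check    (compare key files and the live DNS record)
priv=/var/virtru/vg/dkim/gateway._domainkey.example.pem
pub=/var/virtru/vg/dkim/gateway._domainkey.example-public.pem
case "${1:-}" in
  record) dkim_txt_record gateway example.com "$pub" ;;
  check)  dkim_keypair_matches "$priv" "$pub" \
            || { echo "private and public key files do not match" >&2; exit 1; }
          dkim_published_matches gateway example.com "$pub" \
            && echo "DNS record matches local key" \
            || { echo "DNS record missing or differs from local key" >&2; exit 1; } ;;
esac
```

Publish the output of the record mode with your DNS provider, wait for propagation, then run the check mode before setting GATEWAY_DKIM_DOMAINS; a signature made with a key that does not match the published record fails verification at every receiver.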
Create Environment Variables
The file below holds the Virtru API token secret; create it as root with mode 600.
#/var/virtru/vg/env/decrypt-everything.env
# Enable verbose logging in Gateway? Default is 0.
# Set this to 0 unless you are debugging something.
GATEWAY_VERBOSE_LOGGING=0
# Domain name of organization
GATEWAY_ORGANIZATION_DOMAIN=example.com
# Comma delimited list of trusted networks (CIDR) and IPs.
# In other words, the list of IP addresses that can relay email via this Gateway
# without authenticating, so keep it to the Office 365 (Exchange Online Protection)
# outbound ranges published by Microsoft:
# https://technet.microsoft.com/en-us/library/dn163583(v=exchg.150).aspx
# The ranges in this sample are Google's published mail ranges, not Office 365's;
# replace them with the current Microsoft list before deploying.
GATEWAY_RELAY_ADDRESSES=64.18.0.0/20,64.233.160.0/19,66.102.0.0/20,66.249.80.0/20,72.14.192.0/18,74.125.0.0/16,108.177.8.0/21,173.194.0.0/16,207.126.144.0/20,209.85.128.0/17,216.58.192.0/19,216.239.32.0/19,172.217.0.0/19,108.177.96.0/19
# Enable TLS at the Gateway. Default is 1 (enabled).
# GATEWAY_SMTPD_USE_TLS=1
# Enable Proxy Protocol for SMTP.
# Use 1 if the container sits behind a load balancer that speaks PROXY protocol,
# else 0. With 0 behind a load balancer the Gateway sees the balancer's address
# instead of the client's, which defeats the GATEWAY_RELAY_ADDRESSES check; with 1
# and no such balancer, plain SMTP connections fail.
# Default is 1 (enabled)
GATEWAY_PROXY_PROTOCOL=0
# Comma delimited set of domains and next-hop destinations and optional ports
# GATEWAY_TRANSPORT_MAPS=*=>[smtp.office365.com]:587
# The mode for the Gateway.
# Either decrypt-everything or encrypt-everything.
# Default is encrypt-everything.
GATEWAY_MODE=decrypt-everything
# Topology of the gateway.
# Either outbound or inbound. Default is outbound
GATEWAY_TOPOLOGY=inbound
# URL to Virtru's ACM service. Note: Do not change this.
GATEWAY_ACM_URL=https://acm.virtru.com
# URL to Virtru's Accounts service.
# Note: Do not change this.
GATEWAY_ACCOUNTS_URL=https://accounts.virtru.com
# The base URL for remote content.
# Note: Do not change this.
GATEWAY_REMOTE_CONTENT_BASE_URL=https://www.virtru.com/start
# DKIM certificate information
# Example is selector of gateway matching the FQDN
# Optional Comma separated list of domainkey domains to enable and use DKIM.
# This field is Required if you are configuring DKIM.
GATEWAY_DKIM_DOMAINS=gateway._domainkey.example.com
# HMAC Token to connect to Virtru services such as Accounts and ACM.
# Contact Virtru Support for getting your token.
GATEWAY_API_TOKEN_NAME=<Provided by Virtru>
# HMAC Token Secret to connect to Virtru services such as Accounts and ACM.
# Contact Virtru Support for getting your token.
GATEWAY_API_TOKEN_SECRET=<Provided by Virtru>
# Virtru Amplitude Key
# Contact Virtru Support for getting your token.
GATEWAY_AMPLITUDE_API_KEY=<Provided by Virtru>
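Before starting the container it is worth checking the env file, since the API secret lives in it and GATEWAY_RELAY_ADDRESSES decides who may relay mail through the Gateway without authentication. The script below is an added example, not part of the Virtru Gateway distribution. It flags placeholders left unfilled, a relay list that allows the whole internet or contains a malformed entry, invalid mode or topology values, and a world-readable file. The variable names are the ones in the env file above; what counts as a problem is this example's own judgement.

```shell
#!/bin/sh
# Added example, not part of the Virtru Gateway distribution: sanity-check the
# env file before starting the container. The API token and secret are
# credentials, and GATEWAY_RELAY_ADDRESSES decides who may relay mail through
# the Gateway, so a typo here is a security problem, not just a broken install.
# Variable names are the ones documented above; the "problem" rules are this
# example's own choices.

# Print the last value assigned to variable $1 in env file $2 (empty if unset).
env_get() {
  sed -n "s/^$1=//p" "$2" | tail -n 1
}

# Return 0 if env file $1 looks safe to deploy, 1 otherwise; problems go to stderr.
check_env_file() {
  f="$1"; rc=0
  problem() { echo "$f: $*" >&2; rc=1; }

  # Required values must be present and must not be the <...> placeholders.
  for v in GATEWAY_API_TOKEN_NAME GATEWAY_API_TOKEN_SECRET GATEWAY_AMPLITUDE_API_KEY \
           GATEWAY_ORGANIZATION_DOMAIN GATEWAY_RELAY_ADDRESSES; do
    val=$(env_get "$v" "$f")
    case "$val" in
      '')        problem "$v is empty or missing" ;;
      *'<'*'>'*) problem "$v still holds a placeholder: $val" ;;
    esac
  done

  # Relay list: any address here may send through the Gateway without auth.
  relay=$(env_get GATEWAY_RELAY_ADDRESSES "$f")
  case ",$relay," in
    *,0.0.0.0/0,*|*,::/0,*) problem "GATEWAY_RELAY_ADDRESSES allows the whole internet (open relay)" ;;
  esac
  # Each entry must be an IPv4 address or CIDR; anything else is a typo.
  for entry in $(printf '%s' "$relay" | tr ',' ' '); do
    printf '%s' "$entry" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
      || problem "GATEWAY_RELAY_ADDRESSES entry is not an IPv4 address/CIDR: $entry"
  done

  case "$(env_get GATEWAY_MODE "$f")" in
    decrypt-everything|encrypt-everything) ;;
    *) problem "GATEWAY_MODE must be decrypt-everything or encrypt-everything" ;;
  esac
  case "$(env_get GATEWAY_TOPOLOGY "$f")" in
    inbound|outbound) ;;
    *) problem "GATEWAY_TOPOLOGY must be inbound or outbound" ;;
  esac
  [ "$(env_get GATEWAY_VERBOSE_LOGGING "$f")" = "1" ] \
    && echo "$f: warning: verbose logging is on; message details will land in docker logs" >&2

  # The file holds the HMAC secret: it must not be world-readable.
  # Column 8 of ls -l is the "other" read bit.
  [ "$(ls -l "$f" | cut -c8)" = "-" ] || problem "file is world-readable; run chmod 600 $f"
  return $rc
}

# Usage: sh check-env.sh /var/virtru/vg/env/decrypt-everything.env
if [ -n "${1:-}" ]; then
  check_env_file "$1" && echo "$1: ok"
fi
```

Run it after editing the env file and again after every change to GATEWAY_RELAY_ADDRESSES; the container itself will happily start with an open relay list.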
Create Setup Script
The script creates and starts the Docker container. Because docker run assigns the fixed name decrypt-everything, it cannot be rerun until that container is removed (docker rm -f decrypt-everything). Note the port mapping: Postfix inside the container listens on 25, but --publish 9001:25 exposes it on host port 9001. Make sure the Office 365 connector and the firewall rule from the prerequisites target the published host port, or change the mapping to 25:25.
/var/virtru/vg/scripts/setup-decrypt-everything.sh
#!/bin/sh
# /var/virtru/vg/scripts/setup-decrypt-everything.sh
docker run \
  --env-file /var/virtru/vg/env/decrypt-everything.env \
  -v /var/virtru/vg/tls/gateway.example.com/:/etc/postfix/tls \
  -v /var/virtru/vg/dkim/:/etc/opendkim/keys \
  --hostname gateway.example.com \
  --name decrypt-everything \
  --publish 9001:25 \
  --interactive --tty --detach \
  --restart unless-stopped \
  --log-opt max-size=1g \
  --log-opt max-file=3 \
  virtru/gateway:2.0.14
Log in to Docker Hub so that the host can pull the virtru/gateway image the script references.
docker login
Run Setup Script
- Change to the script directory and
- Make the script executable
- Execute the script
cd /var/virtru/vg/scripts
chmod +x setup-decrypt-everything.sh
./setup-decrypt-everything.sh
Check the logs
- Follow the logs
- Exit
docker logs decrypt-everything -f
# Shows the logs as they are generated; Control+C exits the follow
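A clean log is not proof that the Gateway is configured correctly. The script below is an added example, not part of the Virtru Gateway distribution. Run from the Docker host, it checks that the container is running, prints the certificate the Gateway presents on STARTTLS, and attempts to relay a message to an external domain to confirm that a source outside GATEWAY_RELAY_ADDRESSES is refused. The container name and host port 9001 follow the setup script above; probe.invalid and the probe addresses are made up for the test, and docker and openssl are assumed to be installed.

```shell
#!/bin/sh
# Added example, not part of the Virtru Gateway distribution: smoke tests to run
# once the container is up. Container name "decrypt-everything" and host port
# 9001 follow the setup script above; "probe.invalid" and the probe mailboxes
# are made up. Needs docker, openssl and network reachability to the port.

# Container state as reported by Docker: prints "true" when running.
gateway_running() {
  docker inspect -f '{{.State.Running}}' "$1" 2>/dev/null
}

# First SMTP reply code (three digits) of a reply line, e.g. "554 5.7.1 ..." -> 554.
smtp_code() {
  printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9][0-9]\).*/\1/p'
}

# Decide from a captured SMTP transcript whether the relay attempt was refused.
# Returns 0 when any permanent (5xx) reply is present, 1 when every reply was
# 2xx/3xx (the RCPT was accepted), 2 when the transcript is empty.
relay_refused() {
  [ -n "$1" ] || return 2
  printf '%s\n' "$1" | grep -Eq '^5[0-9][0-9][ -]' && return 0
  return 1
}

# Show the certificate the Gateway presents on STARTTLS (subject and validity).
show_starttls_cert() {
  openssl s_client -starttls smtp -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -dates
}

# Try to relay through the Gateway from this host. s_client performs the
# STARTTLS handshake itself; RFC 3207 requires a fresh EHLO afterwards. The
# pauses give s_client time to forward each reply before the next command.
relay_probe() {
  { sleep 2
    printf 'EHLO probe.invalid\r\n'; sleep 1
    printf 'MAIL FROM:<probe@probe.invalid>\r\n'; sleep 1
    printf 'RCPT TO:<nobody@probe.invalid>\r\n'; sleep 1
    printf 'QUIT\r\n'; sleep 1; } \
    | openssl s_client -quiet -starttls smtp -connect "$1:$2" 2>/dev/null
}

# Usage: sh smoke-test.sh decrypt-everything gateway.example.com 9001
if [ $# -eq 3 ]; then
  [ "$(gateway_running "$1")" = "true" ] || { echo "container $1 is not running" >&2; exit 1; }
  show_starttls_cert "$2" "$3"
  transcript=$(relay_probe "$2" "$3")
  if relay_refused "$transcript"; then
    echo "relay to an external domain refused, as expected"
  else
    echo "WARNING: Gateway accepted a relay to an external domain; fix GATEWAY_RELAY_ADDRESSES" >&2
    printf '%s\n' "$transcript" >&2
    exit 1
  fi
fi
```

Run the relay probe from a machine whose address is not in GATEWAY_RELAY_ADDRESSES: connections from the Docker host itself arrive through the Docker bridge and may be treated as trusted, which would make the check pass for the wrong reason. An accepted RCPT TO for an external domain means the Gateway is an open relay for that source, and the relay list needs fixing before mail flow is cut over.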