Skip to main content
Welcome to Virtru's support portal. As we work to make this page more accessible to screen readers, please contact us at support@virtru.com for technical support.

Reference: TLS

Jenna Villaflor
  • Updated

How to generate TLS keys

When making connections to and from the Virtru Email Gateway the session should be secured with Transport Layer Security (TLS). TLS ensures that the information cannot be accessed while in-transit and is a method to further validate the authenticity of the email source.

To enable this capability we must perform a few configuration steps:

Generate TLS Certificates

Postfix requires, and utilize x.509 SSL certificates to ensure it can properly terminate and secure your connections with TLS.

CA Signed Certificate

If your Virtru Email Gateway will be performing final delivery it is recommended that you utilize a publicly signed SSL certificate. If your organization does not already have an SSL cert for your server's fully qualified domain name(or a wildcard cert), you must first generate a Certificate Signing Request(CSR). For postfix, using openssl you can generate this CSR with the following syntax:

Shell 
openssl req -new -newkey rsa:2048 -nodes -keyout myserver.key -out server.csr

Once you execute this command, openssl will ask you a number of important certificate information. Answer each question based on your organization, contact info and server FQDN. Once complete you will now have your private key(myserver.key) and the CSR(server.csr). Use this CSR to request a CA signed certificate from the CA your organization has approved for use.

Self-Signed Certificate

If you will not be performing final delivery from the Virtru Email Gateway or if you are only testing, you can generate a self-signed certificate. A self-signed certificate does not have the verification chain of a CA signed, but will still secure the connections to/from your Virtru Email Gateway. For postfix, using openssl you can generate your self-signed certificate with the following syntax:

Shell 
mkdir /var/virtru/vg/tls/<GATEWAY FQDN>
openssl genrsa -out /var/virtru/vg/tls/<GATEWAY FQDN>/client.key 2048

openssl req -new -key /var/virtru/vg/tls/<GATEWAY FQDN>/client.key -x509 -subj /CN=<GATEWAY FQDN> -days 3650 -out /var/virtru/vg/tls/<GATEWAY FQDN>/client.pem

You will notice in this in this syntax the following:

  • <GATEWAY FQDN>: This should be the FQDN of your server
  • /var/virtru/tls/: This is the path to a folder that will be mounted for Docker during the startup of the container
  • client.key and client.pem: You need to ensure that your private key and certificate have these filenames

Validate TLS

Once you have generated your SSL certificates and following the steps in the Installation section you will have a Virtru Email Gateway instance running with TLS support. Once it is up and running you can use the following openssl syntax to confirm it is utilizing the correct certificates:

Shell
 
openssl s_client -starttls smtp -crlf -connect <server FQDN or IP>:<port>

Example output from this command sequence can be found below for reference:

Text

--- SSL handshake has read 1528 bytes and written 360 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: 06F03A7C2AB0EA3E97cut7CD4A4A6166D551B Session-ID-ctx: Master-Key: 1A2FF452C3E09F9D7B2DECEcutFB67158960BA6 Key-Arg : None Start Time: 1370375286 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate) ...

Other Items to Note:

The step below is optional, however if you prefer to use a CA cert in place of the existing Self-Signed cert that the gateway deploy script generates by default, you can follow the steps below:

Assumptions: The new CA cert should match the FQDN of the server. 

      • In the/var/virtru/tls/<FQDN-of-your-container> directory, locate the client.keyand client.pemfiles. Although not a requirement, we recommend creating a copy of the existing client.keyand client.pemfiles prior to replacement. Otherwise, you will want to replace the contents of each files with the new private key (generated from the new CSR) and CA cert bundle from your CA cert authority. You may need to ensure the certs are in the correct order, depending on how your cert authority provides the bundle to you. Typically, the formatting and order for both files should be:
        • client.key:
          • -----BEGIN RSA PRIVATE KEY-----
            (Private Key:secure.customer.com.key)
            -----END RSA PRIVATE KEY-----
        • client.pem:
          • -----BEGIN CERTIFICATE-----
            (SSL Certificate: <FQDN-of-your-container>)
            -----END CERTIFICATE-----
            -----BEGIN CERTIFICATE-----
            (Optional Intermediate Certificate: intermediate.crt
            -----END CERTIFICATE-----
      • Once both files have been updated, restart your container(s) by running the docker restart <container-id> command
      • Validate the container is using the new CA cert by running the command below:
      • printf 'quit\n' | openssl s_client -connect localhost:<port the container is listening on ex:9001> -starttls smtp | openssl x509 -dates -noout
      • Validate the gateway is in service and is able to process and deliver mail. A helpful article is linked here for your reference.

 

Related articles