How to generate TLS keys
When making connections to and from the Virtru Email Gateway the session should be secured with Transport Layer Security (TLS). TLS ensures that the information cannot be accessed while in-transit and is a method to further validate the authenticity of the email source.
To enable this capability we must perform a few configuration steps:
Generate TLS Certificates
Postfix requires and uses X.509 certificates so that it can properly terminate and secure your connections with TLS.
CA Signed Certificate
If your Virtru Email Gateway will be performing final delivery it is recommended that you use a publicly signed SSL certificate. If your organization does not already have an SSL certificate for your server's fully qualified domain name (or a wildcard certificate), you must first generate a Certificate Signing Request (CSR). For Postfix, using openssl you can generate this CSR with the following syntax:
openssl req -new -newkey rsa:2048 -nodes -keyout myserver.key -out server.csr
Once you execute this command, openssl will prompt you for a number of pieces of certificate information. Answer each question based on your organization, contact info and server FQDN. Once complete you will have your private key (myserver.key) and the CSR (server.csr). Use this CSR to request a CA-signed certificate from the CA your organization has approved for use.
Self-Signed Certificate
If you will not be performing final delivery from the Virtru Email Gateway, or if you are only testing, you can generate a self-signed certificate. A self-signed certificate does not have the verification chain of a CA-signed certificate, but it will still encrypt the connections to/from your Virtru Email Gateway. For Postfix, using openssl you can generate your self-signed certificate with the following syntax:
mkdir /var/virtru/vg/tls/<GATEWAY-FQDN>
openssl genrsa -out /var/virtru/vg/tls/<GATEWAY-FQDN>/client.key 2048
openssl req -new -key /var/virtru/vg/tls/<GATEWAY-FQDN>/client.key -x509 -subj /CN=<GATEWAY-FQDN> -days 3650 -out /var/virtru/vg/tls/<GATEWAY-FQDN>/client.pem
You will notice the following in this syntax:
- <GATEWAY-FQDN>: This should be the FQDN of your server.
- /var/virtru/vg/tls/: This is the path to the folder that will be mounted for Docker during the startup of the container.
- client.key and client.pem: You need to ensure that your private key and certificate have these filenames.
Validate TLS
Once you have generated your SSL certificates and followed the steps in the Installation section, you will have a Virtru Email Gateway instance running with TLS support. Once it is up and running you can use the following openssl syntax to confirm it is using the correct certificates:
openssl s_client -starttls smtp -crlf -connect <server FQDN or IP>:<port>
Example output from this command sequence can be found below for reference:
---
SSL handshake has read 1528 bytes and written 360 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 06F03A7C2AB0EA3E97cut7CD4A4A6166D551B
    Session-ID-ctx:
    Master-Key: 1A2FF452C3E09F9D7B2DECEcutFB67158960BA6
    Key-Arg   : None
    Start Time: 1370375286
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
...
Other Items to Note:
Assumptions: The new CA cert should match the FQDN of the server.
- In the /var/virtru/vg/tls/<FQDN-of-your-container> directory, locate the client.key and client.pem files. Although not a requirement, we recommend creating a copy of the existing client.key and client.pem files prior to replacement. Then replace the contents of each file with the new private key (generated from the new CSR) and the CA cert bundle from your certificate authority. You may need to ensure the certs are in the correct order, depending on how your certificate authority provides the bundle to you. Typically, the formatting and order for both files should be:
  - client.key:
    -----BEGIN RSA PRIVATE KEY-----
    (Private Key: secure.customer.com.key)
    -----END RSA PRIVATE KEY-----
  - client.pem:
    -----BEGIN CERTIFICATE-----
    (SSL Certificate: <FQDN-of-your-container>)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Optional Intermediate Certificate: intermediate.crt)
    -----END CERTIFICATE-----
- Once both files have been updated, restart your container(s) by running the docker restart <container-id> command.
- Validate the container is using the new CA cert by running the command below:
  printf 'quit\n' | openssl s_client -connect localhost:<port the container is listening on ex:9001> -starttls smtp | openssl x509 -dates -noout
- Validate the gateway is in service and is able to process and deliver mail. A helpful article is linked here for your reference.
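The checks that the self-signed generation and the certificate-replacement steps above leave to the reader (does client.key belong to the first certificate in client.pem, does the leaf CN match the gateway FQDN, is the bundle ordered leaf first then intermediate, and has the leaf expired) can be scripted. The following is an added example, not part of the Virtru documentation; it assumes the openssl CLI is installed and takes the TLS directory and FQDN as arguments (the function name check_tls_dir is the author's own).

```shell
#!/bin/sh
# Added example (not from the Virtru docs): sanity-check a gateway TLS
# directory laid out as <dir>/client.key and <dir>/client.pem.
# Requires the openssl CLI.

# Print the Nth PEM certificate block (1-based) from a bundle file.
nth_cert() {
    awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{i++} i==n{print} /-----END CERTIFICATE-----/{if(i==n)exit}' "$1"
}

# Number of certificate blocks in a bundle file.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# check_tls_dir <dir> <fqdn>: returns 0 only if every check passes.
check_tls_dir() {
    dir=$1; fqdn=$2
    key="$dir/client.key"; pem="$dir/client.pem"
    [ -f "$key" ] && [ -f "$pem" ] || { echo "missing client.key or client.pem in $dir"; return 1; }

    # 1. Key/cert pairing: compare a digest of the public key found in each file.
    k=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    c=$(nth_cert "$pem" 1 | openssl x509 -pubkey -noout 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ] || { echo "client.key does not match the first certificate in client.pem"; return 1; }

    # 2. The leaf certificate's CN must be the FQDN the gateway is reached under.
    subj=$(nth_cert "$pem" 1 | openssl x509 -noout -subject)
    case "$subj" in
        *"CN=$fqdn"*|*"CN = $fqdn"*) ;;
        *) echo "leaf CN is not $fqdn: $subj"; return 1 ;;
    esac

    # 3. Bundle order: the issuer of certificate i must be the subject of certificate i+1.
    n=$(cert_count "$pem"); i=1
    while [ "$i" -lt "$n" ]; do
        iss=$(nth_cert "$pem" "$i" | openssl x509 -noout -issuer | sed 's/^issuer=//')
        nxt=$(nth_cert "$pem" $((i+1)) | openssl x509 -noout -subject | sed 's/^subject=//')
        [ "$iss" = "$nxt" ] || { echo "certificate $((i+1)) is not the issuer of certificate $i (bundle out of order?)"; return 1; }
        i=$((i+1))
    done

    # 4. The leaf must not have expired (same information as 'openssl x509 -dates').
    nth_cert "$pem" 1 | openssl x509 -noout -checkend 0 >/dev/null || { echo "leaf certificate has expired"; return 1; }
    echo "OK: $pem ($n certificate(s)) matches $key for $fqdn"
}
```

Run it as `check_tls_dir /var/virtru/vg/tls/<GATEWAY-FQDN> <GATEWAY-FQDN>` before restarting the container; a non-zero exit means the files would not pass the s_client validation shown above.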
Force Mandatory TLS level HIGH
Inbound and outbound TLS can be set to force minimum TLS 1.2 connections using the supported ciphers.
Steps:
- Modify the gateway container(s) env file:
  nano /var/virtru/vg/env/<mode><port>.env
- Set the following variables to force TLS and set the level to HIGH.
  Inbound TLS:
  GATEWAY_SMTPD_USE_TLS=1
  GATEWAY_SMTPD_SECURITY_LEVEL=mandatory
  GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=HIGH
  Outbound TLS:
  GATEWAY_SMTP_USE_TLS=1
  GATEWAY_SMTP_SECURITY_LEVEL=mandatory
  GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=HIGH
- Save and exit the file (CTRL+O, then CTRL+X).
- For the changes to take effect you will need to stop and remove the container, then add a new one:
  docker stop <container ID>
  docker rm <container ID>
  sh /var/virtru/vg/scripts/setup-<mode>-<port>.sh