Welcome to Virtru's support portal. As we work to make this page more accessible to screen readers, please contact us at support@virtru.com for technical support.

Articles in this section

See more

On-Premises Gateway Reference - TLS

Avatar
Chad Sigler
  • Updated
Follow

How to generate TLS keys

When making connections to and from the Virtru Email Gateway the session should be secured with Transport Layer Security (TLS). TLS ensures that the information cannot be accessed while in-transit and is a method to further validate the authenticity of the email source.

To enable this capability we must perform a few configuration steps:

Generate TLS Certificates

Postfix requires, and utilize x.509 SSL certificates to ensure it can properly terminate and secure your connections with TLS.

CA Signed Certificate

If your Virtru Email Gateway will be performing final delivery it is recommended that you utilize a publicly signed SSL certificate. If your organization does not already have an SSL cert for your server's fully qualified domain name(or a wildcard cert), you must first generate a Certificate Signing Request(CSR). For postfix, using openssl you can generate this CSR with the following syntax:

Shell 
openssl req -new -newkey rsa:2048 -nodes -keyout myserver.key -out server.csr

Once you execute this command, openssl will ask you a number of important certificate information. Answer each question based on your organization, contact info and server FQDN. Once complete you will now have your private key(myserver.key) and the CSR(server.csr). Use this CSR to request a CA signed certificate from the CA your organization has approved for use.

 

Self-Signed Certificate

If you will not be performing final delivery from the Virtru Email Gateway or if you are only testing, you can generate a self-signed certificate. A self-signed certificate does not have the verification chain of a CA signed, but will still secure the connections to/from your Virtru Email Gateway. For postfix, using openssl you can generate your self-signed certificate with the following syntax:

Shell 
mkdir /var/virtru/tls/<GATEWAY FQDN>
openssl genrsa -out /var/virtru/vg/tls/<GATEWAY FQDN>/client.key 2048

openssl req -new -key /var/virtru/vg/tls/<GATEWAY FQDN>/client.key -x509 -subj /CN=<GATEWAY FQDN> -days 3650 -out /var/virtru/vg/tls/<GATEWAY FQDN>/client.pem

You will notice in this in this syntax the following:

  • <GATEWAY FQDN>: This should be the FQDN of your server
  • /var/virtru/tls/: This is the path to a folder that will be mounted for Docker during the startup of the container
  • client.key and client.pem: You need to ensure that your private key and certificate have these filenames

Validate TLS

Once you have generated your SSL certificates and following the steps in the Installation section you will have a Virtru Email Gateway instance running with TLS support. Once it is up and running you can use the following openssl syntax to confirm it is utilizing the correct certificates:

Shell
 
openssl s_client -starttls smtp -crlf -connect <server FQDN or IP>:<port>

Example output from this command sequence can be found below for reference:

Text

--- SSL handshake has read 1528 bytes and written 360 bytes --- New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 1024 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE SSL-Session: Protocol : TLSv1 Cipher : DHE-RSA-AES256-SHA Session-ID: 06F03A7C2AB0EA3E97cut7CD4A4A6166D551B Session-ID-ctx: Master-Key: 1A2FF452C3E09F9D7B2DECEcutFB67158960BA6 Key-Arg : None Start Time: 1370375286 Timeout : 300 (sec) Verify return code: 21 (unable to verify the first certificate) ...

Related articles