How to generate TLS keys
When making connections to and from the Virtru Email Gateway, the session should be secured with Transport Layer Security (TLS). TLS ensures that the information cannot be read while in transit and provides an additional way to validate the authenticity of the email source.
To enable this capability we must perform a few configuration steps:
Generate TLS Certificates
Postfix requires and uses X.509 SSL certificates so that it can properly terminate and secure your connections with TLS.
CA Signed Certificate
If your Virtru Email Gateway will be performing final delivery, it is recommended that you use a publicly signed SSL certificate. If your organization does not already have an SSL certificate for your server's fully qualified domain name (or a wildcard certificate), you must first generate a Certificate Signing Request (CSR). For Postfix, using openssl, you can generate this CSR with the following syntax:

```shell
openssl req -new -newkey rsa:2048 -nodes -keyout myserver.key -out server.csr
```
Once you execute this command, openssl will prompt you for a number of important pieces of certificate information. Answer each question based on your organization, contact information and server FQDN. When complete, you will have your private key (myserver.key) and the CSR (server.csr). Use this CSR to request a CA-signed certificate from the CA your organization has approved for use.
If you will not be performing final delivery from the Virtru Email Gateway, or if you are only testing, you can generate a self-signed certificate. A self-signed certificate does not have the verification chain of a CA-signed one, but it will still secure the connections to and from your Virtru Email Gateway. For Postfix, using openssl, you can generate your self-signed certificate with the following syntax:

```shell
mkdir /var/virtru/vg/tls/<GATEWAY FQDN>
openssl genrsa -out /var/virtru/vg/tls/<GATEWAY FQDN>/client.key 2048
openssl req -new -key /var/virtru/vg/tls/<GATEWAY FQDN>/client.key -x509 -subj /CN=<GATEWAY FQDN> -days 3650 -out /var/virtru/vg/tls/<GATEWAY FQDN>/client.pem
```
Note the following in this syntax:
<GATEWAY FQDN>: This should be the FQDN of your server
/var/virtru/tls/: This is the path to a folder that will be mounted for Docker during the startup of the container
client.key and client.pem: You need to ensure that your private key and certificate have these filenames
Once you have generated your SSL certificates and followed the steps in the Installation section, you will have a Virtru Email Gateway instance running with TLS support. Once it is up and running, you can use the following openssl syntax to confirm it is using the correct certificates:

```shell
openssl s_client -starttls smtp -crlf -connect <server FQDN or IP>:<port>
```
Example output from this command sequence can be found below for reference:
```text
---
SSL handshake has read 1528 bytes and written 360 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 06F03A7C2AB0EA3E97cut7CD4A4A6166D551B
    Session-ID-ctx:
    Master-Key: 1A2FF452C3E09F9D7B2DECEcutFB67158960BA6
    Key-Arg   : None
    Start Time: 1370375286
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
...
```
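The following script is an added example, not part of the Virtru documentation or product. It wraps both procedures above (the CSR for a CA-signed certificate and the self-signed client.key/client.pem pair) in shell functions and adds the offline checks an operator would run before mounting the files into the container: that the private key belongs to the certificate, that the subject CN is the gateway FQDN, that the certificate has not expired, and that a self-signed certificate verifies when it is itself supplied as the trust anchor. It assumes openssl is on PATH; the FQDN gateway.example.com and the output directory are constructed placeholders standing in for <GATEWAY FQDN> and /var/virtru/vg/tls/<GATEWAY FQDN>.

```shell
#!/bin/sh
# Added example (not Virtru's code). Assumes openssl is installed.
set -eu

# Generate a private key and CSR for FQDN $1 under directory $2.
# The page's interactive command prompts for subject fields; -subj supplies them.
gen_csr() {
    fqdn="$1"; dir="$2"
    mkdir -p "$dir"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/myserver.key" \
        -out "$dir/server.csr" -subj "/CN=$fqdn" 2>/dev/null
    chmod 600 "$dir/myserver.key"      # private key must not be world-readable
}

# Return 0 if the CSR's signature verifies with the public key it carries.
csr_verifies() {
    openssl req -in "$1/server.csr" -noout -verify >/dev/null 2>&1
}

# Generate client.key and client.pem (self-signed, 10 years) for FQDN $1 under $2.
gen_self_signed() {
    fqdn="$1"; dir="$2"
    mkdir -p "$dir"
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    openssl req -new -key "$dir/client.key" -x509 -subj "/CN=$fqdn" \
        -days 3650 -out "$dir/client.pem" 2>/dev/null
    chmod 600 "$dir/client.key"
}

# Return 0 if client.key and client.pem share the same public key
# (compares SHA-256 of the DER-encoded public key from each side).
key_matches_cert() {
    k=$(openssl pkey -in "$1/client.key" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$1/client.pem" -noout -pubkey \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    [ "$k" = "$c" ]
}

# Print the certificate's subject CN.
cert_cn() {
    openssl x509 -in "$1/client.pem" -noout -subject -nameopt RFC2253 | sed 's/.*CN=//'
}

# Return 0 if the certificate is still valid for at least $2 more seconds.
cert_valid_for() {
    openssl x509 -in "$1/client.pem" -noout -checkend "$2" >/dev/null
}

# A self-signed certificate only verifies when it is its own trust anchor.
# Against a store that does not contain it, the check fails, which is what
# "Verify return code: 21" in the s_client output means.
verify_self_signed() {
    openssl verify -CAfile "$1/client.pem" "$1/client.pem" >/dev/null 2>&1
}

# Usage when run directly:  sh tls-check.sh <fqdn> <dir>
if [ $# -eq 2 ]; then
    gen_csr "$1" "$2";         csr_verifies "$2"      && echo "CSR OK"
    gen_self_signed "$1" "$2"; key_matches_cert "$2"  && echo "key matches cert"
    echo "CN: $(cert_cn "$2")"
    cert_valid_for "$2" 86400  && echo "valid for at least a day"
    verify_self_signed "$2"    && echo "self-signed chain OK"
fi
```

When the gateway is up, the same expectation applies to the live check: with a self-signed client.pem, `openssl s_client` reports return code 21 because the certificate is not in the client's trust store, so pass the certificate with `-CAfile /var/virtru/vg/tls/<GATEWAY FQDN>/client.pem` to confirm the gateway is serving the file you generated; with a CA-signed certificate the return code should be 0 without any extra option.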