The following environment variables are used to configure Virtru Email Gateway Docker image. They can be updated per customer requirements. Variables are split into 2 major categories:
Additional Details
SMTP Variables
These variables control how Gateway receives, processes and sends emails. Not every variable in this table is used in order for the Virtru gateway to function. The addition variables can be used for a company specific use case. The primary variables used are highlighted in green in the table, the secondary variables that can be used but are initially commented out are highlighted in yellow, the remainder of the vaiables can be used to fit specific use cases for your organizational needs.
| Environment Variable | Variable Value Option(s) |
Example .env Value
|
Explanation of the Variable |
| GATEWAY_DKIM_DOMAINS |
Comma-separated list of domainkey domains to enable and use DKIM.
|
gw._domainkey.yourdomain.com | DKIM signing domain for email validation and mitigating delivery issues. |
| GATEWAY_HEADER_ALLOW_RULES |
Comma-delimited list of customer header and values to use for whitelisting downstream.
|
||
| GATEWAY_HOSTNAME |
Hostname of Gateway must be populated to match the TLS certificate CN (common name).
|
||
| GATEWAY_ORGANIZATION_DOMAIN |
Domain name of organization
|
||
| GATEWAY_PROXY_PROTOCOL |
Enable Proxy Protocol for SMTP. Most situations will require this setting to be a 0. A 1 is required only when the Load Balancer supports proxy functionality.
|
||
| GATEWAY_RELAY_ADDRESSES |
Comma-delimited list of trusted networks in CIDR notation allowed to connect to this Gateway.
|
||
| GATEWAY_RELAY_DOMAINS |
Comma-delimited set of domains to relay for
|
||
| GATEWAY_SMTP_ALLOW_DOMAINS |
Comma-delimited set of domains to whitelist.
|
||
| GATEWAY_SMTP_SASL_ACCOUNTS |
If enabled, these are the domains and their corresponding users, and passwords.
|
||
| GATEWAY_SMTPD_SASL_ENABLED_UPSTREAM |
Require SASL authentication for inbound clients or mail servers upstream attempting to connect this server.
|
||
| GATEWAY_SMTPD_SASL_MECHANISMS |
Space-delimited list of SASL mechanisms to support for upstream SASL.
|
||
| GATEWAY_XHEADER_AUTH_ENABLED |
Inbound X-Header Authentication
|
||
| GATEWAY_XHEADER_AUTH_SECRET |
Inbound X-Header Authentication Enable inbound X-Header authentication Shared Secret X-Header-Virtru-Auth=secret Require: No
|
||
| GATEWAY_SMTPD_SECURITY_LEVEL |
Sets the minimum transport security required for inbound connections to the Gateway.
|
||
| GATEWAY_SMTPD_TLS_COMPLIACE_UPSTREAM |
TLS Compliance Level for upstream (inbound) connections. This sets TLS version and cipher list accordingly. Customer is still responsible for following other NIST and/or OWASP recommendations, notably making sure certificates are signed and keys are rotated regularly.
|
||
| GATEWAY_SMTPD_TLS_LOGLEVEL |
Inbound TLS Log Level. This is used for incoming connections made to the Gateway.
|
||
| GATEWAY_SMTPD_USE_TLS |
Enable TLS connection inbound to the Gateway.
|
||
| GATEWAY_SMTP_SECURITY_LEVEL |
Sets the minimum transport security required for outbound connections from the Gateway.
|
||
| GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM |
TLS Compliance Level for downstream (outbound) connections. This sets TLS version and cipher list accordingly. Customer is still responsible for following other NIST and/or OWASP recommendations, notably making sure certificates are signed and keys are rotated regularly.
|
||
| GATEWAY_SMTP_TLS_LOGLEVEL |
Outbound TLS Log Level. This is used for outbound connections made from the Gateway.
|
||
| GATEWAY_SMTP_TLS_POLICY_MAPS |
Outbound Transport Security requirements in a comm-delimited list of domains and TLS requirements for those domains.
|
||
| GATEWAY_SMTPD_SASL_ACCOUNTS |
If enabled, these are the domains and their corresponding users, and passwords.
|
||
| GATEWAY_SMTP_SASL_ENABLED_DOWNSTREAM |
Require SASL authentication for outbound downstream or relay servers attempting to connect this server.
|
||
| GATEWAY_SMTP_SASL_SECURITY_OPTIONS |
If SASL_ENABLED_DOWNSTREAM enabled, specify Postfix SMTP client SASL security options here.
|
||
| GATEWAY_TRANSPORT_MAPS |
Comma-delimited set of domains and next-hop destinations and optional ports
|
||
| GATEWAY_VERBOSE_LOGGING |
Enable verbose logging in Gateway. Set this to
|
||
| GATEWAY_LOG_LEVEL |
Sensitivity level of logs above which messages will be displayed.
|
||
| MAX_BACKOFF_TIME |
The maximal time between attempts to deliver a deferred message. Set to a value greater than or equal to MIN_BACKOFF_TIME. Time units: s (seconds), m (minutes), h (hours), d (days).
|
||
| MAX_QUEUE_LIFETIME |
Consider a message as undeliverable, when delivery fails with a temporary error, and the time in the queue has reached the MAX_QUEUE_LIFETIME limit. Time units: s (seconds), m (minutes), h (hours), d (days). Specify 0 when mail delivery should be tried only once.
|
||
| MIN_BACKOFF_TIME |
The minimal time between attempts to deliver a deferred message. Time units: s (seconds), m (minutes), h (hours), d (days).
|
||
| QUEUE_RUN_DELAY |
The time between deferred queue scans by the queue manager. Time units: s (seconds), m (minutes), h (hours), d (days).
|
||
| GATEWAY_SMTP_CACHE_CONNECTIONS | Whether to cache outgoing connections to mailservers. If "1", use on-demand connection caching. If "0", do not cache. If a list of domains (e.g. example.org,hotmail.com,gmail.com) then use per-destination connection caching. |
||
| GATEWAY_SMTP_CONNECTION_CACHE_TIME_LIMIT | "Postfix time unit: n(s,m,h,d), e.g. 5m" How long to cache SMTP connections for. Sets smtp_connection_cache_time_limit to the provied value so that the smtp daemon doesn't close the connection and sets connection_cache_ttl_limit to the same value so that the cached value is still valid |
Virtru Variables
These variables play a role in performing Virtru encryption or decryption.
| Environment Variable | Variable Value Option(s) |
Example .env Value
|
Explanation of the Variable |
| GATEWAY_ACCOUNTS_URL |
URL to Virtru's
|
https://api.virtru.com/accounts | |
| GATEWAY_ACM_URL |
URL to Virtru's
|
https://api.virtru.com/acm | |
GATEWAY_AMPLITUDE_API_KEY |
Amplitude Token is used to authenticate the Virtru tenant in Amplitude. Amplitude is an events platform used to store general performance metrics.
|
Contact Virtru Support to obtain your token. | |
| GATEWAY_API_TOKEN_NAME |
HMAC Token is used to authenticate the Virtru Gateway.
|
Contact Virtru Support to obtain your token. | |
| GATEWAY_API_TOKEN_SECRET |
HMAC Token is used to authenticate the Virtru Gateway.
|
Contact Virtru Support to obtain your token. | |
| GATEWAY_DLP_CACHE_DURATION |
The interval of time between refreshing the Security Rules.
|
30 | |
| GATEWAY_MODE |
The mode for the Gateway.
*Please note: DLP mode correlates to Security Rule scanning |
encrypt-everything | |
| GATEWAY_ORGANIZATION_DOMAIN |
Domain name of organization
|
example.com | |
| GATEWAY_REMOTE_CONTENT_BASE_URL |
The base URL for remote content.
|
https://secure.virtru.com/start/ | |
| GATEWAY_TOPOLOGY |
Topology of the gateway.
|
outbound | |
| GATEWAY_DECRYPT_PERSISTENT_PROTECTED_ATTACHMENTS |
|
"1" to decrypt attachments that have persistent protection enabled | |
| GATEWAY_ROUTING_XHEADERS |
|
`X-Header-1: value1, X-Header-2: value2` | |
| GATEWAY_DECRYPT_THEN_ENCRYPT |
|
"0" for default, and "1" to activate. | |
| GATEWAY_ENCRYPTION_KEY_PROVIDER |
|
"CKS" | |
| GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS |
|
"360" | |
| GATEWAY_HEADER_REWRITES |
Add a new environment variable `GATEWAY_HEADER_REWRITES` that contains a comma separated
|
GATEWAY_HEADER_REWRITES=From: secure-reply@virtru.com => Reply-To | |
| GATEWAY_HTTP_PROXY_HOST |
HTTP proxy hostname or IP address for Gateway container traffic to reach Virtru endpoints.
|
proxy.example.com | Allows Gateway to route HTTP traffic through a proxy server. Persists through container upgrades. |
| GATEWAY_HTTP_PROXY_PORT |
HTTP proxy port.
|
80 | HTTP proxy port. Defaults to 80 if not specified. |
| GATEWAY_HTTPS_PROXY_HOST |
HTTPS proxy hostname or IP address for Gateway container traffic to reach Virtru endpoints.
|
proxy.example.com | Allows Gateway to route HTTPS traffic through a proxy server. Persists through container upgrades. |
| GATEWAY_HTTPS_PROXY_PORT |
HTTPS proxy port.
|
443 | HTTPS proxy port. Defaults to 443 if not specified. |
TLS Compliance Levels
| Option | Description |
|---|---|
| LOW |
|
| MEDIUM |
|
| HIPAA_2018 |
|
| PCI_321 |
|
| HIGH |
|
GATEWAY_RELAY_ADDRESSES default values for Gmail and Office 365:
| Mail Provider | CIDR Blocks |
|---|---|
| Gmail |
35.190.247.0/24,64.233.160.0/19,66.102.0.0/20,66.249.80.0/20,72.14.192.0/18,74.125.0.0/16,108.177.8.0/21, 173.194.0.0/16,209.85.128.0/17,216.58.192.0/19,216.239.32.0/19,172.217.0.0/19,172.217.32.0/20,172.217.128.0/19, 172.217.160.0/20,172.217.192.0/19,108.177.96.0/19,35.191.0.0/16,130.211.0.0/22,172.253.56.0/21,172.253.112.0/20 |
| Office 365 |
23.103.132.0/22,23.103.136.0/21,23.103.144.0/20,23.103.198.0/23,23.103.200.0/22,23.103.212.0/22,40.92.0.0/14, 40.107.0.0/17,40.107.128.0/18,52.100.0.0/14,65.55.88.0/24,65.55.169.0/24,94.245.120.64/26,104.47.0.0/17,104.212.58.0/23, 134.170.132.0/24,134.170.140.0/24,157.55.234.0/24,157.56.110.0/23,157.56.112.0/24,207.46.51.64/26,207.46.100.0/24, 207.46.163.0/24,213.199.154.0/24,213.199.180.128/26,216.32.180.0/23 |