The following environment variables are used to configure the Virtru Email Gateway Docker image. They can be updated per customer requirements. The variables are split into two major categories:
Additional Details
SMTP Variables
These variables control how Gateway receives, processes and sends emails.
| Environment Variable | Description | Example |
|---|---|---|
| GATEWAY_DKIM_DOMAINS | Comma-delimited list of | mail._domainkey.example.com, mx._domainkey.examplemail.com |
| GATEWAY_HEADER_ALLOW_RULES | Comma-delimited list of custom headers and values used to whitelist mail downstream. | X-Platform_Tenant:Example |
| GATEWAY_HOSTNAME | Hostname of the Gateway; must match the CN (common name) of the TLS certificate. | mail.example.com |
| GATEWAY_ORGANIZATION_DOMAIN | Domain name of the organization. | example.com |
| GATEWAY_PROXY_PROTOCOL | Enable Proxy Protocol for SMTP. Most deployments require 0; set it to 1 only when the load balancer supports proxy protocol. | 0 |
| GATEWAY_RELAY_ADDRESSES | Comma-delimited list of trusted networks, in CIDR notation, allowed to connect to this Gateway. | 104.196.26.179/24,173.194.0.0/16 |
| GATEWAY_RELAY_DOMAINS | Comma-delimited set of domains to relay for. | example.com,examplemail.com |
| GATEWAY_SMTP_ALLOW_DOMAINS | Comma-delimited set of domains to whitelist. | example.com,examplemail.com |
| GATEWAY_SMTP_SASL_ACCOUNTS | If downstream SASL is enabled, the domains and their corresponding users and passwords. | example.com=>user1=>password1 example.com=>user2=>password2 example.net=>user3=>password3 |
| GATEWAY_SMTP_SASL_ENABLED_DOWNSTREAM | Require SASL authentication for outbound connections to downstream or relay servers. | 0 |
| GATEWAY_SMTP_SASL_SECURITY_OPTIONS | If GATEWAY_SMTP_SASL_ENABLED_DOWNSTREAM is enabled, the Postfix SMTP client SASL security options. | noanonymous |
| GATEWAY_SMTP_SECURITY_LEVEL | Minimum transport security required for outbound connections from the Gateway. | opportunistic |
| GATEWAY_SMTP_USE_TLS | Enable TLS for outbound connections from the Gateway. | 1 |
| GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM | TLS compliance level for downstream (outbound) connections; sets the TLS version and cipher list accordingly. The customer remains responsible for following other NIST and/or OWASP recommendations, notably making sure certificates are signed and keys are rotated regularly. | HIGH |
| GATEWAY_SMTP_TLS_LOGLEVEL | TLS log level for outbound connections made from the Gateway. | 2 |
| GATEWAY_SMTP_TLS_POLICY_MAPS | Outbound transport security requirements: a comma-delimited list of domains and the TLS requirement for each domain. | example1.com=>may example2.com=>none example3.com=>encrypt example4.net=>none |
| GATEWAY_SMTPD_SASL_ACCOUNTS | If upstream SASL is enabled, the domains and their corresponding users and passwords. | example.com=>user1=>password1 example.com=>user2=>password2 example.net=>user3=>password3 |
| GATEWAY_SMTPD_SASL_ENABLED_UPSTREAM | Require SASL authentication for inbound clients or upstream mail servers connecting to this server. | 0 |
| GATEWAY_SMTPD_SASL_MECHANISMS | Space-delimited list of SASL mechanisms to support for upstream SASL. | DIGEST-MD5 LOGIN |
| GATEWAY_XHEADER_AUTH_ENABLED | Enable inbound X-Header authentication. | GATEWAY_XHEADER_AUTH_ENABLED=1 |
| GATEWAY_XHEADER_AUTH_SECRET | Shared secret for inbound X-Header authentication, presented as X-Header-Virtru-Auth=secret. Required: No. | X-Header-Virtru-Auth=123456789 |
| GATEWAY_SMTPD_SECURITY_LEVEL | Minimum transport security required for inbound connections to the Gateway. | opportunistic |
| GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM | TLS compliance level for upstream (inbound) connections; sets the TLS version and cipher list accordingly. The customer remains responsible for following other NIST and/or OWASP recommendations, notably making sure certificates are signed and keys are rotated regularly. | HIGH |
| GATEWAY_SMTPD_TLS_LOGLEVEL | TLS log level for incoming connections made to the Gateway. | 2 |
| GATEWAY_SMTPD_USE_TLS | Enable TLS for inbound connections to the Gateway. | 1 |
| GATEWAY_TRANSPORT_MAPS | Comma-delimited set of domains with their next-hop destinations and optional ports. | example.com=>mail.example.com examplemail.com=>mx.examplemail.com:10025 *=>[192.168.1.1]:10026 |
| GATEWAY_VERBOSE_LOGGING | Enable verbose logging in Gateway. Set this to | 0 |
| GATEWAY_LOG_LEVEL | Log severity threshold above which messages are displayed. | debug |
| MAX_BACKOFF_TIME | Maximal time between attempts to deliver a deferred message. Set to a value greater than or equal to MIN_BACKOFF_TIME. Time units: s (seconds), m (minutes), h (hours), d (days). | 45s |
| MAX_QUEUE_LIFETIME | A message is considered undeliverable when delivery fails with a temporary error and its time in the queue has reached this limit. Time units: s (seconds), m (minutes), h (hours), d (days). Specify 0 to attempt delivery only once. | 1d 15m 300s |
| MIN_BACKOFF_TIME | Minimal time between attempts to deliver a deferred message. Time units: s (seconds), m (minutes), h (hours), d (days). | 300s |
| QUEUE_RUN_DELAY | Time between deferred queue scans by the queue manager. Time units: s (seconds), m (minutes), h (hours), d (days). | 300s |
| GATEWAY_SMTP_CACHE_CONNECTIONS | Whether to cache outgoing connections to mail servers. "1" enables on-demand connection caching; "0" disables caching. If a list of domains (e.g. | 1 |
| GATEWAY_SMTP_CONNECTION_CACHE_TIME_LIMIT | How long to cache SMTP connections, as a Postfix time unit: n(s,m,h,d), e.g. 5m. Sets smtp_connection_cache_time_limit to the provided value so that the smtp daemon does not close the connection, and sets connection_cache_ttl_limit to the same value so that the cached entry remains valid. | 5s |
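The Postfix-style time values and the `=>` maps above are easy to get wrong in a Docker env file. As an added example (not part of the Virtru image or its documentation), the POSIX sh checks below validate MAX_BACKOFF_TIME against MIN_BACKOFF_TIME and every GATEWAY_SMTP_TLS_POLICY_MAPS entry before `docker run`. They assume entries are separated by spaces or commas with `=>` between fields, as in the table's examples, and that the TLS requirement names are Postfix's smtp_tls_policy_maps levels; with the table's example values (MIN 300s, MAX 45s) the backoff check reports a problem.

```shell
#!/bin/sh
# Added pre-deployment sanity checks for a few Gateway variables (assumed formats:
# space/comma-separated entries, "=>" between fields, Postfix TLS policy levels).

# Convert a Postfix time value (300s, 15m, 1d; bare number = seconds) to seconds.
postfix_seconds() {
  num=${1%[smhd]}
  unit=${1#"$num"}
  case "$num" in
    ''|*[!0-9]*) echo "not a Postfix time value: '$1'" >&2; return 1 ;;
  esac
  case "$unit" in
    ''|s) echo "$num" ;;
    m) echo $((num * 60)) ;;
    h) echo $((num * 3600)) ;;
    d) echo $((num * 86400)) ;;
  esac
}

# MAX_BACKOFF_TIME must be greater than or equal to MIN_BACKOFF_TIME.
check_backoff() {
  min=$(postfix_seconds "$1") || return 1
  max=$(postfix_seconds "$2") || return 1
  [ "$max" -ge "$min" ]
}

# Every GATEWAY_SMTP_TLS_POLICY_MAPS entry must be domain=>level with a known level.
check_tls_policy_maps() {
  for entry in $(printf '%s' "$1" | tr ',' ' '); do
    case "$entry" in
      *"=>"*) ;;
      *) echo "missing '=>' in '$entry'" >&2; return 1 ;;
    esac
    level=${entry#*=>}
    case "$level" in
      none|may|encrypt|dane|dane-only|fingerprint|verify|secure) ;;
      *) echo "unknown TLS level '$level' in '$entry'" >&2; return 1 ;;
    esac
  done
}

# Run the checks against the example values from the table above (constructed input).
if check_backoff "${MIN_BACKOFF_TIME:-300s}" "${MAX_BACKOFF_TIME:-45s}"; then
  echo "backoff: ok"
else
  echo "backoff: MAX_BACKOFF_TIME must be >= MIN_BACKOFF_TIME" >&2
fi
check_tls_policy_maps "example1.com=>may example2.com=>none example3.com=>encrypt example4.net=>none" \
  && echo "tls policy maps: ok"
```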
Virtru Variables
These variables play a role in performing Virtru encryption or decryption.
| Environment Variable | Description | Example |
|---|---|---|
| GATEWAY_ACCOUNTS_URL | URL to Virtru's | https://api.virtru.com/accounts |
| GATEWAY_ACM_URL | URL to Virtru's | https://api.virtru.com/acm |
| GATEWAY_AMPLITUDE_API_KEY | Amplitude token used to authenticate the Virtru tenant in Amplitude, an events platform used to store general performance metrics. | Contact Virtru Support to obtain your token. |
| GATEWAY_API_TOKEN_NAME | HMAC token name used to authenticate the Virtru Gateway. | Contact Virtru Support to obtain your token. |
| GATEWAY_API_TOKEN_SECRET | HMAC token secret used to authenticate the Virtru Gateway. | Contact Virtru Support to obtain your token. |
| GATEWAY_DLP_CACHE_DURATION | Interval between refreshes of the DLP rules. | 30 |
| GATEWAY_MODE | The mode for the Gateway. | encrypt-everything |
| GATEWAY_ORGANIZATION_DOMAIN | Domain name of the organization. | example.com |
| GATEWAY_REMOTE_CONTENT_BASE_URL | Base URL for remote content. | https://secure.virtru.com/start/ |
| GATEWAY_TOPOLOGY | Topology of the Gateway. | outbound |
| GATEWAY_REPLACEMENT_FROM_ENABLED | | "0" to disable or "1" to enable |
| GATEWAY_DECRYPT_PERSISTENT_PROTECTED_ATTACHMENTS | | "1" to decrypt attachments that have persistent protection enabled |
| GATEWAY_ROUTING_XHEADERS | | `X-Header-1: value1, X-Header-2: value2` |
| GATEWAY_RECORD_POLICY_OPTIONS | | Values: 1 - True, 0 - False |
| GATEWAY_USE_EXISTING_POLICY_OPTIONS | | Values: ignore, accept |
| GATEWAY_DECRYPT_THEN_ENCRYPT | | "0" for default, and "1" to activate. |
| GATEWAY_ENCRYPTION_KEY_PROVIDER | | "CKS" |
| GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS | | "360" |
| GATEWAY_HEADER_REWRITES | Add a new environment variable `GATEWAY_HEADER_REWRITES` that contains a comma separated | GATEWAY_HEADER_REWRITES=From: secure-reply@virtru.com => Reply-To |
| Option | Description |
|---|---|
| LOW | |
| MEDIUM | |
| HIPAA_2018 | |
| PCI_321 | |
| HIGH | |
GATEWAY_RELAY_ADDRESSES default values for Gmail and Office 365:

| Mail Provider | CIDR Blocks |
|---|---|
| Gmail | 35.190.247.0/24,64.233.160.0/19,66.102.0.0/20,66.249.80.0/20,72.14.192.0/18,74.125.0.0/16,108.177.8.0/21,173.194.0.0/16,209.85.128.0/17,216.58.192.0/19,216.239.32.0/19,172.217.0.0/19,172.217.32.0/20,172.217.128.0/19,172.217.160.0/20,172.217.192.0/19,108.177.96.0/19,35.191.0.0/16,130.211.0.0/22,172.253.56.0/21,172.253.112.0/20 |
| Office 365 | 23.103.132.0/22,23.103.136.0/21,23.103.144.0/20,23.103.198.0/23,23.103.200.0/22,23.103.212.0/22,40.92.0.0/14,40.107.0.0/17,40.107.128.0/18,52.100.0.0/14,65.55.88.0/24,65.55.169.0/24,94.245.120.64/26,104.47.0.0/17,104.212.58.0/23,134.170.132.0/24,134.170.140.0/24,157.55.234.0/24,157.56.110.0/23,157.56.112.0/24,207.46.51.64/26,207.46.100.0/24,207.46.163.0/24,213.199.154.0/24,213.199.180.128/26,216.32.180.0/23 |