The following environment variables configure the Virtru Email Gateway Docker image. They can be adjusted per customer requirements. Variables are split into two major categories: SMTP variables and Virtru variables.
SMTP Variables
These variables control how the Gateway receives, processes and sends email.
Environment Variable | Description | Example
--- | --- | ---
GATEWAY_DKIM_DOMAINS | Comma-delimited list of | `mail._domainkey.example.com, mx._domainkey.examplemail.com`
GATEWAY_HEADER_ALLOW_RULES | Comma-delimited list of custom header names and values used to whitelist messages for downstream delivery. | `X-Platform_Tenant:Example`
GATEWAY_HOSTNAME | Hostname of the Gateway. It must match the CN (common name) of the TLS certificate (and, for clients that verify certificates, a SAN entry), otherwise peers verifying the certificate will reject the connection. | `mail.example.com`
GATEWAY_ORGANIZATION_DOMAIN | Domain name of the organization. | `example.com`
GATEWAY_PROXY_PROTOCOL | Enable the PROXY protocol for SMTP. Most deployments require 0. Set it to 1 only when the load balancer in front of the Gateway supports and sends the PROXY protocol header; if it is enabled, make sure only the load balancer can reach the SMTP listener, since a client that reaches it directly could otherwise present a forged PROXY header and a spoofed source address. | `0`
GATEWAY_RELAY_ADDRESSES | Comma-delimited list of trusted networks in CIDR notation allowed to connect to this Gateway and relay mail through it. Trust is granted purely by source address, so keep the list as narrow as possible, and write network addresses with the host bits cleared (104.196.26.0/24 rather than 104.196.26.179/24). | `104.196.26.179/24,173.194.0.0/16`
GATEWAY_RELAY_DOMAINS | Comma-delimited set of domains this Gateway relays mail for. | `example.com,examplemail.com`
GATEWAY_SMTP_ALLOW_DOMAINS | Comma-delimited set of domains to whitelist. | `example.com,examplemail.com`
GATEWAY_SMTP_SASL_ACCOUNTS | Credentials the Gateway presents to downstream servers when GATEWAY_SMTP_SASL_ENABLED_DOWNSTREAM is enabled: each entry is a domain, a user and a password joined with `=>`. | `example.com=>user1=>password1 example.com=>user2=>password2 example.net=>user3=>password3`
GATEWAY_SMTP_SASL_ENABLED_DOWNSTREAM | Enable SASL authentication for outbound connections, i.e. the Gateway authenticates itself to downstream relay servers using GATEWAY_SMTP_SASL_ACCOUNTS. | `0`
GATEWAY_SMTP_SASL_SECURITY_OPTIONS | Postfix SMTP client SASL security options, used when GATEWAY_SMTP_SASL_ENABLED_DOWNSTREAM is enabled. `noanonymous` refuses anonymous mechanisms; add `noplaintext` if the password must never be sent with a plaintext mechanism such as PLAIN or LOGIN. | `noanonymous`
GATEWAY_SMTP_SECURITY_LEVEL | Minimum transport security required for outbound connections from the Gateway. | `opportunistic`
GATEWAY_SMTP_USE_TLS | Enable TLS for outbound connections from the Gateway. | `1`
GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM | TLS compliance level for downstream (outbound) connections; it selects the TLS versions and cipher list. The customer remains responsible for other NIST and OWASP recommendations, notably using certificates signed by a trusted CA and rotating keys regularly. | `HIGH`
GATEWAY_SMTP_TLS_LOGLEVEL | TLS log level for outbound connections made from the Gateway. | `2`
GATEWAY_SMTP_TLS_POLICY_MAPS | Per-domain outbound transport security requirements: a comma-delimited list of `domain=>requirement` pairs. A per-domain entry overrides GATEWAY_SMTP_SECURITY_LEVEL for that domain, so an entry set to `none` sends mail to that domain without TLS. | `example1.com=>may example2.com=>none example3.com=>encrypt example4.net=>none`
GATEWAY_SMTPD_SASL_ACCOUNTS | Accounts upstream clients may authenticate with when GATEWAY_SMTPD_SASL_ENABLED_UPSTREAM is enabled: each entry is a domain, a user and a password joined with `=>`. | `example.com=>user1=>password1 example.com=>user2=>password2 example.net=>user3=>password3`
GATEWAY_SMTPD_SASL_ENABLED_UPSTREAM | Require SASL authentication from inbound clients or upstream mail servers connecting to this Gateway. | `0`
GATEWAY_SMTPD_SASL_MECHANISMS | Space-delimited list of SASL mechanisms offered to upstream clients. LOGIN (like PLAIN) transmits the password in the clear, so offer it only when GATEWAY_SMTPD_USE_TLS is enabled. | `DIGEST-MD5 LOGIN`
GATEWAY_XHEADER_AUTH_ENABLED | Enable inbound X-Header authentication. | `1`
GATEWAY_XHEADER_AUTH_SECRET | Shared secret for inbound X-Header authentication: an upstream sender proves it is authorized by including the header `X-Header-Virtru-Auth` with this value. Required: No. | `123456789`
GATEWAY_SMTPD_SECURITY_LEVEL | Minimum transport security required for inbound connections to the Gateway. | `opportunistic`
GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM | TLS compliance level for upstream (inbound) connections; it selects the TLS versions and cipher list. The customer remains responsible for other NIST and OWASP recommendations, notably using certificates signed by a trusted CA and rotating keys regularly. | `HIGH`
GATEWAY_SMTPD_TLS_LOGLEVEL | TLS log level for inbound connections made to the Gateway. | `2`
GATEWAY_SMTPD_USE_TLS | Enable TLS for inbound connections to the Gateway. | `1`
GATEWAY_TRANSPORT_MAPS | Comma-delimited set of `domain=>next-hop` entries with optional ports. `*` is the default next hop for domains not listed; a bracketed host such as `[192.168.1.1]` is, as in Postfix transport tables, connected to literally without an MX lookup. | `example.com=>mail.example.com examplemail.com=>mx.examplemail.com:10025 *=>[192.168.1.1]:10026`
GATEWAY_VERBOSE_LOGGING | Enable verbose logging in the Gateway. Set this to | `0`
MAX_BACKOFF_TIME | Maximal time between attempts to deliver a deferred message. Must be greater than or equal to MIN_BACKOFF_TIME; the `45s` shown here is only valid if MIN_BACKOFF_TIME is lowered accordingly. Time units: s (seconds), m (minutes), h (hours), d (days). | `45s`
MAX_QUEUE_LIFETIME | A message is considered undeliverable when delivery keeps failing with a temporary error and its time in the queue reaches this limit. Specify 0 to attempt delivery only once. Time units: s (seconds), m (minutes), h (hours), d (days). | `1d`, `15m`, `300s`
MIN_BACKOFF_TIME | Minimal time between attempts to deliver a deferred message. Time units: s (seconds), m (minutes), h (hours), d (days). | `300s`
QUEUE_RUN_DELAY | Time between deferred-queue scans by the queue manager. Time units: s (seconds), m (minutes), h (hours), d (days). | `300s`
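The `domain=>value` map variables above are easy to get subtly wrong, so here is a small parser for them, added as an example and not code from Virtru or the Gateway image. It renders GATEWAY_TRANSPORT_MAPS and GATEWAY_SMTP_TLS_POLICY_MAPS into Postfix transport and tls_policy table lines and lists the domains whose policy is `none`. It assumes entries may be separated by commas or whitespace (the descriptions say comma-delimited, the examples use spaces) and that the Gateway hands these maps to Postfix in this form, which the page implies through its Postfix SASL options but does not spell out; the requirement names it accepts are Postfix's own `smtp_tls_security_level` values.

```python
"""Parser for the Gateway's domain=>value map variables (added example).

Assumptions, not taken from the page: entries are separated by commas or
whitespace, and the maps correspond to Postfix transport(5) and tls_policy
lookup tables.
"""
import re
from typing import List, Optional, Tuple

# Postfix smtp_tls_security_level values usable in a per-domain policy.
TLS_POLICY_LEVELS = {"none", "may", "encrypt", "dane", "dane-only",
                     "fingerprint", "verify", "secure"}

_DOMAIN_RE = re.compile(r"^(\*|[a-z0-9.-]+)$", re.IGNORECASE)
# A next hop is either a bracketed literal ([host] or [ip]) or a bare host,
# optionally followed by :port.
_NEXTHOP_RE = re.compile(r"(\[[^\]]+\]|[^:\[\]]+)(?::(\d{1,5}))?")


def parse_map(raw: str) -> List[Tuple[str, str]]:
    """Split 'a=>x, b=>y c=>z' into [('a', 'x'), ('b', 'y'), ('c', 'z')]."""
    pairs = []
    for entry in re.split(r"[,\s]+", raw.strip()):
        if not entry:
            continue
        if "=>" not in entry:
            raise ValueError(f"entry {entry!r} is not of the form domain=>value")
        key, value = entry.split("=>", 1)
        if not _DOMAIN_RE.match(key):
            raise ValueError(f"bad domain {key!r}")
        pairs.append((key.lower(), value))
    return pairs


def _split_host_port(nexthop: str) -> Tuple[str, Optional[str]]:
    m = _NEXTHOP_RE.fullmatch(nexthop)
    if not m:
        raise ValueError(f"bad next-hop {nexthop!r}")
    host, port = m.group(1), m.group(2)
    if port is not None and not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range in {nexthop!r}")
    return host, port


def transport_table(raw: str) -> List[str]:
    """Render GATEWAY_TRANSPORT_MAPS as Postfix transport(5) lines.

    '*' becomes the catch-all entry; brackets are kept so Postfix connects to
    the host literally instead of looking up MX records.
    """
    lines = []
    for domain, nexthop in parse_map(raw):
        host, port = _split_host_port(nexthop)
        dest = host if port is None else f"{host}:{port}"
        lines.append(f"{domain}\tsmtp:{dest}")
    return lines


def tls_policy_table(raw: str) -> List[str]:
    """Render GATEWAY_SMTP_TLS_POLICY_MAPS as Postfix tls_policy lines."""
    lines = []
    for domain, level in parse_map(raw):
        if level not in TLS_POLICY_LEVELS:
            raise ValueError(f"unknown TLS requirement {level!r} for {domain}")
        lines.append(f"{domain}\t{level}")
    return lines


def downgraded_domains(raw: str) -> List[str]:
    """Domains with policy 'none': mail to them leaves the Gateway unencrypted.

    Each such entry silently overrides GATEWAY_SMTP_SECURITY_LEVEL for that
    domain, so review the list before deploying.
    """
    return [domain for domain, level in parse_map(raw) if level == "none"]


if __name__ == "__main__":
    # Example values from the table above.
    print("\n".join(transport_table(
        "example.com=>mail.example.com examplemail.com=>mx.examplemail.com:10025 "
        "*=>[192.168.1.1]:10026")))
    print("\n".join(tls_policy_table(
        "example1.com=>may example2.com=>none example3.com=>encrypt example4.net=>none")))
    print("clear-text domains:", downgraded_domains(
        "example1.com=>may example2.com=>none example3.com=>encrypt example4.net=>none"))
```

A value like `opportunistic`, which is valid for GATEWAY_SMTP_SECURITY_LEVEL, is rejected here as a per-domain requirement because Postfix policy tables do not know it; if the Gateway accepts other spellings in GATEWAY_SMTP_TLS_POLICY_MAPS, extend `TLS_POLICY_LEVELS` accordingly.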
Virtru Variables
These variables play a role in performing Virtru encryption or decryption.
Environment Variable | Description | Example
--- | --- | ---
GATEWAY_ACCOUNTS_URL | URL to Virtru's | `https://accounts.virtru.com/`
GATEWAY_ACM_URL | URL to Virtru's | `https://acm.virtru.com`
GATEWAY_AMPLITUDE_API_KEY | Amplitude token used to authenticate the Virtru tenant to Amplitude, an events platform used to store general performance metrics. | Contact Virtru Support to obtain your token.
GATEWAY_API_TOKEN_NAME | Name of the HMAC token used to authenticate the Virtru Gateway. | Contact Virtru Support to obtain your token.
GATEWAY_API_TOKEN_SECRET | Secret of the HMAC token used to authenticate the Virtru Gateway. Treat it as a credential: restrict read access to the environment file that holds it and keep it out of source control. | Contact Virtru Support to obtain your token.
GATEWAY_DLP_CACHE_DURATION | Interval between refreshes of the DLP rules. | `30`
GATEWAY_MODE | The mode of the Gateway. | `encrypt-everything`
GATEWAY_NEWRELIC_CRED | Sends Gateway metrics to the customer's own New Relic instance. | New Relic key
GATEWAY_ORGANIZATION_DOMAIN | Domain name of the organization. | `example.com`
GATEWAY_REMOTE_CONTENT_BASE_URL | Base URL for remote content. | `https://secure.virtru.com/start/`
GATEWAY_TOPOLOGY | Topology of the Gateway. | `outbound`
GATEWAY_REPLACEMENT_FROM_ENABLED | Set to 0 to disable or 1 to enable. | `0`
GATEWAY_DECRYPT_PERSISTENT_PROTECTED_ATTACHMENTS | Set to 1 to decrypt attachments that have persistent protection enabled. | `1`
GATEWAY_ROUTING_XHEADERS | | `X-Header-1: value1, X-Header-2: value2`
Values accepted by the TLS compliance level variables (GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM and GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM):

Option | Description
--- | ---
LOW |
MEDIUM |
HIPAA_2018 |
PCI_321 |
HIGH |
Sample Environment Variables Files
The snippet below shows an Environment Variables File used to run the Gateway Docker image. Copy the contents of this snippet into your Environment Variables File and edit it accordingly. Because the file carries SASL passwords and the API token secret, restrict its read permissions to the account that starts the container.
Syntax Rules
These syntax rules apply to the .env file:
- Each line in an .env file must be in VARIABLE=VALUE format.
- Lines beginning with # (i.e. comments) are ignored.
- Blank lines are ignored.
- Quotation marks (' and ") are not ignored for VALUE: they are kept as part of the value, so GATEWAY_HOSTNAME="mail.example.com" sets a hostname that includes the quotes and will not match the certificate CN.
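A preflight check that applies these syntax rules and a few of the constraints stated in the tables above, added here as an example; it is not Virtru tooling, and the .env content it checks is constructed for the example. It keeps quotes literally as the rules require, flags a quoted GATEWAY_HOSTNAME, rejects GATEWAY_RELAY_ADDRESSES entries with host bits set, checks MAX_BACKOFF_TIME against MIN_BACKOFF_TIME, and warns when LOGIN or PLAIN is offered to upstream clients while GATEWAY_SMTPD_USE_TLS is not explicitly 1 (the page states no defaults, so the check is deliberately conservative).

```python
"""Preflight check for a Gateway .env file (added example, not Virtru tooling).

Implements the four syntax rules (VARIABLE=VALUE, '#' comments, blank lines,
quotes kept literally) and checks constraints the variable tables state or
imply. SAMPLE_ENV is constructed for this example.
"""
import ipaddress
import re
from typing import Dict, List

SAMPLE_ENV = """\
# constructed sample, not a real deployment
GATEWAY_HOSTNAME="mail.example.com"
GATEWAY_RELAY_ADDRESSES=104.196.26.179/24,173.194.0.0/16

MIN_BACKOFF_TIME=300s
MAX_BACKOFF_TIME=45s
GATEWAY_SMTPD_SASL_ENABLED_UPSTREAM=1
GATEWAY_SMTPD_SASL_MECHANISMS=DIGEST-MD5 LOGIN
GATEWAY_SMTPD_USE_TLS=0
"""

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_env(text: str) -> Dict[str, str]:
    """Parse per the syntax rules: '#' lines and blanks skipped, quotes kept."""
    env: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected VARIABLE=VALUE")
        name, value = line.split("=", 1)   # only the first '=' separates
        env[name.strip()] = value          # quotes, if any, stay in the value
    return env


def to_seconds(value: str) -> int:
    """Convert a time value such as '1d', '15m' or '300s' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd])", value.strip())
    if not m:
        raise ValueError(f"bad time value {value!r}")
    return int(m.group(1)) * _UNITS[m.group(2)]


def preflight(env: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the file passed."""
    findings: List[str] = []

    host = env.get("GATEWAY_HOSTNAME", "")
    if not host:
        findings.append("GATEWAY_HOSTNAME is not set")
    elif host[0] in "\"'" or host[-1] in "\"'":
        findings.append("GATEWAY_HOSTNAME contains quote characters, which are "
                        "kept literally and will not match the certificate CN")

    for cidr in filter(None, env.get("GATEWAY_RELAY_ADDRESSES", "").split(",")):
        try:
            ipaddress.ip_network(cidr.strip(), strict=True)  # host bits must be 0
        except ValueError:
            findings.append(f"GATEWAY_RELAY_ADDRESSES entry {cidr.strip()!r} is "
                            "malformed or has host bits set")

    if "MIN_BACKOFF_TIME" in env and "MAX_BACKOFF_TIME" in env:
        if to_seconds(env["MAX_BACKOFF_TIME"]) < to_seconds(env["MIN_BACKOFF_TIME"]):
            findings.append("MAX_BACKOFF_TIME is less than MIN_BACKOFF_TIME")

    mechs = set(env.get("GATEWAY_SMTPD_SASL_MECHANISMS", "").upper().split())
    if (env.get("GATEWAY_SMTPD_SASL_ENABLED_UPSTREAM") == "1"
            and env.get("GATEWAY_SMTPD_USE_TLS") != "1"
            and mechs & {"LOGIN", "PLAIN"}):
        findings.append("PLAIN/LOGIN SASL offered upstream without TLS: "
                        "credentials would cross the network in clear text")
    return findings


if __name__ == "__main__":
    for finding in preflight(parse_env(SAMPLE_ENV)):
        print("FAIL:", finding)
```

Run it against the real file before `docker run --env-file`; every line it prints corresponds to a row in the tables above, and an empty result is the expected state for a production file.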