Welcome to Virtru's support portal. As we work to make this page more accessible to screen readers, please contact us at support@virtru.com for technical support.

Articles in this section

See more

On-Premises Gateway - Environment Variables

Avatar
Craig Engle
  • Updated
Follow

The following environment variables are used to configure Virtru Email Gateway Docker image. They can be updated per customer requirements. Variables are split into 2 major categories:

Additional Details

 

SMTP Variables

These variables control how Gateway receives, processes and sends emails.

Environment Variable Description Example
GATEWAY_DKIM_DOMAINS

Comma-delimited list of domainkey domains to enable and use DKIM.

    • Default: N/A
    • Required: No
    • Values: Text
 mail._domainkey.example.com, mx._domainkey.examplemail.com 
GATEWAY_HEADER_ALLOW_RULES

Comma-delimited list of customer header and values to use for whitelisting downstream.

  • Default: N/A
  • Required: No
  • Values: Text
 X-Platform_Tenant:Example
GATEWAY_HOSTNAME

Hostname of Gateway must be populated to match the TLS certificate CN (common name).

  • Default: N/A
  • Required: Yes
  • Values: Text
 mail.example.com
GATEWAY_ORGANIZATION_DOMAIN

Domain name of organization

  • Default: N/A
  • Required: Yes
  • Values: Text
 example.com
GATEWAY_PROXY_PROTOCOL

Enable Proxy Protocol for SMTP.  Most situations will require this setting to be a 0.  A 1 is required only when the Load Balancer supports proxy functionality.

  • Default: 1
  • Required: Yes
  • Values: 0,1
 0
GATEWAY_RELAY_ADDRESSES

Comma-delimited list of trusted networks in CIDR notation allowed to connect to this Gateway.

  • Default: N/A
  • Required: Yes
  • Values: Text
 104.196.26.179/24,173.194.0.0/16 
GATEWAY_RELAY_DOMAINS

Comma-delimited set of domains to relay for

  • Default: N/A
  • Required: No
  • Values: Text
 example.com,examplemail.com
GATEWAY_SMTP_ALLOW_DOMAINS

Comma-delimited set of domains to whitelist.

  • Default: N/A
  • Required: No
  • Values: Text
  • Note: Applicable only when Gateway is used in the inbound mode.
 example.com,examplemail.com 
GATEWAY_SMTP_SASL_ACCOUNTS

If enabled, these are the domains and their corresponding users, and passwords.

  • Default: N/A
  • Required: No
  • Values: Text
  • Note: Applicable only when:
    • GATEWAY_SMTP_SASL_ENABLED_DOWNSTREAM=0

example.com=>user1=>password1

example.com=>user2=>password2

example.net=>user3=>password3
GATEWAY_SMTP_SASL_ENABLED_DOWNSTREAM Require SASL authentication for outbound downstream or relay servers attempting to connect this server.
  • Default: 0
  • Required: No
  • Values: 0,1
GATEWAY_SMTP_SASL_SECURITY_OPTIONS

If SASL_ENABLED_DOWNSTREAM enabled, specify Postfix SMTP client SASL security options here.

  • Default: N/A
  • Required: No
  • Values: Text
 noanonymous
GATEWAY_SMTP_SECURITY_LEVEL

Sets the minimum transport security required for outbound connections from the Gateway.

  • Default: opportunistic.
  • Required: No
  • Values: mandatory or opportunistic
  • Note: Only used when GATEWAY_SMTP_USE_TLS=1
 opportunistic
GATEWAY_SMTP_USE_TLS

Enable TLS connection outbound from the Gateway.

  • Default: 1
  • Required: No
  • Values: 0,1
 1
GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM

TLS Compliance Level for downstream (outbound) connections.  This sets TLS version and cipher list accordingly. Customer is still responsible for following other NIST and/or OWASP recommendations, notably making sure certificates are signed and keys are rotated regularly.

    • Default: N/A
    • Required: No
    • Values:
      • LOW
      • MEDIUM
      • HIPAA_2018
      • PCI_321
      • HIGH
    • Note: If any level above LOW, you must set:
      • GATEWAY_SMTP_SECURITY_LEVEL= mandatory
      • GATEWAY_SMTP_USE_TLS=1
 HIGH
GATEWAY_SMTP_TLS_LOGLEVEL

Outbound TLS Log Level.  This is used for outbound connections made from the Gateway.

  • Default: 2
  • Required: No
  • Values: 0-4
GATEWAY_SMTP_TLS_POLICY_MAPS

Outbound Transport Security requirements in a comm-delimited list of domains and TLS requirements for those domains.

  • Default: N/A
  • Required: No
  • Values: Text

example1.com=>may

example2.com=>none

example3.com=>encrypt

example4.net=>none
GATEWAY_SMTPD_SASL_ACCOUNTS

If enabled, these are the domains and their corresponding users, and passwords.

  • Default: N/A
  • Required: No
  • Values: Text
  • Note: Applicable only when:
    • GATEWAY_SMTP_SASL_ENABLED_UPSTREAM=0

example.com=>user1=>password1

example.com=>user2=>password2

example.net=>user3=>password3 
GATEWAY_SMTPD_SASL_ENABLED_UPSTREAM

Require SASL authentication for inbound clients or mail servers upstream attempting to connect this server.

  • Default: 0
  • Required: No
  • Values: 0,1
GATEWAY_SMTPD_SASL_MECHANISMS

Space-delimited list of SASL mechanisms to support for upstream SASL.

  • Default: N/A
  • Required: No
  • Values:
    • PLAIN
    • LOGIN
    • CRAM-MD5
    • DIGEST-MD5
  • Note: Only required when GATEWAY_SMTPD_SASL_ENABLED_UPSTREAM=1

DIGEST-MD5 LOGIN

GATEWAY_XHEADER_AUTH_ENABLED

Inbound X-Header Authentication

  • Enable inbound X-Header authentication
  • Values
    • 1 Enabled
    • 0 Disabled
  • Default: 0
  • Require: No

GATEWAY_XHEADER_AUTH_ENABLED=1

GATEWAY_XHEADER_AUTH_SECRET

 

Inbound X-Header Authentication

Enable inbound X-Header authentication Shared Secret

X-Header-Virtru-Auth=secret

Require: No

 

Example:

X-Header-Virtru-Auth=123456789

 
GATEWAY_SMTPD_SECURITY_LEVEL

Sets the minimum transport security required for inbound connections to the Gateway.

  • Default: opportunistic.
  • Required: No
  • Values: mandatory or opportunistic
  • Note: Only used when GATEWAY_SMTPD_USE_TLS=1
 opportunistic
GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM

TLS Compliance Level for upstream (inbound) connections.  This sets TLS version and cipher list accordingly. Customer is still responsible for following other NIST and/or OWASP recommendations, notably making sure certificates are signed and keys are rotated regularly.

    • Default: N/A
    • Required: No
    • Values:
      • LOW
      • MEDIUM
      • HIPAA_2018
      • PCI_321
      • HIGH
    • Note: If any level above LOW, you must set:
      • GATEWAY_SMTPD_SECURITY_LEVEL= mandatory
      • GATEWAY_SMTPD_USE_TLS=1
  HIGH
GATEWAY_SMTPD_TLS_LOGLEVEL

Inbound TLS Log Level.  This is used for incoming connections made to the Gateway.

  • Default: 2
  • Required: No
  • Values: 0-4
 2
GATEWAY_SMTPD_USE_TLS

Enable TLS connection inbound to the Gateway.

  • Default: 1
  • Required: No
  • Values: 0,1
GATEWAY_TRANSPORT_MAPS

Comma-delimited set of domains and next-hop destinations and optional ports

  • Default: N/A
  • Required: No
  • Values: Text

example.com=>mail.example.com

examplemail.com=>mx.examplemail.com:10025

*=>[192.168.1.1]:10026
GATEWAY_VERBOSE_LOGGING

Enable verbose logging in Gateway.  Set this to 0 unless you are debugging something.

  • Default: 0
  • Required: No
  • Values: 0, 1
 0
MAX_BACKOFF_TIME

The maximal time between attempts to deliver a deferred message. Set to a value greater than or equal to MIN_BACKOFF_TIME.  Time units: s (seconds), m (minutes), h (hours), d (days).

  • Default: 4000s
  • Required: No
  • Values: Text
  • Recommend: 45s
 45s 
MAX_QUEUE_LIFETIME

Consider a message as undeliverable, when delivery fails with a temporary error, and the time in the queue has reached the MAX_QUEUE_LIFETIME limit.  Time units: s (seconds), m (minutes), h (hours), d (days).

Specify 0 when mail delivery should be tried only once.

  • Default: 5d
  • Required: No
  • Values: Time
  • Recommend: 5m

1d

15m

300s 
MIN_BACKOFF_TIME

The minimal time between attempts to deliver a deferred message.  Time units: s (seconds), m (minutes), h (hours), d (days).

  • Default: 300s
  • Required: No
  • Values: Text
  • Recommend: 30s
  300s
QUEUE_RUN_DELAY

The time between deferred queue scans by the queue manager.  Time units: s (seconds), m (minutes), h (hours), d (days).

  • Default: 300s
  • Required: No
  • Values: Text
  • Recommend: 30s

 300s

 

 

Virtru Variables

These variables play a role in performing Virtru encryption or decryption.

Environment Variable Description Example
GATEWAY_ACCOUNTS_URL

URL to Virtru's Accountsservice. 

  • Default: N/A
  • Required: Yes
  • Values: Text
  • Note: Do not change this.
 https://api.virtru.com/accounts
GATEWAY_ACM_URL

URL to Virtru's ACM service

  • Default: N/A
  • Required: Yes
  • Values: Text
  • Note: Do not change this.
 https://api.virtru.com/acm

GATEWAY_AMPLITUDE_API_KEY

Amplitude Token is used to authenticate the Virtru tenant in Amplitude.  Amplitude is an events platform used to store general performance metrics.

  • Default: N/A
  • Required: Yes
  • Values: Text
 Contact Virtru Support to obtain your token.
GATEWAY_API_TOKEN_NAME

HMAC Token is used to authenticate the Virtru Gateway. 

  • Default: N/A
  • Required: Yes
  • Values: Text
 Contact Virtru Support to obtain your token.
GATEWAY_API_TOKEN_SECRET

HMAC Token is used to authenticate the Virtru Gateway.  

  • Default: N/A
  • Required: Yes
  • Values: Text
 Contact Virtru Support to obtain your token.
GATEWAY_DLP_CACHE_DURATION

The interval of time between refreshing the DLP rules.

  • Default: 30
  • Minimum: 0
  • Required: No
  • Values: Number in minutes.  To refresh every request, set to 0.
 30
GATEWAY_MODE

The mode for the Gateway. 

  • Default: encrypt-everything
  • Required: Yes
  • Values:
    • encrypt-everything
    • decrypt-everything
    • dlp
 encrypt-everything
GATEWAY_NEWRELIC_CRED

This can send Gateway metrics data to customer's instance of New Relic.

  • Default: N/A
  • Required: No
  • Values: Text
 New Relic Key
GATEWAY_ORGANIZATION_DOMAIN

Domain name of organization

  • Default: N/A
  • Required: Yes
  • Values: Text
 example.com
GATEWAY_REMOTE_CONTENT_BASE_URL

The base URL for remote content.

  • Default: N/A
  • Required: Yes
  • Values: Text
  • Note: Do not change unless directed by Virtru.  If "Custom Secure Reader URL" is in use the URL should match.
 https://secure.virtru.com/start/
GATEWAY_TOPOLOGY Topology of the gateway.
  • Default: outbound
  • Required: Yes
  • Values:
    • outbound
    • inbound
 outbound
GATEWAY_REPLACEMENT_FROM_ENABLED
  • Enable or disable the "from" address rewriting (inbound topology only) -
  • default "enabled"
 "0" to disable or "1" to enable
GATEWAY_REMOTE_CONTENT_BASE_URL

The base URL for remote content.

  • Default: N/A
  • Required: Yes
  • Values: Text
  • Note: Do not change unless directed by Virtru.  If "Custom Secure Reader URL" is in use the URL should match.
 https://secure.virtru.com/start/
GATEWAY_TOPOLOGY Topology of the gateway.
  • Default: outbound
  • Required: Yes
  • Values:
    • outbound
    • inbound
 outbound
GATEWAY_DECRYPT_PERSISTENT_PROTECTED_ATTACHMENTS
  • Enable decryption of `persistent protection` files in *decrypt* mode - default will not decrypt
  • default "enabled"
 "1" to decrypt attachments that have persistent protection enabled
GATEWAY_ROUTING_XHEADERS

 

  • SMTP XHeaders for the Gateway to set on all mail it processes
 `X-Header-1: value1, X-Header-2: value2`

 

 

Option Description
LOW
  • TLS Level Minimum
    • TLS 1.0
  • TLS Requirement
    • Opportunistic
MEDIUM
  • TLS Level Minimum
    • TLS 1.1
  • TLS Requirement
    • Mandatory
HIPAA_2018
  • TLS Level Minimum
    • TLS 1.0
  • TLS Requirement
    • Mandatory
  • Ciphers
    • RSA-WITH-3DES-EDE-CBC-SHA
    • RSA-WITH-AES-128-CBC-SHA
    • RSA-WITH-AES-256-CBC-SHA
    • ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA
    • ECDHE-ECDSA-WITH-AES-128-CBC-SHA
    • ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
    • ECDHE-RSA-WITH-AES-128-CBC-SHA
    • RSA-WITH-AES-128-GCM-SHA256
    • RSA-WITH-AES-256-GCM-SHA384
    • ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
    • ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
    • ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
    • ECDHE-RSA-WITH-AES-128-CBC-SHA256
    • ECDHE-RSA-WITH-AES-128-GCM-SHA256
PCI_321
  • TLS Level Minimum
    • TLS 1.2
  • TLS Requirement
    • Mandatory
  • Ciphers
    • DHE-RSA-AES256-GCM-SHA384
    • DHE-RSA-AES128-GCM-SHA256
    • ECDHE-RSA-AES256-GCM-SHA384
    • ECDHE-RSA-AES128-GCM-SHA256
    • DHE-RSA-AES256-SHA256
    • DHE-RSA-AES128-SHA256
    • ECDHE-RSA-AES256-SHA384
    • ECDHE-RSA-AES128-SHA256
HIGH
  • TLS Level Minimum
    • TLS 1.2
  • TLS Requirement
    • Mandatory
  • Ciphers
    • ADH-AES256-GCM-SHA384
    • ADH-AES256-SHA256
    • ECDHE-RSA-AES256-GCM-SHA384
    • ECDHE-ECDSA-AES256-GCM-SHA384
    • ECDHE-RSA-AES256-SHA384
    • ECDHE-ECDSA-AES256-SHA384
    • DH-DSS-AES256-GCM-SHA384
    • DHE-DSS-AES256-GCM-SHA384
    • DH-RSA-AES256-GCM-SHA384
    • DHE-RSA-AES256-GCM-SHA384
    • DHE-RSA-AES256-SHA256
    • DHE-DSS-AES256-SHA256
    • DH-RSA-AES256-SHA256
    • DH-DSS-AES256-SHA256
    • ECDH-RSA-AES256-GCM-SHA384
    • ECDH-ECDSA-AES256-GCM-SHA384
    • ECDH-RSA-AES256-SHA384
    • ECDH-ECDSA-AES256-SHA384
    • AES256-GCM-SHA384
    • AES256-SHA256
    • ADH-AES128-GCM-SHA256
    • ADH-AES128-SHA256
    • ECDHE-RSA-AES128-GCM-SHA256
    • ECDHE-ECDSA-AES128-GCM-SHA256
    • ECDHE-RSA-AES128-SHA256
    • ECDHE-ECDSA-AES128-SHA256
    • DH-DSS-AES128-GCM-SHA256
    • DHE-DSS-AES128-GCM-SHA256
    • DH-RSA-AES128-GCM-SHA256
    • DHE-RSA-AES128-GCM-SHA256
    • DHE-RSA-AES128-SHA256
    • DHE-DSS-AES128-SHA256
    • DH-RSA-AES128-SHA256
    • DH-DSS-AES128-SHA256
    • ECDH-RSA-AES128-GCM-SHA256
    • ECDH-ECDSA-AES128-GCM-SHA256
    • ECDH-RSA-AES128-SHA256
    • ECDH-ECDSA-AES128-SHA256
    • AES128-GCM-SHA256
    • AES128-SHA256

 

Sample Environment Variables Files

The snippet below shows an Environment Variables File used to run Gateway docker image. Copy the contents of this snippet into your Environment Variables File and edit it accordingly.

Syntax Rules
These syntax rules apply to the .env file:

  • Each line in an .env file must be in VARIABLE=VALUE format.
  • Lines beginning with # (i.e. comments) are ignored.
  • Blank lines are ignored.
  • Any quotation marks (' and ") are not ignored for VALUE.

Related articles