This guide provides step-by-step instructions to configure your Virtru Customer-Hosted Gateway using Podman as an alternative to Docker.
Podman
Gateway is distributed as a podman image via Virtru's Google Artifact Registry.
- Quick Install
mkdir /var/virtru/
mkdir /var/virtru/scripts/
cd /var/virtru/scripts/
#Podman
yum install podman
Create alias to align Docker and Podman commands
Follow the steps below to add an alias and reload your .bashrc file.
- Run the following command to add the alias to your .bashrc file:
printf "\nalias docker=podman\n" >> ~/.bashrc
- Reload your bash config:
source ~/.bashrc
Deploy Script
Virtru deploys the Virtru Gateway setup using a Shell Script.
- Download the latest version of the deploy script to the Gateway Host by running the following on the Gateway Host:
curl -s https://api.github.com/repos/virtru/gateway-install-script/releases/latest \
| grep "browser_download_url.*sh" \
| cut -d : -f 2,3 \
| tr -d \" \
| sudo wget -qi -
Note: The source for the install script is available on GitHub: https://github.com/virtru/gateway-install-script
Installation
To install a Virtru Gateway, execute the Deploy Script once for every gateway desired. The Deploy Script sets up:
- Folder structure
- Certificates
- Configuration Files
Execution
sh deploy-gateway-vX.X.sh
The Deploy Script will walk through the required questions to successfully deploy a Virtru Gateway matching the correct mail flow direction and topology.
- Gateway Version:
  - Determines the base gateway image that will be pulled from Google Artifact Registry; leave blank for the default (latest) version.
  - Sets the gateway version in the podman run script /var/virtru/vg/scripts/setup-<container>.sh
- Gateway Port:
  - Defines the listening port for the container; leave blank for the default 9001 or specify the port that fits your environment.
  - Sets the listening port in the podman run script /var/virtru/vg/scripts/setup-<container>.sh
- Gateway Mode:
  - Defines the mode the container will run in; choose option 1-3.
  - Sets the GATEWAY_MODE value in the env file /var/virtru/vg/env/<container>.env
  - Encrypt-everything: encrypts every message sent to the container; logic will need to be defined upstream.
  - Decrypt-everything: decrypts every message sent to the container; logic will need to be defined upstream.
  - DLP: uses the email rules set in your Virtru Control Center to determine encryption and access control policies.
- Gateway Topology:
  - Defines how the gateway will process the message depending on your mail topology.
  - Sets the GATEWAY_TOPOLOGY value in the env file /var/virtru/vg/env/<container>.env
  - inbound: for mail originating from outside your organization; processes mail on behalf of the recipient domain.
  - outbound: for mail originating from inside your organization; processes mail on behalf of the sender domain.
- FIPS requirement:
  - If you have a requirement to use FIPS-validated libraries, this will pull down the correct gateway image.
- Inbound Relay Addresses:
  - Defines the IP address range that the container will accept ingress traffic from.
  - Sets the GATEWAY_RELAY_ADDRESSES value in the env file /var/virtru/vg/env/<container>.env
  - G Suite: pre-populated IP range for Google Workspace
  - O365: pre-populated IP range for Office 365
  - All: allows all traffic (it is recommended that this be controlled by the ingress firewall in the customer environment)
  - None: set this if you need to come back and fill in this value later in the .env file
- CKS Enabled:
  - If you are using a Virtru Customer Key Server (CKS) and/or you are using Inbound Decrypt Mode, select yes.
  - Sets the GATEWAY_ENCRYPTION_KEY_PROVIDER and GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS values in the env file /var/virtru/vg/env/<container>.env
- Gateway FQDN:
  - Sets the container to run as this host name by default and creates self-signed TLS certs to match.
  - Sets the GATEWAY_HOSTNAME value in the env file /var/virtru/vg/env/<container>.env
- Gateway Domain:
  - Primary mailing domain of your tenant that matches your Virtru org (if you have multiple domains, list ONLY the primary here).
- Gateway DKIM Selector:
  - Defaults to gw. but leaves it commented out; if you need the gateway to do its own DKIM signing, define the selector here.
  - Sets the GATEWAY_DKIM_DOMAINS value in the env file /var/virtru/vg/env/<container>.env
- Outbound Relay:
  - Defines the next-hop address or FQDN; if left blank, the gateway will do final delivery based on an MX lookup of the destination address over port 25.
  - Gmail relay: [smtp-relay.gmail.com]:587
  - Office 365: [MX record]:25
  - Custom: [1.1.1.1]:25
  - Blank (gateway performs final delivery with MX lookup)
  - Sets the GATEWAY_TRANSPORT_MAPS value in the env file /var/virtru/vg/env/<container>.env
- Amplitude Token:
  - Provides gateway logs to Virtru; the token is provided by Virtru.
  - Sets the GATEWAY_AMPLITUDE_API_KEY value in the env file /var/virtru/vg/env/<container>.env
- Token ID:
  - HMAC token ID provided by Virtru.
  - This token is unique to your customer org and tells our accounts service to allow the gateway to perform functions on behalf of the sender for the organization.
  - Sets the GATEWAY_API_TOKEN_NAME value in the env file /var/virtru/vg/env/<container>.env
- Token:
  - HMAC token secret provided by Virtru.
  - This token is unique to your customer org and tells our accounts service to allow the gateway to perform functions on behalf of the sender for the organization.
  - Sets the GATEWAY_API_TOKEN_SECRET value in the env file /var/virtru/vg/env/<container>.env
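Because the env file written by the deploy script holds the HMAC token secret and the relay address range that gates which hosts may hand mail to the container, it is worth checking the generated file before you run the setup script. The following script is an added example, not part of the Virtru article or the deploy script; it assumes the env file is plain KEY=VALUE lines using the variable names listed above, assumes nothing about the format of any value, and uses constructed placeholder values in its sample.

```shell
#!/bin/sh
# Added example (not part of the Virtru article or deploy script): sanity-check a
# generated /var/virtru/vg/env/<container>.env before running the setup script.
# Assumptions: the file is KEY=VALUE, one per line, using the variable names the
# article lists; no particular value format is assumed for any key.

# Keys every gateway needs a value for (names taken from the article).
REQUIRED_KEYS="GATEWAY_MODE GATEWAY_TOPOLOGY GATEWAY_RELAY_ADDRESSES GATEWAY_HOSTNAME GATEWAY_API_TOKEN_NAME GATEWAY_API_TOKEN_SECRET"

# Print the (last) value of key $2 in env file $1; prints nothing if it is unset.
env_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Return 0 when every required key is non-empty and the file is private to its owner;
# each finding is printed on its own line so it can be read or logged.
check_gateway_env() {
    f=$1
    rc=0
    if [ ! -f "$f" ]; then
        echo "ERROR: $f does not exist"
        return 1
    fi
    # Characters 5-10 of 'ls -l' output are the group and other permission bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    case $perms in
        *[rw]*)
            echo "ERROR: $f is readable or writable by group/others but holds GATEWAY_API_TOKEN_SECRET; run: chmod 600 $f"
            rc=1 ;;
    esac
    # The deploy script's 'None' choice leaves GATEWAY_RELAY_ADDRESSES for you to fill in later;
    # an empty value here means that step was never done.
    for k in $REQUIRED_KEYS; do
        if [ -z "$(env_value "$f" "$k")" ]; then
            echo "ERROR: $k is missing or empty"
            rc=1
        fi
    done
    # These two keys are only written when CKS was selected, so they are reported, not required.
    if [ -n "$(env_value "$f" GATEWAY_ENCRYPTION_KEY_PROVIDER)" ]; then
        echo "INFO: CKS key provider configured; GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=$(env_value "$f" GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS)"
    fi
    [ $rc -eq 0 ] && echo "OK: $f"
    return $rc
}

# Write a constructed sample env file (values are placeholders, not real Virtru settings).
write_sample_env() {
    cat > "$1" <<'EOF'
GATEWAY_MODE=dlp
GATEWAY_TOPOLOGY=outbound
GATEWAY_RELAY_ADDRESSES=203.0.113.0/24
GATEWAY_HOSTNAME=gw.example.com
GATEWAY_API_TOKEN_NAME=placeholder-token-id
GATEWAY_API_TOKEN_SECRET=placeholder-token-secret
EOF
    chmod 600 "$1"
}

# Usage: check_gateway_env /var/virtru/vg/env/oe-9001.env
# Run this file with --demo to exercise the check against the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_env "$tmp"
    check_gateway_env "$tmp"
    rm -f "$tmp"
fi
```

The permission check reads the mode bits from `ls -l` rather than `stat`, so it behaves the same on GNU and BSD userlands; the value checks are deliberately limited to presence, since the exact literals the deploy script writes for each option are not documented here.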
Modify Scripts
Note: In this example, we used the container name oe-9001. However, your configuration may vary; be sure to adjust the container name and other settings according to your specific requirements.
- Navigate to the scripts folder, open the setup script in Vim, nano or any editor of your choice, and replace 'docker' commands with 'podman':
cd /var/virtru/vg/scripts
vim setup-oe-9001.sh
- Add the --log-opt line shown below to your existing setup-oe-9001.sh file; it is the file path to the container log.
- Use the following 'podman run' command to deploy a Virtru Gateway:
podman run \
--env-file /var/virtru/vg/env/oe-9001.env \
-v /var/virtru/vg/tls/:/etc/postfix/tls \
-v /var/virtru/vg/queue/oe-9001/:/var/spool/postfix \
-v /var/virtru/vg/dkim/:/etc/opendkim/keys \
--name oe-9001 \
--publish 9001:25 \
--interactive --tty --detach \
--restart unless-stopped \
--log-opt path=/var/log/podman-oe-9001.log \
containers.virtru.com/gateway:v<new version number>
- Run the setup script to create the container:
sh setup-oe-9001.sh
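The two edits above (swap the docker command word for podman, add the --log-opt line) are easy to get subtly wrong by hand, for instance by leaving a trailing backslash off the new line. The script below is an added example, not part of the Virtru article or the deploy script; it applies both edits to a setup-<container>.sh file, keeps a .bak copy, and can be re-run without duplicating the log option. It assumes the file holds a single docker/podman run command with one option per line, trailing backslashes, and the image reference (containers.virtru.com/gateway:...) as the final line.

```shell
#!/bin/sh
# Added example (not part of the Virtru article or deploy script): apply the two
# "Modify Scripts" edits to a setup-<container>.sh file without hand-editing it.
# Assumptions: the file holds one 'docker run' command, one option per line with
# trailing backslashes, and its last line is the image reference
# (containers.virtru.com/gateway:...). Values in the sample below are constructed.

# Usage: convert_setup_script /var/virtru/vg/scripts/setup-oe-9001.sh oe-9001
convert_setup_script() {
    f=$1
    c=$2
    tmp="$f.tmp.$$"
    # Keep an untouched copy the first time the script is converted.
    [ -f "$f.bak" ] || cp "$f" "$f.bak"
    # 1. Replace the command word docker with podman (only when it stands alone,
    #    so a path such as /etc/docker-something in the file is left untouched).
    # 2. Insert the --log-opt line in front of the image line unless one is already
    #    present, so running the function twice changes nothing.
    sed -e 's/^\([[:space:]]*\)docker\([[:space:]]\)/\1podman\2/' \
        -e 's/\([[:space:]]\)docker\([[:space:]]\)/\1podman\2/g' "$f" |
    awk -v c="$c" '
        /--log-opt path=/ { seen = 1 }
        { line[NR] = $0 }
        END {
            for (i = 1; i <= NR; i++) {
                if (!seen && line[i] ~ /containers\.virtru\.com\/gateway:/)
                    print "--log-opt path=/var/log/podman-" c ".log \\"
                print line[i]
            }
        }' > "$tmp" && mv "$tmp" "$f"
}

# Number of lines still using docker as a command word (0 after a successful conversion).
count_docker_words() {
    grep -c 'docker[[:space:]]' "$1"
}

# Write a constructed sample setup script (a cut-down version of the run command above).
write_sample_setup() {
    cat > "$1" <<'EOF'
docker run \
--env-file /var/virtru/vg/env/oe-9001.env \
--name oe-9001 \
--publish 9001:25 \
--restart unless-stopped \
containers.virtru.com/gateway:v<new version number>
EOF
}

# Run this file with --demo to convert the constructed sample and print the result.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    write_sample_setup "$tmp"
    convert_setup_script "$tmp" oe-9001
    cat "$tmp"
    rm -f "$tmp" "$tmp.bak"
fi
```

The sed/awk pair writes to a temporary file and renames it into place rather than using `sed -i`, whose syntax differs between GNU and BSD sed; the .bak copy is what you diff against if the container fails to start after the change.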
Managing Your Podman Container
Here are commands to help you view, manage logs, stop, start, and remove your Podman container:
- To list all running containers:
podman ps
- To list all containers (including stopped ones):
podman ps -a
- To view and follow logs for a specific container:
podman logs -f <container-name>
- If you set up a log file, use:
tail -f /var/log/podman-<container-name>.log
- To stop a running container:
podman stop <container-name>
- To start a stopped container:
podman start <container-name>
- Remove a stopped container:
podman rm <container-name>
- To forcefully remove a container (running or stopped):
podman rm -f <container-name>
Additional Tips
- Check Container Logs from Start: View all logs from the beginning by omitting the '-f' flag:
podman logs <container-name>
- Check Resource Usage: Monitor container stats with:
podman stats <container-name>
This setup will guide you through managing your Virtru Gateway container on a Podman-hosted Linux server effectively.
SELinux Configurations
If your host is running on SELinux, refer to this article for additional configurations that may need to be applied:
Additional Podman References
- https://www.redhat.com/sysadmin/behind-scenes-podman
- https://www.redhat.com/sysadmin/user-namespaces-selinux-rootless-containers