Install Steps
- Install Docker
- Download Install Script
- Run Install Script
- Run Setup Script
Docker
Gateway is distributed as a Docker image via Virtru's DockerHub Repository.
Warning
If SELinux is in use, please reference this article.
Install Docker CE (Recommended)
- Quick Install
    mkdir /var/virtru/
    mkdir /var/virtru/scripts/
    cd /var/virtru/scripts/
    # Docker CE
    sudo curl -sSL https://get.docker.com/ | sh
Reference
Docker CE is not supported on Red Hat Enterprise Linux.
RHEL offers a service called Podman for its container management.
Follow our guide to set up Podman to work with Virtru Gateway.
Deploy Script
Virtru deploys the Virtru Gateway setup using a Shell Script.
- Please download the latest version to the Gateway Host.
- Run on Gateway Host to download the latest deploy script.
    curl -s https://api.github.com/repos/virtru/gateway-install-script/releases/latest \
    | grep "browser_download_url.*sh" \
    | cut -d : -f 2,3 \
    | tr -d \" \
    | sudo wget -qi -
Note
The source for the install script is available on GitHub: https://github.com/virtru/gateway-install-script
Installation
To install a Virtru Gateway, execute the Deploy Script once for every gateway desired. The Deploy Script sets up:
- Folder structure
- Certificates
- Configuration Files
Execution
sh deploy-gateway-vX.X.sh
The Deploy Script will walk through the required questions to successfully deploy a Virtru Gateway matching the correct mail flow direction and topology.
- Gateway Version:
  - Determines the base gateway image that will be pulled from Docker Hub; leave blank for the default (latest) version
  - Sets the gateway version in the docker run script /var/virtru/vg/scripts/setup-<container>.sh
- Gateway Port:
  - Defines the listening port for the container; leave blank for the default 9001 or specify the port that fits your environment
  - Sets the listening port in the docker run script /var/virtru/vg/scripts/setup-<container>.sh
- Gateway Mode:
  - Defines the mode that the container will run in; choose option 1-3
  - Sets the GATEWAY_MODE value in the env file /var/virtru/vg/env/<container>.env
    - Encrypt-everything: Will encrypt every message sent to the container; logic will need to be defined upstream
    - Decrypt-everything: Will decrypt every message sent to the container; logic will need to be defined upstream
    - DLP: Will use the Security Rules set in your Virtru Control Center to determine encryption and access control policies
- Gateway Topology:
  - Defines how the gateway will process the message depending on mail topology
  - Sets the GATEWAY_TOPOLOGY value in the env file /var/virtru/vg/env/<container>.env
    - inbound: For mail originating from outside of your organization; processes mail on behalf of the recipient domain
    - outbound: For mail originating from inside of your organization; processes mail on behalf of the sender domain
- FIPS requirement:
  - If you have a requirement to use FIPS validated libraries, this will pull down the correct gateway image.
- Inbound Relay Addresses:
  - Defines the IP address range that the container will accept ingress traffic from
  - Sets the GATEWAY_RELAY_ADDRESSES value in the env file /var/virtru/vg/env/<container>.env
    - G Suite: Pre-populated IP range from Google Workspace
    - O365: Pre-populated IP range from Office 365
    - All: Allows all traffic (recommended that this be controlled by the ingress firewall in the customer environment)
    - None: Set if you need to come back and fill this value out later in the .env file
- CKS Enabled:
  - If you are using a Virtru Customer Key Server (CKS) and/or you are using Inbound Decrypt Mode, then select yes.
  - Sets the GATEWAY_ENCRYPTION_KEY_PROVIDER and GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS values in the env file /var/virtru/vg/env/<container>.env
- Gateway FQDN:
  - Sets the container to run as this host name by default and creates self-signed TLS certs to match
  - Sets the GATEWAY_HOSTNAME value in the env file /var/virtru/vg/env/<container>.env
- Gateway Domain:
  - Primary mailing domain of your tenant that matches your Virtru org (if you have multiple, ONLY list the primary here)
- Gateway DKIM Selector:
  - The default sets gw. but leaves it commented out; if you need the gateway to do its own DKIM signing, then define the selector here
  - Sets the GATEWAY_DKIM_DOMAINS value in the env file /var/virtru/vg/env/<container>.env
- Outbound Relay:
  - Defines the next hop address or FQDN; if left blank, the gateway will do final delivery based on MX lookup of the destination address over port 25
    - Gmail relay: [smtp-relay.gmail.com]:587
    - Office 365: [MX record]:25
    - Custom: [1.1.1.1]:25
    - Blank (Gateway performs final delivery with MX lookup)
  - Sets the GATEWAY_TRANSPORT_MAPS value in the env file /var/virtru/vg/env/<container>.env
- Amplitude Token:
  - Provides gateway logs to Virtru; token provided by Virtru
  - Sets the GATEWAY_AMPLITUDE_API_KEY value in the env file /var/virtru/vg/env/<container>.env
- Token ID:
  - HMAC Token ID provided by Virtru
  - This token is unique to your customer org and tells our accounts service to allow the gateway to perform functions on behalf of the sender for the organization.
  - Sets the GATEWAY_API_TOKEN_NAME value in the env file /var/virtru/vg/env/<container>.env
- Token:
  - HMAC Token Secret provided by Virtru
  - This token is unique to your customer org and tells our accounts service to allow the gateway to perform functions on behalf of the sender for the organization.
  - Sets the GATEWAY_API_TOKEN_SECRET value in the env file /var/virtru/vg/env/<container>.env
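
A post-deploy check of the env file that the prompts above write to, given here as an added example that is not part of Virtru's install script or documentation. It assumes plain KEY=value lines and that the "All" relay choice is stored as 0.0.0.0/0; the function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Virtru code. Assumes KEY=value lines and that the
# "All" relay choice is stored as 0.0.0.0/0 (both are assumptions).

# Print the last uncommented value of KEY ($2) in FILE ($1), quotes removed.
env_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"'
}

# Print one line per finding; return 1 if there is any finding, else 0.
audit_gateway_env() {
    file=$1
    findings=0
    [ -r "$file" ] || { echo "cannot read $file"; return 1; }
    # The file holds GATEWAY_API_TOKEN_SECRET, so only the owner should have access.
    if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
        echo "permissions: group or other can access $file"
        findings=$((findings + 1))
    fi
    # Values the deploy script writes from its prompts.
    for key in GATEWAY_MODE GATEWAY_TOPOLOGY GATEWAY_HOSTNAME \
               GATEWAY_API_TOKEN_NAME GATEWAY_API_TOKEN_SECRET; do
        if [ -z "$(env_value "$file" "$key")" ]; then
            echo "missing: $key is unset, empty or commented out"
            findings=$((findings + 1))
        fi
    done
    relay=$(env_value "$file" GATEWAY_RELAY_ADDRESSES)
    case "$relay" in
        "")          echo "relay: GATEWAY_RELAY_ADDRESSES is not filled in"
                     findings=$((findings + 1)) ;;
        *0.0.0.0/0*) echo "relay: GATEWAY_RELAY_ADDRESSES accepts any source"
                     findings=$((findings + 1)) ;;
    esac
    [ "$findings" -eq 0 ]
}

# Constructed sample file (placeholder values) for trying the audit offline.
write_sample_env() {
    cat > "$1" <<'EOF'
GATEWAY_MODE=encrypt-everything
GATEWAY_TOPOLOGY=outbound
GATEWAY_HOSTNAME=gw.example.com
GATEWAY_RELAY_ADDRESSES=0.0.0.0/0
GATEWAY_API_TOKEN_NAME=example-token-id
# GATEWAY_API_TOKEN_SECRET=
EOF
    chmod 644 "$1"
}
```

Run it as `audit_gateway_env /var/virtru/vg/env/<container>.env` after sourcing the file; a non-zero exit status means at least one finding was printed.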