Background
This guide outlines the steps to deploy the Virtru Gateway on Kubernetes using Helm. The Virtru Gateway facilitates secure email flow, offering encryption, decryption, and data loss prevention (DLP) capabilities. Follow these guidelines and ensure your values.yaml
file is correctly formatted.
Prerequisites
Follow the Customer Hosted Kubernetes cluster prerequisites guide and ensure you have the following:
- Access to Virtru's container repository to pull the Gateway image.
- Necessary credentials and tokens are needed to configure the Gateway.
Installation Steps
Pulling the helm chart
To get started with your helm chart, create a local directory to store your chart. Then run the following command to add Virtru's helm charts to your local helm repo:
helm repo add virtru-charts https://virtru-corp.github.io/virtru-charts/
To view your helm repos, run:
helm repo list
You should see virtru-charts
added from the URL https://virtru-corp.github.io/virtru-charts/
.
To download a chart for editing, run the following command:
helm pull virtru-charts/gateway --untar
You should see a directory called gateway
created inside of your working directory.
Use cases
The first step will be to determine which gateway modes and functions you wish to utilize. The options are as follows:
- Outbound Encrypt (default option)
- Outbound Decrypt
- Outbound DLP (leverage Virtru's content scanning and DLP engine to determine if emails should be encrypted and if any additional security options should be leveraged)
- Inbound Encrypt
- Inbound Decrypt
Create secrets
There are a number of ways that Kubernetes secrets can be managed. If you do not have an existing external secret manager for your Kubernetes clusters, you can create secrets by using the appSecrets
section of the values.yaml
file.
Please note we strongly advise you consider using an external secrets manager. Creating secrets via the values.yaml
is a default option to help get your gateway up and running more quickly.
values.yaml
file
UpdatingThis section will detail potential changes that you will need to make to your values.yaml
file.
gatewayModes
For each gateway use case identified above, ensure that the specific mode's enabled
key is toggled to true. The default ports are non-standard custom ports, but any port can be used as they all translate to port 25 internally on the pod.
standardConfig
-
gatewayHostname
- FQDN of the gateway -
primaryMailingDomain
- Your primary email domain -
gatewayTransportMaps
- Next hop for your gateway, defaults to Google SMTP Relay service -
inboundRelayAddresses
- Determine IPs you wish to allow traffic into the gateway container from (default is open at the container level and to build firewall rules to only allow specific source IPs into the pod)- Default values for Gmail and Office 365 sending IPs included in the Reference section linked here: Reference- Kubernetes Variables
-
headers.xHeaderAuthEnabled
- Defaults to true. If enabled, you must also set xHeaderAuthSecret and add the secret value to messages prior to hitting the gateway
appSecrets
Set the values based on the information below:
- Required
-
gateway-amplitude-api-key
- Provided by Virtru -
gateway-api-token-name
- Provided by Virtru -
gateway-api-token-secret
- Provided by Virtru
-
- Optional (configuration specific)
- If using X Header Authentication (default
true
)-
gateway-xheader-auth-secret
- The secret value to be added in your headers before sending mail to the gateway (example:123456789
would mean you have to have a header on every email sent to the gateway ofX-Header-Virtru-Auth:123456789
)
-
- If using SASL authentication upstream
-
gateway-sasl-auth-upstream
- The auth path for your SMTP authentication to the next hop (example:smtp-relay.gmail.com=>gateway-service-account@example.com=>appSpecificPassword
)
-
- If using SASL authentication downstream
-
gateway-sasl-auth-downstream
- The auth path for your SMTP authentication from the previous hop to the Virtru gateway (example:smtp-relay.gmail.com=>gateway-service-account@example.com=>appSpecificPassword
)
-
- If using X Header Authentication (default
additionalConfig
You may, depending on your email needs, wish to update a few values in this section. Below are a few of the primary variables you may wish to adjust:
-
saslAuth.smtpDownstream.enabled
- This will enable SASL auth for your next hop. If you choose to enable this, you will need to create thegateway-sasl-auth-upstream
file in your secret detailed above -
decryptThenEncrypt
- If you are using a multi gateway approach (ex: decrypt email => Scan content => re-encrypt email), this should be set to 1 (true)
The values.yaml
file contains all the configurable parameters for the Helm chart. You'll need to edit this file to match your deployment requirements. Key sections include:
-
Image Configuration: Specifies the Docker image for the Gateway.
image:
repository: containers.virtru.com/gateway
pullPolicy: Always
# Overrides the image tag whose default is the chart appVersion.
tag: "" # Use a specific tag or leave empty for latest -
Service Configuration: Defines how the Gateway service is exposed.
service:
type: LoadBalancer
port: 25 -
Gateway Modes: This setting enables specific functionalities of the Gateway. The Virtru Gateway can operate in multiple modes. To enable a mode, set its enabled attribute to true. Each mode functions independently, catering to different aspects of email security.
# Gateway Modes to enable, each enabled mode will create a separate
# deployment, service, and configmap
gatewayModes:
outboundEncrypt:
enabled: true
name: outbound-encrypt
port: 9001 # Repeat for other modes as necessary -
Persistent Volumes: Configures storage to maintain the email queue.
# This will create a persistent volume for each
# enabled gateway mode. This will keep your postfix queue
# intact when pods are destroyed and recreated.
# You can modify the size of the volume below.
persistentVolumes:
storageClassName: standard
volumeSize: 1Gi -
SASL Authentication: Enable SASL (Simple Authentication and Security Layer) Authentication only if SMTP submissions require authenticated connections. Read more here.
additionalConfig:
saslAuth:
smtpDownstream:
enabled: false # Enable as needed -
X-Header Authentication: For added security, enable X-Header Authentication. Configure the secret in appSecrets.
standardConfig:
headers:
xHeaderAuthEnabled: false # Enable as needed -
Gateway Host and Mail Domain Configuration: Configure the gateway hostname and primary mailing domain to align with your organization's domain settings.
gatewayHostname: fqdn.youdomain.com
primaryMailingDomain: yourdomain.com -
Mail Routing: Set up mail routing and inbound IP restrictions based on your email provider's requirements.
gatewayTransportMaps
specifies the next hop for emails processed by the Virtru Gateway. Use the MX record of your mail server.
gatewayTransportMaps: "*=>[smtp-relay.gmail.com]:587"
gatewayTransportMaps: "*=>[MX record]:25"
# Next hop for Virtru gateway, typical mail flow is:
# mail server => Virtru gateway => back to your mail server => final delivery -
IP Restrictions: Set the IP ranges that are allowed to relay emails through the gateway. Use
0.0.0.0/0
for open configuration or specify specific IP ranges for controlled access.
# See README.md for Google or Microsoft relaying IPs,
# default is open and to lock down firewall on the VPC
inboundRelayAddresses: 0.0.0.0/0 -
DKIM Signing: Enable DKIM Signing to verify sender identity and ensure email integrity. For DKIM keys or any other multiline secrets, ensure they are correctly.
dkimSigning:
publicKey: |
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiGI1vP7v3A3f2q+H5B5P...
-----END PUBLIC KEY-----
privateKey: |
-----BEGIN PRIVATE KEY-----
MZM2...a whole lot of characters...
-----END PRIVATE KEY-----
Deploying with Helm
Once your values.yaml
file is correctly configured, deploy the Virtru Gateway using the following Helm command:
helm install virtru-gateway ./path-to-virtru-gateway-helm-chart -f ./values.yaml --namespace your-namespace --create-namespace
Replace./path-to-virtru-gateway-helm-chart
with the actual path to the Helm chart and your-namespace
with the desired Kubernetes namespace.
Installing the gateway
Use a standard helm install command to deploy your gateway(s). An example command is listed below:
helm install -n virtru -f ./values.yaml gateway ./ --create-namespace
Additional Config to go live
Refer to standard documentation for Gateway configuration. You can get your endpoints to set as smart hosts by running the following command:
kubectl -n virtru get services
And there should be public endpoints you can use when relaying mail to your new gateways.
Post-Deployment
After successfully deploying the Virtru Gateway, monitor the status of your pods to ensure they are running correctly. Use kubectl
commands to check pod statuses and review logs for any errors or warnings.
helm list -n virtru
kubectl get pods -n virtru
kubectl logs <pod-name> -n virtru
Conclusion
Following this guide, you can deploy the Virtru Gateway to secure your email communications through Kubernetes. Remember to review and adjust the values.yaml
file according to your specific requirements, especially regarding secret management for enhanced security.