Open in app

Sign in

Write

Sign in

Virtru Part 16: Cheat Sheet!

KWJ
3 min readJul 28, 2023

Hopefully you found the series for deploying a Virtru Data Protection Gateway that is…

  • Customer Hosted,
  • for Google Workspace,
  • in Amazon Web Services,
  • running Amazon Linux 2,
  • using Docker

useful. Below is the cheat sheet for the instance and configuration. This article goes directly with the 15 other articles.

sudo yum update
sudo yum search docker
sudo yum info docker
sudo yum install docker

sudo usermod -a -G docker ec2-user
newgrp docker

sudo systemctl enable docker.service
sudo systemctl start docker.service

sudo systemctl status docker.service

sudo bash 
yum install iptables-services
systemctl enable iptables
systemctl enable ip6tables
systemctl start iptables
systemctl start ip6tables

sudo iptables -I INPUT -p tcp -m tcp --dport 10000 -j ACCEPT
sudo iptables -I INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
sudo iptables -I INPUT -p tcp -m tcp --dport 9002 -j ACCEPT
sudo iptables -I INPUT -p tcp -m tcp --dport 9003 -j ACCEPT
sudo iptables -I INPUT -p tcp -m tcp --dport 25 -j ACCEPT
sudo service iptables save 
# vim /etc/yum.repos.d/webmin.repo
[Webmin]
name=Webmin Distribution Neutral
#baseurl=http://download.webmin.com/download/yum
mirrorlist=http://download.webmin.com/download/yum/mirrorlist
enabled=1
wget http://www.webmin.com/jcameron-key.asc
rpm -import jcameron-key.asc

yum install webmin

# vim /etc/webmin/miniserv.conf
ssl=0
no_ssl2=1
no_ssl3=1
no_tls1=1
no_tls1_1=1

service webmin restart

/usr/libexec/webmin/changepass.pl /etc/webmin root NEWPASSWORD
curl -s https://api.github.com/repos/virtru/gateway-install-script/releases/latest \
| grep "browser_download_url.*sh" \
| cut -d : -f 2,3 \
| tr -d \" \
| sudo wget -qi -

hmod +x deploy-gateway-v2.39.0.sh
./deploy-gateway-v2.39.0.sh

# At this point you need to run the SH file three times, one for each Gateway.  
# Refer to the Diagram for the correct settings as it easy to be lost.
Since we are running all three on the same host we will use

* 9001 for outbound decryption
    * Receives mail from Google Gmail
    * Sends Mail via it's own relay  - it will only be sending to Smarsh
    * DKIM is "virtrugw"
* 9002 for inbound decryption
    * Receives mail from Google Gmail
    * Sends Mail via it's own relay  - it will only be sending to Smarsh
    * DKIM is "virtrugw"
* 9003 for DLP outbound
    * Receives mail from Google Gmail
    * Sends Mail via it's own relay  - it will send all messages to final recipients, thus most risk 
    * DKIM is "virtrugw"

Each time we add a gateway we

* Run the deploy-gateway-vX.XX.X.sh script (or whichever version exists)
* Specify the correct settings for the deployment.  Based on the Outbound you should be able to easily discern the rest and therefore I am omitting them.
* Run the setup script
    * sh /var/virtru/vg/scripts/setup-id-9001.sh for outbound
    * sh /var/virtru/vg/scripts/setup-id-9002.sh for inbound
    * sh /var/virtru/vg/scripts/setup-id-9003.sh for DLP

DKIM

Create a “dlim-keys.sh” file in “/var/virtru/vg/dkim”


gwDomain=<yourdomain.com>
gwDkimSelector=gw
dkimPath="/var/virtru/vg/dkim"
dkimPrivateFull="$dkimPath/$gwDkimSelector"
dkimPrivateFull="$dkimPrivateFull._domainkey.$gwDomain.pem"
dkimPublicFull="$dkimPath/$gwDkimSelector._domainkey.$gwDomain-public.pem"
openssl genrsa -out $dkimPrivateFull 1024
openssl rsa -in $dkimPrivateFull -out $dkimPublicFull -pubout -outform PEM
cd /var/virtru/vg/dkim
chmod 644 *
This shell script will generate public keys for the customer’s DKIM use. Run it. 

Read your public key into your terminal and copy everything between  
-----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY-----
Create your DKIM TXT record:
v=DKIM1; k=rsa; p=<your copied public key>

Overrides

The content here is meant to be done manually, it’s in code format for easy reference only. It’s not code.


FOR EACH SCRIPT IN /scripts
Search:
--log-driver json-file \
--log-opt max-size=10m \
--log-opt max-file=100 \

Replace:
--log-driver syslog \ 
--log-opt syslog-address=udp://logs4.papertrailapp.com:46283 \ 

FOR EACH ENV IN /env 
- MAX_QUEUE_LIFETIME=48h

Restart Docker

service docker restart

Start, Restart, Rebuild

sudo bash
docker rm -f $(docker ps -a -q)
{WAIT:2000}
cd /var/virtru/vg/scripts/
./setup-od-9001.sh
{WAIT:1200}
./setup-id-9002.sh
{WAIT:1200}
./setup-dlp-out-9003.sh
{WAIT:1200}
docker container ls
sudo systemctl status docker.service
docker container ls --format "table {{.ID}}\t{{.Names}}\t{{.Ports}}" -a

Google Compliance Rules in a nutshell

Virtru Outbound Decrypt and Archive
Outbound
 Internal-Sending

Any match body contains text
--- START PROTECTED MESSAGE TDF
Require TLS (this is true for all the rules)

Also Deliver
Change Route
Virtru Outbound Gateway
Change envelope > replace recipient
emailarchive@you.journaltosmarsh.com
Add Custom Headers
SMARSH-DECRYPT-COPY:1
Prepend Custom Subject
DECRYPTED-
Virtru Inbound Decrypt and Archive
Inbound
 Internal-Receiving
All of the following 
Full headers NOT CONTAIN TEXT
X-MSGDECRYPT
Body Contains text
--- START PROTECTED MESSAGE TDF


Also Deliver
Change Route
Virtru Inbound Gateway
Change envelope > replace recipient
emailarchive@you.journaltosmarsh.com
Add Custom Headers
MSGDECRYPT:1
Prepend Custom Subject
DECRYPTED-
Virtru Outbound DLP Reroute
Outbound
Internal-Sending
Body NOT CONTAINS TEXT
NO-ENCRYPTION-REQUIRED
Body NOT CONTAINS TEXT
 --- START PROTECTED MESSAGE TDF
Route > Change Route
Virtru DLP Gateway

Also Deliver
Change Route
Normal Routing
Change envelope > replace recipient
emailarchive@you.journaltosmarsh.com
Virtru

--

--

KWJ

Written by KWJ

19 Followers

Technologist, aviator, dog-owner, dad, environmentalist, and hell-bent on redefining oneself for the next chapter of life.

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams