diff --git a/deploy-gateway-v2.11.0.sh b/deploy-gateway-v2.11.0.sh
deleted file mode 100644
index e98b183..0000000
--- a/deploy-gateway-v2.11.0.sh
+++ /dev/null
@@ -1,1266 +0,0 @@
-#!/bin/bash
-
-
-
-
-EntryPoint()
-{
-# Default Variables
-blank=""
-gwVersionDefault="2.11.0"
-gwPortDefault="9001"
-gwModeDefault="encrypt-everything"
-gwTopologyDefault="outbound"
-gwCksDefault="2"
-gwInboundRelayDefault=""
-gwFqdnDefault="gw.example.com"
-gwDomainDefault="example.com"
-gwDkimSelectorDefault="gw"
-gwOutboundRelayDefault=""
-gwAmplitudeTokenDefault="0000000000"
-gwHmacNameDefault="0000000000"
-gwHmacSecretDefault="0000000000"
-
-
-
-
-
-
-
-# Final Variables
-gwName=""
-gwVersion=""
-gwPort=""
-gwMode=""
-gwTopology=""
-gwInboundRelay=""
-gwCks=""
-gwCksKey=""
-gwFqdn=""
-gwDkimSelector=""
-gwOutboundRelay=""
-gwAmplitudeToken=""
-gwHmacName=""
-gwHmacSecret=""
-
-
-
-
-
-
-
-
-# Working Variables
-tlsPath=""
-tlsKeyFile=""
-tlsKeyFull=""
-tlsPemFile=""
-tlsPemFull=""
-dkimPath=""
-dkimPrivateFull=""
-dkimPublicFull=""
-scriptFile=""
-
-
-
-
-
-
-
-
-# Actions
-ShowLogo
-GetGwVersion $gwVersionDefault
-GetGwPort $gwPortDefault
-GetGwMode $gwModeDefault
-GetGwTopology $gwTopologyDefault
-GetGwName
-GetGwInboundRelay $gwInboundRelayDefault
-GetGwCks $gwCksDefault
-GetGwFqdn $gwFqdnDefault
-GetGwDomain $gwDomainDefault
-GetGwDkimSelector $gwDkimSelectorDefault
-GetGwOutboundRelay $gwOutboundRelayDefault
-GetGwAmplitudeToken $gwAmplitudeTokenDefault
-GetGwHmacName $gwHmacNameDefault
-GetGwHmacSecret $gwHmacSecretDefault
-
-
-
-
-
-
-
-
-MakeTlsPathVariables
-MakeDkimPathVariables
-MakeDirectories
-MakeTlsCert
-MakeDkimCert
-WriteEnv
-WriteScript
-WriteTestScripts
-clear
-ShowLogo
-ShowNextSteps
-
-
-
-
-}
-
-
-
-
-
-
-
-
-
-
-
-
-## Functions
-GetGwName() {
- if [ $gwTopology = "outbound" ]
- then
- if [ $gwMode = "encrypt-everything" ]
- then
- gwName="oe-$gwPort"
- fi
- if [ $gwMode = "decrypt-everything" ]
- then
- gwName="od-$gwPort"
- fi
- if [ $gwMode = "dlp" ]
- then
- gwName="dlp-out-$gwPort"
- fi
- else
- if [ $gwMode = "encrypt-everything" ]
- then
- gwName="ie-$gwPort"
- fi
- if [ $gwMode = "decrypt-everything" ]
- then
- gwName="id-$gwPort" - fi - if [ $gwMode = "dlp" ] - then - gwName="dlp-in-$gwPort" - fi - fi - - -} - - - - -GetGwVersion() { - local input="" - read -p "Gateway Version [$1]: " input - - - - - case "$input" in - $blank ) - gwVersion=$1 - ;; - * ) - gwVersion=$input - ;; - esac - echo " " -} - - - - -GetGwPort() { -local input="" - read -p "Gateway Port [$1]: " input - - - - - case "$input" in - $blank ) - gwPort=$1 - ;; - * ) - gwPort=$input - ;; - esac - echo " " -} - - - - -GetGwMode() { - local input="" - echo "Gateway Mode" - echo " Options" - echo " 1 - encrypt-everything" - echo " 2 - decrypt-everything" - echo " 3 - dlp" - echo " " - read -p "Enter 1-3 [$1]: " input - - - - - case "$input" in - $blank ) - gwMode=$1 - ;; - 1 ) - gwMode="encrypt-everything" - ;; - 2 ) - gwMode="decrypt-everything" - ;; - 3 ) - gwMode="dlp" - ;; - * ) - gwMode=$1 - ;; - esac - echo " " -} - - - - -GetGwTopology() { - local input="" - echo "Gateway Topology" - echo " Options" - echo " 1 - inbound" - echo " 2 - outbound" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwTopology=$1 - ;; - 1 ) - gwTopology="inbound" - ;; - 2 ) - gwTopology="outbound" - ;; - * ) - gwTopology=$1 - ;; - esac - echo " " -} - - - - -GetGwInboundRelay() { - local input="" - echo "Inbound Relay Addresses" - echo " Options" - echo " 1 - G Suite" - echo " 2 - O365" - echo " 3 - All" - echo " 4 - None" - read -p "Enter (1-4) [$1]: " input - - - - - case "$input" in - $blank ) - gwInboundRelay=$1 - ;; - 1 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=35.190.247.0/24,64.233.160.0/19,66.102.0.0/20,66.249.80.0/20,72.14.192.0/18,74.125.0.0/16,108.177.8.0/21,173.194.0.0/16,209.85.128.0/17,216.58.192.0/19,216.239.32.0/19,172.217.0.0/19,172.217.32.0/20,172.217.128.0/19,172.217.160.0/20,172.217.192.0/19,108.177.96.0/19,35.191.0.0/16,130.211.0.0/22" - ;; - 2 ) - 
gwInboundRelay="GATEWAY_RELAY_ADDRESSES=23.103.132.0/22,23.103.136.0/21,23.103.144.0/20,23.103.198.0/23,23.103.200.0/22,23.103.212.0/22,40.92.0.0/14,40.107.0.0/17,40.107.128.0/18,52.100.0.0/14,65.55.88.0/24,65.55.169.0/24,94.245.120.64/26,104.47.0.0/17,104.212.58.0/23,134.170.132.0/24,134.170.140.0/24,157.55.234.0/24,157.56.110.0/23,157.56.112.0/24,207.46.51.64/26,207.46.100.0/24,207.46.163.0/24,213.199.154.0/24,213.199.180.128/26,216.32.180.0/23" - ;; - 3 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=0.0.0.0/0" - ;; - 4 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=" - ;; - * ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=$1" - ;; - esac - echo " " -} - - - - -GetGwCks() { - local input="" - echo "CKS Enabled" - echo " Options" - echo " 1 - Yes" - echo " 2 - No" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - - - ;; - 1 ) - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - 2 ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - * ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - esac - echo " " - - - if [ $gwMode = "decrypt-everything" ] - then - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - fi -} - - - - -GetGwFqdn() { - local input="" - read -p "Gateway FQDN [$1]: " input - - - - - case "$input" in - $blank ) - gwFqdn=$1 - ;; - * ) - gwFqdn=$input - ;; - esac - echo " " -} - - - - -GetGwDomain() { - local input="" - read -p "Gateway Domain [$1]: " input - - - - - case "$input" in - $blank ) - gwDomain=$1 - ;; - * ) - gwDomain=$input - ;; - esac - echo " " -} - - - - -GetGwOutboundRelay() { - local input="" - echo "Outbound Relay - Next Hop in SMTP mailflow after the gateway." 
- echo " Gmail Relay" - echo " [smtp-relay.gmail.com]:587" - echo " " - echo " Office 365" - echo " [MX Record]:25" - echo " " - echo " Custom" - echo " [1.1.1.1]:25" - echo " " - echo " Blank (Gateway performs final delivery)" - read -p "Enter Relay Address []: " input - - - - - case "$input" in - $blank ) - gwOutboundRelay="# GATEWAY_TRANSPORT_MAPS=*=>$1" - ;; - * ) - gwOutboundRelay="GATEWAY_TRANSPORT_MAPS=*=>$input" - ;; - esac - echo " " -} - - - - -GetGwDkimSelector() { - local input="" - read -p "Gateway DKIM Selector [$1]: " input - - - - - case "$input" in - $blank ) - gwDkimSelector=$1 - ;; - * ) - gwDkimSelector=$input - ;; - esac - echo " " -} - - - - -GetGwAmplitudeToken() { - local input="" - read -p "Amplitude Token (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwAmplitudeToken=$1 - ;; - * ) - gwAmplitudeToken=$input - ;; - esac - echo " " -} - - - - -GetGwHmacName() { - local input="" - read -p "Token ID (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacName=$1 - ;; - * ) - gwHmacName=$input - ;; - esac - echo " " -} - - - - -GetGwHmacSecret() { - local input="" - read -p "Token (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacSecret=$1 - ;; - * ) - gwHmacSecret=$input - ;; - esac - echo " " -} - - - - - - - - -MakeTlsPathVariables() { - tlsPath="/var/virtru/vg/tls/$gwFqdn" - tlsKeyFile="client.key" - tlsKeyFull="$tlsPath/$tlsKeyFile" - tlsPemFile="client.pem" - tlsPemFull="$tlsPath/$tlsPemFile" -} - - - - -MakeDkimPathVariables() { - dkimPath="/var/virtru/vg/dkim" - dkimPrivateFull="$dkimPath/$gwDkimSelector" - dkimPrivateFull="$dkimPrivateFull._domainkey.$gwDomain.pem" - dkimPublicFull="$dkimPath/$gwDkimSelector._domainkey.$gwDomain-public.pem" -} - - - - -MakeDirectories(){ - mkdir -p /var/virtru/vg/ - mkdir -p /var/virtru/vg/env - mkdir -p /var/virtru/vg/scripts - mkdir -p /var/virtru/vg/tls - mkdir -p /var/virtru/vg/queue - mkdir -p 
/var/virtru/vg/queue/$gwName - mkdir -p /var/virtru/vg/test - mkdir -p $tlsPath - mkdir -p /var/virtru/vg/dkim -} - - - - -MakeTlsCert(){ -## Make TLS Certs -openssl genrsa -out $tlsKeyFull 2048 -openssl req -new -key $tlsKeyFull -x509 -subj /CN=$gwFqdn -days 3650 -out $tlsPemFull - -} - - - - -MakeDkimCert(){ -openssl genrsa -out $dkimPrivateFull 1024 -outform PEM -openssl rsa -in $dkimPrivateFull -out $dkimPublicFull -pubout -outform PEM -} - -WriteTestScripts(){ - testScript1=/var/virtru/vg/test/checkendpoints.sh -/bin/cat <$testScript1 -#!/bin/bash - -echo https://google.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://google.com -echo "" - -echo https://acm.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://acm.virtru.com -echo "" - -echo https://events.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://events.virtru.com -echo "" - -echo https://accounts.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://accounts.virtru.com -echo "" - -echo https://secure.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://secure.virtru.com -echo "" - -echo https://storage.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://storage.virtru.com -echo "" - -echo https://encrypted-storage.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://encrypted-storage.virtru.com -echo "" - -echo https://api.amplitude.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://api.amplitude.com -echo "" - -echo https://cdn.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://cdn.virtru.com -echo "" - -echo https://repo.maven.apache.org -curl 
--connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://repo.maven.apache.org -echo "" - -echo https://hub.docker.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://hub.docker.com -echo "" - - - -EOM - - - testScript2=/var/virtru/vg/test/runall.sh -/bin/cat <$testScript2 -#!/bin/bash - -for container in \`docker ps -q\`; do - # show the name of the container - docker inspect --format='{{.Name}}' \$container; - # run the command (date in the case) - docker exec -it \$container \$1 -done - - -EOM - - - testScript3=/var/virtru/vg/test/sendtestmessage.sh -/bin/cat <$testScript3 -#!/bin/bash - -echo "Update Virtru Gateway ENV file to include the lan ip of the Gateway." -echo "Use the lan IP and not the loopback (127.0.0.1)" -read -p "SMTP Server: " server -read -p "SMTP Port: " port -read -p "FROM: " from -read -p "TO: " to - -swaks --To \$to --From \$from --header "Subject: Test mail" --body "This is a test mail" --server \$server --port \$port -tls -4 - - - - -EOM - - -} - - -ShowLogo() { -echo " " -echo " +++ '++." -echo " +++ ++++" -echo " ++++" -echo " ,::: +++ +++ :+++++++ +++++++ .+++++++ .++ '++" -echo " ++++ .+++. '+++ ++++++++++ ++++++++ ++++++++++ ++++ ++++" -echo " ++++ ++++ ++++ +++++''++ +++++++ +++++++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ ++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++++ ;+++ ++++ ++++ ++++ ++++++++" -echo " ++++ +++ ++' ++ ++' .++++" -echo " " -echo " S i m p l e E m a i l P r i v a c y" -echo " " -echo " " - - - - - - - - -} -WriteEnv() { - envFile=/var/virtru/vg/env/$gwName.env - - - - - - - - -/bin/cat <$envFile -# Required to match the CN (Common Name) on the certificate. -# TLS will not function unless this matches. -# -GATEWAY_HOSTNAME=$gwFqdn - - -# Enable verbose logging in Gateway. 
-# Values -# Enable: 1 -# Disable: 0 -# Default: 0 -# Required: No -# Note: Set this to 0 unless you are debugging something. -# -GATEWAY_VERBOSE_LOGGING=0 - - - -# Domain name of organization -# Values -# Domain -# Required: Yes -# -GATEWAY_ORGANIZATION_DOMAIN=$gwDomain - - - -# Comma delimited list of trusted networks in CIDR formate. -# Inbound addresses allowed to connect to the gateway -# Values (examples) -# All IP: 0.0.0.0/0 -# 2 IP: 2.2.2.2/32,2.2.2.3/32 -# Required: Yes -# -$gwInboundRelay - - - -# Enable Proxy Protocol for SMTP. -# For use behind a load balancer. -# Values -# Enable: 1 -# Disable: 0 -# Default: 1 -# Required: No -# -GATEWAY_PROXY_PROTOCOL=0 - - - -# Comma delimited set of domains and next-hop destinations and optional ports -# Values -# Not defined/Commented out - Final delivery by MX -# GATEWAY_TRANSPORT_MAPS=*=>[Next hop FQDN]:port -# Default: Not defined/Commented out - Final delivery by MX -# Required: No -# -# Examples: -# -# Gmail Relay -# GATEWAY_TRANSPORT_MAPS=*=>[smtp-relay.gmail.com]:587 -# -# Office 365 -# GATEWAY_TRANSPORT_MAPS=*=>[MX Record]:25 -# -# Custom -# GATEWAY_TRANSPORT_MAPS=*=>[1.1.1.1]:25 -# -$gwOutboundRelay - - -# The mode for the Gateway. -# Values -# decrypt-everything -# encrypt-everything -# dlp - Use rules defined on Virtru Dashboard (https://secure.virtru.com/dashboard) -# Default: encrypt-everything -# Required: Yes -# -GATEWAY_MODE=$gwMode - - - -# Topology of the gateway. -# Values -# outbound -# inbound -# Default: outbound -# Required: Yes -GATEWAY_TOPOLOGY=$gwTopology - - - -# URL to Virtru's ACM service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACM_URL=https://acm.virtru.com - - - -# URL to Virtru's Accounts service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACCOUNTS_URL=https://accounts.virtru.com - - - -# The base URL for remote content. -# Required: Yes -# Note: Do not change unless directed by Virtru. If Custom Secure Reader URL is in use the URL should match. 
-# -GATEWAY_REMOTE_CONTENT_BASE_URL=https://secure.virtru.com/start - - - -# DKIM certificate information -# Values -# Not defined/Commented out - Gateway will not perform any DKIM signing -# Complete record for DKIM signing -# Required: No -# Example: -# GATEWAY_DKIM_DOMAINS=gw._domainkey.example.com -# -# GATEWAY_DKIM_DOMAINS=$gwDkimSelector._domainkey.$gwDomain - - - -# HMAC Token Name to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your token Name. -# -GATEWAY_API_TOKEN_NAME=$gwHmacName - - - -# HMAC Token Secret to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token Secret. -# -GATEWAY_API_TOKEN_SECRET=$gwHmacSecret - - - -# Amplitude Token to connect to the Virtru Events platform -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token. -# -GATEWAY_AMPLITUDE_API_KEY=$gwAmplitudeToken - - - -# Consider a message as undeliverable, when delivery fails with a temporary error, and the time in the queue -# has reached the maximal_queue_lifetime limit. -# Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is d (days). -# Postfix default is '5d'. Set this ENV variable if default does not work. -# Values -# NumberUnits -# Default: 5d -# Required: No -# Note: Specify 0 when mail delivery should be tried only once. -# -MAX_QUEUE_LIFETIME=5m - - - -# The maximal time between attempts to deliver a deferred message. 
-# Values -# NumberUnits -# Default: 4000s -# Required: No -# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME -# -MAX_BACKOFF_TIME=45s - - - -# The minimal time between attempts to deliver a deferred message -# Values -# NumberUnits -# Default: 300s -# Required: No -# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME -# -MIN_BACKOFF_TIME=30s - - - -# The time between deferred queue scans by the queue manager -# Values -# NumberUnits -# Default: 300s -# Required: No -# -QUEUE_RUN_DELAY=30s - - - -# Gateway Inbound -# Enable Inbound TLS to the Gateway. -# Values -# 1 Enabled -# 0 Disabled -# Default: 1 -# Required: No -# -GATEWAY_SMTPD_USE_TLS=1 - - - -# TLS Compliance Level for upstream (inbound) connections. -# This sets TLS version and cipher list accordingly. -# Customer is still responsible for following other NIST and/or OWASP recommendations, -# notably making sure certificates are signed and keys are rotated regularly. -# Values: -# LOW -# MEDIUM -# HIPPA_2018 -# PCI_321 -# HIGH -# -# Default: N/A -# Required: No -# Note: If any level above LOW, you must set: -# GATEWAY_SMTPD_SECURITY_LEVEL= mandatory -# GATEWAY_SMTPD_USE_TLS=1 -# -# -# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM - - - -# Gateway Inbound -# TLS level for inbound connections -# Values -# none -# mandatory -# opportunistic -# Require: No -# Note: Only used when: -# GATEWAY_SMTPD_USE_TLS=1 -# -GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic - - - -# Gateway Outbound -# Enable TLS at the Gateway. -# Values -# 1 Enabled -# 0 Disabled -# Default: 1 -# Require: No -# -GATEWAY_SMTP_USE_TLS=1 - - - -# Gateway Outbound -# TLS level for outbound connections -# Values -# none -# mandatory -# opportunistic -# Require: No -# -GATEWAY_SMTP_SECURITY_LEVEL=opportunistic - - - -# TLS Compliance Level for downstream (outbound) connections. -# This sets TLS version and cipher list accordingly. 
-# Customer is still responsible for following other NIST and/or OWASP recommendations, -# notably making sure certificates are signed and keys are rotated regularly. -# Values: -# LOW -# MEDIUM -# HIPPA_2018 -# PCI_321 -# HIGH -# -# Default: N/A -# Required: No -# Note: If any level above LOW, you must set: -# GATEWAY_SMTP_SECURITY_LEVEL= mandatory -# GATEWAY_SMTP_USE_TLS=1 -# -# -# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM - - - -# Gateway Outbound -# If SASL_ENABLED_DOWNSTREAM enabled, specify Postfix SMTP client SASL security options here. -# Default: N/A -# Required: No -# Values: Text -# -# GATEWAY_SMTP_SASL_SECURITY_OPTIONS=noanonymous -# - - - -# Gateway Outbound -# Require SASL authentication for outbound downstream or relay servers attempting to connect this server. -# Default: 0 -# Required: No -# Values: -# 0 (Disabled) -# 1 (Enabled) -# -# GATEWAY_SMTP_SASL_ENABLED_DOWNSTREAM=0 -# - - - -# Gateway Outbound -# Accounts for Authentication -# Example: -# GATEWAY_SMTPD_SASL_GATEWAY_SMTPD_SASL_ACCOUNTS=example.com=>user1=>password1,example.net=>user2=>password2 -# Required: No -# -# GATEWAY_SMTP_SASL_ACCOUNTS= -# - - - -# Gateway Outbound -# Outbound TLS requirements for a domain. Comma separated list. -# Example -# example.com=>none -# example.net=>maybe -# example.org=>encrypt -# GATEWAY_SMTP_TLS_POLICY_MAPS=example.com=>none,example.net=>maybe -# -# GATEWAY_SMTP_TLS_POLICY_MAPS= - - - -# New Relic Key -# Customer provided key to log events in customer's New Relic Tenant -# Values -# Provided by New Relic -# Required: No -# -# GATEWAY_NEWRELIC_CRED= - - - -# Inbound Authentication enablement. -# Enable inbound authentication. -# Supported modes: CRAM-MD5 or DIGEST-MD5 -# Values -# 1 Enabled -# 0 Disabled -# Default: 0 -# Require: No -# -# GATEWAY_SMTPD_SASL_ENABLED=0 - - - -# Inbound Authentication mechanisms. -# Space-delimited list of SASL mechanisms to support for upstream SASL. 
-# -# Default: N/A -# Required: No -# Values: -# PLAIN -# LOGIN -# CRAM-MD5 -# DIGEST-MD5 -# Note: Only required when: -# GATEWAY_SMTPD_SASL_ENABLED_UPSTREAM=1 -# -# GATEWAY_SMTPD_SASL_MECHANISMS= -# - - -# Inbound Authentication -# Accounts for Authentication -# Example: -# GATEWAY_SMTPD_SASL_ACCOUNTS=example.net=>user1=>password1,example.com=>user2=>password2 -# Required: No -# -# GATEWAY_SMTPD_SASL_ACCOUNTS= -# - - - -# Inbound X-Header Authentication -# Enable inbound X-Header authentication -# Values -# 1 Enabled -# 0 Disabled -# Default: 0 -# Require: No -# -# GATEWAY_XHEADER_AUTH_ENABLED= -# - - - -# Inbound X-Header Authentication -# Enable inbound X-Header authentication Shared Secret -# Example variable: -# GATEWAY_XHEADER_AUTH_SECRET=123456789 -# Example of applied header with secret -# X-Header-Virtru-Auth=123456789 -# Require: No -# -# GATEWAY_XHEADER_AUTH_SECRET= -# - - - -# CKS Enabled Organization -# -# If Gateway is in Decrypt Mode Required -# Required: Yes -# If Gateway is in Encrypt Mode Required only if the Organization is CKS enabled. -# Required: No -# -# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS -# -$gwCks - - - -# CKS Key Intergenerational Period -# Time between Gateway CKS public/private client Key Generation -# -# Required: No -# Default: 360 -# -# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360 -# -$gwCksKey - - - -# Time to Cache DLP rule. -# The interval of time between refreshing the DLP rules in minutes. -# -# Required: No -# Default: 30 -# Minimum: 0 -# -# Note: Number in minutes. To refresh every request, set to 0. -# -# GATEWAY_DLP_CACHE_DURATION=30 - - -# Inbound FROM address rewrite. -# Enable or disable from address rewriting (inbound topology only). This feature allows the Virtru Gateway to support DKIM. 
-# -# Required: No -# Default: 1 -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_REPLACEMENT_FROM_ENABLED=1 - - - -# Enable decryption of PFP protected files -# The feature to enable/disable the option to decrypt Virtru Persistent File Protection -# protected files (DECRYPT mode only) -# -# Required: No -# Default: 1 -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_DECRYPT_PERSISTENT_PROTECTED_ATTACHMENTS=1 - - -EOM - - - - - - - - -} - - - - -WriteScript() { -echo $gwVersion - echo "script" - scriptFile=/var/virtru/vg/scripts/setup-$gwName.sh - - - - - /bin/cat <$scriptFile -docker run \\ ---env-file /var/virtru/vg/env/$gwName.env \\ --v /var/virtru/vg/tls/:/etc/postfix/tls \\ --v /var/virtru/vg/queue/$gwName/:/var/spool/postfix \\ --v /var/virtru/vg/dkim/:/etc/opendkim/keys \\ ---name $gwName \\ ---publish $gwPort:25 \\ ---interactive --tty --detach \\ ---restart unless-stopped \\ ---log-driver json-file \\ ---log-opt max-size=10m \\ ---log-opt max-file=100 \\ -virtru/gateway:$gwVersion -EOM - - - - - - - - -chmod +x $scriptFile - - - - - - - - -} -ShowNextSteps() { - echo "next steps" - echo "-----------------------" - echo " Deploy Successful!" - echo " Next Steps:" - echo " " - echo " run: docker login" - echo " run: sh $scriptFile" - echo "-----------------------" -} - - - - - - - - - - -# Entry Point - - - - - - - - -clear -EntryPoint diff --git a/deploy-gateway-v2.12.0.sh b/deploy-gateway-v2.12.0.sh deleted file mode 100644 index 011d305..0000000 --- a/deploy-gateway-v2.12.0.sh +++ /dev/null 
@@ -1,1252 +0,0 @@
-#!/bin/bash
-
-
-
-
-EntryPoint()
-{
-# Default Variables
-blank=""
-gwVersionDefault="2.12.0"
-gwPortDefault="9001"
-gwModeDefault="encrypt-everything"
-gwTopologyDefault="outbound"
-gwCksDefault="2"
-gwInboundRelayDefault=""
-gwFqdnDefault="gw.example.com"
-gwDomainDefault="example.com"
-gwDkimSelectorDefault="gw"
-gwOutboundRelayDefault=""
-gwAmplitudeTokenDefault="0000000000"
-gwHmacNameDefault="0000000000"
-gwHmacSecretDefault="0000000000"
-
-
-
-
-
-
-
-# Final Variables
-gwName=""
-gwVersion=""
-gwPort=""
-gwMode=""
-gwTopology=""
-gwInboundRelay=""
-gwCks=""
-gwCksKey=""
-gwFqdn=""
-gwDkimSelector=""
-gwOutboundRelay=""
-gwAmplitudeToken=""
-gwHmacName=""
-gwHmacSecret=""
-
-
-
-
-
-
-
-
-# Working Variables
-tlsPath=""
-tlsKeyFile=""
-tlsKeyFull=""
-tlsPemFile=""
-tlsPemFull=""
-dkimPath=""
-dkimPrivateFull=""
-dkimPublicFull=""
-scriptFile=""
-
-
-
-
-
-
-
-
-# Actions
-ShowLogo
-GetGwVersion $gwVersionDefault
-GetGwPort $gwPortDefault
-GetGwMode $gwModeDefault
-GetGwTopology $gwTopologyDefault
-GetGwName
-GetGwInboundRelay $gwInboundRelayDefault
-GetGwCks $gwCksDefault
-GetGwFqdn $gwFqdnDefault
-GetGwDomain $gwDomainDefault
-GetGwDkimSelector $gwDkimSelectorDefault
-GetGwOutboundRelay $gwOutboundRelayDefault
-GetGwAmplitudeToken $gwAmplitudeTokenDefault
-GetGwHmacName $gwHmacNameDefault
-GetGwHmacSecret $gwHmacSecretDefault
-
-
-
-
-
-
-
-
-MakeTlsPathVariables
-MakeDkimPathVariables
-MakeDirectories
-MakeTlsCert
-MakeDkimCert
-WriteEnv
-WriteScript
-WriteTestScripts
-clear
-ShowLogo
-ShowNextSteps
-
-
-
-
-}
-
-
-
-
-
-
-
-
-
-
-
-
-## Functions
-GetGwName() {
- if [ $gwTopology = "outbound" ]
- then
- if [ $gwMode = "encrypt-everything" ]
- then
- gwName="oe-$gwPort"
- fi
- if [ $gwMode = "decrypt-everything" ]
- then
- gwName="od-$gwPort"
- fi
- if [ $gwMode = "dlp" ]
- then
- gwName="dlp-out-$gwPort"
- fi
- else
- if [ $gwMode = "encrypt-everything" ]
- then
- gwName="ie-$gwPort"
- fi
- if [ $gwMode = "decrypt-everything" ]
- then
- gwName="id-$gwPort" - fi - if [ $gwMode = "dlp" ] - then - gwName="dlp-in-$gwPort" - fi - fi - - -} - - - - -GetGwVersion() { - local input="" - read -p "Gateway Version [$1]: " input - - - - - case "$input" in - $blank ) - gwVersion=$1 - ;; - * ) - gwVersion=$input - ;; - esac - echo " " -} - - - - -GetGwPort() { -local input="" - read -p "Gateway Port [$1]: " input - - - - - case "$input" in - $blank ) - gwPort=$1 - ;; - * ) - gwPort=$input - ;; - esac - echo " " -} - - - - -GetGwMode() { - local input="" - echo "Gateway Mode" - echo " Options" - echo " 1 - encrypt-everything" - echo " 2 - decrypt-everything" - echo " 3 - dlp" - echo " " - read -p "Enter 1-3 [$1]: " input - - - - - case "$input" in - $blank ) - gwMode=$1 - ;; - 1 ) - gwMode="encrypt-everything" - ;; - 2 ) - gwMode="decrypt-everything" - ;; - 3 ) - gwMode="dlp" - ;; - * ) - gwMode=$1 - ;; - esac - echo " " -} - - - - -GetGwTopology() { - local input="" - echo "Gateway Topology" - echo " Options" - echo " 1 - inbound" - echo " 2 - outbound" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwTopology=$1 - ;; - 1 ) - gwTopology="inbound" - ;; - 2 ) - gwTopology="outbound" - ;; - * ) - gwTopology=$1 - ;; - esac - echo " " -} - - - - -GetGwInboundRelay() { - local input="" - echo "Inbound Relay Addresses" - echo " Options" - echo " 1 - G Suite" - echo " 2 - O365" - echo " 3 - All" - echo " 4 - None" - read -p "Enter (1-4) [$1]: " input - - - - - case "$input" in - $blank ) - gwInboundRelay=$1 - ;; - 1 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=35.190.247.0/24,64.233.160.0/19,66.102.0.0/20,66.249.80.0/20,72.14.192.0/18,74.125.0.0/16,108.177.8.0/21,173.194.0.0/16,209.85.128.0/17,216.58.192.0/19,216.239.32.0/19,172.217.0.0/19,172.217.32.0/20,172.217.128.0/19,172.217.160.0/20,172.217.192.0/19,108.177.96.0/19,35.191.0.0/16,130.211.0.0/22" - ;; - 2 ) - 
gwInboundRelay="GATEWAY_RELAY_ADDRESSES=23.103.132.0/22,23.103.136.0/21,23.103.144.0/20,23.103.198.0/23,23.103.200.0/22,23.103.212.0/22,40.92.0.0/14,40.107.0.0/17,40.107.128.0/18,52.100.0.0/14,65.55.88.0/24,65.55.169.0/24,94.245.120.64/26,104.47.0.0/17,104.212.58.0/23,134.170.132.0/24,134.170.140.0/24,157.55.234.0/24,157.56.110.0/23,157.56.112.0/24,207.46.51.64/26,207.46.100.0/24,207.46.163.0/24,213.199.154.0/24,213.199.180.128/26,216.32.180.0/23" - ;; - 3 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=0.0.0.0/0" - ;; - 4 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=" - ;; - * ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=$1" - ;; - esac - echo " " -} - - - - -GetGwCks() { - local input="" - echo "CKS Enabled" - echo " Options" - echo " 1 - Yes" - echo " 2 - No" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - - - ;; - 1 ) - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - 2 ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - * ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - esac - echo " " - - - if [ $gwMode = "decrypt-everything" ] - then - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - fi -} - - - - -GetGwFqdn() { - local input="" - read -p "Gateway FQDN [$1]: " input - - - - - case "$input" in - $blank ) - gwFqdn=$1 - ;; - * ) - gwFqdn=$input - ;; - esac - echo " " -} - - - - -GetGwDomain() { - local input="" - read -p "Gateway Domain [$1]: " input - - - - - case "$input" in - $blank ) - gwDomain=$1 - ;; - * ) - gwDomain=$input - ;; - esac - echo " " -} - - - - -GetGwOutboundRelay() { - local input="" - echo "Outbound Relay - Next Hop in SMTP mailflow after the gateway." 
- echo " Gmail Relay" - echo " [smtp-relay.gmail.com]:587" - echo " " - echo " Office 365" - echo " [MX Record]:25" - echo " " - echo " Custom" - echo " [1.1.1.1]:25" - echo " " - echo " Blank (Gateway performs final delivery)" - read -p "Enter Relay Address []: " input - - - - - case "$input" in - $blank ) - gwOutboundRelay="# GATEWAY_TRANSPORT_MAPS=*=>$1" - ;; - * ) - gwOutboundRelay="GATEWAY_TRANSPORT_MAPS=*=>$input" - ;; - esac - echo " " -} - - - - -GetGwDkimSelector() { - local input="" - read -p "Gateway DKIM Selector [$1]: " input - - - - - case "$input" in - $blank ) - gwDkimSelector=$1 - ;; - * ) - gwDkimSelector=$input - ;; - esac - echo " " -} - - - - -GetGwAmplitudeToken() { - local input="" - read -p "Amplitude Token (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwAmplitudeToken=$1 - ;; - * ) - gwAmplitudeToken=$input - ;; - esac - echo " " -} - - - - -GetGwHmacName() { - local input="" - read -p "Token ID (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacName=$1 - ;; - * ) - gwHmacName=$input - ;; - esac - echo " " -} - - - - -GetGwHmacSecret() { - local input="" - read -p "Token (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacSecret=$1 - ;; - * ) - gwHmacSecret=$input - ;; - esac - echo " " -} - - - - - - - - -MakeTlsPathVariables() { - tlsPath="/var/virtru/vg/tls/$gwFqdn" - tlsKeyFile="client.key" - tlsKeyFull="$tlsPath/$tlsKeyFile" - tlsPemFile="client.pem" - tlsPemFull="$tlsPath/$tlsPemFile" -} - - - - -MakeDkimPathVariables() { - dkimPath="/var/virtru/vg/dkim" - dkimPrivateFull="$dkimPath/$gwDkimSelector" - dkimPrivateFull="$dkimPrivateFull._domainkey.$gwDomain.pem" - dkimPublicFull="$dkimPath/$gwDkimSelector._domainkey.$gwDomain-public.pem" -} - - - - -MakeDirectories(){ - mkdir -p /var/virtru/vg/ - mkdir -p /var/virtru/vg/env - mkdir -p /var/virtru/vg/scripts - mkdir -p /var/virtru/vg/tls - mkdir -p /var/virtru/vg/queue - mkdir -p 
/var/virtru/vg/queue/$gwName - mkdir -p /var/virtru/vg/test - mkdir -p $tlsPath - mkdir -p /var/virtru/vg/dkim -} - - - - -MakeTlsCert(){ -## Make TLS Certs -openssl genrsa -out $tlsKeyFull 2048 -openssl req -new -key $tlsKeyFull -x509 -subj /CN=$gwFqdn -days 3650 -out $tlsPemFull - -} - - - - -MakeDkimCert(){ -openssl genrsa -out $dkimPrivateFull 1024 -outform PEM -openssl rsa -in $dkimPrivateFull -out $dkimPublicFull -pubout -outform PEM -} - -WriteTestScripts(){ - testScript1=/var/virtru/vg/test/checkendpoints.sh -/bin/cat <$testScript1 -#!/bin/bash - -echo https://google.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://google.com -echo "" - -echo https://acm.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://acm.virtru.com -echo "" - -echo https://api.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://acm.virtru.com -echo "" - -echo https://accounts.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://accounts.virtru.com -echo "" - -echo https://secure.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://secure.virtru.com -echo "" - -echo https://api.amplitude.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://api.amplitude.com -echo "" - -echo https://cdn.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://cdn.virtru.com -echo "" - -echo https://hub.docker.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://hub.docker.com -echo "" - -EOM - - - testScript2=/var/virtru/vg/test/runall.sh -/bin/cat <$testScript2 -#!/bin/bash - -for container in \`docker ps -q\`; do - # show the name of the container - docker inspect --format='{{.Name}}' \$container; - # run the command 
(date in the case) - docker exec -it \$container \$1 -done - - -EOM - - - testScript3=/var/virtru/vg/test/sendtestmessage.sh -/bin/cat <$testScript3 -#!/bin/bash - -echo "Update Virtru Gateway ENV file to include the lan ip of the Gateway." -echo "Use the lan IP and not the loopback (127.0.0.1)" -read -p "SMTP Server: " server -read -p "SMTP Port: " port -read -p "FROM: " from -read -p "TO: " to - -swaks --To \$to --From \$from --header "Subject: Test mail" --body "This is a test mail" --server \$server --port \$port -tls -4 - - - - -EOM - - -} - - -ShowLogo() { -echo " " -echo " +++ '++." -echo " +++ ++++" -echo " ++++" -echo " ,::: +++ +++ :+++++++ +++++++ .+++++++ .++ '++" -echo " ++++ .+++. '+++ ++++++++++ ++++++++ ++++++++++ ++++ ++++" -echo " ++++ ++++ ++++ +++++''++ +++++++ +++++++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ ++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++++ ;+++ ++++ ++++ ++++ ++++++++" -echo " ++++ +++ ++' ++ ++' .++++" -echo " " -echo " S i m p l e E m a i l P r i v a c y" -echo " " -echo " " - - - - - - - - -} -WriteEnv() { - envFile=/var/virtru/vg/env/$gwName.env - - - - - - - - -/bin/cat <$envFile -# Required to match the CN (Common Name) on the certificate. -# TLS will not function unless this matches. -# -GATEWAY_HOSTNAME=$gwFqdn - - -# Enable verbose logging in Gateway. -# Values -# Enable: 1 -# Disable: 0 -# Default: 0 -# Required: No -# Note: Set this to 0 unless you are debugging something. -# -GATEWAY_VERBOSE_LOGGING=0 - - - -# Domain name of organization -# Values -# Domain -# Required: Yes -# -GATEWAY_ORGANIZATION_DOMAIN=$gwDomain - - - -# Comma delimited list of trusted networks in CIDR formate. -# Inbound addresses allowed to connect to the gateway -# Values (examples) -# All IP: 0.0.0.0/0 -# 2 IP: 2.2.2.2/32,2.2.2.3/32 -# Required: Yes -# -$gwInboundRelay - - - -# Enable Proxy Protocol for SMTP. -# For use behind a load balancer. 
-# Values -# Enable: 1 -# Disable: 0 -# Default: 1 -# Required: No -# -GATEWAY_PROXY_PROTOCOL=0 - - - -# Comma delimited set of domains and next-hop destinations and optional ports -# Values -# Not defined/Commented out - Final delivery by MX -# GATEWAY_TRANSPORT_MAPS=*=>[Next hop FQDN]:port -# Default: Not defined/Commented out - Final delivery by MX -# Required: No -# -# Examples: -# -# Gmail Relay -# GATEWAY_TRANSPORT_MAPS=*=>[smtp-relay.gmail.com]:587 -# -# Office 365 -# GATEWAY_TRANSPORT_MAPS=*=>[MX Record]:25 -# -# Custom -# GATEWAY_TRANSPORT_MAPS=*=>[1.1.1.1]:25 -# -$gwOutboundRelay - - -# The mode for the Gateway. -# Values -# decrypt-everything -# encrypt-everything -# dlp - Use rules defined on Virtru Dashboard (https://secure.virtru.com/dashboard) -# Default: encrypt-everything -# Required: Yes -# -GATEWAY_MODE=$gwMode - - - -# Topology of the gateway. -# Values -# outbound -# inbound -# Default: outbound -# Required: Yes -GATEWAY_TOPOLOGY=$gwTopology - - - -# URL to Virtru's ACM service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACM_URL=https://api.virtru.com/acm - - - -# URL to Virtru's Accounts service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACCOUNTS_URL=https://api.virtru.com/accounts - - - -# The base URL for remote content. -# Required: Yes -# Note: Do not change unless directed by Virtru. If Custom Secure Reader URL is in use the URL should match. -# -GATEWAY_REMOTE_CONTENT_BASE_URL=https://secure.virtru.com/start - - - -# DKIM certificate information -# Values -# Not defined/Commented out - Gateway will not perform any DKIM signing -# Complete record for DKIM signing -# Required: No -# Example: -# GATEWAY_DKIM_DOMAINS=gw._domainkey.example.com -# -# GATEWAY_DKIM_DOMAINS=$gwDkimSelector._domainkey.$gwDomain - - - -# HMAC Token Name to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your token Name. 
-# -GATEWAY_API_TOKEN_NAME=$gwHmacName - - - -# HMAC Token Secret to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token Secret. -# -GATEWAY_API_TOKEN_SECRET=$gwHmacSecret - - - -# Amplitude Token to connect to the Virtru Events platform -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token. -# -GATEWAY_AMPLITUDE_API_KEY=$gwAmplitudeToken - - - -# Consider a message as undeliverable, when delivery fails with a temporary error, and the time in the queue -# has reached the maximal_queue_lifetime limit. -# Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is d (days). -# Postfix default is '5d'. Set this ENV variable if default does not work. -# Values -# NumberUnits -# Default: 5d -# Required: No -# Note: Specify 0 when mail delivery should be tried only once. -# -MAX_QUEUE_LIFETIME=5m - - - -# The maximal time between attempts to deliver a deferred message. -# Values -# NumberUnits -# Default: 4000s -# Required: No -# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME -# -MAX_BACKOFF_TIME=45s - - - -# The minimal time between attempts to deliver a deferred message -# Values -# NumberUnits -# Default: 300s -# Required: No -# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME -# -MIN_BACKOFF_TIME=30s - - - -# The time between deferred queue scans by the queue manager -# Values -# NumberUnits -# Default: 300s -# Required: No -# -QUEUE_RUN_DELAY=30s - - - -# Gateway Inbound -# Enable Inbound TLS to the Gateway. -# Values -# 1 Enabled -# 0 Disabled -# Default: 1 -# Required: No -# -GATEWAY_SMTPD_USE_TLS=1 - - - -# TLS Compliance Level for upstream (inbound) connections. -# This sets TLS version and cipher list accordingly. 
-# Customer is still responsible for following other NIST and/or OWASP recommendations, -# notably making sure certificates are signed and keys are rotated regularly. -# Values: -# LOW -# MEDIUM -# HIPPA_2018 -# PCI_321 -# HIGH -# -# Default: N/A -# Required: No -# Note: If any level above LOW, you must set: -# GATEWAY_SMTPD_SECURITY_LEVEL= mandatory -# GATEWAY_SMTPD_USE_TLS=1 -# -# -# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM - - - -# Gateway Inbound -# TLS level for inbound connections -# Values -# none -# mandatory -# opportunistic -# Require: No -# Note: Only used when: -# GATEWAY_SMTPD_USE_TLS=1 -# -GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic - - - -# Gateway Outbound -# Enable TLS at the Gateway. -# Values -# 1 Enabled -# 0 Disabled -# Default: 1 -# Require: No -# -GATEWAY_SMTP_USE_TLS=1 - - - -# Gateway Outbound -# TLS level for outbound connections -# Values -# none -# mandatory -# opportunistic -# Require: No -# -GATEWAY_SMTP_SECURITY_LEVEL=opportunistic - - - -# TLS Compliance Level for downstream (outbound) connections. -# This sets TLS version and cipher list accordingly. -# Customer is still responsible for following other NIST and/or OWASP recommendations, -# notably making sure certificates are signed and keys are rotated regularly. -# Values: -# LOW -# MEDIUM -# HIPPA_2018 -# PCI_321 -# HIGH -# -# Default: N/A -# Required: No -# Note: If any level above LOW, you must set: -# GATEWAY_SMTP_SECURITY_LEVEL= mandatory -# GATEWAY_SMTP_USE_TLS=1 -# -# -# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM - - - -# Gateway Outbound -# If SASL_ENABLED_DOWNSTREAM enabled, specify Postfix SMTP client SASL security options here. -# Default: N/A -# Required: No -# Values: Text -# -# GATEWAY_SMTP_SASL_SECURITY_OPTIONS=noanonymous -# - - - -# Gateway Outbound -# Require SASL authentication for outbound downstream or relay servers attempting to connect this server. 
-# Default: 0 -# Required: No -# Values: -# 0 (Disabled) -# 1 (Enabled) -# -# GATEWAY_SMTP_SASL_ENABLED_DOWNSTREAM=0 -# - - - -# Gateway Outbound -# Accounts for Authentication -# Example: -# GATEWAY_SMTPD_SASL_GATEWAY_SMTPD_SASL_ACCOUNTS=example.com=>user1=>password1,example.net=>user2=>password2 -# Required: No -# -# GATEWAY_SMTP_SASL_ACCOUNTS= -# - - - -# Gateway Outbound -# Outbound TLS requirements for a domain. Comma separated list. -# Example -# example.com=>none -# example.net=>maybe -# example.org=>encrypt -# GATEWAY_SMTP_TLS_POLICY_MAPS=example.com=>none,example.net=>maybe -# -# GATEWAY_SMTP_TLS_POLICY_MAPS= - - - -# New Relic Key -# Customer provided key to log events in customer's New Relic Tenant -# Values -# Provided by New Relic -# Required: No -# -# GATEWAY_NEWRELIC_CRED= - - - -# Inbound Authentication enablement. -# Enable inbound authentication. -# Supported modes: CRAM-MD5 or DIGEST-MD5 -# Values -# 1 Enabled -# 0 Disabled -# Default: 0 -# Require: No -# -# GATEWAY_SMTPD_SASL_ENABLED=0 - - - -# Inbound Authentication mechanisms. -# Space-delimited list of SASL mechanisms to support for upstream SASL. 
-# -# Default: N/A -# Required: No -# Values: -# PLAIN -# LOGIN -# CRAM-MD5 -# DIGEST-MD5 -# Note: Only required when: -# GATEWAY_SMTPD_SASL_ENABLED_UPSTREAM=1 -# -# GATEWAY_SMTPD_SASL_MECHANISMS= -# - - -# Inbound Authentication -# Accounts for Authentication -# Example: -# GATEWAY_SMTPD_SASL_ACCOUNTS=example.net=>user1=>password1,example.com=>user2=>password2 -# Required: No -# -# GATEWAY_SMTPD_SASL_ACCOUNTS= -# - - - -# Inbound X-Header Authentication -# Enable inbound X-Header authentication -# Values -# 1 Enabled -# 0 Disabled -# Default: 0 -# Require: No -# -# GATEWAY_XHEADER_AUTH_ENABLED= -# - - - -# Inbound X-Header Authentication -# Enable inbound X-Header authentication Shared Secret -# Example variable: -# GATEWAY_XHEADER_AUTH_SECRET=123456789 -# Example of applied header with secret -# X-Header-Virtru-Auth=123456789 -# Require: No -# -# GATEWAY_XHEADER_AUTH_SECRET= -# - - - -# CKS Enabled Organization -# -# If Gateway is in Decrypt Mode Required -# Required: Yes -# If Gateway is in Encrypt Mode Required only if the Organization is CKS enabled. -# Required: No -# -# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS -# -$gwCks - - - -# CKS Key Intergenerational Period -# Time between Gateway CKS public/private client Key Generation -# -# Required: No -# Default: 360 -# -# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360 -# -$gwCksKey - - - -# Time to Cache DLP rule. -# The interval of time between refreshing the DLP rules in minutes. -# -# Required: No -# Default: 30 -# Minimum: 0 -# -# Note: Number in minutes. To refresh every request, set to 0. -# -# GATEWAY_DLP_CACHE_DURATION=30 - - -# Inbound FROM address rewrite. -# Enable or disable from address rewriting (inbound topology only). This feature allows the Virtru Gateway to support DKIM. 
-# -# Required: No -# Default: 1 -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_REPLACEMENT_FROM_ENABLED=1 - - - -# Enable decryption of PFP protected files -# The feature to enable/disable the option to decrypt Virtru Persistent File Protection -# protected files (DECRYPT mode only) -# -# Required: No -# Default: 1 -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_DECRYPT_PERSISTENT_PROTECTED_ATTACHMENTS=1 - - -EOM - - - - - - - - -} - - - - -WriteScript() { -echo $gwVersion - echo "script" - scriptFile=/var/virtru/vg/scripts/setup-$gwName.sh - - - - - /bin/cat <$scriptFile -docker run \\ ---env-file /var/virtru/vg/env/$gwName.env \\ --v /var/virtru/vg/tls/:/etc/postfix/tls \\ --v /var/virtru/vg/queue/$gwName/:/var/spool/postfix \\ --v /var/virtru/vg/dkim/:/etc/opendkim/keys \\ ---name $gwName \\ ---publish $gwPort:25 \\ ---interactive --tty --detach \\ ---restart unless-stopped \\ ---log-driver json-file \\ ---log-opt max-size=10m \\ ---log-opt max-file=100 \\ -virtru/gateway:$gwVersion -EOM - - - - - - - - -chmod +x $scriptFile - - - - - - - - -} -ShowNextSteps() { - echo "next steps" - echo "-----------------------" - echo " Deploy Successful!" - echo " Next Steps:" - echo " " - echo " run: docker login" - echo " run: sh $scriptFile" - echo "-----------------------" -} - - - - - - - - - - -# Entry Point - - - - - - - - -clear -EntryPoint diff --git a/deploy-gateway-v2.14.0.sh b/deploy-gateway-v2.14.0.sh deleted file mode 100644 index 92af409..0000000 --- a/deploy-gateway-v2.14.0.sh +++ /dev/null 
@@ -1,1320 +0,0 @@ -#!/bin/bash - - - - -EntryPoint() -{ -# Default Variables -blank="" -gwVersionDefault="2.14.0" -gwPortDefault="9001" -gwModeDefault="encrypt-everything" -gwTopologyDefault="outbound" -gwCksDefault="2" -gwInboundRelayDefault="" -gwFqdnDefault="gw.example.com" -gwDomainDefault="example.com" -gwDkimSelectorDefault="gw" -gwOutboundRelayDefault="" -gwAmplitudeTokenDefault="0000000000" -gwHmacNameDefault="0000000000" -gwHmacSecretDefault="0000000000" -gwDefaultFips="No" - - - - - - - -# Final Variables -gwName="" -gwVersion="" -gwPort="" -gwMode="" -gwTopology="" -gwInboundRelay="" -gwCks="" -gwCksKey="" -gwFqdn="" -gwDkimSelector="" -gwOutboundRelay="" -gwAmplitudeToken="" -gwHmacName="" -gwHmacSecret="" -gwType="" -gwSmtpdTlsCompliance="" -gwSmtpdSecurityLevel="" -gwSmtpTlsCompliance="" -gwSmtpSecurityLevel="" - - - - - - - - - -# Working Variables -tlsPath="" -tlsKeyFile="" -tlsKeyFull="" -tlsPemFile="" -tlsPemFull="" -dkimPath="" -dkimPrivateFull="" -dkimPublicFull="" -scriptFile="" - - - - - - - - -# Actions -ShowLogo -GetGwVersion $gwVersionDefault -GetGwPort $gwPortDefault -GetGwMode $gwModeDefault -GetGwTopology $gwTopologyDefault -GetGwFips $gwDefaultFips -GetGwName -GetGwInboundRelay $gwInboundRelayDefault -GetGwCks $gwCksDefault -GetGwFqdn $gwFqdnDefault -GetGwDomain $gwDomainDefault -GetGwDkimSelector $gwDkimSelectorDefault -GetGwOutboundRelay $gwOutboundRelayDefault -GetGwAmplitudeToken $gwAmplitudeTokenDefault -GetGwHmacName $gwHmacNameDefault -GetGwHmacSecret $gwHmacSecretDefault - - - - - - - - -MakeTlsPathVariables -MakeDkimPathVariables -MakeDirectories -MakeTlsCert -MakeDkimCert -WriteEnv -WriteScript -WriteTestScripts -clear -ShowLogo -ShowNextSteps - - - - -} - - - - - - - - - - - - -## Functions -GetGwName() { - if [ $gwTopology = "outbound" ] - then - if [ $gwMode = "encrypt-everything" ] - then - gwName="oe-$gwPort" - fi - if [ $gwMode = "decrypt-everything" ] - then - gwName="od-$gwPort" - fi - if [ $gwMode = "dlp" ] - then - 
gwName="dlp-out-$gwPort" - fi - else - if [ $gwMode = "encrypt-everything" ] - then - gwName="ie-$gwPort" - fi - if [ $gwMode = "decrypt-everything" ] - then - gwName="id-$gwPort" - fi - if [ $gwMode = "dlp" ] - then - gwName="dlp-in-$gwPort" - fi - fi - - -} - - - - -GetGwVersion() { - local input="" - read -p "Gateway Version [$1]: " input - - - - - case "$input" in - $blank ) - gwVersion=$1 - ;; - * ) - gwVersion=$input - ;; - esac - echo " " -} - - - - -GetGwPort() { -local input="" - read -p "Gateway Port [$1]: " input - - - - - case "$input" in - $blank ) - gwPort=$1 - ;; - * ) - gwPort=$input - ;; - esac - echo " " -} - - - - -GetGwMode() { - local input="" - echo "Gateway Mode" - echo " Options" - echo " 1 - encrypt-everything" - echo " 2 - decrypt-everything" - echo " 3 - dlp" - echo " " - read -p "Enter 1-3 [$1]: " input - - - - - case "$input" in - $blank ) - gwMode=$1 - ;; - 1 ) - gwMode="encrypt-everything" - ;; - 2 ) - gwMode="decrypt-everything" - ;; - 3 ) - gwMode="dlp" - ;; - * ) - gwMode=$1 - ;; - esac - echo " " -} - - - - -GetGwTopology() { - local input="" - echo "Gateway Topology" - echo " Options" - echo " 1 - inbound" - echo " 2 - outbound" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwTopology=$1 - ;; - 1 ) - gwTopology="inbound" - ;; - 2 ) - gwTopology="outbound" - ;; - * ) - gwTopology=$1 - ;; - esac - echo " " -} - - -GetGwFips() { - local input="" - echo "Do you have a FIPS requirement?" 
- echo " Options" - echo " 1 - Yes" - echo " 2 - No" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - 1 ) - gwType="gateway-fips" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=mandatory" - gwSmtpdTlsCompliance="GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=HIGH" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=mandatory" - gwSmtpTlsCompliance="GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=HIGH" - - - ;; - 2 ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - * ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - esac - echo " " -} - - - - -GetGwInboundRelay() { - local input="" - echo "Inbound Relay Addresses" - echo " Options" - echo " 1 - G Suite" - echo " 2 - O365" - echo " 3 - All" - echo " 4 - None" - read -p "Enter (1-4) [$1]: " input - - - - - case "$input" in - $blank ) - gwInboundRelay=$1 - ;; - 1 ) - 
gwInboundRelay="GATEWAY_RELAY_ADDRESSES=35.190.247.0/24,64.233.160.0/19,66.102.0.0/20,66.249.80.0/20,72.14.192.0/18,74.125.0.0/16,108.177.8.0/21,173.194.0.0/16,209.85.128.0/17,216.58.192.0/19,216.239.32.0/19,172.217.0.0/19,172.217.32.0/20,172.217.128.0/19,172.217.160.0/20,172.217.192.0/19,108.177.96.0/19,35.191.0.0/16,130.211.0.0/22" - ;; - 2 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=23.103.132.0/22,23.103.136.0/21,23.103.144.0/20,23.103.198.0/23,23.103.200.0/22,23.103.212.0/22,40.92.0.0/14,40.107.0.0/17,40.107.128.0/18,52.100.0.0/14,65.55.88.0/24,65.55.169.0/24,94.245.120.64/26,104.47.0.0/17,104.212.58.0/23,134.170.132.0/24,134.170.140.0/24,157.55.234.0/24,157.56.110.0/23,157.56.112.0/24,207.46.51.64/26,207.46.100.0/24,207.46.163.0/24,213.199.154.0/24,213.199.180.128/26,216.32.180.0/23" - ;; - 3 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=0.0.0.0/0" - ;; - 4 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=" - ;; - * ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=$1" - ;; - esac - echo " " -} - - - - -GetGwCks() { - local input="" - echo "CKS Enabled" - echo " Options" - echo " 1 - Yes" - echo " 2 - No" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - - - ;; - 1 ) - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - 2 ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - * ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - esac - echo " " - - - if [ $gwMode = "decrypt-everything" ] - then - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - fi -} - - - - -GetGwFqdn() { - local input="" - read -p "Gateway FQDN [$1]: " input - - - - - case "$input" in - $blank ) - gwFqdn=$1 - ;; - * ) - gwFqdn=$input - 
;; - esac - echo " " -} - - - - -GetGwDomain() { - local input="" - read -p "Gateway Domain [$1]: " input - - - - - case "$input" in - $blank ) - gwDomain=$1 - ;; - * ) - gwDomain=$input - ;; - esac - echo " " -} - - - - -GetGwOutboundRelay() { - local input="" - echo "Outbound Relay - Next Hop in SMTP mailflow after the gateway." - echo " Gmail Relay" - echo " [smtp-relay.gmail.com]:587" - echo " " - echo " Office 365" - echo " [MX Record]:25" - echo " " - echo " Custom" - echo " [1.1.1.1]:25" - echo " " - echo " Blank (Gateway performs final delivery)" - read -p "Enter Relay Address []: " input - - - - - case "$input" in - $blank ) - gwOutboundRelay="# GATEWAY_TRANSPORT_MAPS=*=>$1" - ;; - * ) - gwOutboundRelay="GATEWAY_TRANSPORT_MAPS=*=>$input" - ;; - esac - echo " " -} - - - - -GetGwDkimSelector() { - local input="" - read -p "Gateway DKIM Selector [$1]: " input - - - - - case "$input" in - $blank ) - gwDkimSelector=$1 - ;; - * ) - gwDkimSelector=$input - ;; - esac - echo " " -} - - - - -GetGwAmplitudeToken() { - local input="" - read -p "Amplitude Token (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwAmplitudeToken=$1 - ;; - * ) - gwAmplitudeToken=$input - ;; - esac - echo " " -} - - - - -GetGwHmacName() { - local input="" - read -p "Token ID (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacName=$1 - ;; - * ) - gwHmacName=$input - ;; - esac - echo " " -} - - - - -GetGwHmacSecret() { - local input="" - read -p "Token (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacSecret=$1 - ;; - * ) - gwHmacSecret=$input - ;; - esac - echo " " -} - - - - - - - - -MakeTlsPathVariables() { - tlsPath="/var/virtru/vg/tls/$gwFqdn" - tlsKeyFile="client.key" - tlsKeyFull="$tlsPath/$tlsKeyFile" - tlsPemFile="client.pem" - tlsPemFull="$tlsPath/$tlsPemFile" -} - - - - -MakeDkimPathVariables() { - dkimPath="/var/virtru/vg/dkim" - dkimPrivateFull="$dkimPath/$gwDkimSelector" - 
dkimPrivateFull="$dkimPrivateFull._domainkey.$gwDomain.pem" - dkimPublicFull="$dkimPath/$gwDkimSelector._domainkey.$gwDomain-public.pem" -} - - - - -MakeDirectories(){ - mkdir -p /var/virtru/vg/ - mkdir -p /var/virtru/vg/env - mkdir -p /var/virtru/vg/scripts - mkdir -p /var/virtru/vg/tls - mkdir -p /var/virtru/vg/queue - mkdir -p /var/virtru/vg/queue/$gwName - chown -R 149:149 /var/virtru/vg/queue/$gwName - mkdir -p /var/virtru/vg/test - mkdir -p $tlsPath - mkdir -p /var/virtru/vg/dkim -} - - - - -MakeTlsCert(){ -## Make TLS Certs -openssl genrsa -out $tlsKeyFull 2048 -openssl req -new -key $tlsKeyFull -x509 -subj /CN=$gwFqdn -days 3650 -out $tlsPemFull - -} - - - - -MakeDkimCert(){ -openssl genrsa -out $dkimPrivateFull 1024 -outform PEM -openssl rsa -in $dkimPrivateFull -out $dkimPublicFull -pubout -outform PEM -} - -WriteTestScripts(){ - testScript1=/var/virtru/vg/test/checkendpoints.sh -/bin/cat <$testScript1 -#!/bin/bash - -echo https://google.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://google.com -echo "" - -echo https://acm.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://acm.virtru.com -echo "" - -echo https://api.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://acm.virtru.com -echo "" - -echo https://accounts.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://accounts.virtru.com -echo "" - -echo https://secure.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://secure.virtru.com -echo "" - -echo https://api.amplitude.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://api.amplitude.com -echo "" - -echo https://cdn.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://cdn.virtru.com -echo "" - -echo 
https://hub.docker.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://hub.docker.com -echo "" - -EOM - - - testScript2=/var/virtru/vg/test/runall.sh -/bin/cat <$testScript2 -#!/bin/bash - -for container in \`docker ps -q\`; do - # show the name of the container - docker inspect --format='{{.Name}}' \$container; - # run the command (date in the case) - docker exec -it \$container \$1 -done - - -EOM - - - testScript3=/var/virtru/vg/test/sendtestmessage.sh -/bin/cat <$testScript3 -#!/bin/bash - -echo "Update Virtru Gateway ENV file to include the lan ip of the Gateway." -echo "Use the lan IP and not the loopback (127.0.0.1)" -read -p "SMTP Server: " server -read -p "SMTP Port: " port -read -p "FROM: " from -read -p "TO: " to - -swaks --To \$to --From \$from --header "Subject: Test mail" --body "This is a test mail" --server \$server --port \$port -tls -4 - - - - -EOM - - -} - - -ShowLogo() { -echo " " -echo " +++ '++." -echo " +++ ++++" -echo " ++++" -echo " ,::: +++ +++ :+++++++ +++++++ .+++++++ .++ '++" -echo " ++++ .+++. '+++ ++++++++++ ++++++++ ++++++++++ ++++ ++++" -echo " ++++ ++++ ++++ +++++''++ +++++++ +++++++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ ++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++++ ;+++ ++++ ++++ ++++ ++++++++" -echo " ++++ +++ ++' ++ ++' .++++" -echo " " -echo " S i m p l e E m a i l P r i v a c y" -echo " " -echo " " - - - - - - - - -} -WriteEnv() { - envFile=/var/virtru/vg/env/$gwName.env - - - - - - - - -/bin/cat <$envFile -# Required to match the CN (Common Name) on the certificate. -# TLS will not function unless this matches. -# -GATEWAY_HOSTNAME=$gwFqdn - - -# Enable verbose logging in Gateway. -# Values -# Enable: 1 -# Disable: 0 -# Default: 0 -# Required: No -# Note: Set this to 0 unless you are debugging something. 
-# -GATEWAY_VERBOSE_LOGGING=0 - - - -# Domain name of organization -# Values -# Domain -# Required: Yes -# -GATEWAY_ORGANIZATION_DOMAIN=$gwDomain - - - -# Comma delimited list of trusted networks in CIDR formate. -# Inbound addresses allowed to connect to the gateway -# Values (examples) -# All IP: 0.0.0.0/0 -# 2 IP: 2.2.2.2/32,2.2.2.3/32 -# Required: Yes -# -$gwInboundRelay - - - -# Enable Proxy Protocol for SMTP. -# For use behind a load balancer. -# Values -# Enable: 1 -# Disable: 0 -# Default: 1 -# Required: No -# -GATEWAY_PROXY_PROTOCOL=0 - - - -# Comma delimited set of domains and next-hop destinations and optional ports -# Values -# Not defined/Commented out - Final delivery by MX -# GATEWAY_TRANSPORT_MAPS=*=>[Next hop FQDN]:port -# Default: Not defined/Commented out - Final delivery by MX -# Required: No -# -# Examples: -# -# Gmail Relay -# GATEWAY_TRANSPORT_MAPS=*=>[smtp-relay.gmail.com]:587 -# -# Office 365 -# GATEWAY_TRANSPORT_MAPS=*=>[MX Record]:25 -# -# Custom -# GATEWAY_TRANSPORT_MAPS=*=>[1.1.1.1]:25 -# -$gwOutboundRelay - - -# The mode for the Gateway. -# Values -# decrypt-everything -# encrypt-everything -# dlp - Use rules defined on Virtru Dashboard (https://secure.virtru.com/dashboard) -# Default: encrypt-everything -# Required: Yes -# -GATEWAY_MODE=$gwMode - - - -# Topology of the gateway. -# Values -# outbound -# inbound -# Default: outbound -# Required: Yes -GATEWAY_TOPOLOGY=$gwTopology - - - -# URL to Virtru's ACM service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACM_URL=https://api.virtru.com/acm - - - -# URL to Virtru's Accounts service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACCOUNTS_URL=https://api.virtru.com/accounts - - - -# The base URL for remote content. -# Required: Yes -# Note: Do not change unless directed by Virtru. If Custom Secure Reader URL is in use the URL should match. 
-# -GATEWAY_REMOTE_CONTENT_BASE_URL=https://secure.virtru.com/start - - - -# DKIM certificate information -# Values -# Not defined/Commented out - Gateway will not perform any DKIM signing -# Complete record for DKIM signing -# Required: No -# Example: -# GATEWAY_DKIM_DOMAINS=gw._domainkey.example.com -# -# GATEWAY_DKIM_DOMAINS=$gwDkimSelector._domainkey.$gwDomain - - - -# HMAC Token Name to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your token Name. -# -GATEWAY_API_TOKEN_NAME=$gwHmacName - - - -# HMAC Token Secret to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token Secret. -# -GATEWAY_API_TOKEN_SECRET=$gwHmacSecret - - - -# Amplitude Token to connect to the Virtru Events platform -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token. -# -GATEWAY_AMPLITUDE_API_KEY=$gwAmplitudeToken - - - -# Consider a message as undeliverable, when delivery fails with a temporary error, and the time in the queue -# has reached the maximal_queue_lifetime limit. -# Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is d (days). -# Postfix default is '5d'. Set this ENV variable if default does not work. -# Values -# NumberUnits -# Default: 5d -# Required: No -# Note: Specify 0 when mail delivery should be tried only once. -# -MAX_QUEUE_LIFETIME=5m - - - -# The maximal time between attempts to deliver a deferred message. 
-# Values -# NumberUnits -# Default: 4000s -# Required: No -# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME -# -MAX_BACKOFF_TIME=45s - - - -# The minimal time between attempts to deliver a deferred message -# Values -# NumberUnits -# Default: 300s -# Required: No -# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME -# -MIN_BACKOFF_TIME=30s - - - -# The time between deferred queue scans by the queue manager -# Values -# NumberUnits -# Default: 300s -# Required: No -# -QUEUE_RUN_DELAY=30s - - - -# Gateway Inbound -# Enable Inbound TLS to the Gateway. -# Values -# 1 Enabled -# 0 Disabled -# Default: 1 -# Required: No -# -GATEWAY_SMTPD_USE_TLS=1 - - - -# TLS Compliance Level for upstream (inbound) connections. -# This sets TLS version and cipher list accordingly. -# Customer is still responsible for following other NIST and/or OWASP recommendations, -# notably making sure certificates are signed and keys are rotated regularly. -# Values: -# LOW -# MEDIUM -# HIPPA_2018 -# PCI_321 -# HIGH -# -# Default: N/A -# Required: No -# Note: If any level above LOW, you must set: -# GATEWAY_SMTPD_SECURITY_LEVEL= mandatory -# GATEWAY_SMTPD_USE_TLS=1 -# -# -$gwSmtpdTlsCompliance - - - -# Gateway Inbound -# TLS level for inbound connections -# Values -# none -# mandatory -# opportunistic -# Require: No -# Note: Only used when: -# GATEWAY_SMTPD_USE_TLS=1 -# -$gwSmtpdSecurityLevel - - - -# Gateway Outbound -# Enable TLS at the Gateway. -# Values -# 1 Enabled -# 0 Disabled -# Default: 1 -# Require: No -# -GATEWAY_SMTP_USE_TLS=1 - - - -# Gateway Outbound -# TLS level for outbound connections -# Values -# none -# mandatory -# opportunistic -# Require: No -# -$gwSmtpSecurityLevel - - - -# TLS Compliance Level for downstream (outbound) connections. -# This sets TLS version and cipher list accordingly. 
-# Customer is still responsible for following other NIST and/or OWASP recommendations, -# notably making sure certificates are signed and keys are rotated regularly. -# Values: -# LOW -# MEDIUM -# HIPPA_2018 -# PCI_321 -# HIGH -# -# Default: N/A -# Required: No -# Note: If any level above LOW, you must set: -# GATEWAY_SMTP_SECURITY_LEVEL= mandatory -# GATEWAY_SMTP_USE_TLS=1 -# -# -$gwSmtpTlsCompliance - - - -# Gateway Outbound -# If SASL_ENABLED_DOWNSTREAM enabled, specify Postfix SMTP client SASL security options here. -# Default: N/A -# Required: No -# Values: Text -# -# GATEWAY_SMTP_SASL_SECURITY_OPTIONS=noanonymous -# - - - -# Gateway Outbound -# Require SASL authentication for outbound downstream or relay servers attempting to connect this server. -# Default: 0 -# Required: No -# Values: -# 0 (Disabled) -# 1 (Enabled) -# -# GATEWAY_SMTP_SASL_ENABLED_DOWNSTREAM=0 -# - - - -# Gateway Outbound -# Accounts for Authentication -# Example: -# GATEWAY_SMTPD_SASL_GATEWAY_SMTPD_SASL_ACCOUNTS=example.com=>user1=>password1,example.net=>user2=>password2 -# Required: No -# -# GATEWAY_SMTP_SASL_ACCOUNTS= -# - - - -# Gateway Outbound -# Outbound TLS requirements for a domain. Comma separated list. -# Example -# example.com=>none -# example.net=>maybe -# example.org=>encrypt -# GATEWAY_SMTP_TLS_POLICY_MAPS=example.com=>none,example.net=>maybe -# -# GATEWAY_SMTP_TLS_POLICY_MAPS= - - - -# New Relic Key -# Customer provided key to log events in customer's New Relic Tenant -# Values -# Provided by New Relic -# Required: No -# -# GATEWAY_NEWRELIC_CRED= - - - -# Inbound Authentication enablement. -# Enable inbound authentication. -# Supported modes: CRAM-MD5 or DIGEST-MD5 -# Values -# 1 Enabled -# 0 Disabled -# Default: 0 -# Require: No -# -# GATEWAY_SMTPD_SASL_ENABLED=0 - - - -# Inbound Authentication mechanisms. -# Space-delimited list of SASL mechanisms to support for upstream SASL. 
-# -# Default: N/A -# Required: No -# Values: -# PLAIN -# LOGIN -# CRAM-MD5 -# DIGEST-MD5 -# Note: Only required when: -# GATEWAY_SMTPD_SASL_ENABLED_UPSTREAM=1 -# -# GATEWAY_SMTPD_SASL_MECHANISMS= -# - - -# Inbound Authentication -# Accounts for Authentication -# Example: -# GATEWAY_SMTPD_SASL_ACCOUNTS=example.net=>user1=>password1,example.com=>user2=>password2 -# Required: No -# -# GATEWAY_SMTPD_SASL_ACCOUNTS= -# - - - -# Inbound X-Header Authentication -# Enable inbound X-Header authentication -# Values -# 1 Enabled -# 0 Disabled -# Default: 0 -# Require: No -# -# GATEWAY_XHEADER_AUTH_ENABLED= -# - - - -# Inbound X-Header Authentication -# Enable inbound X-Header authentication Shared Secret -# Example variable: -# GATEWAY_XHEADER_AUTH_SECRET=123456789 -# Example of applied header with secret -# X-Header-Virtru-Auth=123456789 -# Require: No -# -# GATEWAY_XHEADER_AUTH_SECRET= -# - - - -# CKS Enabled Organization -# -# If Gateway is in Decrypt Mode Required -# Required: Yes -# If Gateway is in Encrypt Mode Required only if the Organization is CKS enabled. -# Required: No -# -# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS -# -$gwCks - - - -# CKS Key Intergenerational Period -# Time between Gateway CKS public/private client Key Generation -# -# Required: No -# Default: 360 -# -# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360 -# -$gwCksKey - - - -# Time to Cache DLP rule. -# The interval of time between refreshing the DLP rules in minutes. -# -# Required: No -# Default: 30 -# Minimum: 0 -# -# Note: Number in minutes. To refresh every request, set to 0. -# -# GATEWAY_DLP_CACHE_DURATION=30 - - -# Inbound FROM address rewrite. -# Enable or disable from address rewriting (inbound topology only). This feature allows the Virtru Gateway to support DKIM. 
-# -# Required: No -# Default: 1 -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_REPLACEMENT_FROM_ENABLED=1 - - - -# Enable decryption of PFP protected files -# The feature to enable/disable the option to decrypt Virtru Persistent File Protection -# protected files (DECRYPT mode only) -# -# Required: No -# Default: 1 -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_DECRYPT_PERSISTENT_PROTECTED_ATTACHMENTS=1 - - -# SMTP XHeaders for the Gateway to set on all mail it processes -# Example Header Values -# X-Header-1: value1, X-Header-2: value2 -# GATEWAY_ROUTING_XHEADERS= - -EOM - - - - - - - - -} - - - - -WriteScript() { -echo $gwVersion - echo "script" - scriptFile=/var/virtru/vg/scripts/setup-$gwName.sh - - - - - /bin/cat <$scriptFile -docker run \\ ---env-file /var/virtru/vg/env/$gwName.env \\ --v /var/virtru/vg/tls/:/etc/postfix/tls \\ --v /var/virtru/vg/queue/$gwName/:/var/spool/postfix \\ --v /var/virtru/vg/dkim/:/etc/opendkim/keys \\ ---name $gwName \\ ---publish $gwPort:25 \\ ---interactive --tty --detach \\ ---restart unless-stopped \\ ---log-driver json-file \\ ---log-opt max-size=10m \\ ---log-opt max-file=100 \\ -virtru/$gwType:$gwVersion -EOM - - - - - - - - -chmod +x $scriptFile - - - - - - - - -} -ShowNextSteps() { - echo "next steps" - echo "-----------------------" - echo " Deploy Successful!" - echo " Next Steps:" - echo " " - echo " run: docker login" - echo " run: sh $scriptFile" - echo "-----------------------" -} - - - - - - - - - - -# Entry Point - - - - - - - - -clear -EntryPoint diff --git a/deploy-gateway-v2.15.0.sh b/deploy-gateway-v2.15.0.sh deleted file mode 100644 index 12ec5f1..0000000 --- a/deploy-gateway-v2.15.0.sh +++ /dev/null 
@@ -1,1343 +0,0 @@ -#!/bin/bash - - - - -EntryPoint() -{ -# Default Variables -blank="" -gwVersionDefault="2.15.0" -gwPortDefault="9001" -gwModeDefault="encrypt-everything" -gwTopologyDefault="outbound" -gwCksDefault="2" -gwInboundRelayDefault="" -gwFqdnDefault="gw.example.com" -gwDomainDefault="example.com" -gwDkimSelectorDefault="gw" -gwOutboundRelayDefault="" -gwAmplitudeTokenDefault="0000000000" -gwHmacNameDefault="0000000000" -gwHmacSecretDefault="0000000000" -gwDefaultFips="No" - - - - - - - -# Final Variables -gwName="" -gwVersion="" -gwPort="" -gwMode="" -gwTopology="" -gwInboundRelay="" -gwCks="" -gwCksKey="" -gwFqdn="" -gwDkimSelector="" -gwOutboundRelay="" -gwAmplitudeToken="" -gwHmacName="" -gwHmacSecret="" -gwType="" -gwSmtpdTlsCompliance="" -gwSmtpdSecurityLevel="" -gwSmtpTlsCompliance="" -gwSmtpSecurityLevel="" - - - - - - - - - -# Working Variables -tlsPath="" -tlsKeyFile="" -tlsKeyFull="" -tlsPemFile="" -tlsPemFull="" -dkimPath="" -dkimPrivateFull="" -dkimPublicFull="" -scriptFile="" - - - - - - - - -# Actions -ShowLogo -GetGwVersion $gwVersionDefault -GetGwPort $gwPortDefault -GetGwMode $gwModeDefault -GetGwTopology $gwTopologyDefault -GetGwFips $gwDefaultFips -GetGwName -GetGwInboundRelay $gwInboundRelayDefault -GetGwCks $gwCksDefault -GetGwFqdn $gwFqdnDefault -GetGwDomain $gwDomainDefault -GetGwDkimSelector $gwDkimSelectorDefault -GetGwOutboundRelay $gwOutboundRelayDefault -GetGwAmplitudeToken $gwAmplitudeTokenDefault -GetGwHmacName $gwHmacNameDefault -GetGwHmacSecret $gwHmacSecretDefault - - - - - - - - -MakeTlsPathVariables -MakeDkimPathVariables -MakeDirectories -MakeTlsCert -MakeDkimCert -WriteEnv -WriteScript -WriteTestScripts -clear -ShowLogo -ShowNextSteps - - - - -} - - - - - - - - - - - - -## Functions -GetGwName() { - if [ $gwTopology = "outbound" ] - then - if [ $gwMode = "encrypt-everything" ] - then - gwName="oe-$gwPort" - fi - if [ $gwMode = "decrypt-everything" ] - then - gwName="od-$gwPort" - fi - if [ $gwMode = "dlp" ] - then - 
gwName="dlp-out-$gwPort" - fi - else - if [ $gwMode = "encrypt-everything" ] - then - gwName="ie-$gwPort" - fi - if [ $gwMode = "decrypt-everything" ] - then - gwName="id-$gwPort" - fi - if [ $gwMode = "dlp" ] - then - gwName="dlp-in-$gwPort" - fi - fi - - -} - - - - -GetGwVersion() { - local input="" - read -p "Gateway Version [$1]: " input - - - - - case "$input" in - $blank ) - gwVersion=$1 - ;; - * ) - gwVersion=$input - ;; - esac - echo " " -} - - - - -GetGwPort() { -local input="" - read -p "Gateway Port [$1]: " input - - - - - case "$input" in - $blank ) - gwPort=$1 - ;; - * ) - gwPort=$input - ;; - esac - echo " " -} - - - - -GetGwMode() { - local input="" - echo "Gateway Mode" - echo " Options" - echo " 1 - encrypt-everything" - echo " 2 - decrypt-everything" - echo " 3 - dlp" - echo " " - read -p "Enter 1-3 [$1]: " input - - - - - case "$input" in - $blank ) - gwMode=$1 - ;; - 1 ) - gwMode="encrypt-everything" - ;; - 2 ) - gwMode="decrypt-everything" - ;; - 3 ) - gwMode="dlp" - ;; - * ) - gwMode=$1 - ;; - esac - echo " " -} - - - - -GetGwTopology() { - local input="" - echo "Gateway Topology" - echo " Options" - echo " 1 - inbound" - echo " 2 - outbound" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwTopology=$1 - ;; - 1 ) - gwTopology="inbound" - ;; - 2 ) - gwTopology="outbound" - ;; - * ) - gwTopology=$1 - ;; - esac - echo " " -} - - -GetGwFips() { - local input="" - echo "Do you have a FIPS requirement?" 
- echo " Options" - echo " 1 - Yes" - echo " 2 - No" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - 1 ) - gwType="gateway-fips" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=mandatory" - gwSmtpdTlsCompliance="GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=HIGH" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=mandatory" - gwSmtpTlsCompliance="GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=HIGH" - - - ;; - 2 ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - * ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - esac - echo " " -} - - - - -GetGwInboundRelay() { - local input="" - echo "Inbound Relay Addresses" - echo " Options" - echo " 1 - G Suite" - echo " 2 - O365" - echo " 3 - All" - echo " 4 - None" - read -p "Enter (1-4) [$1]: " input - - - - - case "$input" in - $blank ) - gwInboundRelay=$1 - ;; - 1 ) - 
gwInboundRelay="GATEWAY_RELAY_ADDRESSES=35.190.247.0/24,64.233.160.0/19,66.102.0.0/20,66.249.80.0/20,72.14.192.0/18,74.125.0.0/16,108.177.8.0/21,173.194.0.0/16,209.85.128.0/17,216.58.192.0/19,216.239.32.0/19,172.217.0.0/19,172.217.32.0/20,172.217.128.0/19,172.217.160.0/20,172.217.192.0/19,108.177.96.0/19,35.191.0.0/16,130.211.0.0/22" - ;; - 2 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=23.103.132.0/22,23.103.136.0/21,23.103.144.0/20,23.103.198.0/23,23.103.200.0/22,23.103.212.0/22,40.92.0.0/14,40.107.0.0/17,40.107.128.0/18,52.100.0.0/14,65.55.88.0/24,65.55.169.0/24,94.245.120.64/26,104.47.0.0/17,104.212.58.0/23,134.170.132.0/24,134.170.140.0/24,157.55.234.0/24,157.56.110.0/23,157.56.112.0/24,207.46.51.64/26,207.46.100.0/24,207.46.163.0/24,213.199.154.0/24,213.199.180.128/26,216.32.180.0/23" - ;; - 3 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=0.0.0.0/0" - ;; - 4 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=" - ;; - * ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=$1" - ;; - esac - echo " " -} - - - - -GetGwCks() { - local input="" - echo "CKS Enabled" - echo " Options" - echo " 1 - Yes" - echo " 2 - No" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - - - ;; - 1 ) - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - 2 ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - * ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - esac - echo " " - - - if [ $gwMode = "decrypt-everything" ] - then - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - fi -} - - - - -GetGwFqdn() { - local input="" - read -p "Gateway FQDN [$1]: " input - - - - - case "$input" in - $blank ) - gwFqdn=$1 - ;; - * ) - gwFqdn=$input - 
;; - esac - echo " " -} - - - - -GetGwDomain() { - local input="" - read -p "Gateway Domain [$1]: " input - - - - - case "$input" in - $blank ) - gwDomain=$1 - ;; - * ) - gwDomain=$input - ;; - esac - echo " " -} - - - - -GetGwOutboundRelay() { - local input="" - echo "Outbound Relay - Next Hop in SMTP mailflow after the gateway." - echo " Gmail Relay" - echo " [smtp-relay.gmail.com]:587" - echo " " - echo " Office 365" - echo " [MX Record]:25" - echo " " - echo " Custom" - echo " [1.1.1.1]:25" - echo " " - echo " Blank (Gateway performs final delivery)" - read -p "Enter Relay Address []: " input - - - - - case "$input" in - $blank ) - gwOutboundRelay="# GATEWAY_TRANSPORT_MAPS=*=>$1" - ;; - * ) - gwOutboundRelay="GATEWAY_TRANSPORT_MAPS=*=>$input" - ;; - esac - echo " " -} - - - - -GetGwDkimSelector() { - local input="" - read -p "Gateway DKIM Selector [$1]: " input - - - - - case "$input" in - $blank ) - gwDkimSelector=$1 - ;; - * ) - gwDkimSelector=$input - ;; - esac - echo " " -} - - - - -GetGwAmplitudeToken() { - local input="" - read -p "Amplitude Token (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwAmplitudeToken=$1 - ;; - * ) - gwAmplitudeToken=$input - ;; - esac - echo " " -} - - - - -GetGwHmacName() { - local input="" - read -p "Token ID (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacName=$1 - ;; - * ) - gwHmacName=$input - ;; - esac - echo " " -} - - - - -GetGwHmacSecret() { - local input="" - read -p "Token (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacSecret=$1 - ;; - * ) - gwHmacSecret=$input - ;; - esac - echo " " -} - - - - - - - - -MakeTlsPathVariables() { - tlsPath="/var/virtru/vg/tls/$gwFqdn" - tlsKeyFile="client.key" - tlsKeyFull="$tlsPath/$tlsKeyFile" - tlsPemFile="client.pem" - tlsPemFull="$tlsPath/$tlsPemFile" -} - - - - -MakeDkimPathVariables() { - dkimPath="/var/virtru/vg/dkim" - dkimPrivateFull="$dkimPath/$gwDkimSelector" - 
dkimPrivateFull="$dkimPrivateFull._domainkey.$gwDomain.pem" - dkimPublicFull="$dkimPath/$gwDkimSelector._domainkey.$gwDomain-public.pem" -} - - - - -MakeDirectories(){ - mkdir -p /var/virtru/vg/ - mkdir -p /var/virtru/vg/env - mkdir -p /var/virtru/vg/scripts - mkdir -p /var/virtru/vg/tls - mkdir -p /var/virtru/vg/queue - mkdir -p /var/virtru/vg/queue/$gwName - chown -R 149:149 /var/virtru/vg/queue/$gwName - mkdir -p /var/virtru/vg/test - mkdir -p $tlsPath - mkdir -p /var/virtru/vg/dkim -} - - - - -MakeTlsCert(){ -## Make TLS Certs -openssl genrsa -out $tlsKeyFull 2048 -openssl req -new -key $tlsKeyFull -x509 -subj /CN=$gwFqdn -days 3650 -out $tlsPemFull - -} - - - - -MakeDkimCert(){ -openssl genrsa -out $dkimPrivateFull 1024 -outform PEM -openssl rsa -in $dkimPrivateFull -out $dkimPublicFull -pubout -outform PEM -} - -WriteTestScripts(){ - testScript1=/var/virtru/vg/test/checkendpoints.sh -/bin/cat <$testScript1 -#!/bin/bash - -echo https://google.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://google.com -echo "" - -echo https://acm.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://acm.virtru.com -echo "" - -echo https://api.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://acm.virtru.com -echo "" - -echo https://accounts.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://accounts.virtru.com -echo "" - -echo https://secure.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://secure.virtru.com -echo "" - -echo https://api.amplitude.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://api.amplitude.com -echo "" - -echo https://cdn.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://cdn.virtru.com -echo "" - -echo 
https://hub.docker.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://hub.docker.com -echo "" - -EOM - - - testScript2=/var/virtru/vg/test/runall.sh -/bin/cat <$testScript2 -#!/bin/bash - -for container in \`docker ps -q\`; do - # show the name of the container - docker inspect --format='{{.Name}}' \$container; - # run the command (date in the case) - docker exec -it \$container \$1 -done - - -EOM - - - testScript3=/var/virtru/vg/test/sendtestmessage.sh -/bin/cat <$testScript3 -#!/bin/bash - -echo "Update Virtru Gateway ENV file to include the lan ip of the Gateway." -echo "Use the lan IP and not the loopback (127.0.0.1)" -read -p "SMTP Server: " server -read -p "SMTP Port: " port -read -p "FROM: " from -read -p "TO: " to - -swaks --To \$to --From \$from --header "Subject: Test mail" --body "This is a test mail" --server \$server --port \$port -tls -4 - - - - -EOM - - -} - - -ShowLogo() { -echo " " -echo " +++ '++." -echo " +++ ++++" -echo " ++++" -echo " ,::: +++ +++ :+++++++ +++++++ .+++++++ .++ '++" -echo " ++++ .+++. '+++ ++++++++++ ++++++++ ++++++++++ ++++ ++++" -echo " ++++ ++++ ++++ +++++''++ +++++++ +++++++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ ++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++++ ;+++ ++++ ++++ ++++ ++++++++" -echo " ++++ +++ ++' ++ ++' .++++" -echo " " -echo " S i m p l e E m a i l P r i v a c y" -echo " " -echo " " - - - - - - - - -} -WriteEnv() { - envFile=/var/virtru/vg/env/$gwName.env - - - - - - - - -/bin/cat <$envFile -# Required to match the CN (Common Name) on the certificate. -# TLS will not function unless this matches. -# -GATEWAY_HOSTNAME=$gwFqdn - - -# Enable verbose logging in Gateway. -# Values -# Enable: 1 -# Disable: 0 -# Default: 0 -# Required: No -# Note: Set this to 0 unless you are debugging something. 
-# -GATEWAY_VERBOSE_LOGGING=0 - - - -# Domain name of organization -# Values -# Domain -# Required: Yes -# -GATEWAY_ORGANIZATION_DOMAIN=$gwDomain - - - -# Comma delimited list of trusted networks in CIDR formate. -# Inbound addresses allowed to connect to the gateway -# Values (examples) -# All IP: 0.0.0.0/0 -# 2 IP: 2.2.2.2/32,2.2.2.3/32 -# Required: Yes -# -$gwInboundRelay - - - -# Enable Proxy Protocol for SMTP. -# For use behind a load balancer. -# Values -# Enable: 1 -# Disable: 0 -# Default: 1 -# Required: No -# -GATEWAY_PROXY_PROTOCOL=0 - - - -# Comma delimited set of domains and next-hop destinations and optional ports -# Values -# Not defined/Commented out - Final delivery by MX -# GATEWAY_TRANSPORT_MAPS=*=>[Next hop FQDN]:port -# Default: Not defined/Commented out - Final delivery by MX -# Required: No -# -# Examples: -# -# Gmail Relay -# GATEWAY_TRANSPORT_MAPS=*=>[smtp-relay.gmail.com]:587 -# -# Office 365 -# GATEWAY_TRANSPORT_MAPS=*=>[MX Record]:25 -# -# Custom -# GATEWAY_TRANSPORT_MAPS=*=>[1.1.1.1]:25 -# -$gwOutboundRelay - - -# The mode for the Gateway. -# Values -# decrypt-everything -# encrypt-everything -# dlp - Use rules defined on Virtru Dashboard (https://secure.virtru.com/dashboard) -# Default: encrypt-everything -# Required: Yes -# -GATEWAY_MODE=$gwMode - - - -# Topology of the gateway. -# Values -# outbound -# inbound -# Default: outbound -# Required: Yes -GATEWAY_TOPOLOGY=$gwTopology - - - -# URL to Virtru's ACM service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACM_URL=https://api.virtru.com/acm - - - -# URL to Virtru's Accounts service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACCOUNTS_URL=https://api.virtru.com/accounts - - - -# The base URL for remote content. -# Required: Yes -# Note: Do not change unless directed by Virtru. If Custom Secure Reader URL is in use the URL should match. 
-# -GATEWAY_REMOTE_CONTENT_BASE_URL=https://secure.virtru.com/start - - - -# DKIM certificate information -# Values -# Not defined/Commented out - Gateway will not perform any DKIM signing -# Complete record for DKIM signing -# Required: No -# Example: -# GATEWAY_DKIM_DOMAINS=gw._domainkey.example.com -# -# GATEWAY_DKIM_DOMAINS=$gwDkimSelector._domainkey.$gwDomain - - - -# HMAC Token Name to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your token Name. -# -GATEWAY_API_TOKEN_NAME=$gwHmacName - - - -# HMAC Token Secret to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token Secret. -# -GATEWAY_API_TOKEN_SECRET=$gwHmacSecret - - - -# Amplitude Token to connect to the Virtru Events platform -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token. -# -GATEWAY_AMPLITUDE_API_KEY=$gwAmplitudeToken - - - -# Consider a message as undeliverable, when delivery fails with a temporary error, and the time in the queue -# has reached the maximal_queue_lifetime limit. -# Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is d (days). -# Postfix default is '5d'. Set this ENV variable if default does not work. -# Values -# NumberUnits -# Default: 5d -# Required: No -# Note: Specify 0 when mail delivery should be tried only once. -# -MAX_QUEUE_LIFETIME=5m - - - -# The maximal time between attempts to deliver a deferred message. 
-# Values -# NumberUnits -# Default: 4000s -# Required: No -# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME -# -MAX_BACKOFF_TIME=45s - - - -# The minimal time between attempts to deliver a deferred message -# Values -# NumberUnits -# Default: 300s -# Required: No -# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME -# -MIN_BACKOFF_TIME=30s - - - -# The time between deferred queue scans by the queue manager -# Values -# NumberUnits -# Default: 300s -# Required: No -# -QUEUE_RUN_DELAY=30s - - - -# Gateway Inbound -# Enable Inbound TLS to the Gateway. -# Values -# 1 Enabled -# 0 Disabled -# Default: 1 -# Required: No -# -GATEWAY_SMTPD_USE_TLS=1 - - - -# TLS Compliance Level for upstream (inbound) connections. -# This sets TLS version and cipher list accordingly. -# Customer is still responsible for following other NIST and/or OWASP recommendations, -# notably making sure certificates are signed and keys are rotated regularly. -# Values: -# LOW -# MEDIUM -# HIPPA_2018 -# PCI_321 -# HIGH -# -# Default: N/A -# Required: No -# Note: If any level above LOW, you must set: -# GATEWAY_SMTPD_SECURITY_LEVEL= mandatory -# GATEWAY_SMTPD_USE_TLS=1 -# -# -$gwSmtpdTlsCompliance - - - -# Gateway Inbound -# TLS level for inbound connections -# Values -# none -# mandatory -# opportunistic -# Require: No -# Note: Only used when: -# GATEWAY_SMTPD_USE_TLS=1 -# -$gwSmtpdSecurityLevel - - - -# Gateway Outbound -# Enable TLS at the Gateway. -# Values -# 1 Enabled -# 0 Disabled -# Default: 1 -# Require: No -# -GATEWAY_SMTP_USE_TLS=1 - - - -# Gateway Outbound -# TLS level for outbound connections -# Values -# none -# mandatory -# opportunistic -# Require: No -# -$gwSmtpSecurityLevel - - - -# TLS Compliance Level for downstream (outbound) connections. -# This sets TLS version and cipher list accordingly. 
-# Customer is still responsible for following other NIST and/or OWASP recommendations, -# notably making sure certificates are signed and keys are rotated regularly. -# Values: -# LOW -# MEDIUM -# HIPPA_2018 -# PCI_321 -# HIGH -# -# Default: N/A -# Required: No -# Note: If any level above LOW, you must set: -# GATEWAY_SMTP_SECURITY_LEVEL= mandatory -# GATEWAY_SMTP_USE_TLS=1 -# -# -$gwSmtpTlsCompliance - - - -# Gateway Outbound -# If SASL_ENABLED_DOWNSTREAM enabled, specify Postfix SMTP client SASL security options here. -# Default: N/A -# Required: No -# Values: Text -# -# GATEWAY_SMTP_SASL_SECURITY_OPTIONS=noanonymous -# - - - -# Gateway Outbound -# Require SASL authentication for outbound downstream or relay servers attempting to connect this server. -# Default: 0 -# Required: No -# Values: -# 0 (Disabled) -# 1 (Enabled) -# -# GATEWAY_SMTP_SASL_ENABLED_DOWNSTREAM=0 -# - - - -# Gateway Outbound -# Accounts for Authentication -# Example: -# GATEWAY_SMTPD_SASL_GATEWAY_SMTPD_SASL_ACCOUNTS=example.com=>user1=>password1,example.net=>user2=>password2 -# Required: No -# -# GATEWAY_SMTP_SASL_ACCOUNTS= -# - - - -# Gateway Outbound -# Outbound TLS requirements for a domain. Comma separated list. -# Example -# example.com=>none -# example.net=>maybe -# example.org=>encrypt -# GATEWAY_SMTP_TLS_POLICY_MAPS=example.com=>none,example.net=>maybe -# -# GATEWAY_SMTP_TLS_POLICY_MAPS= - - - -# New Relic Key -# Customer provided key to log events in customer's New Relic Tenant -# Values -# Provided by New Relic -# Required: No -# -# GATEWAY_NEWRELIC_CRED= - - - -# Inbound Authentication enablement. -# Enable inbound authentication. -# Supported modes: CRAM-MD5 or DIGEST-MD5 -# Values -# 1 Enabled -# 0 Disabled -# Default: 0 -# Require: No -# -# GATEWAY_SMTPD_SASL_ENABLED=0 - - - -# Inbound Authentication mechanisms. -# Space-delimited list of SASL mechanisms to support for upstream SASL. 
-# -# Default: N/A -# Required: No -# Values: -# PLAIN -# LOGIN -# CRAM-MD5 -# DIGEST-MD5 -# Note: Only required when: -# GATEWAY_SMTPD_SASL_ENABLED_UPSTREAM=1 -# -# GATEWAY_SMTPD_SASL_MECHANISMS= -# - - -# Inbound Authentication -# Accounts for Authentication -# Example: -# GATEWAY_SMTPD_SASL_ACCOUNTS=example.net=>user1=>password1,example.com=>user2=>password2 -# Required: No -# -# GATEWAY_SMTPD_SASL_ACCOUNTS= -# - - - -# Inbound X-Header Authentication -# Enable inbound X-Header authentication -# Values -# 1 Enabled -# 0 Disabled -# Default: 0 -# Require: No -# -# GATEWAY_XHEADER_AUTH_ENABLED= -# - - - -# Inbound X-Header Authentication -# Enable inbound X-Header authentication Shared Secret -# Example variable: -# GATEWAY_XHEADER_AUTH_SECRET=123456789 -# Example of applied header with secret -# X-Header-Virtru-Auth=123456789 -# Require: No -# -# GATEWAY_XHEADER_AUTH_SECRET= -# - - - -# CKS Enabled Organization -# -# If Gateway is in Decrypt Mode Required -# Required: Yes -# If Gateway is in Encrypt Mode Required only if the Organization is CKS enabled. -# Required: No -# -# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS -# -$gwCks - - - -# CKS Key Intergenerational Period -# Time between Gateway CKS public/private client Key Generation -# -# Required: No -# Default: 360 -# -# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360 -# -$gwCksKey - - - -# Time to Cache DLP rule. -# The interval of time between refreshing the DLP rules in minutes. -# -# Required: No -# Default: 30 -# Minimum: 0 -# -# Note: Number in minutes. To refresh every request, set to 0. -# -# GATEWAY_DLP_CACHE_DURATION=30 - - -# Inbound FROM address rewrite. -# Enable or disable from address rewriting (inbound topology only). This feature allows the Virtru Gateway to support DKIM. 
-# -# Required: No -# Default: 1 -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_REPLACEMENT_FROM_ENABLED=1 - - - -# Enable decryption of PFP protected files -# The feature to enable/disable the option to decrypt Virtru Persistent File Protection -# protected files (DECRYPT mode only) -# -# Required: No -# Default: 1 -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_DECRYPT_PERSISTENT_PROTECTED_ATTACHMENTS=1 - - -# SMTP XHeaders for the Gateway to set on all mail it processes -# Example Header Values -# X-Header-1: value1, X-Header-2: value2 -# GATEWAY_ROUTING_XHEADERS= - -# Record policy security options upon decrypt -# Only available on outbound decrypt modes -# -# Required: Yes -# Default: 0 -# Values: -# 1 - True -# 0 - False -# -GATEWAY_RECORD_POLICY_OPTIONS=0 - -# Use existing policy security options -# Only available on outbound encrypt mode, will use the additional policy security settings -# based on the security settings of the original policy before decryption -# -# Required: Yes -# Default: ignore -# Values: -# ignore -# accept -# -GATEWAY_USE_EXISTING_POLICY_OPTIONS=ignore - -EOM - - - - - - - - -} - - - - -WriteScript() { -echo $gwVersion - echo "script" - scriptFile=/var/virtru/vg/scripts/setup-$gwName.sh - - - - - /bin/cat <$scriptFile -docker run \\ ---env-file /var/virtru/vg/env/$gwName.env \\ --v /var/virtru/vg/tls/:/etc/postfix/tls \\ --v /var/virtru/vg/queue/$gwName/:/var/spool/postfix \\ --v /var/virtru/vg/dkim/:/etc/opendkim/keys \\ ---name $gwName \\ ---publish $gwPort:25 \\ ---interactive --tty --detach \\ ---restart unless-stopped \\ ---log-driver json-file \\ ---log-opt max-size=10m \\ ---log-opt max-file=100 \\ -virtru/$gwType:$gwVersion -EOM - - - - - - - - -chmod +x $scriptFile - - - - - - - - -} -ShowNextSteps() { - echo "next steps" - echo "-----------------------" - echo " Deploy Successful!" 
- echo " Next Steps:" - echo " " - echo " run: docker login" - echo " run: sh $scriptFile" - echo "-----------------------" -} - - - - - - - - - - -# Entry Point - - - - - - - - -clear -EntryPoint diff --git a/deploy-gateway-v2.17.0.sh b/deploy-gateway-v2.17.0.sh deleted file mode 100644 index bffa15c..0000000 --- a/deploy-gateway-v2.17.0.sh +++ /dev/null 
@@ -1,1344 +0,0 @@ -#!/bin/bash - - - - -EntryPoint() -{ -# Default Variables -blank="" -gwVersionDefault="2.17.0" -gwPortDefault="9001" -gwModeDefault="encrypt-everything" -gwTopologyDefault="outbound" -gwCksDefault="2" -gwInboundRelayDefault="" -gwFqdnDefault="gw.example.com" -gwDomainDefault="example.com" -gwDkimSelectorDefault="gw" -gwOutboundRelayDefault="" -gwAmplitudeTokenDefault="0000000000" -gwHmacNameDefault="0000000000" -gwHmacSecretDefault="0000000000" -gwDefaultFips="2" - - - - - - - -# Final Variables -gwName="" -gwVersion="" -gwPort="" -gwMode="" -gwTopology="" -gwInboundRelay="" -gwCks="" -gwCksKey="" -gwFqdn="" -gwDkimSelector="" -gwOutboundRelay="" -gwAmplitudeToken="" -gwHmacName="" -gwHmacSecret="" -gwType="" -gwSmtpdTlsCompliance="" -gwSmtpdSecurityLevel="" -gwSmtpTlsCompliance="" -gwSmtpSecurityLevel="" - - - - - - - - - -# Working Variables -tlsPath="" -tlsKeyFile="" -tlsKeyFull="" -tlsPemFile="" -tlsPemFull="" -dkimPath="" -dkimPrivateFull="" -dkimPublicFull="" -scriptFile="" - - - - - - - - -# Actions -ShowLogo -GetGwVersion $gwVersionDefault -GetGwPort $gwPortDefault -GetGwMode $gwModeDefault -GetGwTopology $gwTopologyDefault -GetGwFips $gwDefaultFips -GetGwName -GetGwInboundRelay $gwInboundRelayDefault -GetGwCks $gwCksDefault -GetGwFqdn $gwFqdnDefault -GetGwDomain $gwDomainDefault -GetGwDkimSelector $gwDkimSelectorDefault -GetGwOutboundRelay $gwOutboundRelayDefault -GetGwAmplitudeToken $gwAmplitudeTokenDefault -GetGwHmacName $gwHmacNameDefault -GetGwHmacSecret $gwHmacSecretDefault - - - - - - - - -MakeTlsPathVariables -MakeDkimPathVariables -MakeDirectories -MakeTlsCert -MakeDkimCert -WriteEnv -WriteScript -WriteTestScripts -clear -ShowLogo -ShowNextSteps - - - - -} - - - - - - - - - - - - -## Functions -GetGwName() { - if [ $gwTopology = "outbound" ] - then - if [ $gwMode = "encrypt-everything" ] - then - gwName="oe-$gwPort" - fi - if [ $gwMode = "decrypt-everything" ] - then - gwName="od-$gwPort" - fi - if [ $gwMode = "dlp" ] - then - 
gwName="dlp-out-$gwPort" - fi - else - if [ $gwMode = "encrypt-everything" ] - then - gwName="ie-$gwPort" - fi - if [ $gwMode = "decrypt-everything" ] - then - gwName="id-$gwPort" - fi - if [ $gwMode = "dlp" ] - then - gwName="dlp-in-$gwPort" - fi - fi - - -} - - - - -GetGwVersion() { - local input="" - read -p "Gateway Version [$1]: " input - - - - - case "$input" in - $blank ) - gwVersion=$1 - ;; - * ) - gwVersion=$input - ;; - esac - echo " " -} - - - - -GetGwPort() { -local input="" - read -p "Gateway Port [$1]: " input - - - - - case "$input" in - $blank ) - gwPort=$1 - ;; - * ) - gwPort=$input - ;; - esac - echo " " -} - - - - -GetGwMode() { - local input="" - echo "Gateway Mode" - echo " Options" - echo " 1 - encrypt-everything" - echo " 2 - decrypt-everything" - echo " 3 - dlp" - echo " " - read -p "Enter 1-3 [$1]: " input - - - - - case "$input" in - $blank ) - gwMode=$1 - ;; - 1 ) - gwMode="encrypt-everything" - ;; - 2 ) - gwMode="decrypt-everything" - ;; - 3 ) - gwMode="dlp" - ;; - * ) - gwMode=$1 - ;; - esac - echo " " -} - - - - -GetGwTopology() { - local input="" - echo "Gateway Topology" - echo " Options" - echo " 1 - inbound" - echo " 2 - outbound" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwTopology=$1 - ;; - 1 ) - gwTopology="inbound" - ;; - 2 ) - gwTopology="outbound" - ;; - * ) - gwTopology=$1 - ;; - esac - echo " " -} - - -GetGwFips() { - local input="" - echo "Do you have a FIPS requirement?" 
- echo " Options" - echo " 1 - Yes" - echo " 2 - No" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - 1 ) - gwType="gateway-fips" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=mandatory" - gwSmtpdTlsCompliance="GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=HIGH" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=mandatory" - gwSmtpTlsCompliance="GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=HIGH" - - - ;; - 2 ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - * ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - esac - echo " " -} - - - - -GetGwInboundRelay() { - local input="" - echo "Inbound Relay Addresses" - echo " Options" - echo " 1 - G Suite" - echo " 2 - O365" - echo " 3 - All" - echo " 4 - None" - read -p "Enter (1-4) [$1]: " input - - - - - case "$input" in - $blank ) - gwInboundRelay=$1 - ;; - 1 ) - 
gwInboundRelay="GATEWAY_RELAY_ADDRESSES=35.190.247.0/24,64.233.160.0/19,66.102.0.0/20,66.249.80.0/20,72.14.192.0/18,74.125.0.0/16,108.177.8.0/21,173.194.0.0/16,209.85.128.0/17,216.58.192.0/19,216.239.32.0/19,172.217.0.0/19,172.217.32.0/20,172.217.128.0/19,172.217.160.0/20,172.217.192.0/19,108.177.96.0/19,35.191.0.0/16,130.211.0.0/22" - ;; - 2 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=23.103.132.0/22,23.103.136.0/21,23.103.144.0/20,23.103.198.0/23,23.103.200.0/22,23.103.212.0/22,40.92.0.0/14,40.107.0.0/17,40.107.128.0/18,52.100.0.0/14,65.55.88.0/24,65.55.169.0/24,94.245.120.64/26,104.47.0.0/17,104.212.58.0/23,134.170.132.0/24,134.170.140.0/24,157.55.234.0/24,157.56.110.0/23,157.56.112.0/24,207.46.51.64/26,207.46.100.0/24,207.46.163.0/24,213.199.154.0/24,213.199.180.128/26,216.32.180.0/23" - ;; - 3 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=0.0.0.0/0" - ;; - 4 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=" - ;; - * ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=$1" - ;; - esac - echo " " -} - - - - -GetGwCks() { - local input="" - echo "CKS Enabled" - echo " Options" - echo " 1 - Yes" - echo " 2 - No" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - - - ;; - 1 ) - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - 2 ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - * ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - esac - echo " " - - - if [ $gwMode = "decrypt-everything" ] - then - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - fi -} - - - - -GetGwFqdn() { - local input="" - read -p "Gateway FQDN [$1]: " input - - - - - case "$input" in - $blank ) - gwFqdn=$1 - ;; - * ) - gwFqdn=$input - 
;; - esac - echo " " -} - - - - -GetGwDomain() { - local input="" - read -p "Gateway Domain [$1]: " input - - - - - case "$input" in - $blank ) - gwDomain=$1 - ;; - * ) - gwDomain=$input - ;; - esac - echo " " -} - - - - -GetGwOutboundRelay() { - local input="" - echo "Outbound Relay - Next Hop in SMTP mailflow after the gateway." - echo " Gmail Relay" - echo " [smtp-relay.gmail.com]:587" - echo " " - echo " Office 365" - echo " [MX Record]:25" - echo " " - echo " Custom" - echo " [1.1.1.1]:25" - echo " " - echo " Blank (Gateway performs final delivery)" - read -p "Enter Relay Address []: " input - - - - - case "$input" in - $blank ) - gwOutboundRelay="# GATEWAY_TRANSPORT_MAPS=*=>$1" - ;; - * ) - gwOutboundRelay="GATEWAY_TRANSPORT_MAPS=*=>$input" - ;; - esac - echo " " -} - - - - -GetGwDkimSelector() { - local input="" - read -p "Gateway DKIM Selector [$1]: " input - - - - - case "$input" in - $blank ) - gwDkimSelector=$1 - ;; - * ) - gwDkimSelector=$input - ;; - esac - echo " " -} - - - - -GetGwAmplitudeToken() { - local input="" - read -p "Amplitude Token (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwAmplitudeToken=$1 - ;; - * ) - gwAmplitudeToken=$input - ;; - esac - echo " " -} - - - - -GetGwHmacName() { - local input="" - read -p "Token ID (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacName=$1 - ;; - * ) - gwHmacName=$input - ;; - esac - echo " " -} - - - - -GetGwHmacSecret() { - local input="" - read -p "Token (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacSecret=$1 - ;; - * ) - gwHmacSecret=$input - ;; - esac - echo " " -} - - - - - - - - -MakeTlsPathVariables() { - tlsPath="/var/virtru/vg/tls/$gwFqdn" - tlsKeyFile="client.key" - tlsKeyFull="$tlsPath/$tlsKeyFile" - tlsPemFile="client.pem" - tlsPemFull="$tlsPath/$tlsPemFile" -} - - - - -MakeDkimPathVariables() { - dkimPath="/var/virtru/vg/dkim" - dkimPrivateFull="$dkimPath/$gwDkimSelector" - 
dkimPrivateFull="$dkimPrivateFull._domainkey.$gwDomain.pem" - dkimPublicFull="$dkimPath/$gwDkimSelector._domainkey.$gwDomain-public.pem" -} - - - - -MakeDirectories(){ - mkdir -p /var/virtru/vg/ - mkdir -p /var/virtru/vg/env - mkdir -p /var/virtru/vg/scripts - mkdir -p /var/virtru/vg/tls - mkdir -p /var/virtru/vg/queue - mkdir -p /var/virtru/vg/queue/$gwName - chown -R 149:149 /var/virtru/vg/queue/$gwName - mkdir -p /var/virtru/vg/test - mkdir -p $tlsPath - mkdir -p /var/virtru/vg/dkim -} - - - - -MakeTlsCert(){ -## Make TLS Certs -openssl genrsa -out $tlsKeyFull 2048 -openssl req -new -key $tlsKeyFull -x509 -subj /CN=$gwFqdn -days 3650 -out $tlsPemFull - -} - - - - -MakeDkimCert(){ -openssl genrsa -out $dkimPrivateFull 1024 -outform PEM -openssl rsa -in $dkimPrivateFull -out $dkimPublicFull -pubout -outform PEM -} - -WriteTestScripts(){ - testScript1=/var/virtru/vg/test/checkendpoints.sh -/bin/cat <$testScript1 -#!/bin/bash - -echo https://google.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://google.com -echo "" - -echo https://acm.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://acm.virtru.com -echo "" - -echo https://api.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://acm.virtru.com -echo "" - -echo https://accounts.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://accounts.virtru.com -echo "" - -echo https://secure.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://secure.virtru.com -echo "" - -echo https://api.amplitude.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://api.amplitude.com -echo "" - -echo https://cdn.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://cdn.virtru.com -echo "" - -echo 
https://hub.docker.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://hub.docker.com -echo "" - -EOM - - - testScript2=/var/virtru/vg/test/runall.sh -/bin/cat <$testScript2 -#!/bin/bash - -for container in \`docker ps -q\`; do - # show the name of the container - docker inspect --format='{{.Name}}' \$container; - # run the command (date in the case) - docker exec -it \$container \$1 -done - - -EOM - - - testScript3=/var/virtru/vg/test/sendtestmessage.sh -/bin/cat <$testScript3 -#!/bin/bash - -echo "Update Virtru Gateway ENV file to include the lan ip of the Gateway." -echo "Use the lan IP and not the loopback (127.0.0.1)" -read -p "SMTP Server: " server -read -p "SMTP Port: " port -read -p "FROM: " from -read -p "TO: " to - -swaks --To \$to --From \$from --header "Subject: Test mail" --body "This is a test mail" --server \$server --port \$port -tls -4 - - - - -EOM - - -} - - -ShowLogo() { -echo " " -echo " +++ '++." -echo " +++ ++++" -echo " ++++" -echo " ,::: +++ +++ :+++++++ +++++++ .+++++++ .++ '++" -echo " ++++ .+++. '+++ ++++++++++ ++++++++ ++++++++++ ++++ ++++" -echo " ++++ ++++ ++++ +++++''++ +++++++ +++++++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ ++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++++ ;+++ ++++ ++++ ++++ ++++++++" -echo " ++++ +++ ++' ++ ++' .++++" -echo " " -echo " S i m p l e E m a i l P r i v a c y" -echo " " -echo " " - - - - - - - - -} -WriteEnv() { - envFile=/var/virtru/vg/env/$gwName.env - - - - - - - - -/bin/cat <$envFile -# Required to match the CN (Common Name) on the certificate. -# TLS will not function unless this matches. -# -GATEWAY_HOSTNAME=$gwFqdn - - -# Enable verbose logging in Gateway. -# Values -# Enable: 1 -# Disable: 0 -# Default: 0 -# Required: No -# Note: Set this to 0 unless you are debugging something. 
-# -GATEWAY_VERBOSE_LOGGING=0 - - - -# Domain name of organization -# Values -# Domain -# Required: Yes -# -GATEWAY_ORGANIZATION_DOMAIN=$gwDomain - - - -# Comma delimited list of trusted networks in CIDR formate. -# Inbound addresses allowed to connect to the gateway -# Values (examples) -# All IP: 0.0.0.0/0 -# 2 IP: 2.2.2.2/32,2.2.2.3/32 -# Required: Yes -# -$gwInboundRelay - - - -# Enable Proxy Protocol for SMTP. -# For use behind a load balancer. -# Values -# Enable: 1 -# Disable: 0 -# Default: 1 -# Required: No -# -GATEWAY_PROXY_PROTOCOL=0 - - - -# Comma delimited set of domains and next-hop destinations and optional ports -# Values -# Not defined/Commented out - Final delivery by MX -# GATEWAY_TRANSPORT_MAPS=*=>[Next hop FQDN]:port -# Default: Not defined/Commented out - Final delivery by MX -# Required: No -# -# Examples: -# -# Gmail Relay -# GATEWAY_TRANSPORT_MAPS=*=>[smtp-relay.gmail.com]:587 -# -# Office 365 -# GATEWAY_TRANSPORT_MAPS=*=>[MX Record]:25 -# -# Custom -# GATEWAY_TRANSPORT_MAPS=*=>[1.1.1.1]:25 -# -$gwOutboundRelay - - -# The mode for the Gateway. -# Values -# decrypt-everything -# encrypt-everything -# dlp - Use rules defined on Virtru Dashboard (https://secure.virtru.com/dashboard) -# Default: encrypt-everything -# Required: Yes -# -GATEWAY_MODE=$gwMode - - - -# Topology of the gateway. -# Values -# outbound -# inbound -# Default: outbound -# Required: Yes -GATEWAY_TOPOLOGY=$gwTopology - - - -# URL to Virtru's ACM service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACM_URL=https://api.virtru.com/acm - - - -# URL to Virtru's Accounts service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACCOUNTS_URL=https://api.virtru.com/accounts - - - -# The base URL for remote content. -# Required: Yes -# Note: Do not change unless directed by Virtru. If Custom Secure Reader URL is in use the URL should match. 
-# -GATEWAY_REMOTE_CONTENT_BASE_URL=https://secure.virtru.com/start - - - -# DKIM certificate information -# Values -# Not defined/Commented out - Gateway will not perform any DKIM signing -# Complete record for DKIM signing -# Required: No -# Example: -# GATEWAY_DKIM_DOMAINS=gw._domainkey.example.com -# -# GATEWAY_DKIM_DOMAINS=$gwDkimSelector._domainkey.$gwDomain - - - -# HMAC Token Name to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your token Name. -# -GATEWAY_API_TOKEN_NAME=$gwHmacName - - - -# HMAC Token Secret to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token Secret. -# -GATEWAY_API_TOKEN_SECRET=$gwHmacSecret - - - -# Amplitude Token to connect to the Virtru Events platform -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token. -# -GATEWAY_AMPLITUDE_API_KEY=$gwAmplitudeToken - - - -# Consider a message as undeliverable, when delivery fails with a temporary error, and the time in the queue -# has reached the maximal_queue_lifetime limit. -# Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is d (days). -# Postfix default is '5d'. Set this ENV variable if default does not work. -# Values -# NumberUnits -# Default: 5d -# Required: No -# Note: Specify 0 when mail delivery should be tried only once. -# -MAX_QUEUE_LIFETIME=5m - - - -# The maximal time between attempts to deliver a deferred message. 
-# Values -# NumberUnits -# Default: 4000s -# Required: No -# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME -# -MAX_BACKOFF_TIME=45s - - - -# The minimal time between attempts to deliver a deferred message -# Values -# NumberUnits -# Default: 300s -# Required: No -# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME -# -MIN_BACKOFF_TIME=30s - - - -# The time between deferred queue scans by the queue manager -# Values -# NumberUnits -# Default: 300s -# Required: No -# -QUEUE_RUN_DELAY=30s - - - -# Gateway Inbound -# Enable Inbound TLS to the Gateway. -# Values -# 1 Enabled -# 0 Disabled -# Default: 1 -# Required: No -# -GATEWAY_SMTPD_USE_TLS=1 - - - -# TLS Compliance Level for upstream (inbound) connections. -# This sets TLS version and cipher list accordingly. -# Customer is still responsible for following other NIST and/or OWASP recommendations, -# notably making sure certificates are signed and keys are rotated regularly. -# Values: -# LOW -# MEDIUM -# HIPPA_2018 -# PCI_321 -# HIGH -# -# Default: N/A -# Required: No -# Note: If any level above LOW, you must set: -# GATEWAY_SMTPD_SECURITY_LEVEL= mandatory -# GATEWAY_SMTPD_USE_TLS=1 -# -# -$gwSmtpdTlsCompliance - - - -# Gateway Inbound -# TLS level for inbound connections -# Values -# none -# mandatory -# opportunistic -# Require: No -# Note: Only used when: -# GATEWAY_SMTPD_USE_TLS=1 -# -$gwSmtpdSecurityLevel - - - -# Gateway Outbound -# Enable TLS at the Gateway. -# Values -# 1 Enabled -# 0 Disabled -# Default: 1 -# Require: No -# -GATEWAY_SMTP_USE_TLS=1 - - - -# Gateway Outbound -# TLS level for outbound connections -# Values -# none -# mandatory -# opportunistic -# Require: No -# -$gwSmtpSecurityLevel - - - -# TLS Compliance Level for downstream (outbound) connections. -# This sets TLS version and cipher list accordingly. 
-# Customer is still responsible for following other NIST and/or OWASP recommendations, -# notably making sure certificates are signed and keys are rotated regularly. -# Values: -# LOW -# MEDIUM -# HIPPA_2018 -# PCI_321 -# HIGH -# -# Default: N/A -# Required: No -# Note: If any level above LOW, you must set: -# GATEWAY_SMTP_SECURITY_LEVEL= mandatory -# GATEWAY_SMTP_USE_TLS=1 -# -# -$gwSmtpTlsCompliance - - - -# Gateway Outbound -# If SASL_ENABLED_DOWNSTREAM enabled, specify Postfix SMTP client SASL security options here. -# Default: N/A -# Required: No -# Values: Text -# -# GATEWAY_SMTP_SASL_SECURITY_OPTIONS=noanonymous -# - - - -# Gateway Outbound -# Require SASL authentication for outbound downstream or relay servers attempting to connect this server. -# Default: 0 -# Required: No -# Values: -# 0 (Disabled) -# 1 (Enabled) -# -# GATEWAY_SMTP_SASL_ENABLED_DOWNSTREAM=0 -# - - - -# Gateway Outbound -# Accounts for Authentication -# Example: -# GATEWAY_SMTPD_SASL_GATEWAY_SMTPD_SASL_ACCOUNTS=example.com=>user1=>password1,example.net=>user2=>password2 -# Required: No -# -# GATEWAY_SMTP_SASL_ACCOUNTS= -# - - - -# Gateway Outbound -# Outbound TLS requirements for a domain. Comma separated list. -# Example -# example.com=>none -# example.net=>maybe -# example.org=>encrypt -# GATEWAY_SMTP_TLS_POLICY_MAPS=example.com=>none,example.net=>maybe -# -# GATEWAY_SMTP_TLS_POLICY_MAPS= - - - -# New Relic Key -# Customer provided key to log events in customer's New Relic Tenant -# Values -# Provided by New Relic -# Required: No -# -# GATEWAY_NEWRELIC_CRED= - - - -# Inbound Authentication enablement. -# Enable inbound authentication. -# Supported modes: CRAM-MD5 or DIGEST-MD5 -# Values -# 1 Enabled -# 0 Disabled -# Default: 0 -# Require: No -# -# GATEWAY_SMTPD_SASL_ENABLED=0 - - - -# Inbound Authentication mechanisms. -# Space-delimited list of SASL mechanisms to support for upstream SASL. 
-# -# Default: N/A -# Required: No -# Values: -# PLAIN -# LOGIN -# CRAM-MD5 -# DIGEST-MD5 -# Note: Only required when: -# GATEWAY_SMTPD_SASL_ENABLED_UPSTREAM=1 -# -# GATEWAY_SMTPD_SASL_MECHANISMS= -# - - -# Inbound Authentication -# Accounts for Authentication -# Example: -# GATEWAY_SMTPD_SASL_ACCOUNTS=example.net=>user1=>password1,example.com=>user2=>password2 -# Required: No -# -# GATEWAY_SMTPD_SASL_ACCOUNTS= -# - - - -# Inbound X-Header Authentication -# Enable inbound X-Header authentication -# Values -# 1 Enabled -# 0 Disabled -# Default: 0 -# Require: No -# -# GATEWAY_XHEADER_AUTH_ENABLED= -# - - - -# Inbound X-Header Authentication -# Enable inbound X-Header authentication Shared Secret -# Example variable: -# GATEWAY_XHEADER_AUTH_SECRET=123456789 -# Example of applied header with secret -# X-Header-Virtru-Auth=123456789 -# Require: No -# -# GATEWAY_XHEADER_AUTH_SECRET= -# - - - -# CKS Enabled Organization -# -# If Gateway is in Decrypt Mode Required -# Required: Yes -# If Gateway is in Encrypt Mode Required only if the Organization is CKS enabled. -# Required: No -# -# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS -# -$gwCks - - - -# CKS Key Intergenerational Period -# Time between Gateway CKS public/private client Key Generation -# -# Required: No -# Default: 360 -# -# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360 -# -$gwCksKey - - - -# Time to Cache DLP rule. -# The interval of time between refreshing the DLP rules in minutes. -# -# Required: No -# Default: 30 -# Minimum: 0 -# -# Note: Number in minutes. To refresh every request, set to 0. -# -# GATEWAY_DLP_CACHE_DURATION=30 - - -# Inbound FROM address rewrite. -# Enable or disable from address rewriting (inbound topology only). This feature allows the Virtru Gateway to support DKIM. 
-# -# Required: No -# Default: 1 -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_REPLACEMENT_FROM_ENABLED=1 - - - -# Enable decryption of PFP protected files -# The feature to enable/disable the option to decrypt Virtru Persistent File Protection -# protected files (DECRYPT mode only) -# -# Required: No -# Default: 1 -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_DECRYPT_PERSISTENT_PROTECTED_ATTACHMENTS=1 - - -# SMTP XHeaders for the Gateway to set on all mail it processes -# Example Header Values -# X-Header-1: value1, X-Header-2: value2 -# GATEWAY_ROUTING_XHEADERS= - -# Record policy security options upon decrypt -# Only available on outbound decrypt modes -# -# Required: Yes -# Default: 0 -# Values: -# 1 - True -# 0 - False -# -GATEWAY_RECORD_POLICY_OPTIONS=0 - -# Use existing policy security options -# Only available on outbound encrypt mode, will use the additional policy security settings -# based on the security settings of the original policy before decryption -# -# Required: Yes -# Default: ignore -# Values: -# ignore -# accept -# -GATEWAY_USE_EXISTING_POLICY_OPTIONS=ignore - - -EOM - - - - - - - - -} - - - - -WriteScript() { -echo $gwVersion - echo "script" - scriptFile=/var/virtru/vg/scripts/setup-$gwName.sh - - - - - /bin/cat <$scriptFile -docker run \\ ---env-file /var/virtru/vg/env/$gwName.env \\ --v /var/virtru/vg/tls/:/etc/postfix/tls \\ --v /var/virtru/vg/queue/$gwName/:/var/spool/postfix \\ --v /var/virtru/vg/dkim/:/etc/opendkim/keys \\ ---name $gwName \\ ---publish $gwPort:25 \\ ---interactive --tty --detach \\ ---restart unless-stopped \\ ---log-driver json-file \\ ---log-opt max-size=10m \\ ---log-opt max-file=100 \\ -virtru/$gwType:$gwVersion -EOM - - - - - - - - -chmod +x $scriptFile - - - - - - - - -} -ShowNextSteps() { - echo "next steps" - echo "-----------------------" - echo " Deploy Successful!" 
- echo " Next Steps:"
- echo " "
- echo " run: docker login"
- echo " run: sh $scriptFile"
- echo "-----------------------"
-}
-
-
-
-
-
-
-
-
-
-
-# Entry Point
-
-
-
-
-
-
-
-
-clear
-EntryPoint
diff --git a/deploy-gateway-v2.18.0.sh b/deploy-gateway-v2.18.0.sh
deleted file mode 100644
index 8ab6702..0000000
--- a/deploy-gateway-v2.18.0.sh
+++ /dev/null
@@ -1,1371 +0,0 @@ -#!/bin/bash - - - - -EntryPoint() -{ -# Default Variables -blank="" -gwVersionDefault="latest" -gwPortDefault="9001" -gwModeDefault="encrypt-everything" -gwTopologyDefault="outbound" -gwCksDefault="2" -gwInboundRelayDefault="" -gwFqdnDefault="gw.example.com" -gwDomainDefault="example.com" -gwDkimSelectorDefault="gw" -gwOutboundRelayDefault="" -gwAmplitudeTokenDefault="0000000000" -gwHmacNameDefault="0000000000" -gwHmacSecretDefault="0000000000" -gwDefaultFips="2" - - - - - - - -# Final Variables -gwName="" -gwVersion="" -gwPort="" -gwMode="" -gwTopology="" -gwInboundRelay="" -gwCks="" -gwCksKey="" -gwFqdn="" -gwDkimSelector="" -gwOutboundRelay="" -gwAmplitudeToken="" -gwHmacName="" -gwHmacSecret="" -gwType="" -gwSmtpdTlsCompliance="" -gwSmtpdSecurityLevel="" -gwSmtpTlsCompliance="" -gwSmtpSecurityLevel="" - - - - - - - - - -# Working Variables -tlsPath="" -tlsKeyFile="" -tlsKeyFull="" -tlsPemFile="" -tlsPemFull="" -dkimPath="" -dkimPrivateFull="" -dkimPublicFull="" -scriptFile="" - - - - - - - - -# Actions -ShowLogo -GetGwVersion $gwVersionDefault -GetGwPort $gwPortDefault -GetGwMode $gwModeDefault -GetGwTopology $gwTopologyDefault -GetGwFips $gwDefaultFips -GetGwName -GetGwInboundRelay $gwInboundRelayDefault -GetGwCks $gwCksDefault -GetGwFqdn $gwFqdnDefault -GetGwDomain $gwDomainDefault -GetGwDkimSelector $gwDkimSelectorDefault -GetGwOutboundRelay $gwOutboundRelayDefault -GetGwAmplitudeToken $gwAmplitudeTokenDefault -GetGwHmacName $gwHmacNameDefault -GetGwHmacSecret $gwHmacSecretDefault - - - - - - - - -MakeTlsPathVariables -MakeDkimPathVariables -MakeDirectories -MakeTlsCert -MakeDkimCert -WriteEnv -WriteScript -WriteTestScripts -clear -ShowLogo -ShowNextSteps - - - - -} - - - - - - - - - - - - -## Functions -GetGwName() { - if [ $gwTopology = "outbound" ] - then - if [ $gwMode = "encrypt-everything" ] - then - gwName="oe-$gwPort" - fi - if [ $gwMode = "decrypt-everything" ] - then - gwName="od-$gwPort" - fi - if [ $gwMode = "dlp" ] - then - 
gwName="dlp-out-$gwPort" - fi - else - if [ $gwMode = "encrypt-everything" ] - then - gwName="ie-$gwPort" - fi - if [ $gwMode = "decrypt-everything" ] - then - gwName="id-$gwPort" - fi - if [ $gwMode = "dlp" ] - then - gwName="dlp-in-$gwPort" - fi - fi - - -} - - - - -GetGwVersion() { - local input="" - read -p "Gateway Version [$1]: " input - - - - - case "$input" in - $blank ) - gwVersion=$1 - ;; - * ) - gwVersion=$input - ;; - esac - echo " " -} - - - - -GetGwPort() { -local input="" - read -p "Gateway Port [$1]: " input - - - - - case "$input" in - $blank ) - gwPort=$1 - ;; - * ) - gwPort=$input - ;; - esac - echo " " -} - - - - -GetGwMode() { - local input="" - echo "Gateway Mode" - echo " Options" - echo " 1 - encrypt-everything" - echo " 2 - decrypt-everything" - echo " 3 - dlp" - echo " " - read -p "Enter 1-3 [$1]: " input - - - - - case "$input" in - $blank ) - gwMode=$1 - ;; - 1 ) - gwMode="encrypt-everything" - ;; - 2 ) - gwMode="decrypt-everything" - ;; - 3 ) - gwMode="dlp" - ;; - * ) - gwMode=$1 - ;; - esac - echo " " -} - - - - -GetGwTopology() { - local input="" - echo "Gateway Topology" - echo " Options" - echo " 1 - inbound" - echo " 2 - outbound" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwTopology=$1 - ;; - 1 ) - gwTopology="inbound" - ;; - 2 ) - gwTopology="outbound" - ;; - * ) - gwTopology=$1 - ;; - esac - echo " " -} - - -GetGwFips() { - local input="" - echo "Do you have a FIPS requirement?" 
- echo " Options" - echo " 1 - Yes" - echo " 2 - No" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - 1 ) - gwType="gateway-fips" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=mandatory" - gwSmtpdTlsCompliance="GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=HIGH" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=mandatory" - gwSmtpTlsCompliance="GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=HIGH" - - - ;; - 2 ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - * ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - esac - echo " " -} - - - - -GetGwInboundRelay() { - local input="" - echo "Inbound Relay Addresses" - echo " Options" - echo " 1 - G Suite" - echo " 2 - O365" - echo " 3 - All" - echo " 4 - None" - read -p "Enter (1-4) [$1]: " input - - - - - case "$input" in - $blank ) - gwInboundRelay=$1 - ;; - 1 ) - 
gwInboundRelay="GATEWAY_RELAY_ADDRESSES=35.190.247.0/24,64.233.160.0/19,66.102.0.0/20,66.249.80.0/20,72.14.192.0/18,74.125.0.0/16,108.177.8.0/21,173.194.0.0/16,209.85.128.0/17,216.58.192.0/19,216.239.32.0/19,172.217.0.0/19,172.217.32.0/20,172.217.128.0/19,172.217.160.0/20,172.217.192.0/19,108.177.96.0/19,35.191.0.0/16,130.211.0.0/22" - ;; - 2 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=23.103.132.0/22,23.103.136.0/21,23.103.144.0/20,23.103.198.0/23,23.103.200.0/22,23.103.212.0/22,40.92.0.0/14,40.107.0.0/17,40.107.128.0/18,52.100.0.0/14,65.55.88.0/24,65.55.169.0/24,94.245.120.64/26,104.47.0.0/17,104.212.58.0/23,134.170.132.0/24,134.170.140.0/24,157.55.234.0/24,157.56.110.0/23,157.56.112.0/24,207.46.51.64/26,207.46.100.0/24,207.46.163.0/24,213.199.154.0/24,213.199.180.128/26,216.32.180.0/23" - ;; - 3 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=0.0.0.0/0" - ;; - 4 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=" - ;; - * ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=$1" - ;; - esac - echo " " -} - - - - -GetGwCks() { - local input="" - echo "CKS Enabled" - echo " Options" - echo " 1 - Yes" - echo " 2 - No" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - - - ;; - 1 ) - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - 2 ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - * ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - esac - echo " " - - - if [ $gwMode = "decrypt-everything" ] - then - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - fi -} - - - - -GetGwFqdn() { - local input="" - read -p "Gateway FQDN [$1]: " input - - - - - case "$input" in - $blank ) - gwFqdn=$1 - ;; - * ) - gwFqdn=$input - 
;; - esac - echo " " -} - - - - -GetGwDomain() { - local input="" - read -p "Gateway Domain [$1]: " input - - - - - case "$input" in - $blank ) - gwDomain=$1 - ;; - * ) - gwDomain=$input - ;; - esac - echo " " -} - - - - -GetGwOutboundRelay() { - local input="" - echo "Outbound Relay - Next Hop in SMTP mailflow after the gateway." - echo " Gmail Relay" - echo " [smtp-relay.gmail.com]:587" - echo " " - echo " Office 365" - echo " [MX Record]:25" - echo " " - echo " Custom" - echo " [1.1.1.1]:25" - echo " " - echo " Blank (Gateway performs final delivery)" - read -p "Enter Relay Address []: " input - - - - - case "$input" in - $blank ) - gwOutboundRelay="# GATEWAY_TRANSPORT_MAPS=*=>$1" - ;; - * ) - gwOutboundRelay="GATEWAY_TRANSPORT_MAPS=*=>$input" - ;; - esac - echo " " -} - - - - -GetGwDkimSelector() { - local input="" - read -p "Gateway DKIM Selector [$1]: " input - - - - - case "$input" in - $blank ) - gwDkimSelector=$1 - ;; - * ) - gwDkimSelector=$input - ;; - esac - echo " " -} - - - - -GetGwAmplitudeToken() { - local input="" - read -p "Amplitude Token (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwAmplitudeToken=$1 - ;; - * ) - gwAmplitudeToken=$input - ;; - esac - echo " " -} - - - - -GetGwHmacName() { - local input="" - read -p "Token ID (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacName=$1 - ;; - * ) - gwHmacName=$input - ;; - esac - echo " " -} - - - - -GetGwHmacSecret() { - local input="" - read -p "Token (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacSecret=$1 - ;; - * ) - gwHmacSecret=$input - ;; - esac - echo " " -} - - - - - - - - -MakeTlsPathVariables() { - tlsPath="/var/virtru/vg/tls/$gwFqdn" - tlsKeyFile="client.key" - tlsKeyFull="$tlsPath/$tlsKeyFile" - tlsPemFile="client.pem" - tlsPemFull="$tlsPath/$tlsPemFile" -} - - - - -MakeDkimPathVariables() { - dkimPath="/var/virtru/vg/dkim" - dkimPrivateFull="$dkimPath/$gwDkimSelector" - 
dkimPrivateFull="$dkimPrivateFull._domainkey.$gwDomain.pem" - dkimPublicFull="$dkimPath/$gwDkimSelector._domainkey.$gwDomain-public.pem" -} - - - - -MakeDirectories(){ - mkdir -p /var/virtru/vg/ - mkdir -p /var/virtru/vg/env - mkdir -p /var/virtru/vg/scripts - mkdir -p /var/virtru/vg/tls - mkdir -p /var/virtru/vg/queue - mkdir -p /var/virtru/vg/queue/$gwName - chown -R 149:149 /var/virtru/vg/queue/$gwName - mkdir -p /var/virtru/vg/test - mkdir -p $tlsPath - mkdir -p /var/virtru/vg/dkim -} - - - - -MakeTlsCert(){ -## Make TLS Certs -openssl genrsa -out $tlsKeyFull 2048 -openssl req -new -key $tlsKeyFull -x509 -subj /CN=$gwFqdn -days 3650 -out $tlsPemFull - -} - - - - -MakeDkimCert(){ -openssl genrsa -out $dkimPrivateFull 1024 -outform PEM -openssl rsa -in $dkimPrivateFull -out $dkimPublicFull -pubout -outform PEM -} - -WriteTestScripts(){ - testScript1=/var/virtru/vg/test/checkendpoints.sh -/bin/cat <$testScript1 -#!/bin/bash - -echo https://google.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://google.com -echo "" - -echo https://acm.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://acm.virtru.com -echo "" - -echo https://api.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://acm.virtru.com -echo "" - -echo https://accounts.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://accounts.virtru.com -echo "" - -echo https://secure.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://secure.virtru.com -echo "" - -echo https://api.amplitude.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://api.amplitude.com -echo "" - -echo https://cdn.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://cdn.virtru.com -echo "" - -echo 
https://hub.docker.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://hub.docker.com -echo "" - -EOM - - - testScript2=/var/virtru/vg/test/runall.sh -/bin/cat <$testScript2 -#!/bin/bash - -for container in \`docker ps -q\`; do - # show the name of the container - docker inspect --format='{{.Name}}' \$container; - # run the command (date in the case) - docker exec -it \$container \$1 -done - - -EOM - - - testScript3=/var/virtru/vg/test/sendtestmessage.sh -/bin/cat <$testScript3 -#!/bin/bash - -echo "Update Virtru Gateway ENV file to include the lan ip of the Gateway." -echo "Use the lan IP and not the loopback (127.0.0.1)" -read -p "SMTP Server: " server -read -p "SMTP Port: " port -read -p "FROM: " from -read -p "TO: " to - -swaks --To \$to --From \$from --header "Subject: Test mail" --body "This is a test mail" --server \$server --port \$port -tls -4 - - - - -EOM - - -} - - -ShowLogo() { -echo " " -echo " +++ '++." -echo " +++ ++++" -echo " ++++" -echo " ,::: +++ +++ :+++++++ +++++++ .+++++++ .++ '++" -echo " ++++ .+++. '+++ ++++++++++ ++++++++ ++++++++++ ++++ ++++" -echo " ++++ ++++ ++++ +++++''++ +++++++ +++++++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ ++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++++ ;+++ ++++ ++++ ++++ ++++++++" -echo " ++++ +++ ++' ++ ++' .++++" -echo " " -echo " S i m p l e E m a i l P r i v a c y" -echo " " -echo " " - - - - - - - - -} -WriteEnv() { - envFile=/var/virtru/vg/env/$gwName.env - - - - - - - - -/bin/cat <$envFile -# Required to match the CN (Common Name) on the certificate. -# TLS will not function unless this matches. -# -GATEWAY_HOSTNAME=$gwFqdn - - -# Enable verbose logging in Gateway. -# Values -# Enable: 1 -# Disable: 0 -# Default: 0 -# Required: No -# Note: Set this to 0 unless you are debugging something. 
-# -GATEWAY_VERBOSE_LOGGING=0 - - - -# Domain name of organization -# Values -# Domain -# Required: Yes -# -GATEWAY_ORGANIZATION_DOMAIN=$gwDomain - - - -# Comma delimited list of trusted networks in CIDR formate. -# Inbound addresses allowed to connect to the gateway -# Values (examples) -# All IP: 0.0.0.0/0 -# 2 IP: 2.2.2.2/32,2.2.2.3/32 -# Required: Yes -# -$gwInboundRelay - - - -# Enable Proxy Protocol for SMTP. -# For use behind a load balancer. -# Values -# Enable: 1 -# Disable: 0 -# Default: 1 -# Required: No -# -GATEWAY_PROXY_PROTOCOL=0 - - - -# Comma delimited set of domains and next-hop destinations and optional ports -# Values -# Not defined/Commented out - Final delivery by MX -# GATEWAY_TRANSPORT_MAPS=*=>[Next hop FQDN]:port -# Default: Not defined/Commented out - Final delivery by MX -# Required: No -# -# Examples: -# -# Gmail Relay -# GATEWAY_TRANSPORT_MAPS=*=>[smtp-relay.gmail.com]:587 -# -# Office 365 -# GATEWAY_TRANSPORT_MAPS=*=>[MX Record]:25 -# -# Custom -# GATEWAY_TRANSPORT_MAPS=*=>[1.1.1.1]:25 -# -$gwOutboundRelay - - -# The mode for the Gateway. -# Values -# decrypt-everything -# encrypt-everything -# dlp - Use rules defined on Virtru Dashboard (https://secure.virtru.com/dashboard) -# Default: encrypt-everything -# Required: Yes -# -GATEWAY_MODE=$gwMode - - - -# Topology of the gateway. -# Values -# outbound -# inbound -# Default: outbound -# Required: Yes -GATEWAY_TOPOLOGY=$gwTopology - - - -# URL to Virtru's ACM service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACM_URL=https://api.virtru.com/acm - - - -# URL to Virtru's Accounts service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACCOUNTS_URL=https://api.virtru.com/accounts - - - -# The base URL for remote content. -# Required: Yes -# Note: Do not change unless directed by Virtru. If Custom Secure Reader URL is in use the URL should match. 
-# -GATEWAY_REMOTE_CONTENT_BASE_URL=https://secure.virtru.com/start - - - -# DKIM certificate information -# Values -# Not defined/Commented out - Gateway will not perform any DKIM signing -# Complete record for DKIM signing -# Required: No -# Example: -# GATEWAY_DKIM_DOMAINS=gw._domainkey.example.com -# -# GATEWAY_DKIM_DOMAINS=$gwDkimSelector._domainkey.$gwDomain - - - -# HMAC Token Name to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your token Name. -# -GATEWAY_API_TOKEN_NAME=$gwHmacName - - - -# HMAC Token Secret to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token Secret. -# -GATEWAY_API_TOKEN_SECRET=$gwHmacSecret - - - -# Amplitude Token to connect to the Virtru Events platform -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token. -# -GATEWAY_AMPLITUDE_API_KEY=$gwAmplitudeToken - - - -# Consider a message as undeliverable, when delivery fails with a temporary error, and the time in the queue -# has reached the maximal_queue_lifetime limit. -# Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is d (days). -# Postfix default is '5d'. Set this ENV variable if default does not work. -# Values -# NumberUnits -# Default: 5d -# Required: No -# Note: Specify 0 when mail delivery should be tried only once. -# -MAX_QUEUE_LIFETIME=5m - - - -# The maximal time between attempts to deliver a deferred message. 
-# Values -# NumberUnits -# Default: 4000s -# Required: No -# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME -# -MAX_BACKOFF_TIME=45s - - - -# The minimal time between attempts to deliver a deferred message -# Values -# NumberUnits -# Default: 300s -# Required: No -# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME -# -MIN_BACKOFF_TIME=30s - - - -# The time between deferred queue scans by the queue manager -# Values -# NumberUnits -# Default: 300s -# Required: No -# -QUEUE_RUN_DELAY=30s - - - -# Gateway Inbound -# Enable Inbound TLS to the Gateway. -# Values -# 1 Enabled -# 0 Disabled -# Default: 1 -# Required: No -# -GATEWAY_SMTPD_USE_TLS=1 - - - -# TLS Compliance Level for upstream (inbound) connections. -# This sets TLS version and cipher list accordingly. -# Customer is still responsible for following other NIST and/or OWASP recommendations, -# notably making sure certificates are signed and keys are rotated regularly. -# Values: -# LOW -# MEDIUM -# HIPPA_2018 -# PCI_321 -# HIGH -# -# Default: N/A -# Required: No -# Note: If any level above LOW, you must set: -# GATEWAY_SMTPD_SECURITY_LEVEL= mandatory -# GATEWAY_SMTPD_USE_TLS=1 -# -# -$gwSmtpdTlsCompliance - - - -# Gateway Inbound -# TLS level for inbound connections -# Values -# none -# mandatory -# opportunistic -# Require: No -# Note: Only used when: -# GATEWAY_SMTPD_USE_TLS=1 -# -$gwSmtpdSecurityLevel - - - -# Gateway Outbound -# Enable TLS at the Gateway. -# Values -# 1 Enabled -# 0 Disabled -# Default: 1 -# Require: No -# -GATEWAY_SMTP_USE_TLS=1 - - - -# Gateway Outbound -# TLS level for outbound connections -# Values -# none -# mandatory -# opportunistic -# Require: No -# -$gwSmtpSecurityLevel - - - -# TLS Compliance Level for downstream (outbound) connections. -# This sets TLS version and cipher list accordingly. 
-# Customer is still responsible for following other NIST and/or OWASP recommendations, -# notably making sure certificates are signed and keys are rotated regularly. -# Values: -# LOW -# MEDIUM -# HIPPA_2018 -# PCI_321 -# HIGH -# -# Default: N/A -# Required: No -# Note: If any level above LOW, you must set: -# GATEWAY_SMTP_SECURITY_LEVEL= mandatory -# GATEWAY_SMTP_USE_TLS=1 -# -# -$gwSmtpTlsCompliance - - - -# Gateway Outbound -# If SASL_ENABLED_DOWNSTREAM enabled, specify Postfix SMTP client SASL security options here. -# Default: N/A -# Required: No -# Values: Text -# -# GATEWAY_SMTP_SASL_SECURITY_OPTIONS=noanonymous -# - - - -# Gateway Outbound -# Require SASL authentication for outbound downstream or relay servers attempting to connect this server. -# Default: 0 -# Required: No -# Values: -# 0 (Disabled) -# 1 (Enabled) -# -# GATEWAY_SMTP_SASL_ENABLED_DOWNSTREAM=0 -# - - - -# Gateway Outbound -# Accounts for Authentication -# Example: -# GATEWAY_SMTPD_SASL_GATEWAY_SMTPD_SASL_ACCOUNTS=example.com=>user1=>password1,example.net=>user2=>password2 -# Required: No -# -# GATEWAY_SMTP_SASL_ACCOUNTS= -# - - - -# Gateway Outbound -# Outbound TLS requirements for a domain. Comma separated list. -# Example -# example.com=>none -# example.net=>maybe -# example.org=>encrypt -# GATEWAY_SMTP_TLS_POLICY_MAPS=example.com=>none,example.net=>maybe -# -# GATEWAY_SMTP_TLS_POLICY_MAPS= - - - -# New Relic Key -# Customer provided key to log events in customer's New Relic Tenant -# Values -# Provided by New Relic -# Required: No -# -# GATEWAY_NEWRELIC_CRED= - - - -# Inbound Authentication enablement. -# Enable inbound authentication. -# Supported modes: CRAM-MD5 or DIGEST-MD5 -# Values -# 1 Enabled -# 0 Disabled -# Default: 0 -# Require: No -# -# GATEWAY_SMTPD_SASL_ENABLED=0 - - - -# Inbound Authentication mechanisms. -# Space-delimited list of SASL mechanisms to support for upstream SASL. 
-# -# Default: N/A -# Required: No -# Values: -# PLAIN -# LOGIN -# CRAM-MD5 -# DIGEST-MD5 -# Note: Only required when: -# GATEWAY_SMTPD_SASL_ENABLED_UPSTREAM=1 -# -# GATEWAY_SMTPD_SASL_MECHANISMS= -# - - -# Inbound Authentication -# Accounts for Authentication -# Example: -# GATEWAY_SMTPD_SASL_ACCOUNTS=example.net=>user1=>password1,example.com=>user2=>password2 -# Required: No -# -# GATEWAY_SMTPD_SASL_ACCOUNTS= -# - - - -# Inbound X-Header Authentication -# Enable inbound X-Header authentication -# Values -# 1 Enabled -# 0 Disabled -# Default: 0 -# Require: No -# -# GATEWAY_XHEADER_AUTH_ENABLED= -# - - - -# Inbound X-Header Authentication -# Enable inbound X-Header authentication Shared Secret -# Example variable: -# GATEWAY_XHEADER_AUTH_SECRET=123456789 -# Example of applied header with secret -# X-Header-Virtru-Auth=123456789 -# Require: No -# -# GATEWAY_XHEADER_AUTH_SECRET= -# - - - -# CKS Enabled Organization -# -# If Gateway is in Decrypt Mode Required -# Required: Yes -# If Gateway is in Encrypt Mode Required only if the Organization is CKS enabled. -# Required: No -# -# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS -# -$gwCks - - - -# CKS Key Intergenerational Period -# Time between Gateway CKS public/private client Key Generation -# -# Required: No -# Default: 360 -# -# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360 -# -$gwCksKey - - - -# Time to Cache DLP rule. -# The interval of time between refreshing the DLP rules in minutes. -# -# Required: No -# Default: 30 -# Minimum: 0 -# -# Note: Number in minutes. To refresh every request, set to 0. -# -# GATEWAY_DLP_CACHE_DURATION=30 - - -# Inbound FROM address rewrite. -# Enable or disable from address rewriting (inbound topology only). This feature allows the Virtru Gateway to support DKIM. 
-# -# Required: No -# Default: 1 -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_REPLACEMENT_FROM_ENABLED=1 - - - -# Enable decryption of PFP protected files -# The feature to enable/disable the option to decrypt Virtru Persistent File Protection -# protected files (DECRYPT mode only) -# -# Required: No -# Default: 1 -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_DECRYPT_PERSISTENT_PROTECTED_ATTACHMENTS=1 - - -# SMTP XHeaders for the Gateway to set on all mail it processes -# Example Header Values -# X-Header-1: value1, X-Header-2: value2 -# GATEWAY_ROUTING_XHEADERS= - -# Record policy security options upon decrypt -# Only available on outbound decrypt modes -# -# Required: Yes -# Default: 0 -# Values: -# 1 - True -# 0 - False -# -GATEWAY_RECORD_POLICY_OPTIONS=0 - -# Use existing policy security options -# Only available on outbound encrypt mode, will use the additional policy security settings -# based on the security settings of the original policy before decryption -# -# Required: Yes -# Default: ignore -# Values: -# ignore -# accept -# -GATEWAY_USE_EXISTING_POLICY_OPTIONS=ignore - -# Cache Outgoing SMTP Connections -# Whether to cache outgoing connections to mailservers. -# If "1", use on-demand connection caching. If "0", do not cache. -# If a list of domains (e.g. example.org,hotmail.com,gmail.com) -# then use per-destination connection caching. -# -# Required: No -# Default: 0 -# Values: -# 1 - True -# 0 - False - -# GATEWAY_SMTP_CACHE_CONNECTIONS=0 -# Outgoing SMTP Connection Cache Time Limit -# How long to cache SMTP connections for. 
-# Sets smtp_connection_cache_time_limit to the provied value -# so that the smtp daemon doesn't close the connection and -# sets connection_cache_ttl_limit to the same value so that the cached value is still valid -# -# Required: No -# Default: None -# Example Values: -# 30s -# 2m -# -# GATEWAY_SMTP_CONNECTION_CACHE_TIME_LIMIT=30s - - -EOM - - - - - - - - -} - - - - -WriteScript() { -echo $gwVersion - echo "script" - scriptFile=/var/virtru/vg/scripts/setup-$gwName.sh - - - - - /bin/cat <$scriptFile -docker run \\ ---env-file /var/virtru/vg/env/$gwName.env \\ --v /var/virtru/vg/tls/:/etc/postfix/tls \\ --v /var/virtru/vg/queue/$gwName/:/var/spool/postfix \\ --v /var/virtru/vg/dkim/:/etc/opendkim/keys \\ ---name $gwName \\ ---publish $gwPort:25 \\ ---interactive --tty --detach \\ ---restart unless-stopped \\ ---log-driver json-file \\ ---log-opt max-size=10m \\ ---log-opt max-file=100 \\ -virtru/$gwType:$gwVersion -EOM - - - - - - - - -chmod +x $scriptFile - - - - - - - - -} -ShowNextSteps() { - echo "next steps" - echo "-----------------------" - echo " Deploy Successful!" - echo " Next Steps:" - echo " " - echo " run: docker login" - echo " run: sh $scriptFile" - echo "-----------------------" -} - - - - - - - - - - -# Entry Point - - - - - - - - -clear -EntryPoint diff --git a/deploy-gateway-v2.19.1.sh b/deploy-gateway-v2.19.1.sh deleted file mode 100644 index f51a001..0000000 --- a/deploy-gateway-v2.19.1.sh +++ /dev/null 
@@ -1,1371 +0,0 @@ -#!/bin/bash - - - - -EntryPoint() -{ -# Default Variables -blank="" -gwVersionDefault="2.19.1" -gwPortDefault="9001" -gwModeDefault="encrypt-everything" -gwTopologyDefault="outbound" -gwCksDefault="2" -gwInboundRelayDefault="" -gwFqdnDefault="gw.example.com" -gwDomainDefault="example.com" -gwDkimSelectorDefault="gw" -gwOutboundRelayDefault="" -gwAmplitudeTokenDefault="0000000000" -gwHmacNameDefault="0000000000" -gwHmacSecretDefault="0000000000" -gwDefaultFips="2" - - - - - - - -# Final Variables -gwName="" -gwVersion="" -gwPort="" -gwMode="" -gwTopology="" -gwInboundRelay="" -gwCks="" -gwCksKey="" -gwFqdn="" -gwDkimSelector="" -gwOutboundRelay="" -gwAmplitudeToken="" -gwHmacName="" -gwHmacSecret="" -gwType="" -gwSmtpdTlsCompliance="" -gwSmtpdSecurityLevel="" -gwSmtpTlsCompliance="" -gwSmtpSecurityLevel="" - - - - - - - - - -# Working Variables -tlsPath="" -tlsKeyFile="" -tlsKeyFull="" -tlsPemFile="" -tlsPemFull="" -dkimPath="" -dkimPrivateFull="" -dkimPublicFull="" -scriptFile="" - - - - - - - - -# Actions -ShowLogo -GetGwVersion $gwVersionDefault -GetGwPort $gwPortDefault -GetGwMode $gwModeDefault -GetGwTopology $gwTopologyDefault -GetGwFips $gwDefaultFips -GetGwName -GetGwInboundRelay $gwInboundRelayDefault -GetGwCks $gwCksDefault -GetGwFqdn $gwFqdnDefault -GetGwDomain $gwDomainDefault -GetGwDkimSelector $gwDkimSelectorDefault -GetGwOutboundRelay $gwOutboundRelayDefault -GetGwAmplitudeToken $gwAmplitudeTokenDefault -GetGwHmacName $gwHmacNameDefault -GetGwHmacSecret $gwHmacSecretDefault - - - - - - - - -MakeTlsPathVariables -MakeDkimPathVariables -MakeDirectories -MakeTlsCert -MakeDkimCert -WriteEnv -WriteScript -WriteTestScripts -clear -ShowLogo -ShowNextSteps - - - - -} - - - - - - - - - - - - -## Functions -GetGwName() { - if [ $gwTopology = "outbound" ] - then - if [ $gwMode = "encrypt-everything" ] - then - gwName="oe-$gwPort" - fi - if [ $gwMode = "decrypt-everything" ] - then - gwName="od-$gwPort" - fi - if [ $gwMode = "dlp" ] - then - 
gwName="dlp-out-$gwPort" - fi - else - if [ $gwMode = "encrypt-everything" ] - then - gwName="ie-$gwPort" - fi - if [ $gwMode = "decrypt-everything" ] - then - gwName="id-$gwPort" - fi - if [ $gwMode = "dlp" ] - then - gwName="dlp-in-$gwPort" - fi - fi - - -} - - - - -GetGwVersion() { - local input="" - read -p "Gateway Version [$1]: " input - - - - - case "$input" in - $blank ) - gwVersion=$1 - ;; - * ) - gwVersion=$input - ;; - esac - echo " " -} - - - - -GetGwPort() { -local input="" - read -p "Gateway Port [$1]: " input - - - - - case "$input" in - $blank ) - gwPort=$1 - ;; - * ) - gwPort=$input - ;; - esac - echo " " -} - - - - -GetGwMode() { - local input="" - echo "Gateway Mode" - echo " Options" - echo " 1 - encrypt-everything" - echo " 2 - decrypt-everything" - echo " 3 - dlp" - echo " " - read -p "Enter 1-3 [$1]: " input - - - - - case "$input" in - $blank ) - gwMode=$1 - ;; - 1 ) - gwMode="encrypt-everything" - ;; - 2 ) - gwMode="decrypt-everything" - ;; - 3 ) - gwMode="dlp" - ;; - * ) - gwMode=$1 - ;; - esac - echo " " -} - - - - -GetGwTopology() { - local input="" - echo "Gateway Topology" - echo " Options" - echo " 1 - inbound" - echo " 2 - outbound" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwTopology=$1 - ;; - 1 ) - gwTopology="inbound" - ;; - 2 ) - gwTopology="outbound" - ;; - * ) - gwTopology=$1 - ;; - esac - echo " " -} - - -GetGwFips() { - local input="" - echo "Do you have a FIPS requirement?" 
- echo " Options" - echo " 1 - Yes" - echo " 2 - No" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - 1 ) - gwType="gateway-fips" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=mandatory" - gwSmtpdTlsCompliance="GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=HIGH" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=mandatory" - gwSmtpTlsCompliance="GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=HIGH" - - - ;; - 2 ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - * ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - esac - echo " " -} - - - - -GetGwInboundRelay() { - local input="" - echo "Inbound Relay Addresses" - echo " Options" - echo " 1 - G Suite" - echo " 2 - O365" - echo " 3 - All" - echo " 4 - None" - read -p "Enter (1-4) [$1]: " input - - - - - case "$input" in - $blank ) - gwInboundRelay=$1 - ;; - 1 ) - 
gwInboundRelay="GATEWAY_RELAY_ADDRESSES=35.190.247.0/24,64.233.160.0/19,66.102.0.0/20,66.249.80.0/20,72.14.192.0/18,74.125.0.0/16,108.177.8.0/21,173.194.0.0/16,209.85.128.0/17,216.58.192.0/19,216.239.32.0/19,172.217.0.0/19,172.217.32.0/20,172.217.128.0/19,172.217.160.0/20,172.217.192.0/19,108.177.96.0/19,35.191.0.0/16,130.211.0.0/22" - ;; - 2 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=23.103.132.0/22,23.103.136.0/21,23.103.144.0/20,23.103.198.0/23,23.103.200.0/22,23.103.212.0/22,40.92.0.0/14,40.107.0.0/17,40.107.128.0/18,52.100.0.0/14,65.55.88.0/24,65.55.169.0/24,94.245.120.64/26,104.47.0.0/17,104.212.58.0/23,134.170.132.0/24,134.170.140.0/24,157.55.234.0/24,157.56.110.0/23,157.56.112.0/24,207.46.51.64/26,207.46.100.0/24,207.46.163.0/24,213.199.154.0/24,213.199.180.128/26,216.32.180.0/23" - ;; - 3 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=0.0.0.0/0" - ;; - 4 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=" - ;; - * ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=$1" - ;; - esac - echo " " -} - - - - -GetGwCks() { - local input="" - echo "CKS Enabled" - echo " Options" - echo " 1 - Yes" - echo " 2 - No" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - - - ;; - 1 ) - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - 2 ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - * ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - esac - echo " " - - - if [ $gwMode = "decrypt-everything" ] - then - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - fi -} - - - - -GetGwFqdn() { - local input="" - read -p "Gateway FQDN [$1]: " input - - - - - case "$input" in - $blank ) - gwFqdn=$1 - ;; - * ) - gwFqdn=$input - 
;; - esac - echo " " -} - - - - -GetGwDomain() { - local input="" - read -p "Gateway Domain [$1]: " input - - - - - case "$input" in - $blank ) - gwDomain=$1 - ;; - * ) - gwDomain=$input - ;; - esac - echo " " -} - - - - -GetGwOutboundRelay() { - local input="" - echo "Outbound Relay - Next Hop in SMTP mailflow after the gateway." - echo " Gmail Relay" - echo " [smtp-relay.gmail.com]:587" - echo " " - echo " Office 365" - echo " [MX Record]:25" - echo " " - echo " Custom" - echo " [1.1.1.1]:25" - echo " " - echo " Blank (Gateway performs final delivery)" - read -p "Enter Relay Address []: " input - - - - - case "$input" in - $blank ) - gwOutboundRelay="# GATEWAY_TRANSPORT_MAPS=*=>$1" - ;; - * ) - gwOutboundRelay="GATEWAY_TRANSPORT_MAPS=*=>$input" - ;; - esac - echo " " -} - - - - -GetGwDkimSelector() { - local input="" - read -p "Gateway DKIM Selector [$1]: " input - - - - - case "$input" in - $blank ) - gwDkimSelector=$1 - ;; - * ) - gwDkimSelector=$input - ;; - esac - echo " " -} - - - - -GetGwAmplitudeToken() { - local input="" - read -p "Amplitude Token (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwAmplitudeToken=$1 - ;; - * ) - gwAmplitudeToken=$input - ;; - esac - echo " " -} - - - - -GetGwHmacName() { - local input="" - read -p "Token ID (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacName=$1 - ;; - * ) - gwHmacName=$input - ;; - esac - echo " " -} - - - - -GetGwHmacSecret() { - local input="" - read -p "Token (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacSecret=$1 - ;; - * ) - gwHmacSecret=$input - ;; - esac - echo " " -} - - - - - - - - -MakeTlsPathVariables() { - tlsPath="/var/virtru/vg/tls/$gwFqdn" - tlsKeyFile="client.key" - tlsKeyFull="$tlsPath/$tlsKeyFile" - tlsPemFile="client.pem" - tlsPemFull="$tlsPath/$tlsPemFile" -} - - - - -MakeDkimPathVariables() { - dkimPath="/var/virtru/vg/dkim" - dkimPrivateFull="$dkimPath/$gwDkimSelector" - 
dkimPrivateFull="$dkimPrivateFull._domainkey.$gwDomain.pem" - dkimPublicFull="$dkimPath/$gwDkimSelector._domainkey.$gwDomain-public.pem" -} - - - - -MakeDirectories(){ - mkdir -p /var/virtru/vg/ - mkdir -p /var/virtru/vg/env - mkdir -p /var/virtru/vg/scripts - mkdir -p /var/virtru/vg/tls - mkdir -p /var/virtru/vg/queue - mkdir -p /var/virtru/vg/queue/$gwName - chown -R 149:149 /var/virtru/vg/queue/$gwName - mkdir -p /var/virtru/vg/test - mkdir -p $tlsPath - mkdir -p /var/virtru/vg/dkim -} - - - - -MakeTlsCert(){ -## Make TLS Certs -openssl genrsa -out $tlsKeyFull 2048 -openssl req -new -key $tlsKeyFull -x509 -subj /CN=$gwFqdn -days 3650 -out $tlsPemFull - -} - - - - -MakeDkimCert(){ -openssl genrsa -out $dkimPrivateFull 1024 -outform PEM -openssl rsa -in $dkimPrivateFull -out $dkimPublicFull -pubout -outform PEM -} - -WriteTestScripts(){ - testScript1=/var/virtru/vg/test/checkendpoints.sh -/bin/cat <$testScript1 -#!/bin/bash - -echo https://google.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://google.com -echo "" - -echo https://acm.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://acm.virtru.com -echo "" - -echo https://api.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://acm.virtru.com -echo "" - -echo https://accounts.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://accounts.virtru.com -echo "" - -echo https://secure.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://secure.virtru.com -echo "" - -echo https://api.amplitude.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://api.amplitude.com -echo "" - -echo https://cdn.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://cdn.virtru.com -echo "" - -echo 
https://hub.docker.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://hub.docker.com -echo "" - -EOM - - - testScript2=/var/virtru/vg/test/runall.sh -/bin/cat <$testScript2 -#!/bin/bash - -for container in \`docker ps -q\`; do - # show the name of the container - docker inspect --format='{{.Name}}' \$container; - # run the command (date in the case) - docker exec -it \$container \$1 -done - - -EOM - - - testScript3=/var/virtru/vg/test/sendtestmessage.sh -/bin/cat <$testScript3 -#!/bin/bash - -echo "Update Virtru Gateway ENV file to include the lan ip of the Gateway." -echo "Use the lan IP and not the loopback (127.0.0.1)" -read -p "SMTP Server: " server -read -p "SMTP Port: " port -read -p "FROM: " from -read -p "TO: " to - -swaks --To \$to --From \$from --header "Subject: Test mail" --body "This is a test mail" --server \$server --port \$port -tls -4 - - - - -EOM - - -} - - -ShowLogo() { -echo " " -echo " +++ '++." -echo " +++ ++++" -echo " ++++" -echo " ,::: +++ +++ :+++++++ +++++++ .+++++++ .++ '++" -echo " ++++ .+++. '+++ ++++++++++ ++++++++ ++++++++++ ++++ ++++" -echo " ++++ ++++ ++++ +++++''++ +++++++ +++++++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ ++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++++ ;+++ ++++ ++++ ++++ ++++++++" -echo " ++++ +++ ++' ++ ++' .++++" -echo " " -echo " S i m p l e E m a i l P r i v a c y" -echo " " -echo " " - - - - - - - - -} -WriteEnv() { - envFile=/var/virtru/vg/env/$gwName.env - - - - - - - - -/bin/cat <$envFile -# Required to match the CN (Common Name) on the certificate. -# TLS will not function unless this matches. -# -GATEWAY_HOSTNAME=$gwFqdn - - -# Enable verbose logging in Gateway. -# Values -# Enable: 1 -# Disable: 0 -# Default: 0 -# Required: No -# Note: Set this to 0 unless you are debugging something. 
-# -GATEWAY_VERBOSE_LOGGING=0 - - - -# Domain name of organization -# Values -# Domain -# Required: Yes -# -GATEWAY_ORGANIZATION_DOMAIN=$gwDomain - - - -# Comma delimited list of trusted networks in CIDR formate. -# Inbound addresses allowed to connect to the gateway -# Values (examples) -# All IP: 0.0.0.0/0 -# 2 IP: 2.2.2.2/32,2.2.2.3/32 -# Required: Yes -# -$gwInboundRelay - - - -# Enable Proxy Protocol for SMTP. -# For use behind a load balancer. -# Values -# Enable: 1 -# Disable: 0 -# Default: 1 -# Required: No -# -GATEWAY_PROXY_PROTOCOL=0 - - - -# Comma delimited set of domains and next-hop destinations and optional ports -# Values -# Not defined/Commented out - Final delivery by MX -# GATEWAY_TRANSPORT_MAPS=*=>[Next hop FQDN]:port -# Default: Not defined/Commented out - Final delivery by MX -# Required: No -# -# Examples: -# -# Gmail Relay -# GATEWAY_TRANSPORT_MAPS=*=>[smtp-relay.gmail.com]:587 -# -# Office 365 -# GATEWAY_TRANSPORT_MAPS=*=>[MX Record]:25 -# -# Custom -# GATEWAY_TRANSPORT_MAPS=*=>[1.1.1.1]:25 -# -$gwOutboundRelay - - -# The mode for the Gateway. -# Values -# decrypt-everything -# encrypt-everything -# dlp - Use rules defined on Virtru Dashboard (https://secure.virtru.com/dashboard) -# Default: encrypt-everything -# Required: Yes -# -GATEWAY_MODE=$gwMode - - - -# Topology of the gateway. -# Values -# outbound -# inbound -# Default: outbound -# Required: Yes -GATEWAY_TOPOLOGY=$gwTopology - - - -# URL to Virtru's ACM service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACM_URL=https://api.virtru.com/acm - - - -# URL to Virtru's Accounts service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACCOUNTS_URL=https://api.virtru.com/accounts - - - -# The base URL for remote content. -# Required: Yes -# Note: Do not change unless directed by Virtru. If Custom Secure Reader URL is in use the URL should match. 
-# -GATEWAY_REMOTE_CONTENT_BASE_URL=https://secure.virtru.com/start - - - -# DKIM certificate information -# Values -# Not defined/Commented out - Gateway will not perform any DKIM signing -# Complete record for DKIM signing -# Required: No -# Example: -# GATEWAY_DKIM_DOMAINS=gw._domainkey.example.com -# -# GATEWAY_DKIM_DOMAINS=$gwDkimSelector._domainkey.$gwDomain - - - -# HMAC Token Name to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your token Name. -# -GATEWAY_API_TOKEN_NAME=$gwHmacName - - - -# HMAC Token Secret to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token Secret. -# -GATEWAY_API_TOKEN_SECRET=$gwHmacSecret - - - -# Amplitude Token to connect to the Virtru Events platform -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token. -# -GATEWAY_AMPLITUDE_API_KEY=$gwAmplitudeToken - - - -# Consider a message as undeliverable, when delivery fails with a temporary error, and the time in the queue -# has reached the maximal_queue_lifetime limit. -# Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is d (days). -# Postfix default is '5d'. Set this ENV variable if default does not work. -# Values -# NumberUnits -# Default: 5d -# Required: No -# Note: Specify 0 when mail delivery should be tried only once. -# -MAX_QUEUE_LIFETIME=5m - - - -# The maximal time between attempts to deliver a deferred message. 
-# Values -# NumberUnits -# Default: 4000s -# Required: No -# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME -# -MAX_BACKOFF_TIME=45s - - - -# The minimal time between attempts to deliver a deferred message -# Values -# NumberUnits -# Default: 300s -# Required: No -# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME -# -MIN_BACKOFF_TIME=30s - - - -# The time between deferred queue scans by the queue manager -# Values -# NumberUnits -# Default: 300s -# Required: No -# -QUEUE_RUN_DELAY=30s - - - -# Gateway Inbound -# Enable Inbound TLS to the Gateway. -# Values -# 1 Enabled -# 0 Disabled -# Default: 1 -# Required: No -# -GATEWAY_SMTPD_USE_TLS=1 - - - -# TLS Compliance Level for upstream (inbound) connections. -# This sets TLS version and cipher list accordingly. -# Customer is still responsible for following other NIST and/or OWASP recommendations, -# notably making sure certificates are signed and keys are rotated regularly. -# Values: -# LOW -# MEDIUM -# HIPPA_2018 -# PCI_321 -# HIGH -# -# Default: N/A -# Required: No -# Note: If any level above LOW, you must set: -# GATEWAY_SMTPD_SECURITY_LEVEL= mandatory -# GATEWAY_SMTPD_USE_TLS=1 -# -# -$gwSmtpdTlsCompliance - - - -# Gateway Inbound -# TLS level for inbound connections -# Values -# none -# mandatory -# opportunistic -# Require: No -# Note: Only used when: -# GATEWAY_SMTPD_USE_TLS=1 -# -$gwSmtpdSecurityLevel - - - -# Gateway Outbound -# Enable TLS at the Gateway. -# Values -# 1 Enabled -# 0 Disabled -# Default: 1 -# Require: No -# -GATEWAY_SMTP_USE_TLS=1 - - - -# Gateway Outbound -# TLS level for outbound connections -# Values -# none -# mandatory -# opportunistic -# Require: No -# -$gwSmtpSecurityLevel - - - -# TLS Compliance Level for downstream (outbound) connections. -# This sets TLS version and cipher list accordingly. 
-# Customer is still responsible for following other NIST and/or OWASP recommendations, -# notably making sure certificates are signed and keys are rotated regularly. -# Values: -# LOW -# MEDIUM -# HIPPA_2018 -# PCI_321 -# HIGH -# -# Default: N/A -# Required: No -# Note: If any level above LOW, you must set: -# GATEWAY_SMTP_SECURITY_LEVEL= mandatory -# GATEWAY_SMTP_USE_TLS=1 -# -# -$gwSmtpTlsCompliance - - - -# Gateway Outbound -# If SASL_ENABLED_DOWNSTREAM enabled, specify Postfix SMTP client SASL security options here. -# Default: N/A -# Required: No -# Values: Text -# -# GATEWAY_SMTP_SASL_SECURITY_OPTIONS=noanonymous -# - - - -# Gateway Outbound -# Require SASL authentication for outbound downstream or relay servers attempting to connect this server. -# Default: 0 -# Required: No -# Values: -# 0 (Disabled) -# 1 (Enabled) -# -# GATEWAY_SMTP_SASL_ENABLED_DOWNSTREAM=0 -# - - - -# Gateway Outbound -# Accounts for Authentication -# Example: -# GATEWAY_SMTPD_SASL_GATEWAY_SMTPD_SASL_ACCOUNTS=example.com=>user1=>password1,example.net=>user2=>password2 -# Required: No -# -# GATEWAY_SMTP_SASL_ACCOUNTS= -# - - - -# Gateway Outbound -# Outbound TLS requirements for a domain. Comma separated list. -# Example -# example.com=>none -# example.net=>maybe -# example.org=>encrypt -# GATEWAY_SMTP_TLS_POLICY_MAPS=example.com=>none,example.net=>maybe -# -# GATEWAY_SMTP_TLS_POLICY_MAPS= - - - -# New Relic Key -# Customer provided key to log events in customer's New Relic Tenant -# Values -# Provided by New Relic -# Required: No -# -# GATEWAY_NEWRELIC_CRED= - - - -# Inbound Authentication enablement. -# Enable inbound authentication. -# Supported modes: CRAM-MD5 or DIGEST-MD5 -# Values -# 1 Enabled -# 0 Disabled -# Default: 0 -# Require: No -# -# GATEWAY_SMTPD_SASL_ENABLED=0 - - - -# Inbound Authentication mechanisms. -# Space-delimited list of SASL mechanisms to support for upstream SASL. 
-# -# Default: N/A -# Required: No -# Values: -# PLAIN -# LOGIN -# CRAM-MD5 -# DIGEST-MD5 -# Note: Only required when: -# GATEWAY_SMTPD_SASL_ENABLED_UPSTREAM=1 -# -# GATEWAY_SMTPD_SASL_MECHANISMS= -# - - -# Inbound Authentication -# Accounts for Authentication -# Example: -# GATEWAY_SMTPD_SASL_ACCOUNTS=example.net=>user1=>password1,example.com=>user2=>password2 -# Required: No -# -# GATEWAY_SMTPD_SASL_ACCOUNTS= -# - - - -# Inbound X-Header Authentication -# Enable inbound X-Header authentication -# Values -# 1 Enabled -# 0 Disabled -# Default: 0 -# Require: No -# -# GATEWAY_XHEADER_AUTH_ENABLED= -# - - - -# Inbound X-Header Authentication -# Enable inbound X-Header authentication Shared Secret -# Example variable: -# GATEWAY_XHEADER_AUTH_SECRET=123456789 -# Example of applied header with secret -# X-Header-Virtru-Auth=123456789 -# Require: No -# -# GATEWAY_XHEADER_AUTH_SECRET= -# - - - -# CKS Enabled Organization -# -# If Gateway is in Decrypt Mode Required -# Required: Yes -# If Gateway is in Encrypt Mode Required only if the Organization is CKS enabled. -# Required: No -# -# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS -# -$gwCks - - - -# CKS Key Intergenerational Period -# Time between Gateway CKS public/private client Key Generation -# -# Required: No -# Default: 360 -# -# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360 -# -$gwCksKey - - - -# Time to Cache DLP rule. -# The interval of time between refreshing the DLP rules in minutes. -# -# Required: No -# Default: 30 -# Minimum: 0 -# -# Note: Number in minutes. To refresh every request, set to 0. -# -# GATEWAY_DLP_CACHE_DURATION=30 - - -# Inbound FROM address rewrite. -# Enable or disable from address rewriting (inbound topology only). This feature allows the Virtru Gateway to support DKIM. 
-# -# Required: No -# Default: 1 -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_REPLACEMENT_FROM_ENABLED=1 - - - -# Enable decryption of PFP protected files -# The feature to enable/disable the option to decrypt Virtru Persistent File Protection -# protected files (DECRYPT mode only) -# -# Required: No -# Default: 1 -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_DECRYPT_PERSISTENT_PROTECTED_ATTACHMENTS=1 - - -# SMTP XHeaders for the Gateway to set on all mail it processes -# Example Header Values -# X-Header-1: value1, X-Header-2: value2 -# GATEWAY_ROUTING_XHEADERS= - -# Record policy security options upon decrypt -# Only available on outbound decrypt modes -# -# Required: Yes -# Default: 0 -# Values: -# 1 - True -# 0 - False -# -GATEWAY_RECORD_POLICY_OPTIONS=0 - -# Use existing policy security options -# Only available on outbound encrypt mode, will use the additional policy security settings -# based on the security settings of the original policy before decryption -# -# Required: Yes -# Default: ignore -# Values: -# ignore -# accept -# -GATEWAY_USE_EXISTING_POLICY_OPTIONS=ignore - -# Cache Outgoing SMTP Connections -# Whether to cache outgoing connections to mailservers. -# If "1", use on-demand connection caching. If "0", do not cache. -# If a list of domains (e.g. example.org,hotmail.com,gmail.com) -# then use per-destination connection caching. -# -# Required: No -# Default: 0 -# Values: -# 1 - True -# 0 - False - -# GATEWAY_SMTP_CACHE_CONNECTIONS=0 -# Outgoing SMTP Connection Cache Time Limit -# How long to cache SMTP connections for. 
-# Sets smtp_connection_cache_time_limit to the provied value -# so that the smtp daemon doesn't close the connection and -# sets connection_cache_ttl_limit to the same value so that the cached value is still valid -# -# Required: No -# Default: None -# Example Values: -# 30s -# 2m -# -# GATEWAY_SMTP_CONNECTION_CACHE_TIME_LIMIT=30s - - -EOM - - - - - - - - -} - - - - -WriteScript() { -echo $gwVersion - echo "script" - scriptFile=/var/virtru/vg/scripts/setup-$gwName.sh - - - - - /bin/cat <$scriptFile -docker run \\ ---env-file /var/virtru/vg/env/$gwName.env \\ --v /var/virtru/vg/tls/:/etc/postfix/tls \\ --v /var/virtru/vg/queue/$gwName/:/var/spool/postfix \\ --v /var/virtru/vg/dkim/:/etc/opendkim/keys \\ ---name $gwName \\ ---publish $gwPort:25 \\ ---interactive --tty --detach \\ ---restart unless-stopped \\ ---log-driver json-file \\ ---log-opt max-size=10m \\ ---log-opt max-file=100 \\ -virtru/$gwType:$gwVersion -EOM - - - - - - - - -chmod +x $scriptFile - - - - - - - - -} -ShowNextSteps() { - echo "next steps" - echo "-----------------------" - echo " Deploy Successful!" - echo " Next Steps:" - echo " " - echo " run: docker login" - echo " run: sh $scriptFile" - echo "-----------------------" -} - - - - - - - - - - -# Entry Point - - - - - - - - -clear -EntryPoint diff --git a/deploy-gateway-v2.19.2.sh b/deploy-gateway-v2.19.2.sh deleted file mode 100644 index a8dfeee..0000000 --- a/deploy-gateway-v2.19.2.sh +++ /dev/null 
@@ -1,1371 +0,0 @@ -#!/bin/bash - - - - -EntryPoint() -{ -# Default Variables -blank="" -gwVersionDefault="2.19.2" -gwPortDefault="9001" -gwModeDefault="encrypt-everything" -gwTopologyDefault="outbound" -gwCksDefault="2" -gwInboundRelayDefault="" -gwFqdnDefault="gw.example.com" -gwDomainDefault="example.com" -gwDkimSelectorDefault="gw" -gwOutboundRelayDefault="" -gwAmplitudeTokenDefault="0000000000" -gwHmacNameDefault="0000000000" -gwHmacSecretDefault="0000000000" -gwDefaultFips="2" - - - - - - - -# Final Variables -gwName="" -gwVersion="" -gwPort="" -gwMode="" -gwTopology="" -gwInboundRelay="" -gwCks="" -gwCksKey="" -gwFqdn="" -gwDkimSelector="" -gwOutboundRelay="" -gwAmplitudeToken="" -gwHmacName="" -gwHmacSecret="" -gwType="" -gwSmtpdTlsCompliance="" -gwSmtpdSecurityLevel="" -gwSmtpTlsCompliance="" -gwSmtpSecurityLevel="" - - - - - - - - - -# Working Variables -tlsPath="" -tlsKeyFile="" -tlsKeyFull="" -tlsPemFile="" -tlsPemFull="" -dkimPath="" -dkimPrivateFull="" -dkimPublicFull="" -scriptFile="" - - - - - - - - -# Actions -ShowLogo -GetGwVersion $gwVersionDefault -GetGwPort $gwPortDefault -GetGwMode $gwModeDefault -GetGwTopology $gwTopologyDefault -GetGwFips $gwDefaultFips -GetGwName -GetGwInboundRelay $gwInboundRelayDefault -GetGwCks $gwCksDefault -GetGwFqdn $gwFqdnDefault -GetGwDomain $gwDomainDefault -GetGwDkimSelector $gwDkimSelectorDefault -GetGwOutboundRelay $gwOutboundRelayDefault -GetGwAmplitudeToken $gwAmplitudeTokenDefault -GetGwHmacName $gwHmacNameDefault -GetGwHmacSecret $gwHmacSecretDefault - - - - - - - - -MakeTlsPathVariables -MakeDkimPathVariables -MakeDirectories -MakeTlsCert -MakeDkimCert -WriteEnv -WriteScript -WriteTestScripts -clear -ShowLogo -ShowNextSteps - - - - -} - - - - - - - - - - - - -## Functions -GetGwName() { - if [ $gwTopology = "outbound" ] - then - if [ $gwMode = "encrypt-everything" ] - then - gwName="oe-$gwPort" - fi - if [ $gwMode = "decrypt-everything" ] - then - gwName="od-$gwPort" - fi - if [ $gwMode = "dlp" ] - then - 
gwName="dlp-out-$gwPort" - fi - else - if [ $gwMode = "encrypt-everything" ] - then - gwName="ie-$gwPort" - fi - if [ $gwMode = "decrypt-everything" ] - then - gwName="id-$gwPort" - fi - if [ $gwMode = "dlp" ] - then - gwName="dlp-in-$gwPort" - fi - fi - - -} - - - - -GetGwVersion() { - local input="" - read -p "Gateway Version [$1]: " input - - - - - case "$input" in - $blank ) - gwVersion=$1 - ;; - * ) - gwVersion=$input - ;; - esac - echo " " -} - - - - -GetGwPort() { -local input="" - read -p "Gateway Port [$1]: " input - - - - - case "$input" in - $blank ) - gwPort=$1 - ;; - * ) - gwPort=$input - ;; - esac - echo " " -} - - - - -GetGwMode() { - local input="" - echo "Gateway Mode" - echo " Options" - echo " 1 - encrypt-everything" - echo " 2 - decrypt-everything" - echo " 3 - dlp" - echo " " - read -p "Enter 1-3 [$1]: " input - - - - - case "$input" in - $blank ) - gwMode=$1 - ;; - 1 ) - gwMode="encrypt-everything" - ;; - 2 ) - gwMode="decrypt-everything" - ;; - 3 ) - gwMode="dlp" - ;; - * ) - gwMode=$1 - ;; - esac - echo " " -} - - - - -GetGwTopology() { - local input="" - echo "Gateway Topology" - echo " Options" - echo " 1 - inbound" - echo " 2 - outbound" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwTopology=$1 - ;; - 1 ) - gwTopology="inbound" - ;; - 2 ) - gwTopology="outbound" - ;; - * ) - gwTopology=$1 - ;; - esac - echo " " -} - - -GetGwFips() { - local input="" - echo "Do you have a FIPS requirement?" 
- echo " Options" - echo " 1 - Yes" - echo " 2 - No" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - 1 ) - gwType="gateway-fips" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=mandatory" - gwSmtpdTlsCompliance="GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=HIGH" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=mandatory" - gwSmtpTlsCompliance="GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=HIGH" - - - ;; - 2 ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - * ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - esac - echo " " -} - - - - -GetGwInboundRelay() { - local input="" - echo "Inbound Relay Addresses" - echo " Options" - echo " 1 - G Suite" - echo " 2 - O365" - echo " 3 - All" - echo " 4 - None" - read -p "Enter (1-4) [$1]: " input - - - - - case "$input" in - $blank ) - gwInboundRelay=$1 - ;; - 1 ) - 
gwInboundRelay="GATEWAY_RELAY_ADDRESSES=35.190.247.0/24,64.233.160.0/19,66.102.0.0/20,66.249.80.0/20,72.14.192.0/18,74.125.0.0/16,108.177.8.0/21,173.194.0.0/16,209.85.128.0/17,216.58.192.0/19,216.239.32.0/19,172.217.0.0/19,172.217.32.0/20,172.217.128.0/19,172.217.160.0/20,172.217.192.0/19,108.177.96.0/19,35.191.0.0/16,130.211.0.0/22" - ;; - 2 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=23.103.132.0/22,23.103.136.0/21,23.103.144.0/20,23.103.198.0/23,23.103.200.0/22,23.103.212.0/22,40.92.0.0/14,40.107.0.0/17,40.107.128.0/18,52.100.0.0/14,65.55.88.0/24,65.55.169.0/24,94.245.120.64/26,104.47.0.0/17,104.212.58.0/23,134.170.132.0/24,134.170.140.0/24,157.55.234.0/24,157.56.110.0/23,157.56.112.0/24,207.46.51.64/26,207.46.100.0/24,207.46.163.0/24,213.199.154.0/24,213.199.180.128/26,216.32.180.0/23" - ;; - 3 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=0.0.0.0/0" - ;; - 4 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=" - ;; - * ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=$1" - ;; - esac - echo " " -} - - - - -GetGwCks() { - local input="" - echo "CKS Enabled" - echo " Options" - echo " 1 - Yes" - echo " 2 - No" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - - - ;; - 1 ) - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - 2 ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - * ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - esac - echo " " - - - if [ $gwMode = "decrypt-everything" ] - then - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - fi -} - - - - -GetGwFqdn() { - local input="" - read -p "Gateway FQDN [$1]: " input - - - - - case "$input" in - $blank ) - gwFqdn=$1 - ;; - * ) - gwFqdn=$input - 
;; - esac - echo " " -} - - - - -GetGwDomain() { - local input="" - read -p "Gateway Domain [$1]: " input - - - - - case "$input" in - $blank ) - gwDomain=$1 - ;; - * ) - gwDomain=$input - ;; - esac - echo " " -} - - - - -GetGwOutboundRelay() { - local input="" - echo "Outbound Relay - Next Hop in SMTP mailflow after the gateway." - echo " Gmail Relay" - echo " [smtp-relay.gmail.com]:587" - echo " " - echo " Office 365" - echo " [MX Record]:25" - echo " " - echo " Custom" - echo " [1.1.1.1]:25" - echo " " - echo " Blank (Gateway performs final delivery)" - read -p "Enter Relay Address []: " input - - - - - case "$input" in - $blank ) - gwOutboundRelay="# GATEWAY_TRANSPORT_MAPS=*=>$1" - ;; - * ) - gwOutboundRelay="GATEWAY_TRANSPORT_MAPS=*=>$input" - ;; - esac - echo " " -} - - - - -GetGwDkimSelector() { - local input="" - read -p "Gateway DKIM Selector [$1]: " input - - - - - case "$input" in - $blank ) - gwDkimSelector=$1 - ;; - * ) - gwDkimSelector=$input - ;; - esac - echo " " -} - - - - -GetGwAmplitudeToken() { - local input="" - read -p "Amplitude Token (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwAmplitudeToken=$1 - ;; - * ) - gwAmplitudeToken=$input - ;; - esac - echo " " -} - - - - -GetGwHmacName() { - local input="" - read -p "Token ID (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacName=$1 - ;; - * ) - gwHmacName=$input - ;; - esac - echo " " -} - - - - -GetGwHmacSecret() { - local input="" - read -p "Token (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacSecret=$1 - ;; - * ) - gwHmacSecret=$input - ;; - esac - echo " " -} - - - - - - - - -MakeTlsPathVariables() { - tlsPath="/var/virtru/vg/tls/$gwFqdn" - tlsKeyFile="client.key" - tlsKeyFull="$tlsPath/$tlsKeyFile" - tlsPemFile="client.pem" - tlsPemFull="$tlsPath/$tlsPemFile" -} - - - - -MakeDkimPathVariables() { - dkimPath="/var/virtru/vg/dkim" - dkimPrivateFull="$dkimPath/$gwDkimSelector" - 
dkimPrivateFull="$dkimPrivateFull._domainkey.$gwDomain.pem" - dkimPublicFull="$dkimPath/$gwDkimSelector._domainkey.$gwDomain-public.pem" -} - - - - -MakeDirectories(){ - mkdir -p /var/virtru/vg/ - mkdir -p /var/virtru/vg/env - mkdir -p /var/virtru/vg/scripts - mkdir -p /var/virtru/vg/tls - mkdir -p /var/virtru/vg/queue - mkdir -p /var/virtru/vg/queue/$gwName - chown -R 149:149 /var/virtru/vg/queue/$gwName - mkdir -p /var/virtru/vg/test - mkdir -p $tlsPath - mkdir -p /var/virtru/vg/dkim -} - - - - -MakeTlsCert(){ -## Make TLS Certs -openssl genrsa -out $tlsKeyFull 2048 -openssl req -new -key $tlsKeyFull -x509 -subj /CN=$gwFqdn -days 3650 -out $tlsPemFull - -} - - - - -MakeDkimCert(){ -openssl genrsa -out $dkimPrivateFull 1024 -outform PEM -openssl rsa -in $dkimPrivateFull -out $dkimPublicFull -pubout -outform PEM -} - -WriteTestScripts(){ - testScript1=/var/virtru/vg/test/checkendpoints.sh -/bin/cat <$testScript1 -#!/bin/bash - -echo https://google.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://google.com -echo "" - -echo https://acm.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://acm.virtru.com -echo "" - -echo https://api.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://acm.virtru.com -echo "" - -echo https://accounts.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://accounts.virtru.com -echo "" - -echo https://secure.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://secure.virtru.com -echo "" - -echo https://api.amplitude.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://api.amplitude.com -echo "" - -echo https://cdn.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://cdn.virtru.com -echo "" - -echo 
https://hub.docker.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://hub.docker.com -echo "" - -EOM - - - testScript2=/var/virtru/vg/test/runall.sh -/bin/cat <$testScript2 -#!/bin/bash - -for container in \`docker ps -q\`; do - # show the name of the container - docker inspect --format='{{.Name}}' \$container; - # run the command (date in the case) - docker exec -it \$container \$1 -done - - -EOM - - - testScript3=/var/virtru/vg/test/sendtestmessage.sh -/bin/cat <$testScript3 -#!/bin/bash - -echo "Update Virtru Gateway ENV file to include the lan ip of the Gateway." -echo "Use the lan IP and not the loopback (127.0.0.1)" -read -p "SMTP Server: " server -read -p "SMTP Port: " port -read -p "FROM: " from -read -p "TO: " to - -swaks --To \$to --From \$from --header "Subject: Test mail" --body "This is a test mail" --server \$server --port \$port -tls -4 - - - - -EOM - - -} - - -ShowLogo() { -echo " " -echo " +++ '++." -echo " +++ ++++" -echo " ++++" -echo " ,::: +++ +++ :+++++++ +++++++ .+++++++ .++ '++" -echo " ++++ .+++. '+++ ++++++++++ ++++++++ ++++++++++ ++++ ++++" -echo " ++++ ++++ ++++ +++++''++ +++++++ +++++++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ ++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++++ ;+++ ++++ ++++ ++++ ++++++++" -echo " ++++ +++ ++' ++ ++' .++++" -echo " " -echo " S i m p l e E m a i l P r i v a c y" -echo " " -echo " " - - - - - - - - -} -WriteEnv() { - envFile=/var/virtru/vg/env/$gwName.env - - - - - - - - -/bin/cat <$envFile -# Required to match the CN (Common Name) on the certificate. -# TLS will not function unless this matches. -# -GATEWAY_HOSTNAME=$gwFqdn - - -# Enable verbose logging in Gateway. -# Values -# Enable: 1 -# Disable: 0 -# Default: 0 -# Required: No -# Note: Set this to 0 unless you are debugging something. 
-# -GATEWAY_VERBOSE_LOGGING=0 - - - -# Domain name of organization -# Values -# Domain -# Required: Yes -# -GATEWAY_ORGANIZATION_DOMAIN=$gwDomain - - - -# Comma delimited list of trusted networks in CIDR formate. -# Inbound addresses allowed to connect to the gateway -# Values (examples) -# All IP: 0.0.0.0/0 -# 2 IP: 2.2.2.2/32,2.2.2.3/32 -# Required: Yes -# -$gwInboundRelay - - - -# Enable Proxy Protocol for SMTP. -# For use behind a load balancer. -# Values -# Enable: 1 -# Disable: 0 -# Default: 1 -# Required: No -# -GATEWAY_PROXY_PROTOCOL=0 - - - -# Comma delimited set of domains and next-hop destinations and optional ports -# Values -# Not defined/Commented out - Final delivery by MX -# GATEWAY_TRANSPORT_MAPS=*=>[Next hop FQDN]:port -# Default: Not defined/Commented out - Final delivery by MX -# Required: No -# -# Examples: -# -# Gmail Relay -# GATEWAY_TRANSPORT_MAPS=*=>[smtp-relay.gmail.com]:587 -# -# Office 365 -# GATEWAY_TRANSPORT_MAPS=*=>[MX Record]:25 -# -# Custom -# GATEWAY_TRANSPORT_MAPS=*=>[1.1.1.1]:25 -# -$gwOutboundRelay - - -# The mode for the Gateway. -# Values -# decrypt-everything -# encrypt-everything -# dlp - Use rules defined on Virtru Dashboard (https://secure.virtru.com/dashboard) -# Default: encrypt-everything -# Required: Yes -# -GATEWAY_MODE=$gwMode - - - -# Topology of the gateway. -# Values -# outbound -# inbound -# Default: outbound -# Required: Yes -GATEWAY_TOPOLOGY=$gwTopology - - - -# URL to Virtru's ACM service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACM_URL=https://api.virtru.com/acm - - - -# URL to Virtru's Accounts service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACCOUNTS_URL=https://api.virtru.com/accounts - - - -# The base URL for remote content. -# Required: Yes -# Note: Do not change unless directed by Virtru. If Custom Secure Reader URL is in use the URL should match. 
-# -GATEWAY_REMOTE_CONTENT_BASE_URL=https://secure.virtru.com/start - - - -# DKIM certificate information -# Values -# Not defined/Commented out - Gateway will not perform any DKIM signing -# Complete record for DKIM signing -# Required: No -# Example: -# GATEWAY_DKIM_DOMAINS=gw._domainkey.example.com -# -# GATEWAY_DKIM_DOMAINS=$gwDkimSelector._domainkey.$gwDomain - - - -# HMAC Token Name to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your token Name. -# -GATEWAY_API_TOKEN_NAME=$gwHmacName - - - -# HMAC Token Secret to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token Secret. -# -GATEWAY_API_TOKEN_SECRET=$gwHmacSecret - - - -# Amplitude Token to connect to the Virtru Events platform -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token. -# -GATEWAY_AMPLITUDE_API_KEY=$gwAmplitudeToken - - - -# Consider a message as undeliverable, when delivery fails with a temporary error, and the time in the queue -# has reached the maximal_queue_lifetime limit. -# Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is d (days). -# Postfix default is '5d'. Set this ENV variable if default does not work. -# Values -# NumberUnits -# Default: 5d -# Required: No -# Note: Specify 0 when mail delivery should be tried only once. -# -MAX_QUEUE_LIFETIME=5m - - - -# The maximal time between attempts to deliver a deferred message. 
-# Values -# NumberUnits -# Default: 4000s -# Required: No -# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME -# -MAX_BACKOFF_TIME=45s - - - -# The minimal time between attempts to deliver a deferred message -# Values -# NumberUnits -# Default: 300s -# Required: No -# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME -# -MIN_BACKOFF_TIME=30s - - - -# The time between deferred queue scans by the queue manager -# Values -# NumberUnits -# Default: 300s -# Required: No -# -QUEUE_RUN_DELAY=30s - - - -# Gateway Inbound -# Enable Inbound TLS to the Gateway. -# Values -# 1 Enabled -# 0 Disabled -# Default: 1 -# Required: No -# -GATEWAY_SMTPD_USE_TLS=1 - - - -# TLS Compliance Level for upstream (inbound) connections. -# This sets TLS version and cipher list accordingly. -# Customer is still responsible for following other NIST and/or OWASP recommendations, -# notably making sure certificates are signed and keys are rotated regularly. -# Values: -# LOW -# MEDIUM -# HIPPA_2018 -# PCI_321 -# HIGH -# -# Default: N/A -# Required: No -# Note: If any level above LOW, you must set: -# GATEWAY_SMTPD_SECURITY_LEVEL= mandatory -# GATEWAY_SMTPD_USE_TLS=1 -# -# -$gwSmtpdTlsCompliance - - - -# Gateway Inbound -# TLS level for inbound connections -# Values -# none -# mandatory -# opportunistic -# Require: No -# Note: Only used when: -# GATEWAY_SMTPD_USE_TLS=1 -# -$gwSmtpdSecurityLevel - - - -# Gateway Outbound -# Enable TLS at the Gateway. -# Values -# 1 Enabled -# 0 Disabled -# Default: 1 -# Require: No -# -GATEWAY_SMTP_USE_TLS=1 - - - -# Gateway Outbound -# TLS level for outbound connections -# Values -# none -# mandatory -# opportunistic -# Require: No -# -$gwSmtpSecurityLevel - - - -# TLS Compliance Level for downstream (outbound) connections. -# This sets TLS version and cipher list accordingly. 
-# Customer is still responsible for following other NIST and/or OWASP recommendations, -# notably making sure certificates are signed and keys are rotated regularly. -# Values: -# LOW -# MEDIUM -# HIPPA_2018 -# PCI_321 -# HIGH -# -# Default: N/A -# Required: No -# Note: If any level above LOW, you must set: -# GATEWAY_SMTP_SECURITY_LEVEL= mandatory -# GATEWAY_SMTP_USE_TLS=1 -# -# -$gwSmtpTlsCompliance - - - -# Gateway Outbound -# If SASL_ENABLED_DOWNSTREAM enabled, specify Postfix SMTP client SASL security options here. -# Default: N/A -# Required: No -# Values: Text -# -# GATEWAY_SMTP_SASL_SECURITY_OPTIONS=noanonymous -# - - - -# Gateway Outbound -# Require SASL authentication for outbound downstream or relay servers attempting to connect this server. -# Default: 0 -# Required: No -# Values: -# 0 (Disabled) -# 1 (Enabled) -# -# GATEWAY_SMTP_SASL_ENABLED_DOWNSTREAM=0 -# - - - -# Gateway Outbound -# Accounts for Authentication -# Example: -# GATEWAY_SMTPD_SASL_GATEWAY_SMTPD_SASL_ACCOUNTS=example.com=>user1=>password1,example.net=>user2=>password2 -# Required: No -# -# GATEWAY_SMTP_SASL_ACCOUNTS= -# - - - -# Gateway Outbound -# Outbound TLS requirements for a domain. Comma separated list. -# Example -# example.com=>none -# example.net=>maybe -# example.org=>encrypt -# GATEWAY_SMTP_TLS_POLICY_MAPS=example.com=>none,example.net=>maybe -# -# GATEWAY_SMTP_TLS_POLICY_MAPS= - - - -# New Relic Key -# Customer provided key to log events in customer's New Relic Tenant -# Values -# Provided by New Relic -# Required: No -# -# GATEWAY_NEWRELIC_CRED= - - - -# Inbound Authentication enablement. -# Enable inbound authentication. -# Supported modes: CRAM-MD5 or DIGEST-MD5 -# Values -# 1 Enabled -# 0 Disabled -# Default: 0 -# Require: No -# -# GATEWAY_SMTPD_SASL_ENABLED=0 - - - -# Inbound Authentication mechanisms. -# Space-delimited list of SASL mechanisms to support for upstream SASL. 
-# -# Default: N/A -# Required: No -# Values: -# PLAIN -# LOGIN -# CRAM-MD5 -# DIGEST-MD5 -# Note: Only required when: -# GATEWAY_SMTPD_SASL_ENABLED_UPSTREAM=1 -# -# GATEWAY_SMTPD_SASL_MECHANISMS= -# - - -# Inbound Authentication -# Accounts for Authentication -# Example: -# GATEWAY_SMTPD_SASL_ACCOUNTS=example.net=>user1=>password1,example.com=>user2=>password2 -# Required: No -# -# GATEWAY_SMTPD_SASL_ACCOUNTS= -# - - - -# Inbound X-Header Authentication -# Enable inbound X-Header authentication -# Values -# 1 Enabled -# 0 Disabled -# Default: 0 -# Require: No -# -# GATEWAY_XHEADER_AUTH_ENABLED= -# - - - -# Inbound X-Header Authentication -# Enable inbound X-Header authentication Shared Secret -# Example variable: -# GATEWAY_XHEADER_AUTH_SECRET=123456789 -# Example of applied header with secret -# X-Header-Virtru-Auth=123456789 -# Require: No -# -# GATEWAY_XHEADER_AUTH_SECRET= -# - - - -# CKS Enabled Organization -# -# If Gateway is in Decrypt Mode Required -# Required: Yes -# If Gateway is in Encrypt Mode Required only if the Organization is CKS enabled. -# Required: No -# -# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS -# -$gwCks - - - -# CKS Key Intergenerational Period -# Time between Gateway CKS public/private client Key Generation -# -# Required: No -# Default: 360 -# -# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360 -# -$gwCksKey - - - -# Time to Cache DLP rule. -# The interval of time between refreshing the DLP rules in minutes. -# -# Required: No -# Default: 30 -# Minimum: 0 -# -# Note: Number in minutes. To refresh every request, set to 0. -# -# GATEWAY_DLP_CACHE_DURATION=30 - - -# Inbound FROM address rewrite. -# Enable or disable from address rewriting (inbound topology only). This feature allows the Virtru Gateway to support DKIM. 
-# -# Required: No -# Default: 1 -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_REPLACEMENT_FROM_ENABLED=1 - - - -# Enable decryption of PFP protected files -# The feature to enable/disable the option to decrypt Virtru Persistent File Protection -# protected files (DECRYPT mode only) -# -# Required: No -# Default: 1 -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_DECRYPT_PERSISTENT_PROTECTED_ATTACHMENTS=1 - - -# SMTP XHeaders for the Gateway to set on all mail it processes -# Example Header Values -# X-Header-1: value1, X-Header-2: value2 -# GATEWAY_ROUTING_XHEADERS= - -# Record policy security options upon decrypt -# Only available on outbound decrypt modes -# -# Required: Yes -# Default: 0 -# Values: -# 1 - True -# 0 - False -# -GATEWAY_RECORD_POLICY_OPTIONS=0 - -# Use existing policy security options -# Only available on outbound encrypt mode, will use the additional policy security settings -# based on the security settings of the original policy before decryption -# -# Required: Yes -# Default: ignore -# Values: -# ignore -# accept -# -GATEWAY_USE_EXISTING_POLICY_OPTIONS=ignore - -# Cache Outgoing SMTP Connections -# Whether to cache outgoing connections to mailservers. -# If "1", use on-demand connection caching. If "0", do not cache. -# If a list of domains (e.g. example.org,hotmail.com,gmail.com) -# then use per-destination connection caching. -# -# Required: No -# Default: 0 -# Values: -# 1 - True -# 0 - False - -# GATEWAY_SMTP_CACHE_CONNECTIONS=0 -# Outgoing SMTP Connection Cache Time Limit -# How long to cache SMTP connections for. 
-# Sets smtp_connection_cache_time_limit to the provied value -# so that the smtp daemon doesn't close the connection and -# sets connection_cache_ttl_limit to the same value so that the cached value is still valid -# -# Required: No -# Default: None -# Example Values: -# 30s -# 2m -# -# GATEWAY_SMTP_CONNECTION_CACHE_TIME_LIMIT=30s - - -EOM - - - - - - - - -} - - - - -WriteScript() { -echo $gwVersion - echo "script" - scriptFile=/var/virtru/vg/scripts/setup-$gwName.sh - - - - - /bin/cat <$scriptFile -docker run \\ ---env-file /var/virtru/vg/env/$gwName.env \\ --v /var/virtru/vg/tls/:/etc/postfix/tls \\ --v /var/virtru/vg/queue/$gwName/:/var/spool/postfix \\ --v /var/virtru/vg/dkim/:/etc/opendkim/keys \\ ---name $gwName \\ ---publish $gwPort:25 \\ ---interactive --tty --detach \\ ---restart unless-stopped \\ ---log-driver json-file \\ ---log-opt max-size=10m \\ ---log-opt max-file=100 \\ -virtru/$gwType:$gwVersion -EOM - - - - - - - - -chmod +x $scriptFile - - - - - - - - -} -ShowNextSteps() { - echo "next steps" - echo "-----------------------" - echo " Deploy Successful!" - echo " Next Steps:" - echo " " - echo " run: docker login" - echo " run: sh $scriptFile" - echo "-----------------------" -} - - - - - - - - - - -# Entry Point - - - - - - - - -clear -EntryPoint diff --git a/deploy-gateway-v2.19.3.sh b/deploy-gateway-v2.19.3.sh deleted file mode 100644 index 07a0de5..0000000 --- a/deploy-gateway-v2.19.3.sh +++ /dev/null 
@@ -1,1371 +0,0 @@ -#!/bin/bash - - - - -EntryPoint() -{ -# Default Variables -blank="" -gwVersionDefault="2.19.3" -gwPortDefault="9001" -gwModeDefault="encrypt-everything" -gwTopologyDefault="outbound" -gwCksDefault="2" -gwInboundRelayDefault="" -gwFqdnDefault="gw.example.com" -gwDomainDefault="example.com" -gwDkimSelectorDefault="gw" -gwOutboundRelayDefault="" -gwAmplitudeTokenDefault="0000000000" -gwHmacNameDefault="0000000000" -gwHmacSecretDefault="0000000000" -gwDefaultFips="2" - - - - - - - -# Final Variables -gwName="" -gwVersion="" -gwPort="" -gwMode="" -gwTopology="" -gwInboundRelay="" -gwCks="" -gwCksKey="" -gwFqdn="" -gwDkimSelector="" -gwOutboundRelay="" -gwAmplitudeToken="" -gwHmacName="" -gwHmacSecret="" -gwType="" -gwSmtpdTlsCompliance="" -gwSmtpdSecurityLevel="" -gwSmtpTlsCompliance="" -gwSmtpSecurityLevel="" - - - - - - - - - -# Working Variables -tlsPath="" -tlsKeyFile="" -tlsKeyFull="" -tlsPemFile="" -tlsPemFull="" -dkimPath="" -dkimPrivateFull="" -dkimPublicFull="" -scriptFile="" - - - - - - - - -# Actions -ShowLogo -GetGwVersion $gwVersionDefault -GetGwPort $gwPortDefault -GetGwMode $gwModeDefault -GetGwTopology $gwTopologyDefault -GetGwFips $gwDefaultFips -GetGwName -GetGwInboundRelay $gwInboundRelayDefault -GetGwCks $gwCksDefault -GetGwFqdn $gwFqdnDefault -GetGwDomain $gwDomainDefault -GetGwDkimSelector $gwDkimSelectorDefault -GetGwOutboundRelay $gwOutboundRelayDefault -GetGwAmplitudeToken $gwAmplitudeTokenDefault -GetGwHmacName $gwHmacNameDefault -GetGwHmacSecret $gwHmacSecretDefault - - - - - - - - -MakeTlsPathVariables -MakeDkimPathVariables -MakeDirectories -MakeTlsCert -MakeDkimCert -WriteEnv -WriteScript -WriteTestScripts -clear -ShowLogo -ShowNextSteps - - - - -} - - - - - - - - - - - - -## Functions -GetGwName() { - if [ $gwTopology = "outbound" ] - then - if [ $gwMode = "encrypt-everything" ] - then - gwName="oe-$gwPort" - fi - if [ $gwMode = "decrypt-everything" ] - then - gwName="od-$gwPort" - fi - if [ $gwMode = "dlp" ] - then - 
gwName="dlp-out-$gwPort" - fi - else - if [ $gwMode = "encrypt-everything" ] - then - gwName="ie-$gwPort" - fi - if [ $gwMode = "decrypt-everything" ] - then - gwName="id-$gwPort" - fi - if [ $gwMode = "dlp" ] - then - gwName="dlp-in-$gwPort" - fi - fi - - -} - - - - -GetGwVersion() { - local input="" - read -p "Gateway Version [$1]: " input - - - - - case "$input" in - $blank ) - gwVersion=$1 - ;; - * ) - gwVersion=$input - ;; - esac - echo " " -} - - - - -GetGwPort() { -local input="" - read -p "Gateway Port [$1]: " input - - - - - case "$input" in - $blank ) - gwPort=$1 - ;; - * ) - gwPort=$input - ;; - esac - echo " " -} - - - - -GetGwMode() { - local input="" - echo "Gateway Mode" - echo " Options" - echo " 1 - encrypt-everything" - echo " 2 - decrypt-everything" - echo " 3 - dlp" - echo " " - read -p "Enter 1-3 [$1]: " input - - - - - case "$input" in - $blank ) - gwMode=$1 - ;; - 1 ) - gwMode="encrypt-everything" - ;; - 2 ) - gwMode="decrypt-everything" - ;; - 3 ) - gwMode="dlp" - ;; - * ) - gwMode=$1 - ;; - esac - echo " " -} - - - - -GetGwTopology() { - local input="" - echo "Gateway Topology" - echo " Options" - echo " 1 - inbound" - echo " 2 - outbound" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwTopology=$1 - ;; - 1 ) - gwTopology="inbound" - ;; - 2 ) - gwTopology="outbound" - ;; - * ) - gwTopology=$1 - ;; - esac - echo " " -} - - -GetGwFips() { - local input="" - echo "Do you have a FIPS requirement?" 
- echo " Options" - echo " 1 - Yes" - echo " 2 - No" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - 1 ) - gwType="gateway-fips" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=mandatory" - gwSmtpdTlsCompliance="GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=HIGH" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=mandatory" - gwSmtpTlsCompliance="GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=HIGH" - - - ;; - 2 ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - * ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - esac - echo " " -} - - - - -GetGwInboundRelay() { - local input="" - echo "Inbound Relay Addresses" - echo " Options" - echo " 1 - G Suite" - echo " 2 - O365" - echo " 3 - All" - echo " 4 - None" - read -p "Enter (1-4) [$1]: " input - - - - - case "$input" in - $blank ) - gwInboundRelay=$1 - ;; - 1 ) - 
gwInboundRelay="GATEWAY_RELAY_ADDRESSES=35.190.247.0/24,64.233.160.0/19,66.102.0.0/20,66.249.80.0/20,72.14.192.0/18,74.125.0.0/16,108.177.8.0/21,173.194.0.0/16,209.85.128.0/17,216.58.192.0/19,216.239.32.0/19,172.217.0.0/19,172.217.32.0/20,172.217.128.0/19,172.217.160.0/20,172.217.192.0/19,108.177.96.0/19,35.191.0.0/16,130.211.0.0/22" - ;; - 2 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=23.103.132.0/22,23.103.136.0/21,23.103.144.0/20,23.103.198.0/23,23.103.200.0/22,23.103.212.0/22,40.92.0.0/14,40.107.0.0/17,40.107.128.0/18,52.100.0.0/14,65.55.88.0/24,65.55.169.0/24,94.245.120.64/26,104.47.0.0/17,104.212.58.0/23,134.170.132.0/24,134.170.140.0/24,157.55.234.0/24,157.56.110.0/23,157.56.112.0/24,207.46.51.64/26,207.46.100.0/24,207.46.163.0/24,213.199.154.0/24,213.199.180.128/26,216.32.180.0/23" - ;; - 3 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=0.0.0.0/0" - ;; - 4 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=" - ;; - * ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=$1" - ;; - esac - echo " " -} - - - - -GetGwCks() { - local input="" - echo "CKS Enabled" - echo " Options" - echo " 1 - Yes" - echo " 2 - No" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - - - ;; - 1 ) - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - 2 ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - * ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - esac - echo " " - - - if [ $gwMode = "decrypt-everything" ] - then - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - fi -} - - - - -GetGwFqdn() { - local input="" - read -p "Gateway FQDN [$1]: " input - - - - - case "$input" in - $blank ) - gwFqdn=$1 - ;; - * ) - gwFqdn=$input - 
;; - esac - echo " " -} - - - - -GetGwDomain() { - local input="" - read -p "Gateway Domain [$1]: " input - - - - - case "$input" in - $blank ) - gwDomain=$1 - ;; - * ) - gwDomain=$input - ;; - esac - echo " " -} - - - - -GetGwOutboundRelay() { - local input="" - echo "Outbound Relay - Next Hop in SMTP mailflow after the gateway." - echo " Gmail Relay" - echo " [smtp-relay.gmail.com]:587" - echo " " - echo " Office 365" - echo " [MX Record]:25" - echo " " - echo " Custom" - echo " [1.1.1.1]:25" - echo " " - echo " Blank (Gateway performs final delivery)" - read -p "Enter Relay Address []: " input - - - - - case "$input" in - $blank ) - gwOutboundRelay="# GATEWAY_TRANSPORT_MAPS=*=>$1" - ;; - * ) - gwOutboundRelay="GATEWAY_TRANSPORT_MAPS=*=>$input" - ;; - esac - echo " " -} - - - - -GetGwDkimSelector() { - local input="" - read -p "Gateway DKIM Selector [$1]: " input - - - - - case "$input" in - $blank ) - gwDkimSelector=$1 - ;; - * ) - gwDkimSelector=$input - ;; - esac - echo " " -} - - - - -GetGwAmplitudeToken() { - local input="" - read -p "Amplitude Token (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwAmplitudeToken=$1 - ;; - * ) - gwAmplitudeToken=$input - ;; - esac - echo " " -} - - - - -GetGwHmacName() { - local input="" - read -p "Token ID (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacName=$1 - ;; - * ) - gwHmacName=$input - ;; - esac - echo " " -} - - - - -GetGwHmacSecret() { - local input="" - read -p "Token (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacSecret=$1 - ;; - * ) - gwHmacSecret=$input - ;; - esac - echo " " -} - - - - - - - - -MakeTlsPathVariables() { - tlsPath="/var/virtru/vg/tls/$gwFqdn" - tlsKeyFile="client.key" - tlsKeyFull="$tlsPath/$tlsKeyFile" - tlsPemFile="client.pem" - tlsPemFull="$tlsPath/$tlsPemFile" -} - - - - -MakeDkimPathVariables() { - dkimPath="/var/virtru/vg/dkim" - dkimPrivateFull="$dkimPath/$gwDkimSelector" - 
dkimPrivateFull="$dkimPrivateFull._domainkey.$gwDomain.pem" - dkimPublicFull="$dkimPath/$gwDkimSelector._domainkey.$gwDomain-public.pem" -} - - - - -MakeDirectories(){ - mkdir -p /var/virtru/vg/ - mkdir -p /var/virtru/vg/env - mkdir -p /var/virtru/vg/scripts - mkdir -p /var/virtru/vg/tls - mkdir -p /var/virtru/vg/queue - mkdir -p /var/virtru/vg/queue/$gwName - chown -R 149:149 /var/virtru/vg/queue/$gwName - mkdir -p /var/virtru/vg/test - mkdir -p $tlsPath - mkdir -p /var/virtru/vg/dkim -} - - - - -MakeTlsCert(){ -## Make TLS Certs -openssl genrsa -out $tlsKeyFull 2048 -openssl req -new -key $tlsKeyFull -x509 -subj /CN=$gwFqdn -days 3650 -out $tlsPemFull - -} - - - - -MakeDkimCert(){ -openssl genrsa -out $dkimPrivateFull 1024 -outform PEM -openssl rsa -in $dkimPrivateFull -out $dkimPublicFull -pubout -outform PEM -} - -WriteTestScripts(){ - testScript1=/var/virtru/vg/test/checkendpoints.sh -/bin/cat <$testScript1 -#!/bin/bash - -echo https://google.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://google.com -echo "" - -echo https://acm.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://acm.virtru.com -echo "" - -echo https://api.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://acm.virtru.com -echo "" - -echo https://accounts.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://accounts.virtru.com -echo "" - -echo https://secure.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://secure.virtru.com -echo "" - -echo https://api.amplitude.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://api.amplitude.com -echo "" - -echo https://cdn.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://cdn.virtru.com -echo "" - -echo 
https://hub.docker.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://hub.docker.com -echo "" - -EOM - - - testScript2=/var/virtru/vg/test/runall.sh -/bin/cat <$testScript2 -#!/bin/bash - -for container in \`docker ps -q\`; do - # show the name of the container - docker inspect --format='{{.Name}}' \$container; - # run the command (date in the case) - docker exec -it \$container \$1 -done - - -EOM - - - testScript3=/var/virtru/vg/test/sendtestmessage.sh -/bin/cat <$testScript3 -#!/bin/bash - -echo "Update Virtru Gateway ENV file to include the lan ip of the Gateway." -echo "Use the lan IP and not the loopback (127.0.0.1)" -read -p "SMTP Server: " server -read -p "SMTP Port: " port -read -p "FROM: " from -read -p "TO: " to - -swaks --To \$to --From \$from --header "Subject: Test mail" --body "This is a test mail" --server \$server --port \$port -tls -4 - - - - -EOM - - -} - - -ShowLogo() { -echo " " -echo " +++ '++." -echo " +++ ++++" -echo " ++++" -echo " ,::: +++ +++ :+++++++ +++++++ .+++++++ .++ '++" -echo " ++++ .+++. '+++ ++++++++++ ++++++++ ++++++++++ ++++ ++++" -echo " ++++ ++++ ++++ +++++''++ +++++++ +++++++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ ++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++++ ;+++ ++++ ++++ ++++ ++++++++" -echo " ++++ +++ ++' ++ ++' .++++" -echo " " -echo " S i m p l e E m a i l P r i v a c y" -echo " " -echo " " - - - - - - - - -} -WriteEnv() { - envFile=/var/virtru/vg/env/$gwName.env - - - - - - - - -/bin/cat <$envFile -# Required to match the CN (Common Name) on the certificate. -# TLS will not function unless this matches. -# -GATEWAY_HOSTNAME=$gwFqdn - - -# Enable verbose logging in Gateway. -# Values -# Enable: 1 -# Disable: 0 -# Default: 0 -# Required: No -# Note: Set this to 0 unless you are debugging something. 
-# -GATEWAY_VERBOSE_LOGGING=0 - - - -# Domain name of organization -# Values -# Domain -# Required: Yes -# -GATEWAY_ORGANIZATION_DOMAIN=$gwDomain - - - -# Comma delimited list of trusted networks in CIDR formate. -# Inbound addresses allowed to connect to the gateway -# Values (examples) -# All IP: 0.0.0.0/0 -# 2 IP: 2.2.2.2/32,2.2.2.3/32 -# Required: Yes -# -$gwInboundRelay - - - -# Enable Proxy Protocol for SMTP. -# For use behind a load balancer. -# Values -# Enable: 1 -# Disable: 0 -# Default: 1 -# Required: No -# -GATEWAY_PROXY_PROTOCOL=0 - - - -# Comma delimited set of domains and next-hop destinations and optional ports -# Values -# Not defined/Commented out - Final delivery by MX -# GATEWAY_TRANSPORT_MAPS=*=>[Next hop FQDN]:port -# Default: Not defined/Commented out - Final delivery by MX -# Required: No -# -# Examples: -# -# Gmail Relay -# GATEWAY_TRANSPORT_MAPS=*=>[smtp-relay.gmail.com]:587 -# -# Office 365 -# GATEWAY_TRANSPORT_MAPS=*=>[MX Record]:25 -# -# Custom -# GATEWAY_TRANSPORT_MAPS=*=>[1.1.1.1]:25 -# -$gwOutboundRelay - - -# The mode for the Gateway. -# Values -# decrypt-everything -# encrypt-everything -# dlp - Use rules defined on Virtru Dashboard (https://secure.virtru.com/dashboard) -# Default: encrypt-everything -# Required: Yes -# -GATEWAY_MODE=$gwMode - - - -# Topology of the gateway. -# Values -# outbound -# inbound -# Default: outbound -# Required: Yes -GATEWAY_TOPOLOGY=$gwTopology - - - -# URL to Virtru's ACM service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACM_URL=https://api.virtru.com/acm - - - -# URL to Virtru's Accounts service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACCOUNTS_URL=https://api.virtru.com/accounts - - - -# The base URL for remote content. -# Required: Yes -# Note: Do not change unless directed by Virtru. If Custom Secure Reader URL is in use the URL should match. 
-# -GATEWAY_REMOTE_CONTENT_BASE_URL=https://secure.virtru.com/start - - - -# DKIM certificate information -# Values -# Not defined/Commented out - Gateway will not perform any DKIM signing -# Complete record for DKIM signing -# Required: No -# Example: -# GATEWAY_DKIM_DOMAINS=gw._domainkey.example.com -# -# GATEWAY_DKIM_DOMAINS=$gwDkimSelector._domainkey.$gwDomain - - - -# HMAC Token Name to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your token Name. -# -GATEWAY_API_TOKEN_NAME=$gwHmacName - - - -# HMAC Token Secret to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token Secret. -# -GATEWAY_API_TOKEN_SECRET=$gwHmacSecret - - - -# Amplitude Token to connect to the Virtru Events platform -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token. -# -GATEWAY_AMPLITUDE_API_KEY=$gwAmplitudeToken - - - -# Consider a message as undeliverable, when delivery fails with a temporary error, and the time in the queue -# has reached the maximal_queue_lifetime limit. -# Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is d (days). -# Postfix default is '5d'. Set this ENV variable if default does not work. -# Values -# NumberUnits -# Default: 5d -# Required: No -# Note: Specify 0 when mail delivery should be tried only once. -# -MAX_QUEUE_LIFETIME=5m - - - -# The maximal time between attempts to deliver a deferred message. 
-# Values -# NumberUnits -# Default: 4000s -# Required: No -# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME -# -MAX_BACKOFF_TIME=45s - - - -# The minimal time between attempts to deliver a deferred message -# Values -# NumberUnits -# Default: 300s -# Required: No -# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME -# -MIN_BACKOFF_TIME=30s - - - -# The time between deferred queue scans by the queue manager -# Values -# NumberUnits -# Default: 300s -# Required: No -# -QUEUE_RUN_DELAY=30s - - - -# Gateway Inbound -# Enable Inbound TLS to the Gateway. -# Values -# 1 Enabled -# 0 Disabled -# Default: 1 -# Required: No -# -GATEWAY_SMTPD_USE_TLS=1 - - - -# TLS Compliance Level for upstream (inbound) connections. -# This sets TLS version and cipher list accordingly. -# Customer is still responsible for following other NIST and/or OWASP recommendations, -# notably making sure certificates are signed and keys are rotated regularly. -# Values: -# LOW -# MEDIUM -# HIPPA_2018 -# PCI_321 -# HIGH -# -# Default: N/A -# Required: No -# Note: If any level above LOW, you must set: -# GATEWAY_SMTPD_SECURITY_LEVEL= mandatory -# GATEWAY_SMTPD_USE_TLS=1 -# -# -$gwSmtpdTlsCompliance - - - -# Gateway Inbound -# TLS level for inbound connections -# Values -# none -# mandatory -# opportunistic -# Require: No -# Note: Only used when: -# GATEWAY_SMTPD_USE_TLS=1 -# -$gwSmtpdSecurityLevel - - - -# Gateway Outbound -# Enable TLS at the Gateway. -# Values -# 1 Enabled -# 0 Disabled -# Default: 1 -# Require: No -# -GATEWAY_SMTP_USE_TLS=1 - - - -# Gateway Outbound -# TLS level for outbound connections -# Values -# none -# mandatory -# opportunistic -# Require: No -# -$gwSmtpSecurityLevel - - - -# TLS Compliance Level for downstream (outbound) connections. -# This sets TLS version and cipher list accordingly. 
-# Customer is still responsible for following other NIST and/or OWASP recommendations, -# notably making sure certificates are signed and keys are rotated regularly. -# Values: -# LOW -# MEDIUM -# HIPPA_2018 -# PCI_321 -# HIGH -# -# Default: N/A -# Required: No -# Note: If any level above LOW, you must set: -# GATEWAY_SMTP_SECURITY_LEVEL= mandatory -# GATEWAY_SMTP_USE_TLS=1 -# -# -$gwSmtpTlsCompliance - - - -# Gateway Outbound -# If SASL_ENABLED_DOWNSTREAM enabled, specify Postfix SMTP client SASL security options here. -# Default: N/A -# Required: No -# Values: Text -# -# GATEWAY_SMTP_SASL_SECURITY_OPTIONS=noanonymous -# - - - -# Gateway Outbound -# Require SASL authentication for outbound downstream or relay servers attempting to connect this server. -# Default: 0 -# Required: No -# Values: -# 0 (Disabled) -# 1 (Enabled) -# -# GATEWAY_SMTP_SASL_ENABLED_DOWNSTREAM=0 -# - - - -# Gateway Outbound -# Accounts for Authentication -# Example: -# GATEWAY_SMTPD_SASL_GATEWAY_SMTPD_SASL_ACCOUNTS=example.com=>user1=>password1,example.net=>user2=>password2 -# Required: No -# -# GATEWAY_SMTP_SASL_ACCOUNTS= -# - - - -# Gateway Outbound -# Outbound TLS requirements for a domain. Comma separated list. -# Example -# example.com=>none -# example.net=>maybe -# example.org=>encrypt -# GATEWAY_SMTP_TLS_POLICY_MAPS=example.com=>none,example.net=>maybe -# -# GATEWAY_SMTP_TLS_POLICY_MAPS= - - - -# New Relic Key -# Customer provided key to log events in customer's New Relic Tenant -# Values -# Provided by New Relic -# Required: No -# -# GATEWAY_NEWRELIC_CRED= - - - -# Inbound Authentication enablement. -# Enable inbound authentication. -# Supported modes: CRAM-MD5 or DIGEST-MD5 -# Values -# 1 Enabled -# 0 Disabled -# Default: 0 -# Require: No -# -# GATEWAY_SMTPD_SASL_ENABLED=0 - - - -# Inbound Authentication mechanisms. -# Space-delimited list of SASL mechanisms to support for upstream SASL. 
-# -# Default: N/A -# Required: No -# Values: -# PLAIN -# LOGIN -# CRAM-MD5 -# DIGEST-MD5 -# Note: Only required when: -# GATEWAY_SMTPD_SASL_ENABLED_UPSTREAM=1 -# -# GATEWAY_SMTPD_SASL_MECHANISMS= -# - - -# Inbound Authentication -# Accounts for Authentication -# Example: -# GATEWAY_SMTPD_SASL_ACCOUNTS=example.net=>user1=>password1,example.com=>user2=>password2 -# Required: No -# -# GATEWAY_SMTPD_SASL_ACCOUNTS= -# - - - -# Inbound X-Header Authentication -# Enable inbound X-Header authentication -# Values -# 1 Enabled -# 0 Disabled -# Default: 0 -# Require: No -# -# GATEWAY_XHEADER_AUTH_ENABLED= -# - - - -# Inbound X-Header Authentication -# Enable inbound X-Header authentication Shared Secret -# Example variable: -# GATEWAY_XHEADER_AUTH_SECRET=123456789 -# Example of applied header with secret -# X-Header-Virtru-Auth=123456789 -# Require: No -# -# GATEWAY_XHEADER_AUTH_SECRET= -# - - - -# CKS Enabled Organization -# -# If Gateway is in Decrypt Mode Required -# Required: Yes -# If Gateway is in Encrypt Mode Required only if the Organization is CKS enabled. -# Required: No -# -# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS -# -$gwCks - - - -# CKS Key Intergenerational Period -# Time between Gateway CKS public/private client Key Generation -# -# Required: No -# Default: 360 -# -# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360 -# -$gwCksKey - - - -# Time to Cache DLP rule. -# The interval of time between refreshing the DLP rules in minutes. -# -# Required: No -# Default: 30 -# Minimum: 0 -# -# Note: Number in minutes. To refresh every request, set to 0. -# -# GATEWAY_DLP_CACHE_DURATION=30 - - -# Inbound FROM address rewrite. -# Enable or disable from address rewriting (inbound topology only). This feature allows the Virtru Gateway to support DKIM. 
-# -# Required: No -# Default: 1 -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_REPLACEMENT_FROM_ENABLED=1 - - - -# Enable decryption of PFP protected files -# The feature to enable/disable the option to decrypt Virtru Persistent File Protection -# protected files (DECRYPT mode only) -# -# Required: No -# Default: 1 -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_DECRYPT_PERSISTENT_PROTECTED_ATTACHMENTS=1 - - -# SMTP XHeaders for the Gateway to set on all mail it processes -# Example Header Values -# X-Header-1: value1, X-Header-2: value2 -# GATEWAY_ROUTING_XHEADERS= - -# Record policy security options upon decrypt -# Only available on outbound decrypt modes -# -# Required: Yes -# Default: 0 -# Values: -# 1 - True -# 0 - False -# -GATEWAY_RECORD_POLICY_OPTIONS=0 - -# Use existing policy security options -# Only available on outbound encrypt mode, will use the additional policy security settings -# based on the security settings of the original policy before decryption -# -# Required: Yes -# Default: ignore -# Values: -# ignore -# accept -# -GATEWAY_USE_EXISTING_POLICY_OPTIONS=ignore - -# Cache Outgoing SMTP Connections -# Whether to cache outgoing connections to mailservers. -# If "1", use on-demand connection caching. If "0", do not cache. -# If a list of domains (e.g. example.org,hotmail.com,gmail.com) -# then use per-destination connection caching. -# -# Required: No -# Default: 0 -# Values: -# 1 - True -# 0 - False - -# GATEWAY_SMTP_CACHE_CONNECTIONS=0 -# Outgoing SMTP Connection Cache Time Limit -# How long to cache SMTP connections for. 
-# Sets smtp_connection_cache_time_limit to the provied value -# so that the smtp daemon doesn't close the connection and -# sets connection_cache_ttl_limit to the same value so that the cached value is still valid -# -# Required: No -# Default: None -# Example Values: -# 30s -# 2m -# -# GATEWAY_SMTP_CONNECTION_CACHE_TIME_LIMIT=30s - - -EOM - - - - - - - - -} - - - - -WriteScript() { -echo $gwVersion - echo "script" - scriptFile=/var/virtru/vg/scripts/setup-$gwName.sh - - - - - /bin/cat <$scriptFile -docker run \\ ---env-file /var/virtru/vg/env/$gwName.env \\ --v /var/virtru/vg/tls/:/etc/postfix/tls \\ --v /var/virtru/vg/queue/$gwName/:/var/spool/postfix \\ --v /var/virtru/vg/dkim/:/etc/opendkim/keys \\ ---name $gwName \\ ---publish $gwPort:25 \\ ---interactive --tty --detach \\ ---restart unless-stopped \\ ---log-driver json-file \\ ---log-opt max-size=10m \\ ---log-opt max-file=100 \\ -virtru/$gwType:$gwVersion -EOM - - - - - - - - -chmod +x $scriptFile - - - - - - - - -} -ShowNextSteps() { - echo "next steps" - echo "-----------------------" - echo " Deploy Successful!" - echo " Next Steps:" - echo " " - echo " run: docker login" - echo " run: sh $scriptFile" - echo "-----------------------" -} - - - - - - - - - - -# Entry Point - - - - - - - - -clear -EntryPoint diff --git a/deploy-gateway-v2.2.sh b/deploy-gateway-v2.2.sh deleted file mode 100644 index 25e3e3a..0000000 --- a/deploy-gateway-v2.2.sh +++ /dev/null 
@@ -1,1236 +0,0 @@ -#!/bin/bash - - - - -EntryPoint() -{ -# Default Variables -blank="" -#gwNameDefault="oe" -gwVersionDefault="2.2.18" -gwPortDefault="9001" -gwModeDefault="encrypt-everything" -gwTopologyDefault="outbound" -gwCksDefault="2" -gwInboundRelayDefault="" -gwFqdnDefault="gw.example.com" -gwDomainDefault="example.com" -gwDkimSelectorDefault="gw" -gwOutboundRelayDefault="" -gwAmplitudeTokenDefault="0000000000" -gwHmacNameDefault="0000000000" -gwHmacSecretDefault="0000000000" - - - - - - - - -# Final Variables -gwName="" -gwVersion="" -gwPort="" -gwMode="" -gwTopology="" -gwInboundRelay="" -gwCks="" -gwCksKey="" -gwFqdn="" -gwDkimSelector="" -gwOutboundRelay="" -gwAmplitudeToken="" -gwHmacName="" -gwHmacSecret="" - - - - - - - - -# Working Variables -tlsPath="" -tlsKeyFile="" -tlsKeyFull="" -tlsPemFile="" -tlsPemFull="" -dkimPath="" -dkimPrivateFull="" -dkimPublicFull="" -scriptFile="" - - - - - - - - -# Actions -ShowLogo -GetGwVersion $gwVersionDefault -GetGwPort $gwPortDefault -GetGwMode $gwModeDefault -GetGwTopology $gwTopologyDefault -GetGwName -GetGwInboundRelay $gwInboundRelayDefault -GetGwCks $gwCksDefault -GetGwFqdn $gwFqdnDefault -GetGwDomain $gwDomainDefault -GetGwDkimSelector $gwDkimSelectorDefault -GetGwOutboundRelay $gwOutboundRelayDefault -GetGwAmplitudeToken $gwAmplitudeTokenDefault -GetGwHmacName $gwHmacNameDefault -GetGwHmacSecret $gwHmacSecretDefault - - - - - - - - -MakeTlsPathVariables -MakeDkimPathVariables -MakeDirectories -MakeTlsCert -MakeDkimCert -WriteEnv -WriteScript -WriteTestScripts -clear -ShowLogo -ShowNextSteps - - - - -} - - - - - - - - - - - - -## Functions -GetGwName() { - if [ $gwTopology = "outbound" ] - then - if [ $gwMode = "encrypt-everything" ] - then - gwName="oe-$gwPort" - fi - if [ $gwMode = "decrypt-everything" ] - then - gwName="od-$gwPort" - fi - if [ $gwMode = "dlp" ] - then - gwName="dlp-out-$gwPort" - fi - else - if [ $gwMode = "encrypt-everything" ] - then - gwName="ie-$gwPort" - fi - if [ $gwMode = 
"decrypt-everything" ] - then - gwName="id-$gwPort" - fi - if [ $gwMode = "dlp" ] - then - gwName="dlp-in-$gwPort" - fi - fi - - -} - - - - -GetGwVersion() { - local input="" - read -p "Gateway Version [$1]: " input - - - - - case "$input" in - $blank ) - gwVersion=$1 - ;; - * ) - gwVersion=$input - ;; - esac - echo " " -} - - - - -GetGwPort() { -local input="" - read -p "Gateway Port [$1]: " input - - - - - case "$input" in - $blank ) - gwPort=$1 - ;; - * ) - gwPort=$input - ;; - esac - echo " " -} - - - - -GetGwMode() { - local input="" - echo "Gateway Mode" - echo " Options" - echo " 1 - encrypt-everything" - echo " 2 - decrypt-everything" - echo " 3 - dlp" - echo " " - read -p "Enter 1-3 [$1]: " input - - - - - case "$input" in - $blank ) - gwMode=$1 - ;; - 1 ) - gwMode="encrypt-everything" - ;; - 2 ) - gwMode="decrypt-everything" - ;; - 3 ) - gwMode="dlp" - ;; - * ) - gwMode=$1 - ;; - esac - echo " " -} - - - - -GetGwTopology() { - local input="" - echo "Gateway Topology" - echo " Options" - echo " 1 - inbound" - echo " 2 - outbound" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwTopology=$1 - ;; - 1 ) - gwTopology="inbound" - ;; - 2 ) - gwTopology="outbound" - ;; - * ) - gwTopology=$1 - ;; - esac - echo " " -} - - - - -GetGwInboundRelay() { - local input="" - echo "Inbound Relay Addresses" - echo " Options" - echo " 1 - G Suite" - echo " 2 - O365" - echo " 3 - All" - echo " 4 - None" - read -p "Enter (1-4) [$1]: " input - - - - - case "$input" in - $blank ) - gwInboundRelay=$1 - ;; - 1 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=35.190.247.0/24,64.233.160.0/19,66.102.0.0/20,66.249.80.0/20,72.14.192.0/18,74.125.0.0/16,108.177.8.0/21,173.194.0.0/16,209.85.128.0/17,216.58.192.0/19,216.239.32.0/19,172.217.0.0/19,172.217.32.0/20,172.217.128.0/19,172.217.160.0/20,172.217.192.0/19,108.177.96.0/19,35.191.0.0/16,130.211.0.0/22" - ;; - 2 ) - 
gwInboundRelay="GATEWAY_RELAY_ADDRESSES=23.103.132.0/22,23.103.136.0/21,23.103.144.0/20,23.103.198.0/23,23.103.200.0/22,23.103.212.0/22,40.92.0.0/14,40.107.0.0/17,40.107.128.0/18,52.100.0.0/14,65.55.88.0/24,65.55.169.0/24,94.245.120.64/26,104.47.0.0/17,104.212.58.0/23,134.170.132.0/24,134.170.140.0/24,157.55.234.0/24,157.56.110.0/23,157.56.112.0/24,207.46.51.64/26,207.46.100.0/24,207.46.163.0/24,213.199.154.0/24,213.199.180.128/26,216.32.180.0/23" - ;; - 3 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=0.0.0.0/0" - ;; - 4 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=" - ;; - * ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=$1" - ;; - esac - echo " " -} - - - - -GetGwCks() { - local input="" - echo "CKS Enabled" - echo " Options" - echo " 1 - Yes" - echo " 2 - No" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - - - ;; - 1 ) - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - 2 ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - * ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - esac - echo " " - - - if [ $gwMode = "decrypt-everything" ] - then - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - fi -} - - - - -GetGwFqdn() { - local input="" - read -p "Gateway FQDN [$1]: " input - - - - - case "$input" in - $blank ) - gwFqdn=$1 - ;; - * ) - gwFqdn=$input - ;; - esac - echo " " -} - - - - -GetGwDomain() { - local input="" - read -p "Gateway Domain [$1]: " input - - - - - case "$input" in - $blank ) - gwDomain=$1 - ;; - * ) - gwDomain=$input - ;; - esac - echo " " -} - - - - -GetGwOutboundRelay() { - local input="" - echo "Outbound Relay" - echo "\tBlank (Gateway performs final delivery)" - echo 
"\t[smtp-relay.example.com]:587 (Gateway sends all mail to relay for delivery)" - read -p "Enter Relay Address []: " input - - - - - case "$input" in - $blank ) - gwOutboundRelay="# GATEWAY_TRANSPORT_MAPS=*=>$1" - ;; - * ) - gwOutboundRelay="GATEWAY_TRANSPORT_MAPS=*=>$input" - ;; - esac - echo " " -} - - - - -GetGwDkimSelector() { - local input="" - read -p "Gateway DKIM Selector [$1]: " input - - - - - case "$input" in - $blank ) - gwDkimSelector=$1 - ;; - * ) - gwDkimSelector=$input - ;; - esac - echo " " -} - - - - -GetGwAmplitudeToken() { - local input="" - read -p "Amplitude Token (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwAmplitudeToken=$1 - ;; - * ) - gwAmplitudeToken=$input - ;; - esac - echo " " -} - - - - -GetGwHmacName() { - local input="" - read -p "HMAC Name (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacName=$1 - ;; - * ) - gwHmacName=$input - ;; - esac - echo " " -} - - - - -GetGwHmacSecret() { - local input="" - read -p "HMAC Secret (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacSecret=$1 - ;; - * ) - gwHmacSecret=$input - ;; - esac - echo " " -} - - - - - - - - -MakeTlsPathVariables() { - tlsPath="/var/virtru/vg/tls/$gwFqdn" - tlsKeyFile="client.key" - tlsKeyFull="$tlsPath/$tlsKeyFile" - tlsPemFile="client.pem" - tlsPemFull="$tlsPath/$tlsPemFile" -} - - - - -MakeDkimPathVariables() { - dkimPath="/var/virtru/vg/dkim" - dkimPrivateFull="$dkimPath/$gwDkimSelector" - dkimPrivateFull="$dkimPrivateFull._domainkey.$gwDomain.pem" - dkimPublicFull="$dkimPath/$gwDkimSelector._domainkey.$gwDomain-public.pem" -} - - - - -MakeDirectories(){ - mkdir -p /var/virtru/vg/ - mkdir -p /var/virtru/vg/env - mkdir -p /var/virtru/vg/scripts - mkdir -p /var/virtru/vg/tls - mkdir -p /var/virtru/vg/queue - mkdir -p /var/virtru/vg/queue/$gwName - mkdir -p /var/virtru/bg/test - mkdir -p $tlsPath - mkdir -p /var/virtru/vg/dkim -} - - - - -MakeTlsCert(){ -## Make TLS Certs 
-openssl genrsa -out $tlsKeyFull 2048 -openssl req -new -key $tlsKeyFull -x509 -subj /CN=$gwFqdn -days 3650 -out $tlsPemFull - - - - -} - - - - -MakeDkimCert(){ -openssl genrsa -out $dkimPrivateFull 1024 -outform PEM -openssl rsa -in $dkimPrivateFull -out $dkimPublicFull -pubout -outform PEM -} - -WriteTestScripts(){ - testScript1=/var/virtru/vg/test/checkendpoints.sh -/bin/cat <$testScript1 -#!/bin/bash - -echo https://google.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://google.com -echo "" - -echo https://acm.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://acm.virtru.com -echo "" - -echo https://events.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://events.virtru.com -echo "" - -echo https://accounts.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://accounts.virtru.com -echo "" - -echo https://secure.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://secure.virtru.com -echo "" - -echo https://storage.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://storage.virtru.com -echo "" - -echo https://encrypted-storage.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://encrypted-storage.virtru.com -echo "" - -echo https://api.amplitude.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://api.amplitude.com -echo "" - -echo https://cdn.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://cdn.virtru.com -echo "" - -echo https://repo.maven.apache.org -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://repo.maven.apache.org -echo "" - -echo https://hub.docker.com -curl 
--connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://hub.docker.com -echo "" - - - -EOM - - - testScript2=/var/virtru/vg/test/runall.sh -/bin/cat <$testScript2 -#!/bin/bash - -for container in \`docker ps -q\`; do - # show the name of the container - docker inspect --format='{{.Name}}' \$container; - # run the command (date in the case) - docker exec -it \$container \$1 -done - - -EOM - - - testScript3=/var/virtru/vg/test/sendtestmessage.sh -/bin/cat <$testScript3 -#!/bin/bash - -echo "Update Virtru Gateway ENV file to include the lan ip of the Gateway." -echo "Use the lan IP and not the loopback (127.0.0.1)" -read -p "SMTP Server: " server -read -p "SMTP Port: " port -read -p "FROM: " from -read -p "TO: " to - -swaks --To \$to --From \$from --header "Subject: Test mail" --body "This is a test mail" --server \$server --port \$port -tls -4 - - - - -EOM - - -} - - -ShowLogo() { -echo " " -echo " +++ '++." -echo " +++ ++++" -echo " ++++" -echo " ,::: +++ +++ :+++++++ +++++++ .+++++++ .++ '++" -echo " ++++ .+++. '+++ ++++++++++ ++++++++ ++++++++++ ++++ ++++" -echo " ++++ ++++ ++++ +++++''++ +++++++ +++++++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ ++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++++ ;+++ ++++ ++++ ++++ ++++++++" -echo " ++++ +++ ++' ++ ++' .++++" -echo " " -echo " S i m p l e E m a i l P r i v a c y" -echo " " -echo " " - - - - - - - - -} -WriteEnv() { - envFile=/var/virtru/vg/env/$gwName.env - - - - - - - - -/bin/cat <$envFile -# Enable verbose logging in Gateway. -# Values -# Enable: 1 -# Disable: 0 -# Default: 0 -# Required: No -# Note: Set this to 0 unless you are debugging something. -# -GATEWAY_VERBOSE_LOGGING=0 - - - - - - - - -# Domain name of organization -# Values -# Domain -# Required: Yes -# -GATEWAY_ORGANIZATION_DOMAIN=$gwDomain - - - - - - - - -# Comma delimited list of trusted networks in CIDR formate. 
-# Inbound addresses allowed to connect to the gateway -# Values (examples) -# All IP: 0.0.0.0/0 -# 2 IP: 2.2.2.2/32,2.2.2.3/32 -# Required: Yes -# -$gwInboundRelay - - - - - - - - -# Enable Proxy Protocol for SMTP. -# For use behind a load balancer. -# Values -# Enable: 1 -# Disable: 0 -# Default: 1 -# Required: No -# -GATEWAY_PROXY_PROTOCOL=0 - - - - - - - - -# Comma delimited set of domains and next-hop destinations and optional ports -# Values -# Not defined/Commented out - Final delivery by MX -# GATEWAY_TRANSPORT_MAPS=*=>[Next hop FQDN]:port -# Default: Not defined/Commented out - Final delivery by MX -# Required: No -# -# Examples: -# GATEWAY_TRANSPORT_MAPS=*=>[smtp-relay.gmail.com]:587 -# GATEWAY_TRANSPORT_MAPS=*=>[MX Record]:25 -# GATEWAY_TRANSPORT_MAPS=*=>[1.1.1.]:25 -# -$gwOutboundRelay - - - - - - - - -# The mode for the Gateway. -# Values -# decrypt-everything -# encrypt-everything -# dlp - Use rules defined on Virtru Dashboard (https://secure.virtru.com/dashboard) -# Default: encrypt-everything -# Required: Yes -# -GATEWAY_MODE=$gwMode - - - - - - - - -# Topology of the gateway. -# Values -# outbound -# inbound -# Default: outbound -# Required: Yes -GATEWAY_TOPOLOGY=$gwTopology - - - - - - - - -# URL to Virtru's ACM service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACM_URL=https://acm.virtru.com - - - - - - - - -# URL to Virtru's Accounts service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACCOUNTS_URL=https://accounts.virtru.com - - - - - - - - -# The base URL for remote content. -# Required: Yes -# Note: Do not change this. 
-# -GATEWAY_REMOTE_CONTENT_BASE_URL=https://secure.virtru.com/start - - - - - - - - -# DKIM certificate information -# Values -# Not defined/Commented out - Gateway will not perform any DKIM signing -# Complete record for DKIM signing -# Required: No -# Example: -# GATEWAY_DKIM_DOMAINS=gw._domainkey.example.com -# -# GATEWAY_DKIM_DOMAINS=$gwDkimSelector._domainkey.$gwDomain - - - - - - - - -# HMAC Token Name to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your token Name. -# -GATEWAY_API_TOKEN_NAME=$gwHmacName - - - - - - - - -# HMAC Token Secret to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token Secret. -# -GATEWAY_API_TOKEN_SECRET=$gwHmacSecret - - - - - - - - -# Amplitude Token to connect to the Virtru Events platform -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token. -# -GATEWAY_AMPLITUDE_API_KEY=$gwAmplitudeToken - - - - - - - - -# Consider a message as undeliverable, when delivery fails with a temporary error, and the time in the queue -# has reached the maximal_queue_lifetime limit. -# Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is d (days). -# Postfix default is '5d'. Set this ENV variable if default does not work. -# Values -# NumberUnits -# Default: 5d -# Required: No -# Note: Specify 0 when mail delivery should be tried only once. -# -MAX_QUEUE_LIFETIME=5m - - - - - - - - -# The maximal time between attempts to deliver a deferred message. 
-# Values
-# NumberUnits
-# Default: 4000s
-# Required: No
-# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME
-#
-MAX_BACKOFF_TIME=45s
-
-
-
-
-
-
-
-
-# The minimal time between attempts to deliver a deferred message
-# Values
-# NumberUnits
-# Default: 300s
-# Required: No
-# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME
-#
-MIN_BACKOFF_TIME=30s
-
-
-
-
-
-
-
-
-# The time between deferred queue scans by the queue manager
-# Values
-# NumberUnits
-# Default: 300s
-# Required: No
-#
-QUEUE_RUN_DELAY=30s
-
-
-
-
-
-
-
-
-# Gateway Inbound
-# Enable Inbound TLS to the Gateway.
-# Values
-# 1 Enabled
-# 0 Disabled
-# Default: 1
-# Require: No
-#
-GATEWAY_SMTPD_USE_TLS=1
-
-
-
-
-
-
-
-
-# Gateway Inbound
-# TLS level for inbound connections
-# Values
-# none
-# mandatory
-# opportunistic
-# Require: No
-#
-GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic
-
-
-
-
-
-
-
-
-# Gateway Outbound
-# Enable TLS at the Gateway.
-# Values
-# 1 Enabled
-# 0 Disabled
-# Default: 1
-# Require: No
-#
-GATEWAY_SMTP_USE_TLS=1
-
-
-
-
-
-
-
-
-# Gateway Outbound
-# TLS level for outbound connections
-# Values
-# none
-# mandatory
-# opportunistic
-# Require: No
-#
-GATEWAY_SMTP_SECURITY_LEVEL=opportunistic
-
-
-
-
-
-
-
-
-# Gateway Outbound
-# Outbound TLS requirements for a domain. Comma separated list.
-# Example
-# example.com=>none
-# example.net=>maybe
-# example.org=>encrypt
-# GATEWAY_SMTP_TLS_POLICY_MAPS=example.com=>none,example.net=>maybe
-#
-# GATEWAY_SMTP_TLS_POLICY_MAPS=
-
-
-
-
-
-
-
-
-# New Relic Key
-# Customer provided key to log events in customer's New Relic Tenant
-# Values
-# Provided by New Relic
-# Required: No
-#
-# GATEWAY_NEWRELIC_CRED=
-
-
-
-
-# Inbound Authentication
-# Enable inbound authentication.
-# Supported modes: CRAM-MD5 or DIGEST-MD5
-# Values
-# 1 Enabled
-# 0 Disabled
-# Default: 0
-# Require: No
-#
-# GATEWAY_SMTPD_SASL_ENABLED=0
-
-
-# Inbound Authentication
-# Accounts for Authentication
-# Supported modes: CRAM-MD5 or DIGEST-MD5
-# Example:
-# GATEWAY_SMTPD_SASL_ACCOUNTS=user1=>password1,user2=>password2
-# Required: No
-#
-# GATEWAY_SMTPD_SASL_ACCOUNTS=
-#
-
-
-
-
-# Inbound X-Header Authentication
-# Enable inbound X-Header authentication
-# Values
-# 1 Enabled
-# 0 Disabled
-# Default: 0
-# Require: No
-#
-# GATEWAY_XHEADER_AUTH_ENABLED=
-#
-
-
-
-
-# Inbound X-Header Authentication
-# Enable inbound X-Header authentication Shared Secret
-# Example:
-# GATEWAY_XHEADER_AUTH_SECRET=123456789
-#
-# Require: No
-#
-# GATEWAY_XHEADER_AUTH_SECRET=
-#
-
-
-
-
-# CKS Enabled Organization
-#
-# If Gateway is in Decrypt Mode Required
-# Required: Yes
-# If Gateway is in Encrypt Mode Required only if the Organization is CKS enabled.
-# Required: No
-#
-# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS
-#
-$gwCks
-
-
-# CKS Key Intergenerational Period
-# Time between Gateway CKS public/private client Key Generation
-#
-# Required: No
-# Default: 360
-#
-# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360
-#
-$gwCksKey
-
-
-
-
-
-
-EOM
-
-
-
-
-
-
-
-
-}
-
-
-
-
-WriteScript() {
-echo $gwVersion
- echo "script"
- scriptFile=/var/virtru/vg/scripts/setup-$gwName.sh
-
-
-
-
- /bin/cat <$scriptFile
-docker run \\
---env-file /var/virtru/vg/env/$gwName.env \\
--v /var/virtru/vg/tls/:/etc/postfix/tls \\
--v /var/virtru/vg/queue/$gwName/:/var/spool/postfix \\
--v /var/virtru/vg/dkim/:/etc/opendkim/keys \\
---hostname $gwFqdn \\
---name $gwName \\
---publish $gwPort:25 \\
---interactive --tty --detach \\
---restart unless-stopped \\
---log-opt max-size=10m \\
---log-opt max-file=100 \\
-virtru/gateway:$gwVersion
-EOM
-
-
-
-
-
-
-
-
-chmod +x $scriptFile
-
-
-
-
-
-
-
-
-}
-ShowNextSteps() {
- echo "next steps"
- echo "-----------------------"
- echo " Deploy Successful!"
- echo " Next Steps:"
- echo " "
- echo " run: docker login"
- echo " run: sh $scriptFile"
- echo "-----------------------"
-}
-
-
-
-
-
-
-
-
-
-
-# Entry Point
-
-
-
-
-
-
-
-
-clear
-EntryPoint
diff --git a/deploy-gateway-v2.20.0.sh b/deploy-gateway-v2.20.0.sh
deleted file mode 100644
index b2ee4a1..0000000
--- a/deploy-gateway-v2.20.0.sh
+++ /dev/null
@@ -1,1362 +0,0 @@ -#!/bin/bash - - - - -EntryPoint() -{ -# Default Variables -blank="" -gwVersionDefault="2.20.0" -gwPortDefault="9001" -gwModeDefault="encrypt-everything" -gwTopologyDefault="outbound" -gwCksDefault="2" -gwInboundRelayDefault="" -gwFqdnDefault="gw.example.com" -gwDomainDefault="example.com" -gwDkimSelectorDefault="gw" -gwOutboundRelayDefault="" -gwAmplitudeTokenDefault="0000000000" -gwHmacNameDefault="0000000000" -gwHmacSecretDefault="0000000000" -gwDefaultFips="2" - - - - - - - -# Final Variables -gwName="" -gwVersion="" -gwPort="" -gwMode="" -gwTopology="" -gwInboundRelay="" -gwCks="" -gwCksKey="" -gwFqdn="" -gwDkimSelector="" -gwOutboundRelay="" -gwAmplitudeToken="" -gwHmacName="" -gwHmacSecret="" -gwType="" -gwSmtpdTlsCompliance="" -gwSmtpdSecurityLevel="" -gwSmtpTlsCompliance="" -gwSmtpSecurityLevel="" - - - - - - - - - -# Working Variables -tlsPath="" -tlsKeyFile="" -tlsKeyFull="" -tlsPemFile="" -tlsPemFull="" -dkimPath="" -dkimPrivateFull="" -dkimPublicFull="" -scriptFile="" - - - - - - - - -# Actions -ShowLogo -GetGwVersion $gwVersionDefault -GetGwPort $gwPortDefault -GetGwMode $gwModeDefault -GetGwTopology $gwTopologyDefault -GetGwFips $gwDefaultFips -GetGwName -GetGwInboundRelay $gwInboundRelayDefault -GetGwCks $gwCksDefault -GetGwFqdn $gwFqdnDefault -GetGwDomain $gwDomainDefault -GetGwDkimSelector $gwDkimSelectorDefault -GetGwOutboundRelay $gwOutboundRelayDefault -GetGwAmplitudeToken $gwAmplitudeTokenDefault -GetGwHmacName $gwHmacNameDefault -GetGwHmacSecret $gwHmacSecretDefault - - - - - - - - -MakeTlsPathVariables -MakeDkimPathVariables -MakeDirectories -MakeTlsCert -MakeDkimCert -WriteEnv -WriteScript -WriteTestScripts -clear -ShowLogo -ShowNextSteps - - - - -} - - - - - - - - - - - - -## Functions -GetGwName() { - if [ $gwTopology = "outbound" ] - then - if [ $gwMode = "encrypt-everything" ] - then - gwName="oe-$gwPort" - fi - if [ $gwMode = "decrypt-everything" ] - then - gwName="od-$gwPort" - fi - if [ $gwMode = "dlp" ] - then - 
gwName="dlp-out-$gwPort" - fi - else - if [ $gwMode = "encrypt-everything" ] - then - gwName="ie-$gwPort" - fi - if [ $gwMode = "decrypt-everything" ] - then - gwName="id-$gwPort" - fi - if [ $gwMode = "dlp" ] - then - gwName="dlp-in-$gwPort" - fi - fi - - -} - - - - -GetGwVersion() { - local input="" - read -p "Gateway Version [$1]: " input - - - - - case "$input" in - $blank ) - gwVersion=$1 - ;; - * ) - gwVersion=$input - ;; - esac - echo " " -} - - - - -GetGwPort() { -local input="" - read -p "Gateway Port [$1]: " input - - - - - case "$input" in - $blank ) - gwPort=$1 - ;; - * ) - gwPort=$input - ;; - esac - echo " " -} - - - - -GetGwMode() { - local input="" - echo "Gateway Mode" - echo " Options" - echo " 1 - encrypt-everything" - echo " 2 - decrypt-everything" - echo " 3 - dlp" - echo " " - read -p "Enter 1-3 [$1]: " input - - - - - case "$input" in - $blank ) - gwMode=$1 - ;; - 1 ) - gwMode="encrypt-everything" - ;; - 2 ) - gwMode="decrypt-everything" - ;; - 3 ) - gwMode="dlp" - ;; - * ) - gwMode=$1 - ;; - esac - echo " " -} - - - - -GetGwTopology() { - local input="" - echo "Gateway Topology" - echo " Options" - echo " 1 - inbound" - echo " 2 - outbound" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwTopology=$1 - ;; - 1 ) - gwTopology="inbound" - ;; - 2 ) - gwTopology="outbound" - ;; - * ) - gwTopology=$1 - ;; - esac - echo " " -} - - -GetGwFips() { - local input="" - echo "Do you have a FIPS requirement?" 
- echo " Options" - echo " 1 - Yes" - echo " 2 - No" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - 1 ) - gwType="gateway-fips" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=mandatory" - gwSmtpdTlsCompliance="GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=HIGH" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=mandatory" - gwSmtpTlsCompliance="GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=HIGH" - - - ;; - 2 ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - * ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - esac - echo " " -} - - - - -GetGwInboundRelay() { - local input="" - echo "Inbound Relay Addresses" - echo " Options" - echo " 1 - G Suite" - echo " 2 - O365" - echo " 3 - All" - echo " 4 - None" - read -p "Enter (1-4) [$1]: " input - - - - - case "$input" in - $blank ) - gwInboundRelay=$1 - ;; - 1 ) - 
gwInboundRelay="GATEWAY_RELAY_ADDRESSES=35.190.247.0/24,64.233.160.0/19,66.102.0.0/20,66.249.80.0/20,72.14.192.0/18,74.125.0.0/16,108.177.8.0/21,173.194.0.0/16,209.85.128.0/17,216.58.192.0/19,216.239.32.0/19,172.217.0.0/19,172.217.32.0/20,172.217.128.0/19,172.217.160.0/20,172.217.192.0/19,108.177.96.0/19,35.191.0.0/16,130.211.0.0/22" - ;; - 2 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=23.103.132.0/22,23.103.136.0/21,23.103.144.0/20,23.103.198.0/23,23.103.200.0/22,23.103.212.0/22,40.92.0.0/14,40.107.0.0/17,40.107.128.0/18,52.100.0.0/14,65.55.88.0/24,65.55.169.0/24,94.245.120.64/26,104.47.0.0/17,104.212.58.0/23,134.170.132.0/24,134.170.140.0/24,157.55.234.0/24,157.56.110.0/23,157.56.112.0/24,207.46.51.64/26,207.46.100.0/24,207.46.163.0/24,213.199.154.0/24,213.199.180.128/26,216.32.180.0/23" - ;; - 3 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=0.0.0.0/0" - ;; - 4 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=" - ;; - * ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=$1" - ;; - esac - echo " " -} - - - - -GetGwCks() { - local input="" - echo "CKS Enabled" - echo " Options" - echo " 1 - Yes" - echo " 2 - No" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - - - ;; - 1 ) - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - 2 ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - * ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - esac - echo " " - - - if [ $gwMode = "decrypt-everything" ] - then - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - fi -} - - - - -GetGwFqdn() { - local input="" - read -p "Gateway FQDN [$1]: " input - - - - - case "$input" in - $blank ) - gwFqdn=$1 - ;; - * ) - gwFqdn=$input - 
;; - esac - echo " " -} - - - - -GetGwDomain() { - local input="" - read -p "Gateway Domain [$1]: " input - - - - - case "$input" in - $blank ) - gwDomain=$1 - ;; - * ) - gwDomain=$input - ;; - esac - echo " " -} - - - - -GetGwOutboundRelay() { - local input="" - echo "Outbound Relay - Next Hop in SMTP mailflow after the gateway." - echo " Gmail Relay" - echo " [smtp-relay.gmail.com]:587" - echo " " - echo " Office 365" - echo " [MX Record]:25" - echo " " - echo " Custom" - echo " [1.1.1.1]:25" - echo " " - echo " Blank (Gateway performs final delivery)" - read -p "Enter Relay Address []: " input - - - - - case "$input" in - $blank ) - gwOutboundRelay="# GATEWAY_TRANSPORT_MAPS=*=>$1" - ;; - * ) - gwOutboundRelay="GATEWAY_TRANSPORT_MAPS=*=>$input" - ;; - esac - echo " " -} - - - - -GetGwDkimSelector() { - local input="" - read -p "Gateway DKIM Selector [$1]: " input - - - - - case "$input" in - $blank ) - gwDkimSelector=$1 - ;; - * ) - gwDkimSelector=$input - ;; - esac - echo " " -} - - - - -GetGwAmplitudeToken() { - local input="" - read -p "Amplitude Token (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwAmplitudeToken=$1 - ;; - * ) - gwAmplitudeToken=$input - ;; - esac - echo " " -} - - - - -GetGwHmacName() { - local input="" - read -p "Token ID (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacName=$1 - ;; - * ) - gwHmacName=$input - ;; - esac - echo " " -} - - - - -GetGwHmacSecret() { - local input="" - read -p "Token (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacSecret=$1 - ;; - * ) - gwHmacSecret=$input - ;; - esac - echo " " -} - - - - - - - - -MakeTlsPathVariables() { - tlsPath="/var/virtru/vg/tls/$gwFqdn" - tlsKeyFile="client.key" - tlsKeyFull="$tlsPath/$tlsKeyFile" - tlsPemFile="client.pem" - tlsPemFull="$tlsPath/$tlsPemFile" -} - - - - -MakeDkimPathVariables() { - dkimPath="/var/virtru/vg/dkim" - dkimPrivateFull="$dkimPath/$gwDkimSelector" - 
dkimPrivateFull="$dkimPrivateFull._domainkey.$gwDomain.pem" - dkimPublicFull="$dkimPath/$gwDkimSelector._domainkey.$gwDomain-public.pem" -} - - - - -MakeDirectories(){ - mkdir -p /var/virtru/vg/ - mkdir -p /var/virtru/vg/env - mkdir -p /var/virtru/vg/scripts - mkdir -p /var/virtru/vg/tls - mkdir -p /var/virtru/vg/queue - mkdir -p /var/virtru/vg/queue/$gwName - chown -R 149:149 /var/virtru/vg/queue/$gwName - mkdir -p /var/virtru/vg/test - mkdir -p $tlsPath - mkdir -p /var/virtru/vg/dkim -} - - - - -MakeTlsCert(){ -## Make TLS Certs -openssl genrsa -out $tlsKeyFull 2048 -openssl req -new -key $tlsKeyFull -x509 -subj /CN=$gwFqdn -days 3650 -out $tlsPemFull - -} - - - - -MakeDkimCert(){ -openssl genrsa -out $dkimPrivateFull 1024 -outform PEM -openssl rsa -in $dkimPrivateFull -out $dkimPublicFull -pubout -outform PEM -} - -WriteTestScripts(){ - testScript1=/var/virtru/vg/test/checkendpoints.sh -/bin/cat <$testScript1 -#!/bin/bash - -echo https://google.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://google.com -echo "" - -echo https://acm.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://acm.virtru.com -echo "" - -echo https://api.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://acm.virtru.com -echo "" - -echo https://accounts.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://accounts.virtru.com -echo "" - -echo https://secure.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://secure.virtru.com -echo "" - -echo https://api.amplitude.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://api.amplitude.com -echo "" - -echo https://cdn.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://cdn.virtru.com -echo "" - -echo 
https://hub.docker.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://hub.docker.com -echo "" - -EOM - - - testScript2=/var/virtru/vg/test/runall.sh -/bin/cat <$testScript2 -#!/bin/bash - -for container in \`docker ps -q\`; do - # show the name of the container - docker inspect --format='{{.Name}}' \$container; - # run the command (date in the case) - docker exec -it \$container \$1 -done - - -EOM - - - testScript3=/var/virtru/vg/test/sendtestmessage.sh -/bin/cat <$testScript3 -#!/bin/bash - -echo "Update Virtru Gateway ENV file to include the lan ip of the Gateway." -echo "Use the lan IP and not the loopback (127.0.0.1)" -read -p "SMTP Server: " server -read -p "SMTP Port: " port -read -p "FROM: " from -read -p "TO: " to - -swaks --To \$to --From \$from --header "Subject: Test mail" --body "This is a test mail" --server \$server --port \$port -tls -4 - - - - -EOM - - -} - - -ShowLogo() { -echo " " -echo " +++ '++." -echo " +++ ++++" -echo " ++++" -echo " ,::: +++ +++ :+++++++ +++++++ .+++++++ .++ '++" -echo " ++++ .+++. '+++ ++++++++++ ++++++++ ++++++++++ ++++ ++++" -echo " ++++ ++++ ++++ +++++''++ +++++++ +++++++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ ++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++++ ;+++ ++++ ++++ ++++ ++++++++" -echo " ++++ +++ ++' ++ ++' .++++" -echo " " -echo " S i m p l e E m a i l P r i v a c y" -echo " " -echo " " - - - - - - - - -} -WriteEnv() { - envFile=/var/virtru/vg/env/$gwName.env - - - - - - - - -/bin/cat <$envFile -# Required to match the CN (Common Name) on the certificate. -# TLS will not function unless this matches. -# -GATEWAY_HOSTNAME=$gwFqdn - - -# Enable verbose logging in Gateway. -# Values -# Enable: 1 -# Disable: 0 -# Default: 0 -# Required: No -# Note: Set this to 0 unless you are debugging something. 
-# -GATEWAY_VERBOSE_LOGGING=0 - - - -# Domain name of organization -# Values -# Domain -# Required: Yes -# -GATEWAY_ORGANIZATION_DOMAIN=$gwDomain - - - -# Comma delimited list of trusted networks in CIDR formate. -# Inbound addresses allowed to connect to the gateway -# Values (examples) -# All IP: 0.0.0.0/0 -# 2 IP: 2.2.2.2/32,2.2.2.3/32 -# Required: Yes -# -$gwInboundRelay - - - -# Enable Proxy Protocol for SMTP. -# For use behind a load balancer. -# Values -# Enable: 1 -# Disable: 0 -# Default: 1 -# Required: No -# -GATEWAY_PROXY_PROTOCOL=0 - - - -# Comma delimited set of domains and next-hop destinations and optional ports -# Values -# Not defined/Commented out - Final delivery by MX -# GATEWAY_TRANSPORT_MAPS=*=>[Next hop FQDN]:port -# Default: Not defined/Commented out - Final delivery by MX -# Required: No -# -# Examples: -# -# Gmail Relay -# GATEWAY_TRANSPORT_MAPS=*=>[smtp-relay.gmail.com]:587 -# -# Office 365 -# GATEWAY_TRANSPORT_MAPS=*=>[MX Record]:25 -# -# Custom -# GATEWAY_TRANSPORT_MAPS=*=>[1.1.1.1]:25 -# -$gwOutboundRelay - - -# The mode for the Gateway. -# Values -# decrypt-everything -# encrypt-everything -# dlp - Use rules defined on Virtru Dashboard (https://secure.virtru.com/dashboard) -# Default: encrypt-everything -# Required: Yes -# -GATEWAY_MODE=$gwMode - - - -# Topology of the gateway. -# Values -# outbound -# inbound -# Default: outbound -# Required: Yes -GATEWAY_TOPOLOGY=$gwTopology - - - -# URL to Virtru's ACM service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACM_URL=https://api.virtru.com/acm - - - -# URL to Virtru's Accounts service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACCOUNTS_URL=https://api.virtru.com/accounts - - - -# The base URL for remote content. -# Required: Yes -# Note: Do not change unless directed by Virtru. If Custom Secure Reader URL is in use the URL should match. 
-# -GATEWAY_REMOTE_CONTENT_BASE_URL=https://secure.virtru.com/start - - - -# DKIM certificate information -# Values -# Not defined/Commented out - Gateway will not perform any DKIM signing -# Complete record for DKIM signing -# Required: No -# Example: -# GATEWAY_DKIM_DOMAINS=gw._domainkey.example.com -# -# GATEWAY_DKIM_DOMAINS=$gwDkimSelector._domainkey.$gwDomain - - - -# HMAC Token Name to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your token Name. -# -GATEWAY_API_TOKEN_NAME=$gwHmacName - - - -# HMAC Token Secret to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token Secret. -# -GATEWAY_API_TOKEN_SECRET=$gwHmacSecret - - - -# Amplitude Token to connect to the Virtru Events platform -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token. -# -GATEWAY_AMPLITUDE_API_KEY=$gwAmplitudeToken - - - -# Consider a message as undeliverable, when delivery fails with a temporary error, and the time in the queue -# has reached the maximal_queue_lifetime limit. -# Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is d (days). -# Postfix default is '5d'. Set this ENV variable if default does not work. -# Values -# NumberUnits -# Default: 5d -# Required: No -# Note: Specify 0 when mail delivery should be tried only once. -# -MAX_QUEUE_LIFETIME=5m - - - -# The maximal time between attempts to deliver a deferred message. 
-# Values
-# NumberUnits
-# Default: 4000s
-# Required: No
-# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME
-#
-MAX_BACKOFF_TIME=45s
-
-
-
-# The minimal time between attempts to deliver a deferred message
-# Values
-# NumberUnits
-# Default: 300s
-# Required: No
-# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME
-#
-MIN_BACKOFF_TIME=30s
-
-
-
-# The time between deferred queue scans by the queue manager
-# Values
-# NumberUnits
-# Default: 300s
-# Required: No
-#
-QUEUE_RUN_DELAY=30s
-
-
-
-# Gateway Inbound
-# Enable Inbound TLS to the Gateway.
-# Values
-# 1 Enabled
-# 0 Disabled
-# Default: 1
-# Required: No
-#
-GATEWAY_SMTPD_USE_TLS=1
-
-
-
-# TLS Compliance Level for upstream (inbound) connections.
-# This sets TLS version and cipher list accordingly.
-# Customer is still responsible for following other NIST and/or OWASP recommendations,
-# notably making sure certificates are signed and keys are rotated regularly.
-# Values:
-# LOW
-# MEDIUM
-# HIPPA_2018
-# PCI_321
-# HIGH
-#
-# Default: N/A
-# Required: No
-# Note: If any level above LOW, you must set:
-# GATEWAY_SMTPD_SECURITY_LEVEL= mandatory
-# GATEWAY_SMTPD_USE_TLS=1
-#
-#
-$gwSmtpdTlsCompliance
-
-
-
-# Gateway Inbound
-# TLS level for inbound connections
-# Values
-# none
-# mandatory
-# opportunistic
-# Require: No
-# Note: Only used when:
-# GATEWAY_SMTPD_USE_TLS=1
-#
-$gwSmtpdSecurityLevel
-
-
-
-# Gateway Outbound
-# Enable TLS at the Gateway.
-# Values
-# 1 Enabled
-# 0 Disabled
-# Default: 1
-# Require: No
-#
-GATEWAY_SMTP_USE_TLS=1
-
-
-
-# Gateway Outbound
-# TLS level for outbound connections
-# Values
-# none
-# mandatory
-# opportunistic
-# Require: No
-#
-$gwSmtpSecurityLevel
-
-
-
-# TLS Compliance Level for downstream (outbound) connections.
-# This sets TLS version and cipher list accordingly.
-# Customer is still responsible for following other NIST and/or OWASP recommendations,
-# notably making sure certificates are signed and keys are rotated regularly.
-# Values:
-# LOW
-# MEDIUM
-# HIPPA_2018
-# PCI_321
-# HIGH
-#
-# Default: N/A
-# Required: No
-# Note: If any level above LOW, you must set:
-# GATEWAY_SMTP_SECURITY_LEVEL= mandatory
-# GATEWAY_SMTP_USE_TLS=1
-#
-#
-$gwSmtpTlsCompliance
-
-
-
-# Gateway Outbound
-# If SASL_ENABLED_DOWNSTREAM enabled, specify Postfix SMTP client SASL security options here.
-# Default: N/A
-# Required: No
-# Values: Text
-#
-# GATEWAY_SMTP_SASL_SECURITY_OPTIONS=noanonymous
-#
-
-
-
-# Gateway Outbound
-# Require SASL authentication for outbound downstream or relay servers attempting to connect this server.
-# Default: 0
-# Required: No
-# Values:
-# 0 (Disabled)
-# 1 (Enabled)
-#
-# GATEWAY_SMTP_SASL_ENABLED_DOWNSTREAM=0
-#
-
-
-
-# Gateway Outbound
-# Accounts for Authentication
-# Example:
-# GATEWAY_SMTPD_SASL_GATEWAY_SMTPD_SASL_ACCOUNTS=example.com=>user1=>password1,example.net=>user2=>password2
-# Required: No
-#
-# GATEWAY_SMTP_SASL_ACCOUNTS=
-#
-
-
-
-# Gateway Outbound
-# Outbound TLS requirements for a domain. Comma separated list.
-# Example
-# example.com=>none
-# example.net=>maybe
-# example.org=>encrypt
-# GATEWAY_SMTP_TLS_POLICY_MAPS=example.com=>none,example.net=>maybe
-#
-# GATEWAY_SMTP_TLS_POLICY_MAPS=
-
-
-
-# New Relic Key
-# Customer provided key to log events in customer's New Relic Tenant
-# Values
-# Provided by New Relic
-# Required: No
-#
-# GATEWAY_NEWRELIC_CRED=
-
-
-
-# Inbound Authentication enablement.
-# Enable inbound authentication.
-# Supported modes: CRAM-MD5 or DIGEST-MD5
-# Values
-# 1 Enabled
-# 0 Disabled
-# Default: 0
-# Require: No
-#
-# GATEWAY_SMTPD_SASL_ENABLED=0
-
-
-
-# Inbound Authentication mechanisms.
-# Space-delimited list of SASL mechanisms to support for upstream SASL.
-#
-# Default: N/A
-# Required: No
-# Values:
-# PLAIN
-# LOGIN
-# CRAM-MD5
-# DIGEST-MD5
-# Note: Only required when:
-# GATEWAY_SMTPD_SASL_ENABLED_UPSTREAM=1
-#
-# GATEWAY_SMTPD_SASL_MECHANISMS=
-#
-
-
-# Inbound Authentication
-# Accounts for Authentication
-# Example:
-# GATEWAY_SMTPD_SASL_ACCOUNTS=example.net=>user1=>password1,example.com=>user2=>password2
-# Required: No
-#
-# GATEWAY_SMTPD_SASL_ACCOUNTS=
-#
-
-
-
-# Inbound X-Header Authentication
-# Enable inbound X-Header authentication
-# Values
-# 1 Enabled
-# 0 Disabled
-# Default: 0
-# Require: No
-#
-# GATEWAY_XHEADER_AUTH_ENABLED=
-#
-
-
-
-# Inbound X-Header Authentication
-# Enable inbound X-Header authentication Shared Secret
-# Example variable:
-# GATEWAY_XHEADER_AUTH_SECRET=123456789
-# Example of applied header with secret
-# X-Header-Virtru-Auth=123456789
-# Require: No
-#
-# GATEWAY_XHEADER_AUTH_SECRET=
-#
-
-
-
-# CKS Enabled Organization
-#
-# If Gateway is in Decrypt Mode Required
-# Required: Yes
-# If Gateway is in Encrypt Mode Required only if the Organization is CKS enabled.
-# Required: No
-#
-# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS
-#
-$gwCks
-
-
-
-# CKS Key Intergenerational Period
-# Time between Gateway CKS public/private client Key Generation
-#
-# Required: No
-# Default: 360
-#
-# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360
-#
-$gwCksKey
-
-
-
-# Time to Cache DLP rule.
-# The interval of time between refreshing the DLP rules in minutes.
-#
-# Required: No
-# Default: 30
-# Minimum: 0
-#
-# Note: Number in minutes. To refresh every request, set to 0.
-#
-# GATEWAY_DLP_CACHE_DURATION=30
-
-
-# Inbound FROM address rewrite.
-# Enable or disable from address rewriting (inbound topology only). This feature allows the Virtru Gateway to support DKIM.
-# -# Required: No -# Default: 1 -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_REPLACEMENT_FROM_ENABLED=1 - - - -# Enable decryption of PFP protected files -# The feature to enable/disable the option to decrypt Virtru Persistent File Protection -# protected files (DECRYPT mode only) -# -# Required: No -# Default: 1 -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_DECRYPT_PERSISTENT_PROTECTED_ATTACHMENTS=1 - - -# SMTP XHeaders for the Gateway to set on all mail it processes -# Example Header Values -# X-Header-1: value1, X-Header-2: value2 -# GATEWAY_ROUTING_XHEADERS= - -# Cache Outgoing SMTP Connections -# Whether to cache outgoing connections to mailservers. -# If "1", use on-demand connection caching. If "0", do not cache. -# If a list of domains (e.g. example.org,hotmail.com,gmail.com) -# then use per-destination connection caching. -# -# Required: No -# Default: 0 -# Values: -# 1 - True -# 0 - False -# -# GATEWAY_SMTP_CACHE_CONNECTIONS=0 - -# Outgoing SMTP Connection Cache Time Limit -# How long to cache SMTP connections for. -# Sets smtp_connection_cache_time_limit to the provied value -# so that the smtp daemon doesn't close the connection and -# sets connection_cache_ttl_limit to the same value so that the cached value is still valid -# -# Required: No -# Default: None -# Example Values: -# 30s -# 2m -# -# GATEWAY_SMTP_CONNECTION_CACHE_TIME_LIMIT=30s - -# Decrypt Then Re-Encrypt Workflow -# If you use a multi-gateway approach for sending email. -# I.e. your workflow looks something like -# (Decrypt -> Scan -> Encrypt) before sending/receiving email. 
-# -# Required: No -# Default: Disabled -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_DECRYPT_THEN_ENCRYPT=0 - - -EOM - - - - - - - - -} - - - - -WriteScript() { -echo $gwVersion - echo "script" - scriptFile=/var/virtru/vg/scripts/setup-$gwName.sh - - - - - /bin/cat <$scriptFile -docker run \\ ---env-file /var/virtru/vg/env/$gwName.env \\ --v /var/virtru/vg/tls/:/etc/postfix/tls \\ --v /var/virtru/vg/queue/$gwName/:/var/spool/postfix \\ --v /var/virtru/vg/dkim/:/etc/opendkim/keys \\ ---name $gwName \\ ---publish $gwPort:25 \\ ---interactive --tty --detach \\ ---restart unless-stopped \\ ---log-driver json-file \\ ---log-opt max-size=10m \\ ---log-opt max-file=100 \\ -virtru/$gwType:$gwVersion -EOM - - - - - - - - -chmod +x $scriptFile - - - - - - - - -} -ShowNextSteps() { - echo "next steps" - echo "-----------------------" - echo " Deploy Successful!" - echo " Next Steps:" - echo " " - echo " run: docker login" - echo " run: sh $scriptFile" - echo "-----------------------" -} - - - - - - - - - - -# Entry Point - - - - - - - - -clear -EntryPoint diff --git a/deploy-gateway-v2.21.0.sh b/deploy-gateway-v2.21.0.sh deleted file mode 100644 index 2833a85..0000000 --- a/deploy-gateway-v2.21.0.sh +++ /dev/null 
@@ -1,1351 +0,0 @@
-#!/bin/bash
-
-
-
-
-EntryPoint()
-{
-# Default Variables
-blank=""
-gwVersionDefault="2.21.0"
-gwPortDefault="9001"
-gwModeDefault="encrypt-everything"
-gwTopologyDefault="outbound"
-gwCksDefault="2"
-gwInboundRelayDefault=""
-gwFqdnDefault="gw.example.com"
-gwDomainDefault="example.com"
-gwDkimSelectorDefault="gw"
-gwOutboundRelayDefault=""
-gwAmplitudeTokenDefault="0000000000"
-gwHmacNameDefault="0000000000"
-gwHmacSecretDefault="0000000000"
-gwDefaultFips="2"
-
-
-
-
-
-
-
-# Final Variables
-gwName=""
-gwVersion=""
-gwPort=""
-gwMode=""
-gwTopology=""
-gwInboundRelay=""
-gwCks=""
-gwCksKey=""
-gwFqdn=""
-gwDkimSelector=""
-gwOutboundRelay=""
-gwAmplitudeToken=""
-gwHmacName=""
-gwHmacSecret=""
-gwType=""
-gwSmtpdTlsCompliance=""
-gwSmtpdSecurityLevel=""
-gwSmtpTlsCompliance=""
-gwSmtpSecurityLevel=""
-
-
-
-
-
-
-
-
-
-# Working Variables
-tlsPath=""
-tlsKeyFile=""
-tlsKeyFull=""
-tlsPemFile=""
-tlsPemFull=""
-dkimPath=""
-dkimPrivateFull=""
-dkimPublicFull=""
-scriptFile=""
-
-
-
-
-
-
-
-# Actions
-ShowLogo
-GetGwVersion $gwVersionDefault
-GetGwPort $gwPortDefault
-GetGwMode $gwModeDefault
-GetGwTopology $gwTopologyDefault
-GetGwFips $gwDefaultFips
-GetGwName
-GetGwInboundRelay $gwInboundRelayDefault
-GetGwCks $gwCksDefault
-GetGwFqdn $gwFqdnDefault
-GetGwDomain $gwDomainDefault
-GetGwDkimSelector $gwDkimSelectorDefault
-GetGwOutboundRelay $gwOutboundRelayDefault
-GetGwAmplitudeToken $gwAmplitudeTokenDefault
-GetGwHmacName $gwHmacNameDefault
-GetGwHmacSecret $gwHmacSecretDefault
-
-
-
-
-
-
-
-MakeTlsPathVariables
-MakeDkimPathVariables
-MakeDirectories
-MakeTlsCert
-MakeDkimCert
-WriteEnv
-WriteScript
-WriteTestScripts
-clear
-ShowLogo
-ShowNextSteps
-
-
-
-
-}
-
-
-
-
-
-
-
-
-
-
-
-
-## Functions
-GetGwName() {
- if [ $gwTopology = "outbound" ]
- then
- if [ $gwMode = "encrypt-everything" ]
- then
- gwName="oe-$gwPort"
- fi
- if [ $gwMode = "decrypt-everything" ]
- then
- gwName="od-$gwPort"
- fi
- if [ $gwMode = "dlp" ]
- then
-
gwName="dlp-out-$gwPort" - fi - else - if [ $gwMode = "encrypt-everything" ] - then - gwName="ie-$gwPort" - fi - if [ $gwMode = "decrypt-everything" ] - then - gwName="id-$gwPort" - fi - if [ $gwMode = "dlp" ] - then - gwName="dlp-in-$gwPort" - fi - fi - - -} - - - - -GetGwVersion() { - local input="" - read -p "Gateway Version [$1]: " input - - - - - case "$input" in - $blank ) - gwVersion=$1 - ;; - * ) - gwVersion=$input - ;; - esac - echo " " -} - - - - -GetGwPort() { -local input="" - read -p "Gateway Port [$1]: " input - - - - - case "$input" in - $blank ) - gwPort=$1 - ;; - * ) - gwPort=$input - ;; - esac - echo " " -} - - - - -GetGwMode() { - local input="" - echo "Gateway Mode" - echo " Options" - echo " 1 - encrypt-everything" - echo " 2 - decrypt-everything" - echo " 3 - dlp" - echo " " - read -p "Enter 1-3 [$1]: " input - - - - - case "$input" in - $blank ) - gwMode=$1 - ;; - 1 ) - gwMode="encrypt-everything" - ;; - 2 ) - gwMode="decrypt-everything" - ;; - 3 ) - gwMode="dlp" - ;; - * ) - gwMode=$1 - ;; - esac - echo " " -} - - - - -GetGwTopology() { - local input="" - echo "Gateway Topology" - echo " Options" - echo " 1 - inbound" - echo " 2 - outbound" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwTopology=$1 - ;; - 1 ) - gwTopology="inbound" - ;; - 2 ) - gwTopology="outbound" - ;; - * ) - gwTopology=$1 - ;; - esac - echo " " -} - - -GetGwFips() { - local input="" - echo "Do you have a FIPS requirement?" 
- echo " Options" - echo " 1 - Yes" - echo " 2 - No" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - 1 ) - gwType="gateway-fips" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=mandatory" - gwSmtpdTlsCompliance="GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=HIGH" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=mandatory" - gwSmtpTlsCompliance="GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=HIGH" - - - ;; - 2 ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - * ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - esac - echo " " -} - - - - -GetGwInboundRelay() { - local input="" - echo "Inbound Relay Addresses" - echo " Options" - echo " 1 - G Suite" - echo " 2 - O365" - echo " 3 - All" - echo " 4 - None" - read -p "Enter (1-4) [$1]: " input - - - - - case "$input" in - $blank ) - gwInboundRelay=$1 - ;; - 1 ) - 
gwInboundRelay="GATEWAY_RELAY_ADDRESSES=35.190.247.0/24,64.233.160.0/19,66.102.0.0/20,66.249.80.0/20,72.14.192.0/18,74.125.0.0/16,108.177.8.0/21,173.194.0.0/16,209.85.128.0/17,216.58.192.0/19,216.239.32.0/19,172.217.0.0/19,172.217.32.0/20,172.217.128.0/19,172.217.160.0/20,172.217.192.0/19,108.177.96.0/19,35.191.0.0/16,130.211.0.0/22" - ;; - 2 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=23.103.132.0/22,23.103.136.0/21,23.103.144.0/20,23.103.198.0/23,23.103.200.0/22,23.103.212.0/22,40.92.0.0/14,40.107.0.0/17,40.107.128.0/18,52.100.0.0/14,65.55.88.0/24,65.55.169.0/24,94.245.120.64/26,104.47.0.0/17,104.212.58.0/23,134.170.132.0/24,134.170.140.0/24,157.55.234.0/24,157.56.110.0/23,157.56.112.0/24,207.46.51.64/26,207.46.100.0/24,207.46.163.0/24,213.199.154.0/24,213.199.180.128/26,216.32.180.0/23" - ;; - 3 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=0.0.0.0/0" - ;; - 4 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=" - ;; - * ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=$1" - ;; - esac - echo " " -} - - - - -GetGwCks() { - local input="" - echo "CKS Enabled" - echo " Options" - echo " 1 - Yes" - echo " 2 - No" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - - - ;; - 1 ) - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - 2 ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - * ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - esac - echo " " - - - if [ $gwMode = "decrypt-everything" ] - then - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - fi -} - - - - -GetGwFqdn() { - local input="" - read -p "Gateway FQDN [$1]: " input - - - - - case "$input" in - $blank ) - gwFqdn=$1 - ;; - * ) - gwFqdn=$input - 
;; - esac - echo " " -} - - - - -GetGwDomain() { - local input="" - read -p "Gateway Domain [$1]: " input - - - - - case "$input" in - $blank ) - gwDomain=$1 - ;; - * ) - gwDomain=$input - ;; - esac - echo " " -} - - - - -GetGwOutboundRelay() { - local input="" - echo "Outbound Relay - Next Hop in SMTP mailflow after the gateway." - echo " Gmail Relay" - echo " [smtp-relay.gmail.com]:587" - echo " " - echo " Office 365" - echo " [MX Record]:25" - echo " " - echo " Custom" - echo " [1.1.1.1]:25" - echo " " - echo " Blank (Gateway performs final delivery)" - read -p "Enter Relay Address []: " input - - - - - case "$input" in - $blank ) - gwOutboundRelay="# GATEWAY_TRANSPORT_MAPS=*=>$1" - ;; - * ) - gwOutboundRelay="GATEWAY_TRANSPORT_MAPS=*=>$input" - ;; - esac - echo " " -} - - - - -GetGwDkimSelector() { - local input="" - read -p "Gateway DKIM Selector [$1]: " input - - - - - case "$input" in - $blank ) - gwDkimSelector=$1 - ;; - * ) - gwDkimSelector=$input - ;; - esac - echo " " -} - - - - -GetGwAmplitudeToken() { - local input="" - read -p "Amplitude Token (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwAmplitudeToken=$1 - ;; - * ) - gwAmplitudeToken=$input - ;; - esac - echo " " -} - - - - -GetGwHmacName() { - local input="" - read -p "Token ID (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacName=$1 - ;; - * ) - gwHmacName=$input - ;; - esac - echo " " -} - - - - -GetGwHmacSecret() { - local input="" - read -p "Token (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacSecret=$1 - ;; - * ) - gwHmacSecret=$input - ;; - esac - echo " " -} - - - - - - - - -MakeTlsPathVariables() { - tlsPath="/var/virtru/vg/tls/$gwFqdn" - tlsKeyFile="client.key" - tlsKeyFull="$tlsPath/$tlsKeyFile" - tlsPemFile="client.pem" - tlsPemFull="$tlsPath/$tlsPemFile" -} - - - - -MakeDkimPathVariables() { - dkimPath="/var/virtru/vg/dkim" - dkimPrivateFull="$dkimPath/$gwDkimSelector" - 
dkimPrivateFull="$dkimPrivateFull._domainkey.$gwDomain.pem" - dkimPublicFull="$dkimPath/$gwDkimSelector._domainkey.$gwDomain-public.pem" -} - - - - -MakeDirectories(){ - mkdir -p /var/virtru/vg/ - mkdir -p /var/virtru/vg/env - mkdir -p /var/virtru/vg/scripts - mkdir -p /var/virtru/vg/tls - mkdir -p /var/virtru/vg/queue - mkdir -p /var/virtru/vg/queue/$gwName - chown -R 149:149 /var/virtru/vg/queue/$gwName - mkdir -p /var/virtru/vg/test - mkdir -p $tlsPath - mkdir -p /var/virtru/vg/dkim -} - - - - -MakeTlsCert(){ -## Make TLS Certs -openssl genrsa -out $tlsKeyFull 2048 -openssl req -new -key $tlsKeyFull -x509 -subj /CN=$gwFqdn -days 3650 -out $tlsPemFull - -} - - - - -MakeDkimCert(){ -openssl genrsa -out $dkimPrivateFull 1024 -outform PEM -openssl rsa -in $dkimPrivateFull -out $dkimPublicFull -pubout -outform PEM -} - -WriteTestScripts(){ - testScript1=/var/virtru/vg/test/checkendpoints.sh -/bin/cat <$testScript1 -#!/bin/bash - -echo https://google.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://google.com -echo "" - -echo https://acm.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://acm.virtru.com -echo "" - -echo https://api.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://acm.virtru.com -echo "" - -echo https://accounts.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://accounts.virtru.com -echo "" - -echo https://secure.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://secure.virtru.com -echo "" - -echo https://api.amplitude.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://api.amplitude.com -echo "" - -echo https://cdn.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://cdn.virtru.com -echo "" - -echo 
https://hub.docker.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://hub.docker.com -echo "" - -EOM - - - testScript2=/var/virtru/vg/test/runall.sh -/bin/cat <$testScript2 -#!/bin/bash - -for container in \`docker ps -q\`; do - # show the name of the container - docker inspect --format='{{.Name}}' \$container; - # run the command (date in the case) - docker exec -it \$container \$1 -done - - -EOM - - - testScript3=/var/virtru/vg/test/sendtestmessage.sh -/bin/cat <$testScript3 -#!/bin/bash - -echo "Update Virtru Gateway ENV file to include the lan ip of the Gateway." -echo "Use the lan IP and not the loopback (127.0.0.1)" -read -p "SMTP Server: " server -read -p "SMTP Port: " port -read -p "FROM: " from -read -p "TO: " to - -swaks --To \$to --From \$from --header "Subject: Test mail" --body "This is a test mail" --server \$server --port \$port -tls -4 - - - - -EOM - - -} - - -ShowLogo() { -echo " " -echo " +++ '++." -echo " +++ ++++" -echo " ++++" -echo " ,::: +++ +++ :+++++++ +++++++ .+++++++ .++ '++" -echo " ++++ .+++. '+++ ++++++++++ ++++++++ ++++++++++ ++++ ++++" -echo " ++++ ++++ ++++ +++++''++ +++++++ +++++++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ ++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++++ ;+++ ++++ ++++ ++++ ++++++++" -echo " ++++ +++ ++' ++ ++' .++++" -echo " " -echo " S i m p l e E m a i l P r i v a c y" -echo " " -echo " " - - - - - - - - -} -WriteEnv() { - envFile=/var/virtru/vg/env/$gwName.env - - - - - - - - -/bin/cat <$envFile -# Required to match the CN (Common Name) on the certificate. -# TLS will not function unless this matches. -# -GATEWAY_HOSTNAME=$gwFqdn - - -# Enable verbose logging in Gateway. -# Values -# Enable: 1 -# Disable: 0 -# Default: 0 -# Required: No -# Note: Set this to 0 unless you are debugging something. 
-# -GATEWAY_VERBOSE_LOGGING=0 - - - -# Domain name of organization -# Values -# Domain -# Required: Yes -# -GATEWAY_ORGANIZATION_DOMAIN=$gwDomain - - - -# Comma delimited list of trusted networks in CIDR formate. -# Inbound addresses allowed to connect to the gateway -# Values (examples) -# All IP: 0.0.0.0/0 -# 2 IP: 2.2.2.2/32,2.2.2.3/32 -# Required: Yes -# -$gwInboundRelay - - - -# Enable Proxy Protocol for SMTP. -# For use behind a load balancer. -# Values -# Enable: 1 -# Disable: 0 -# Default: 1 -# Required: No -# -GATEWAY_PROXY_PROTOCOL=0 - - - -# Comma delimited set of domains and next-hop destinations and optional ports -# Values -# Not defined/Commented out - Final delivery by MX -# GATEWAY_TRANSPORT_MAPS=*=>[Next hop FQDN]:port -# Default: Not defined/Commented out - Final delivery by MX -# Required: No -# -# Examples: -# -# Gmail Relay -# GATEWAY_TRANSPORT_MAPS=*=>[smtp-relay.gmail.com]:587 -# -# Office 365 -# GATEWAY_TRANSPORT_MAPS=*=>[MX Record]:25 -# -# Custom -# GATEWAY_TRANSPORT_MAPS=*=>[1.1.1.1]:25 -# -$gwOutboundRelay - - -# The mode for the Gateway. -# Values -# decrypt-everything -# encrypt-everything -# dlp - Use rules defined on Virtru Dashboard (https://secure.virtru.com/dashboard) -# Default: encrypt-everything -# Required: Yes -# -GATEWAY_MODE=$gwMode - - - -# Topology of the gateway. -# Values -# outbound -# inbound -# Default: outbound -# Required: Yes -GATEWAY_TOPOLOGY=$gwTopology - - - -# URL to Virtru's ACM service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACM_URL=https://api.virtru.com/acm - - - -# URL to Virtru's Accounts service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACCOUNTS_URL=https://api.virtru.com/accounts - - - -# The base URL for remote content. -# Required: Yes -# Note: Do not change unless directed by Virtru. If Custom Secure Reader URL is in use the URL should match. 
-# -GATEWAY_REMOTE_CONTENT_BASE_URL=https://secure.virtru.com/start - - - -# DKIM certificate information -# Values -# Not defined/Commented out - Gateway will not perform any DKIM signing -# Complete record for DKIM signing -# Required: No -# Example: -# GATEWAY_DKIM_DOMAINS=gw._domainkey.example.com -# -# GATEWAY_DKIM_DOMAINS=$gwDkimSelector._domainkey.$gwDomain - - - -# HMAC Token Name to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your token Name. -# -GATEWAY_API_TOKEN_NAME=$gwHmacName - - - -# HMAC Token Secret to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token Secret. -# -GATEWAY_API_TOKEN_SECRET=$gwHmacSecret - - - -# Amplitude Token to connect to the Virtru Events platform -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token. -# -GATEWAY_AMPLITUDE_API_KEY=$gwAmplitudeToken - - - -# Consider a message as undeliverable, when delivery fails with a temporary error, and the time in the queue -# has reached the maximal_queue_lifetime limit. -# Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is d (days). -# Postfix default is '5d'. Set this ENV variable if default does not work. -# Values -# NumberUnits -# Default: 5d -# Required: No -# Note: Specify 0 when mail delivery should be tried only once. -# -MAX_QUEUE_LIFETIME=5m - - - -# The maximal time between attempts to deliver a deferred message. 
-# Values -# NumberUnits -# Default: 4000s -# Required: No -# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME -# -MAX_BACKOFF_TIME=45s - - - -# The minimal time between attempts to deliver a deferred message -# Values -# NumberUnits -# Default: 300s -# Required: No -# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME -# -MIN_BACKOFF_TIME=30s - - - -# The time between deferred queue scans by the queue manager -# Values -# NumberUnits -# Default: 300s -# Required: No -# -QUEUE_RUN_DELAY=30s - - - -# Gateway Inbound -# Enable Inbound TLS to the Gateway. -# Values -# 1 Enabled -# 0 Disabled -# Default: 1 -# Required: No -# -GATEWAY_SMTPD_USE_TLS=1 - - - -# TLS Compliance Level for upstream (inbound) connections. -# This sets TLS version and cipher list accordingly. -# Customer is still responsible for following other NIST and/or OWASP recommendations, -# notably making sure certificates are signed and keys are rotated regularly. -# Values: -# LOW -# MEDIUM -# HIPPA_2018 -# PCI_321 -# HIGH -# -# Default: N/A -# Required: No -# Note: If any level above LOW, you must set: -# GATEWAY_SMTPD_SECURITY_LEVEL= mandatory -# GATEWAY_SMTPD_USE_TLS=1 -# -# -$gwSmtpdTlsCompliance - - - -# Gateway Inbound -# TLS level for inbound connections -# Values -# none -# mandatory -# opportunistic -# Require: No -# Note: Only used when: -# GATEWAY_SMTPD_USE_TLS=1 -# -$gwSmtpdSecurityLevel - - - -# Gateway Outbound -# Enable TLS at the Gateway. -# Values -# 1 Enabled -# 0 Disabled -# Default: 1 -# Require: No -# -GATEWAY_SMTP_USE_TLS=1 - - - -# Gateway Outbound -# TLS level for outbound connections -# Values -# none -# mandatory -# opportunistic -# Require: No -# -$gwSmtpSecurityLevel - - - -# TLS Compliance Level for downstream (outbound) connections. -# This sets TLS version and cipher list accordingly. 
-# Customer is still responsible for following other NIST and/or OWASP recommendations, -# notably making sure certificates are signed and keys are rotated regularly. -# Values: -# LOW -# MEDIUM -# HIPPA_2018 -# PCI_321 -# HIGH -# -# Default: N/A -# Required: No -# Note: If any level above LOW, you must set: -# GATEWAY_SMTP_SECURITY_LEVEL= mandatory -# GATEWAY_SMTP_USE_TLS=1 -# -# -$gwSmtpTlsCompliance - - - -# Gateway Outbound -# If SASL_ENABLED_DOWNSTREAM enabled, specify Postfix SMTP client SASL security options here. -# Default: N/A -# Required: No -# Values: Text -# -# GATEWAY_SMTP_SASL_SECURITY_OPTIONS=noanonymous -# - - - -# Gateway Outbound -# Require SASL authentication for outbound downstream or relay servers attempting to connect this server. -# Default: 0 -# Required: No -# Values: -# 0 (Disabled) -# 1 (Enabled) -# -# GATEWAY_SMTP_SASL_ENABLED_DOWNSTREAM=0 -# - - - -# Gateway Outbound -# Accounts for Authentication -# Example: -# GATEWAY_SMTPD_SASL_GATEWAY_SMTPD_SASL_ACCOUNTS=example.com=>user1=>password1,example.net=>user2=>password2 -# Required: No -# -# GATEWAY_SMTP_SASL_ACCOUNTS= -# - - - -# Gateway Outbound -# Outbound TLS requirements for a domain. Comma separated list. -# Example -# example.com=>none -# example.net=>maybe -# example.org=>encrypt -# GATEWAY_SMTP_TLS_POLICY_MAPS=example.com=>none,example.net=>maybe -# -# GATEWAY_SMTP_TLS_POLICY_MAPS= - - - -# Inbound Authentication enablement. -# Enable inbound authentication. -# Supported modes: CRAM-MD5 or DIGEST-MD5 -# Values -# 1 Enabled -# 0 Disabled -# Default: 0 -# Require: No -# -# GATEWAY_SMTPD_SASL_ENABLED=0 - - - -# Inbound Authentication mechanisms. -# Space-delimited list of SASL mechanisms to support for upstream SASL. 
-# -# Default: N/A -# Required: No -# Values: -# PLAIN -# LOGIN -# CRAM-MD5 -# DIGEST-MD5 -# Note: Only required when: -# GATEWAY_SMTPD_SASL_ENABLED_UPSTREAM=1 -# -# GATEWAY_SMTPD_SASL_MECHANISMS= -# - - -# Inbound Authentication -# Accounts for Authentication -# Example: -# GATEWAY_SMTPD_SASL_ACCOUNTS=example.net=>user1=>password1,example.com=>user2=>password2 -# Required: No -# -# GATEWAY_SMTPD_SASL_ACCOUNTS= -# - - - -# Inbound X-Header Authentication -# Enable inbound X-Header authentication -# Values -# 1 Enabled -# 0 Disabled -# Default: 0 -# Require: No -# -# GATEWAY_XHEADER_AUTH_ENABLED= -# - - - -# Inbound X-Header Authentication -# Enable inbound X-Header authentication Shared Secret -# Example variable: -# GATEWAY_XHEADER_AUTH_SECRET=123456789 -# Example of applied header with secret -# X-Header-Virtru-Auth=123456789 -# Require: No -# -# GATEWAY_XHEADER_AUTH_SECRET= -# - - - -# CKS Enabled Organization -# -# If Gateway is in Decrypt Mode Required -# Required: Yes -# If Gateway is in Encrypt Mode Required only if the Organization is CKS enabled. -# Required: No -# -# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS -# -$gwCks - - - -# CKS Key Intergenerational Period -# Time between Gateway CKS public/private client Key Generation -# -# Required: No -# Default: 360 -# -# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360 -# -$gwCksKey - - - -# Time to Cache DLP rule. -# The interval of time between refreshing the DLP rules in minutes. -# -# Required: No -# Default: 30 -# Minimum: 0 -# -# Note: Number in minutes. To refresh every request, set to 0. -# -# GATEWAY_DLP_CACHE_DURATION=30 - - -# Inbound FROM address rewrite. -# Enable or disable from address rewriting (inbound topology only). This feature allows the Virtru Gateway to support DKIM. 
-# -# Required: No -# Default: 1 -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_REPLACEMENT_FROM_ENABLED=1 - - - -# Enable decryption of PFP protected files -# The feature to enable/disable the option to decrypt Virtru Persistent File Protection -# protected files (DECRYPT mode only) -# -# Required: No -# Default: 1 -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_DECRYPT_PERSISTENT_PROTECTED_ATTACHMENTS=1 - - -# SMTP XHeaders for the Gateway to set on all mail it processes -# Example Header Values -# X-Header-1: value1, X-Header-2: value2 -# GATEWAY_ROUTING_XHEADERS= - -# Cache Outgoing SMTP Connections -# Whether to cache outgoing connections to mailservers. -# If "1", use on-demand connection caching. If "0", do not cache. -# If a list of domains (e.g. example.org,hotmail.com,gmail.com) -# then use per-destination connection caching. -# -# Required: No -# Default: 0 -# Values: -# 1 - True -# 0 - False -# -# GATEWAY_SMTP_CACHE_CONNECTIONS=0 - -# Outgoing SMTP Connection Cache Time Limit -# How long to cache SMTP connections for. -# Sets smtp_connection_cache_time_limit to the provied value -# so that the smtp daemon doesn't close the connection and -# sets connection_cache_ttl_limit to the same value so that the cached value is still valid -# -# Required: No -# Default: None -# Example Values: -# 30s -# 2m -# -# GATEWAY_SMTP_CONNECTION_CACHE_TIME_LIMIT=30s - -# Decrypt Then Re-Encrypt Workflow -# If you use a multi-gateway approach for sending email. -# I.e. your workflow looks something like -# (Decrypt -> Scan -> Encrypt) before sending/receiving email. 
-# -# Required: No -# Default: Disabled -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_DECRYPT_THEN_ENCRYPT=0 - - -EOM - - - - - - - - -} - - - - -WriteScript() { -echo $gwVersion - echo "script" - scriptFile=/var/virtru/vg/scripts/setup-$gwName.sh - - - - - /bin/cat <$scriptFile -docker run \\ ---env-file /var/virtru/vg/env/$gwName.env \\ --v /var/virtru/vg/tls/:/etc/postfix/tls \\ --v /var/virtru/vg/queue/$gwName/:/var/spool/postfix \\ --v /var/virtru/vg/dkim/:/etc/opendkim/keys \\ ---name $gwName \\ ---publish $gwPort:25 \\ ---interactive --tty --detach \\ ---restart unless-stopped \\ ---log-driver json-file \\ ---log-opt max-size=10m \\ ---log-opt max-file=100 \\ -virtru/$gwType:$gwVersion -EOM - - - - - - - - -chmod +x $scriptFile - - - - - - - - -} -ShowNextSteps() { - echo "next steps" - echo "-----------------------" - echo " Deploy Successful!" - echo " Next Steps:" - echo " " - echo " run: sh $scriptFile" - echo "-----------------------" -} - - - - - - - - - - -# Entry Point - - - - - - - - -clear -EntryPoint diff --git a/deploy-gateway-v2.23.0.sh b/deploy-gateway-v2.23.0.sh deleted file mode 100644 index c36b649..0000000 --- a/deploy-gateway-v2.23.0.sh +++ /dev/null 
@@ -1,1351 +0,0 @@
-#!/bin/bash
-
-
-
-
-EntryPoint()
-{
-# Default Variables
-blank=""
-gwVersionDefault="2.23.0"
-gwPortDefault="9001"
-gwModeDefault="encrypt-everything"
-gwTopologyDefault="outbound"
-gwCksDefault="2"
-gwInboundRelayDefault=""
-gwFqdnDefault="gw.example.com"
-gwDomainDefault="example.com"
-gwDkimSelectorDefault="gw"
-gwOutboundRelayDefault=""
-gwAmplitudeTokenDefault="0000000000"
-gwHmacNameDefault="0000000000"
-gwHmacSecretDefault="0000000000"
-gwDefaultFips="2"
-
-
-
-
-
-
-
-# Final Variables
-gwName=""
-gwVersion=""
-gwPort=""
-gwMode=""
-gwTopology=""
-gwInboundRelay=""
-gwCks=""
-gwCksKey=""
-gwFqdn=""
-gwDkimSelector=""
-gwOutboundRelay=""
-gwAmplitudeToken=""
-gwHmacName=""
-gwHmacSecret=""
-gwType=""
-gwSmtpdTlsCompliance=""
-gwSmtpdSecurityLevel=""
-gwSmtpTlsCompliance=""
-gwSmtpSecurityLevel=""
-
-
-
-
-
-
-
-
-
-# Working Variables
-tlsPath=""
-tlsKeyFile=""
-tlsKeyFull=""
-tlsPemFile=""
-tlsPemFull=""
-dkimPath=""
-dkimPrivateFull=""
-dkimPublicFull=""
-scriptFile=""
-
-
-
-
-
-
-
-# Actions
-ShowLogo
-GetGwVersion $gwVersionDefault
-GetGwPort $gwPortDefault
-GetGwMode $gwModeDefault
-GetGwTopology $gwTopologyDefault
-GetGwFips $gwDefaultFips
-GetGwName
-GetGwInboundRelay $gwInboundRelayDefault
-GetGwCks $gwCksDefault
-GetGwFqdn $gwFqdnDefault
-GetGwDomain $gwDomainDefault
-GetGwDkimSelector $gwDkimSelectorDefault
-GetGwOutboundRelay $gwOutboundRelayDefault
-GetGwAmplitudeToken $gwAmplitudeTokenDefault
-GetGwHmacName $gwHmacNameDefault
-GetGwHmacSecret $gwHmacSecretDefault
-
-
-
-
-
-
-
-MakeTlsPathVariables
-MakeDkimPathVariables
-MakeDirectories
-MakeTlsCert
-MakeDkimCert
-WriteEnv
-WriteScript
-WriteTestScripts
-clear
-ShowLogo
-ShowNextSteps
-
-
-
-
-}
-
-
-
-
-
-
-
-
-
-
-
-
-## Functions
-GetGwName() {
- if [ $gwTopology = "outbound" ]
- then
- if [ $gwMode = "encrypt-everything" ]
- then
- gwName="oe-$gwPort"
- fi
- if [ $gwMode = "decrypt-everything" ]
- then
- gwName="od-$gwPort"
- fi
- if [ $gwMode = "dlp" ]
- then
-
gwName="dlp-out-$gwPort" - fi - else - if [ $gwMode = "encrypt-everything" ] - then - gwName="ie-$gwPort" - fi - if [ $gwMode = "decrypt-everything" ] - then - gwName="id-$gwPort" - fi - if [ $gwMode = "dlp" ] - then - gwName="dlp-in-$gwPort" - fi - fi - - -} - - - - -GetGwVersion() { - local input="" - read -p "Gateway Version [$1]: " input - - - - - case "$input" in - $blank ) - gwVersion=$1 - ;; - * ) - gwVersion=$input - ;; - esac - echo " " -} - - - - -GetGwPort() { -local input="" - read -p "Gateway Port [$1]: " input - - - - - case "$input" in - $blank ) - gwPort=$1 - ;; - * ) - gwPort=$input - ;; - esac - echo " " -} - - - - -GetGwMode() { - local input="" - echo "Gateway Mode" - echo " Options" - echo " 1 - encrypt-everything" - echo " 2 - decrypt-everything" - echo " 3 - dlp" - echo " " - read -p "Enter 1-3 [$1]: " input - - - - - case "$input" in - $blank ) - gwMode=$1 - ;; - 1 ) - gwMode="encrypt-everything" - ;; - 2 ) - gwMode="decrypt-everything" - ;; - 3 ) - gwMode="dlp" - ;; - * ) - gwMode=$1 - ;; - esac - echo " " -} - - - - -GetGwTopology() { - local input="" - echo "Gateway Topology" - echo " Options" - echo " 1 - inbound" - echo " 2 - outbound" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwTopology=$1 - ;; - 1 ) - gwTopology="inbound" - ;; - 2 ) - gwTopology="outbound" - ;; - * ) - gwTopology=$1 - ;; - esac - echo " " -} - - -GetGwFips() { - local input="" - echo "Do you have a FIPS requirement?" 
- echo " Options" - echo " 1 - Yes" - echo " 2 - No" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - 1 ) - gwType="gateway-fips" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=mandatory" - gwSmtpdTlsCompliance="GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=HIGH" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=mandatory" - gwSmtpTlsCompliance="GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=HIGH" - - - ;; - 2 ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - * ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - esac - echo " " -} - - - - -GetGwInboundRelay() { - local input="" - echo "Inbound Relay Addresses" - echo " Options" - echo " 1 - G Suite" - echo " 2 - O365" - echo " 3 - All" - echo " 4 - None" - read -p "Enter (1-4) [$1]: " input - - - - - case "$input" in - $blank ) - gwInboundRelay=$1 - ;; - 1 ) - 
gwInboundRelay="GATEWAY_RELAY_ADDRESSES=35.190.247.0/24,64.233.160.0/19,66.102.0.0/20,66.249.80.0/20,72.14.192.0/18,74.125.0.0/16,108.177.8.0/21,173.194.0.0/16,209.85.128.0/17,216.58.192.0/19,216.239.32.0/19,172.217.0.0/19,172.217.32.0/20,172.217.128.0/19,172.217.160.0/20,172.217.192.0/19,108.177.96.0/19,35.191.0.0/16,130.211.0.0/22" - ;; - 2 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=23.103.132.0/22,23.103.136.0/21,23.103.144.0/20,23.103.198.0/23,23.103.200.0/22,23.103.212.0/22,40.92.0.0/14,40.107.0.0/17,40.107.128.0/18,52.100.0.0/14,65.55.88.0/24,65.55.169.0/24,94.245.120.64/26,104.47.0.0/17,104.212.58.0/23,134.170.132.0/24,134.170.140.0/24,157.55.234.0/24,157.56.110.0/23,157.56.112.0/24,207.46.51.64/26,207.46.100.0/24,207.46.163.0/24,213.199.154.0/24,213.199.180.128/26,216.32.180.0/23" - ;; - 3 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=0.0.0.0/0" - ;; - 4 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=" - ;; - * ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=$1" - ;; - esac - echo " " -} - - - - -GetGwCks() { - local input="" - echo "CKS Enabled" - echo " Options" - echo " 1 - Yes" - echo " 2 - No" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - - - ;; - 1 ) - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - 2 ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - * ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - esac - echo " " - - - if [ $gwMode = "decrypt-everything" ] - then - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - fi -} - - - - -GetGwFqdn() { - local input="" - read -p "Gateway FQDN [$1]: " input - - - - - case "$input" in - $blank ) - gwFqdn=$1 - ;; - * ) - gwFqdn=$input - 
;; - esac - echo " " -} - - - - -GetGwDomain() { - local input="" - read -p "Gateway Domain [$1]: " input - - - - - case "$input" in - $blank ) - gwDomain=$1 - ;; - * ) - gwDomain=$input - ;; - esac - echo " " -} - - - - -GetGwOutboundRelay() { - local input="" - echo "Outbound Relay - Next Hop in SMTP mailflow after the gateway." - echo " Gmail Relay" - echo " [smtp-relay.gmail.com]:587" - echo " " - echo " Office 365" - echo " [MX Record]:25" - echo " " - echo " Custom" - echo " [1.1.1.1]:25" - echo " " - echo " Blank (Gateway performs final delivery)" - read -p "Enter Relay Address []: " input - - - - - case "$input" in - $blank ) - gwOutboundRelay="# GATEWAY_TRANSPORT_MAPS=*=>$1" - ;; - * ) - gwOutboundRelay="GATEWAY_TRANSPORT_MAPS=*=>$input" - ;; - esac - echo " " -} - - - - -GetGwDkimSelector() { - local input="" - read -p "Gateway DKIM Selector [$1]: " input - - - - - case "$input" in - $blank ) - gwDkimSelector=$1 - ;; - * ) - gwDkimSelector=$input - ;; - esac - echo " " -} - - - - -GetGwAmplitudeToken() { - local input="" - read -p "Amplitude Token (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwAmplitudeToken=$1 - ;; - * ) - gwAmplitudeToken=$input - ;; - esac - echo " " -} - - - - -GetGwHmacName() { - local input="" - read -p "Token ID (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacName=$1 - ;; - * ) - gwHmacName=$input - ;; - esac - echo " " -} - - - - -GetGwHmacSecret() { - local input="" - read -p "Token (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacSecret=$1 - ;; - * ) - gwHmacSecret=$input - ;; - esac - echo " " -} - - - - - - - - -MakeTlsPathVariables() { - tlsPath="/var/virtru/vg/tls/$gwFqdn" - tlsKeyFile="client.key" - tlsKeyFull="$tlsPath/$tlsKeyFile" - tlsPemFile="client.pem" - tlsPemFull="$tlsPath/$tlsPemFile" -} - - - - -MakeDkimPathVariables() { - dkimPath="/var/virtru/vg/dkim" - dkimPrivateFull="$dkimPath/$gwDkimSelector" - 
dkimPrivateFull="$dkimPrivateFull._domainkey.$gwDomain.pem" - dkimPublicFull="$dkimPath/$gwDkimSelector._domainkey.$gwDomain-public.pem" -} - - - - -MakeDirectories(){ - mkdir -p /var/virtru/vg/ - mkdir -p /var/virtru/vg/env - mkdir -p /var/virtru/vg/scripts - mkdir -p /var/virtru/vg/tls - mkdir -p /var/virtru/vg/queue - mkdir -p /var/virtru/vg/queue/$gwName - chown -R 149:149 /var/virtru/vg/queue/$gwName - mkdir -p /var/virtru/vg/test - mkdir -p $tlsPath - mkdir -p /var/virtru/vg/dkim -} - - - - -MakeTlsCert(){ -## Make TLS Certs -openssl genrsa -out $tlsKeyFull 2048 -openssl req -new -key $tlsKeyFull -x509 -subj /CN=$gwFqdn -days 3650 -out $tlsPemFull - -} - - - - -MakeDkimCert(){ -openssl genrsa -out $dkimPrivateFull 1024 -outform PEM -openssl rsa -in $dkimPrivateFull -out $dkimPublicFull -pubout -outform PEM -} - -WriteTestScripts(){ - testScript1=/var/virtru/vg/test/checkendpoints.sh -/bin/cat <$testScript1 -#!/bin/bash - -echo https://google.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://google.com -echo "" - -echo https://acm.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://acm.virtru.com -echo "" - -echo https://api.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://acm.virtru.com -echo "" - -echo https://accounts.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://accounts.virtru.com -echo "" - -echo https://secure.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://secure.virtru.com -echo "" - -echo https://api.amplitude.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://api.amplitude.com -echo "" - -echo https://cdn.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://cdn.virtru.com -echo "" - -echo 
https://hub.docker.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://hub.docker.com -echo "" - -EOM - - - testScript2=/var/virtru/vg/test/runall.sh -/bin/cat <$testScript2 -#!/bin/bash - -for container in \`docker ps -q\`; do - # show the name of the container - docker inspect --format='{{.Name}}' \$container; - # run the command (date in the case) - docker exec -it \$container \$1 -done - - -EOM - - - testScript3=/var/virtru/vg/test/sendtestmessage.sh -/bin/cat <$testScript3 -#!/bin/bash - -echo "Update Virtru Gateway ENV file to include the lan ip of the Gateway." -echo "Use the lan IP and not the loopback (127.0.0.1)" -read -p "SMTP Server: " server -read -p "SMTP Port: " port -read -p "FROM: " from -read -p "TO: " to - -swaks --To \$to --From \$from --header "Subject: Test mail" --body "This is a test mail" --server \$server --port \$port -tls -4 - - - - -EOM - - -} - - -ShowLogo() { -echo " " -echo " +++ '++." -echo " +++ ++++" -echo " ++++" -echo " ,::: +++ +++ :+++++++ +++++++ .+++++++ .++ '++" -echo " ++++ .+++. '+++ ++++++++++ ++++++++ ++++++++++ ++++ ++++" -echo " ++++ ++++ ++++ +++++''++ +++++++ +++++++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ ++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++++ ;+++ ++++ ++++ ++++ ++++++++" -echo " ++++ +++ ++' ++ ++' .++++" -echo " " -echo " R e s p e c t t h e D a t a" -echo " " -echo " " - - - - - - - - -} -WriteEnv() { - envFile=/var/virtru/vg/env/$gwName.env - - - - - - - - -/bin/cat <$envFile -# Required to match the CN (Common Name) on the certificate. -# TLS will not function unless this matches. -# -GATEWAY_HOSTNAME=$gwFqdn - - -# Enable verbose logging in Gateway. -# Values -# Enable: 1 -# Disable: 0 -# Default: 0 -# Required: No -# Note: Set this to 0 unless you are debugging something. 
-# -GATEWAY_VERBOSE_LOGGING=0 - - - -# Domain name of organization -# Values -# Domain -# Required: Yes -# -GATEWAY_ORGANIZATION_DOMAIN=$gwDomain - - - -# Comma delimited list of trusted networks in CIDR formate. -# Inbound addresses allowed to connect to the gateway -# Values (examples) -# All IP: 0.0.0.0/0 -# 2 IP: 2.2.2.2/32,2.2.2.3/32 -# Required: Yes -# -$gwInboundRelay - - - -# Enable Proxy Protocol for SMTP. -# For use behind a load balancer. -# Values -# Enable: 1 -# Disable: 0 -# Default: 1 -# Required: No -# -GATEWAY_PROXY_PROTOCOL=0 - - - -# Comma delimited set of domains and next-hop destinations and optional ports -# Values -# Not defined/Commented out - Final delivery by MX -# GATEWAY_TRANSPORT_MAPS=*=>[Next hop FQDN]:port -# Default: Not defined/Commented out - Final delivery by MX -# Required: No -# -# Examples: -# -# Gmail Relay -# GATEWAY_TRANSPORT_MAPS=*=>[smtp-relay.gmail.com]:587 -# -# Office 365 -# GATEWAY_TRANSPORT_MAPS=*=>[MX Record]:25 -# -# Custom -# GATEWAY_TRANSPORT_MAPS=*=>[1.1.1.1]:25 -# -$gwOutboundRelay - - -# The mode for the Gateway. -# Values -# decrypt-everything -# encrypt-everything -# dlp - Use rules defined on Virtru Dashboard (https://secure.virtru.com/dashboard) -# Default: encrypt-everything -# Required: Yes -# -GATEWAY_MODE=$gwMode - - - -# Topology of the gateway. -# Values -# outbound -# inbound -# Default: outbound -# Required: Yes -GATEWAY_TOPOLOGY=$gwTopology - - - -# URL to Virtru's ACM service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACM_URL=https://api.virtru.com/acm - - - -# URL to Virtru's Accounts service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACCOUNTS_URL=https://api.virtru.com/accounts - - - -# The base URL for remote content. -# Required: Yes -# Note: Do not change unless directed by Virtru. If Custom Secure Reader URL is in use the URL should match. 
-# -GATEWAY_REMOTE_CONTENT_BASE_URL=https://secure.virtru.com/start - - - -# DKIM certificate information -# Values -# Not defined/Commented out - Gateway will not perform any DKIM signing -# Complete record for DKIM signing -# Required: No -# Example: -# GATEWAY_DKIM_DOMAINS=gw._domainkey.example.com -# -# GATEWAY_DKIM_DOMAINS=$gwDkimSelector._domainkey.$gwDomain - - - -# HMAC Token Name to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your token Name. -# -GATEWAY_API_TOKEN_NAME=$gwHmacName - - - -# HMAC Token Secret to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token Secret. -# -GATEWAY_API_TOKEN_SECRET=$gwHmacSecret - - - -# Amplitude Token to connect to the Virtru Events platform -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token. -# -GATEWAY_AMPLITUDE_API_KEY=$gwAmplitudeToken - - - -# Consider a message as undeliverable, when delivery fails with a temporary error, and the time in the queue -# has reached the maximal_queue_lifetime limit. -# Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is d (days). -# Postfix default is '5d'. Set this ENV variable if default does not work. -# Values -# NumberUnits -# Default: 5d -# Required: No -# Note: Specify 0 when mail delivery should be tried only once. -# -MAX_QUEUE_LIFETIME=5m - - - -# The maximal time between attempts to deliver a deferred message. 
-# Values -# NumberUnits -# Default: 4000s -# Required: No -# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME -# -MAX_BACKOFF_TIME=45s - - - -# The minimal time between attempts to deliver a deferred message -# Values -# NumberUnits -# Default: 300s -# Required: No -# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME -# -MIN_BACKOFF_TIME=30s - - - -# The time between deferred queue scans by the queue manager -# Values -# NumberUnits -# Default: 300s -# Required: No -# -QUEUE_RUN_DELAY=30s - - - -# Gateway Inbound -# Enable Inbound TLS to the Gateway. -# Values -# 1 Enabled -# 0 Disabled -# Default: 1 -# Required: No -# -GATEWAY_SMTPD_USE_TLS=1 - - - -# TLS Compliance Level for upstream (inbound) connections. -# This sets TLS version and cipher list accordingly. -# Customer is still responsible for following other NIST and/or OWASP recommendations, -# notably making sure certificates are signed and keys are rotated regularly. -# Values: -# LOW -# MEDIUM -# HIPPA_2018 -# PCI_321 -# HIGH -# -# Default: N/A -# Required: No -# Note: If any level above LOW, you must set: -# GATEWAY_SMTPD_SECURITY_LEVEL= mandatory -# GATEWAY_SMTPD_USE_TLS=1 -# -# -$gwSmtpdTlsCompliance - - - -# Gateway Inbound -# TLS level for inbound connections -# Values -# none -# mandatory -# opportunistic -# Require: No -# Note: Only used when: -# GATEWAY_SMTPD_USE_TLS=1 -# -$gwSmtpdSecurityLevel - - - -# Gateway Outbound -# Enable TLS at the Gateway. -# Values -# 1 Enabled -# 0 Disabled -# Default: 1 -# Require: No -# -GATEWAY_SMTP_USE_TLS=1 - - - -# Gateway Outbound -# TLS level for outbound connections -# Values -# none -# mandatory -# opportunistic -# Require: No -# -$gwSmtpSecurityLevel - - - -# TLS Compliance Level for downstream (outbound) connections. -# This sets TLS version and cipher list accordingly. 
-# Customer is still responsible for following other NIST and/or OWASP recommendations, -# notably making sure certificates are signed and keys are rotated regularly. -# Values: -# LOW -# MEDIUM -# HIPPA_2018 -# PCI_321 -# HIGH -# -# Default: N/A -# Required: No -# Note: If any level above LOW, you must set: -# GATEWAY_SMTP_SECURITY_LEVEL= mandatory -# GATEWAY_SMTP_USE_TLS=1 -# -# -$gwSmtpTlsCompliance - - - -# Gateway Outbound -# If SASL_ENABLED_DOWNSTREAM enabled, specify Postfix SMTP client SASL security options here. -# Default: N/A -# Required: No -# Values: Text -# -# GATEWAY_SMTP_SASL_SECURITY_OPTIONS=noanonymous -# - - - -# Gateway Outbound -# Require SASL authentication for outbound downstream or relay servers attempting to connect this server. -# Default: 0 -# Required: No -# Values: -# 0 (Disabled) -# 1 (Enabled) -# -# GATEWAY_SMTP_SASL_ENABLED_DOWNSTREAM=0 -# - - - -# Gateway Outbound -# Accounts for Authentication -# Example: -# GATEWAY_SMTPD_SASL_GATEWAY_SMTPD_SASL_ACCOUNTS=example.com=>user1=>password1,example.net=>user2=>password2 -# Required: No -# -# GATEWAY_SMTP_SASL_ACCOUNTS= -# - - - -# Gateway Outbound -# Outbound TLS requirements for a domain. Comma separated list. -# Example -# example.com=>none -# example.net=>maybe -# example.org=>encrypt -# GATEWAY_SMTP_TLS_POLICY_MAPS=example.com=>none,example.net=>maybe -# -# GATEWAY_SMTP_TLS_POLICY_MAPS= - - - -# Inbound Authentication enablement. -# Enable inbound authentication. -# Supported modes: CRAM-MD5 or DIGEST-MD5 -# Values -# 1 Enabled -# 0 Disabled -# Default: 0 -# Require: No -# -# GATEWAY_SMTPD_SASL_ENABLED=0 - - - -# Inbound Authentication mechanisms. -# Space-delimited list of SASL mechanisms to support for upstream SASL. 
-# -# Default: N/A -# Required: No -# Values: -# PLAIN -# LOGIN -# CRAM-MD5 -# DIGEST-MD5 -# Note: Only required when: -# GATEWAY_SMTPD_SASL_ENABLED_UPSTREAM=1 -# -# GATEWAY_SMTPD_SASL_MECHANISMS= -# - - -# Inbound Authentication -# Accounts for Authentication -# Example: -# GATEWAY_SMTPD_SASL_ACCOUNTS=example.net=>user1=>password1,example.com=>user2=>password2 -# Required: No -# -# GATEWAY_SMTPD_SASL_ACCOUNTS= -# - - - -# Inbound X-Header Authentication -# Enable inbound X-Header authentication -# Values -# 1 Enabled -# 0 Disabled -# Default: 0 -# Require: No -# -# GATEWAY_XHEADER_AUTH_ENABLED= -# - - - -# Inbound X-Header Authentication -# Enable inbound X-Header authentication Shared Secret -# Example variable: -# GATEWAY_XHEADER_AUTH_SECRET=123456789 -# Example of applied header with secret -# X-Header-Virtru-Auth=123456789 -# Require: No -# -# GATEWAY_XHEADER_AUTH_SECRET= -# - - - -# CKS Enabled Organization -# -# If Gateway is in Decrypt Mode Required -# Required: Yes -# If Gateway is in Encrypt Mode Required only if the Organization is CKS enabled. -# Required: No -# -# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS -# -$gwCks - - - -# CKS Key Intergenerational Period -# Time between Gateway CKS public/private client Key Generation -# -# Required: No -# Default: 360 -# -# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360 -# -$gwCksKey - - - -# Time to Cache DLP rule. -# The interval of time between refreshing the DLP rules in minutes. -# -# Required: No -# Default: 30 -# Minimum: 0 -# -# Note: Number in minutes. To refresh every request, set to 0. -# -# GATEWAY_DLP_CACHE_DURATION=30 - - -# Inbound FROM address rewrite. -# Enable or disable from address rewriting (inbound topology only). This feature allows the Virtru Gateway to support DKIM. 
-# -# Required: No -# Default: 1 -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_REPLACEMENT_FROM_ENABLED=1 - - - -# Enable decryption of PFP protected files -# The feature to enable/disable the option to decrypt Virtru Persistent File Protection -# protected files (DECRYPT mode only) -# -# Required: No -# Default: 1 -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_DECRYPT_PERSISTENT_PROTECTED_ATTACHMENTS=1 - - -# SMTP XHeaders for the Gateway to set on all mail it processes -# Example Header Values -# X-Header-1: value1, X-Header-2: value2 -# GATEWAY_ROUTING_XHEADERS= - -# Cache Outgoing SMTP Connections -# Whether to cache outgoing connections to mailservers. -# If "1", use on-demand connection caching. If "0", do not cache. -# If a list of domains (e.g. example.org,hotmail.com,gmail.com) -# then use per-destination connection caching. -# -# Required: No -# Default: 0 -# Values: -# 1 - True -# 0 - False -# -# GATEWAY_SMTP_CACHE_CONNECTIONS=0 - -# Outgoing SMTP Connection Cache Time Limit -# How long to cache SMTP connections for. -# Sets smtp_connection_cache_time_limit to the provied value -# so that the smtp daemon doesn't close the connection and -# sets connection_cache_ttl_limit to the same value so that the cached value is still valid -# -# Required: No -# Default: None -# Example Values: -# 30s -# 2m -# -# GATEWAY_SMTP_CONNECTION_CACHE_TIME_LIMIT=30s - -# Decrypt Then Re-Encrypt Workflow -# If you use a multi-gateway approach for sending email. -# I.e. your workflow looks something like -# (Decrypt -> Scan -> Encrypt) before sending/receiving email. 
-# -# Required: No -# Default: Disabled -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_DECRYPT_THEN_ENCRYPT=0 - - -EOM - - - - - - - - -} - - - - -WriteScript() { -echo $gwVersion - echo "script" - scriptFile=/var/virtru/vg/scripts/setup-$gwName.sh - - - - - /bin/cat <$scriptFile -docker run \\ ---env-file /var/virtru/vg/env/$gwName.env \\ --v /var/virtru/vg/tls/:/etc/postfix/tls \\ --v /var/virtru/vg/queue/$gwName/:/var/spool/postfix \\ --v /var/virtru/vg/dkim/:/etc/opendkim/keys \\ ---name $gwName \\ ---publish $gwPort:25 \\ ---interactive --tty --detach \\ ---restart unless-stopped \\ ---log-driver json-file \\ ---log-opt max-size=10m \\ ---log-opt max-file=100 \\ -virtru/$gwType:$gwVersion -EOM - - - - - - - - -chmod +x $scriptFile - - - - - - - - -} -ShowNextSteps() { - echo "next steps" - echo "-----------------------" - echo " Deploy Successful!" - echo " Next Steps:" - echo " " - echo " run: sh $scriptFile" - echo "-----------------------" -} - - - - - - - - - - -# Entry Point - - - - - - - - -clear -EntryPoint diff --git a/deploy-gateway-v2.27.0.sh b/deploy-gateway-v2.27.0.sh deleted file mode 100644 index 68c09e9..0000000 --- a/deploy-gateway-v2.27.0.sh +++ /dev/null 
@@ -1,1351 +0,0 @@ -#!/bin/bash - - - - -EntryPoint() -{ -# Default Variables -blank="" -gwVersionDefault="2.27.0" -gwPortDefault="9001" -gwModeDefault="encrypt-everything" -gwTopologyDefault="outbound" -gwCksDefault="2" -gwInboundRelayDefault="" -gwFqdnDefault="gw.example.com" -gwDomainDefault="example.com" -gwDkimSelectorDefault="gw" -gwOutboundRelayDefault="" -gwAmplitudeTokenDefault="0000000000" -gwHmacNameDefault="0000000000" -gwHmacSecretDefault="0000000000" -gwDefaultFips="2" - - - - - - - -# Final Variables -gwName="" -gwVersion="" -gwPort="" -gwMode="" -gwTopology="" -gwInboundRelay="" -gwCks="" -gwCksKey="" -gwFqdn="" -gwDkimSelector="" -gwOutboundRelay="" -gwAmplitudeToken="" -gwHmacName="" -gwHmacSecret="" -gwType="" -gwSmtpdTlsCompliance="" -gwSmtpdSecurityLevel="" -gwSmtpTlsCompliance="" -gwSmtpSecurityLevel="" - - - - - - - - - -# Working Variables -tlsPath="" -tlsKeyFile="" -tlsKeyFull="" -tlsPemFile="" -tlsPemFull="" -dkimPath="" -dkimPrivateFull="" -dkimPublicFull="" -scriptFile="" - - - - - - - - -# Actions -ShowLogo -GetGwVersion $gwVersionDefault -GetGwPort $gwPortDefault -GetGwMode $gwModeDefault -GetGwTopology $gwTopologyDefault -GetGwFips $gwDefaultFips -GetGwName -GetGwInboundRelay $gwInboundRelayDefault -GetGwCks $gwCksDefault -GetGwFqdn $gwFqdnDefault -GetGwDomain $gwDomainDefault -GetGwDkimSelector $gwDkimSelectorDefault -GetGwOutboundRelay $gwOutboundRelayDefault -GetGwAmplitudeToken $gwAmplitudeTokenDefault -GetGwHmacName $gwHmacNameDefault -GetGwHmacSecret $gwHmacSecretDefault - - - - - - - - -MakeTlsPathVariables -MakeDkimPathVariables -MakeDirectories -MakeTlsCert -MakeDkimCert -WriteEnv -WriteScript -WriteTestScripts -clear -ShowLogo -ShowNextSteps - - - - -} - - - - - - - - - - - - -## Functions -GetGwName() { - if [ $gwTopology = "outbound" ] - then - if [ $gwMode = "encrypt-everything" ] - then - gwName="oe-$gwPort" - fi - if [ $gwMode = "decrypt-everything" ] - then - gwName="od-$gwPort" - fi - if [ $gwMode = "dlp" ] - then - 
gwName="dlp-out-$gwPort" - fi - else - if [ $gwMode = "encrypt-everything" ] - then - gwName="ie-$gwPort" - fi - if [ $gwMode = "decrypt-everything" ] - then - gwName="id-$gwPort" - fi - if [ $gwMode = "dlp" ] - then - gwName="dlp-in-$gwPort" - fi - fi - - -} - - - - -GetGwVersion() { - local input="" - read -p "Gateway Version [$1]: " input - - - - - case "$input" in - $blank ) - gwVersion=$1 - ;; - * ) - gwVersion=$input - ;; - esac - echo " " -} - - - - -GetGwPort() { -local input="" - read -p "Gateway Port [$1]: " input - - - - - case "$input" in - $blank ) - gwPort=$1 - ;; - * ) - gwPort=$input - ;; - esac - echo " " -} - - - - -GetGwMode() { - local input="" - echo "Gateway Mode" - echo " Options" - echo " 1 - encrypt-everything" - echo " 2 - decrypt-everything" - echo " 3 - dlp" - echo " " - read -p "Enter 1-3 [$1]: " input - - - - - case "$input" in - $blank ) - gwMode=$1 - ;; - 1 ) - gwMode="encrypt-everything" - ;; - 2 ) - gwMode="decrypt-everything" - ;; - 3 ) - gwMode="dlp" - ;; - * ) - gwMode=$1 - ;; - esac - echo " " -} - - - - -GetGwTopology() { - local input="" - echo "Gateway Topology" - echo " Options" - echo " 1 - inbound" - echo " 2 - outbound" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwTopology=$1 - ;; - 1 ) - gwTopology="inbound" - ;; - 2 ) - gwTopology="outbound" - ;; - * ) - gwTopology=$1 - ;; - esac - echo " " -} - - -GetGwFips() { - local input="" - echo "Do you have a FIPS requirement?" 
- echo " Options" - echo " 1 - Yes" - echo " 2 - No" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - 1 ) - gwType="gateway-fips" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=mandatory" - gwSmtpdTlsCompliance="GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=HIGH" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=mandatory" - gwSmtpTlsCompliance="GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=HIGH" - - - ;; - 2 ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - * ) - gwType="gateway" - gwSmtpdSecurityLevel="GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic" - gwSmtpdTlsCompliance="# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM" - gwSmtpSecurityLevel="GATEWAY_SMTP_SECURITY_LEVEL=opportunistic" - gwSmtpTlsCompliance="# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM" - - - ;; - esac - echo " " -} - - - - -GetGwInboundRelay() { - local input="" - echo "Inbound Relay Addresses" - echo " Options" - echo " 1 - G Suite" - echo " 2 - O365" - echo " 3 - All" - echo " 4 - None" - read -p "Enter (1-4) [$1]: " input - - - - - case "$input" in - $blank ) - gwInboundRelay=$1 - ;; - 1 ) - 
gwInboundRelay="GATEWAY_RELAY_ADDRESSES=35.190.247.0/24,64.233.160.0/19,66.102.0.0/20,66.249.80.0/20,72.14.192.0/18,74.125.0.0/16,108.177.8.0/21,173.194.0.0/16,209.85.128.0/17,216.58.192.0/19,216.239.32.0/19,172.217.0.0/19,172.217.32.0/20,172.217.128.0/19,172.217.160.0/20,172.217.192.0/19,108.177.96.0/19,35.191.0.0/16,130.211.0.0/22" - ;; - 2 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=23.103.132.0/22,23.103.136.0/21,23.103.144.0/20,23.103.198.0/23,23.103.200.0/22,23.103.212.0/22,40.92.0.0/14,40.107.0.0/17,40.107.128.0/18,52.100.0.0/14,65.55.88.0/24,65.55.169.0/24,94.245.120.64/26,104.47.0.0/17,104.212.58.0/23,134.170.132.0/24,134.170.140.0/24,157.55.234.0/24,157.56.110.0/23,157.56.112.0/24,207.46.51.64/26,207.46.100.0/24,207.46.163.0/24,213.199.154.0/24,213.199.180.128/26,216.32.180.0/23" - ;; - 3 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=0.0.0.0/0" - ;; - 4 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=" - ;; - * ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=$1" - ;; - esac - echo " " -} - - - - -GetGwCks() { - local input="" - echo "CKS Enabled" - echo " Options" - echo " 1 - Yes" - echo " 2 - No" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - - - ;; - 1 ) - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - 2 ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - * ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - esac - echo " " - - - if [ $gwMode = "decrypt-everything" ] - then - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - fi -} - - - - -GetGwFqdn() { - local input="" - read -p "Gateway FQDN [$1]: " input - - - - - case "$input" in - $blank ) - gwFqdn=$1 - ;; - * ) - gwFqdn=$input - 
;; - esac - echo " " -} - - - - -GetGwDomain() { - local input="" - read -p "Gateway Domain [$1]: " input - - - - - case "$input" in - $blank ) - gwDomain=$1 - ;; - * ) - gwDomain=$input - ;; - esac - echo " " -} - - - - -GetGwOutboundRelay() { - local input="" - echo "Outbound Relay - Next Hop in SMTP mailflow after the gateway." - echo " Gmail Relay" - echo " [smtp-relay.gmail.com]:587" - echo " " - echo " Office 365" - echo " [MX Record]:25" - echo " " - echo " Custom" - echo " [1.1.1.1]:25" - echo " " - echo " Blank (Gateway performs final delivery)" - read -p "Enter Relay Address []: " input - - - - - case "$input" in - $blank ) - gwOutboundRelay="# GATEWAY_TRANSPORT_MAPS=*=>$1" - ;; - * ) - gwOutboundRelay="GATEWAY_TRANSPORT_MAPS=*=>$input" - ;; - esac - echo " " -} - - - - -GetGwDkimSelector() { - local input="" - read -p "Gateway DKIM Selector [$1]: " input - - - - - case "$input" in - $blank ) - gwDkimSelector=$1 - ;; - * ) - gwDkimSelector=$input - ;; - esac - echo " " -} - - - - -GetGwAmplitudeToken() { - local input="" - read -p "Amplitude Token (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwAmplitudeToken=$1 - ;; - * ) - gwAmplitudeToken=$input - ;; - esac - echo " " -} - - - - -GetGwHmacName() { - local input="" - read -p "Token ID (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacName=$1 - ;; - * ) - gwHmacName=$input - ;; - esac - echo " " -} - - - - -GetGwHmacSecret() { - local input="" - read -p "Token (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacSecret=$1 - ;; - * ) - gwHmacSecret=$input - ;; - esac - echo " " -} - - - - - - - - -MakeTlsPathVariables() { - tlsPath="/var/virtru/vg/tls/$gwFqdn" - tlsKeyFile="client.key" - tlsKeyFull="$tlsPath/$tlsKeyFile" - tlsPemFile="client.pem" - tlsPemFull="$tlsPath/$tlsPemFile" -} - - - - -MakeDkimPathVariables() { - dkimPath="/var/virtru/vg/dkim" - dkimPrivateFull="$dkimPath/$gwDkimSelector" - 
dkimPrivateFull="$dkimPrivateFull._domainkey.$gwDomain.pem" - dkimPublicFull="$dkimPath/$gwDkimSelector._domainkey.$gwDomain-public.pem" -} - - - - -MakeDirectories(){ - mkdir -p /var/virtru/vg/ - mkdir -p /var/virtru/vg/env - mkdir -p /var/virtru/vg/scripts - mkdir -p /var/virtru/vg/tls - mkdir -p /var/virtru/vg/queue - mkdir -p /var/virtru/vg/queue/$gwName - chown -R 149:149 /var/virtru/vg/queue/$gwName - mkdir -p /var/virtru/vg/test - mkdir -p $tlsPath - mkdir -p /var/virtru/vg/dkim -} - - - - -MakeTlsCert(){ -## Make TLS Certs -openssl genrsa -out $tlsKeyFull 2048 -openssl req -new -key $tlsKeyFull -x509 -subj /CN=$gwFqdn -days 3650 -out $tlsPemFull - -} - - - - -MakeDkimCert(){ -openssl genrsa -out $dkimPrivateFull 1024 -outform PEM -openssl rsa -in $dkimPrivateFull -out $dkimPublicFull -pubout -outform PEM -} - -WriteTestScripts(){ - testScript1=/var/virtru/vg/test/checkendpoints.sh -/bin/cat <$testScript1 -#!/bin/bash - -echo https://google.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://google.com -echo "" - -echo https://acm.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://acm.virtru.com -echo "" - -echo https://api.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://acm.virtru.com -echo "" - -echo https://accounts.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://accounts.virtru.com -echo "" - -echo https://secure.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://secure.virtru.com -echo "" - -echo https://api.amplitude.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://api.amplitude.com -echo "" - -echo https://cdn.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://cdn.virtru.com -echo "" - -echo 
https://hub.docker.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://hub.docker.com -echo "" - -EOM - - - testScript2=/var/virtru/vg/test/runall.sh -/bin/cat <$testScript2 -#!/bin/bash - -for container in \`docker ps -q\`; do - # show the name of the container - docker inspect --format='{{.Name}}' \$container; - # run the command (date in the case) - docker exec -it \$container \$1 -done - - -EOM - - - testScript3=/var/virtru/vg/test/sendtestmessage.sh -/bin/cat <$testScript3 -#!/bin/bash - -echo "Update Virtru Gateway ENV file to include the lan ip of the Gateway." -echo "Use the lan IP and not the loopback (127.0.0.1)" -read -p "SMTP Server: " server -read -p "SMTP Port: " port -read -p "FROM: " from -read -p "TO: " to - -swaks --To \$to --From \$from --header "Subject: Test mail" --body "This is a test mail" --server \$server --port \$port -tls -4 - - - - -EOM - - -} - - -ShowLogo() { -echo " " -echo " +++ '++." -echo " +++ ++++" -echo " ++++" -echo " ,::: +++ +++ :+++++++ +++++++ .+++++++ .++ '++" -echo " ++++ .+++. '+++ ++++++++++ ++++++++ ++++++++++ ++++ ++++" -echo " ++++ ++++ ++++ +++++''++ +++++++ +++++++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ ++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++++ ;+++ ++++ ++++ ++++ ++++++++" -echo " ++++ +++ ++' ++ ++' .++++" -echo " " -echo " R e s p e c t t h e D a t a" -echo " " -echo " " - - - - - - - - -} -WriteEnv() { - envFile=/var/virtru/vg/env/$gwName.env - - - - - - - - -/bin/cat <$envFile -# Required to match the CN (Common Name) on the certificate. -# TLS will not function unless this matches. -# -GATEWAY_HOSTNAME=$gwFqdn - - -# Enable verbose logging in Gateway. -# Values -# Enable: 1 -# Disable: 0 -# Default: 0 -# Required: No -# Note: Set this to 0 unless you are debugging something. 
-# -GATEWAY_VERBOSE_LOGGING=0 - - - -# Domain name of organization -# Values -# Domain -# Required: Yes -# -GATEWAY_ORGANIZATION_DOMAIN=$gwDomain - - - -# Comma delimited list of trusted networks in CIDR formate. -# Inbound addresses allowed to connect to the gateway -# Values (examples) -# All IP: 0.0.0.0/0 -# 2 IP: 2.2.2.2/32,2.2.2.3/32 -# Required: Yes -# -$gwInboundRelay - - - -# Enable Proxy Protocol for SMTP. -# For use behind a load balancer. -# Values -# Enable: 1 -# Disable: 0 -# Default: 1 -# Required: No -# -GATEWAY_PROXY_PROTOCOL=0 - - - -# Comma delimited set of domains and next-hop destinations and optional ports -# Values -# Not defined/Commented out - Final delivery by MX -# GATEWAY_TRANSPORT_MAPS=*=>[Next hop FQDN]:port -# Default: Not defined/Commented out - Final delivery by MX -# Required: No -# -# Examples: -# -# Gmail Relay -# GATEWAY_TRANSPORT_MAPS=*=>[smtp-relay.gmail.com]:587 -# -# Office 365 -# GATEWAY_TRANSPORT_MAPS=*=>[MX Record]:25 -# -# Custom -# GATEWAY_TRANSPORT_MAPS=*=>[1.1.1.1]:25 -# -$gwOutboundRelay - - -# The mode for the Gateway. -# Values -# decrypt-everything -# encrypt-everything -# dlp - Use rules defined on Virtru Dashboard (https://secure.virtru.com/dashboard) -# Default: encrypt-everything -# Required: Yes -# -GATEWAY_MODE=$gwMode - - - -# Topology of the gateway. -# Values -# outbound -# inbound -# Default: outbound -# Required: Yes -GATEWAY_TOPOLOGY=$gwTopology - - - -# URL to Virtru's ACM service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACM_URL=https://api.virtru.com/acm - - - -# URL to Virtru's Accounts service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACCOUNTS_URL=https://api.virtru.com/accounts - - - -# The base URL for remote content. -# Required: Yes -# Note: Do not change unless directed by Virtru. If Custom Secure Reader URL is in use the URL should match. 
-# -GATEWAY_REMOTE_CONTENT_BASE_URL=https://secure.virtru.com/start - - - -# DKIM certificate information -# Values -# Not defined/Commented out - Gateway will not perform any DKIM signing -# Complete record for DKIM signing -# Required: No -# Example: -# GATEWAY_DKIM_DOMAINS=gw._domainkey.example.com -# -# GATEWAY_DKIM_DOMAINS=$gwDkimSelector._domainkey.$gwDomain - - - -# HMAC Token Name to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your token Name. -# -GATEWAY_API_TOKEN_NAME=$gwHmacName - - - -# HMAC Token Secret to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token Secret. -# -GATEWAY_API_TOKEN_SECRET=$gwHmacSecret - - - -# Amplitude Token to connect to the Virtru Events platform -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token. -# -GATEWAY_AMPLITUDE_API_KEY=$gwAmplitudeToken - - - -# Consider a message as undeliverable, when delivery fails with a temporary error, and the time in the queue -# has reached the maximal_queue_lifetime limit. -# Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is d (days). -# Postfix default is '5d'. Set this ENV variable if default does not work. -# Values -# NumberUnits -# Default: 5d -# Required: No -# Note: Specify 0 when mail delivery should be tried only once. -# -MAX_QUEUE_LIFETIME=5m - - - -# The maximal time between attempts to deliver a deferred message. 
-# Values -# NumberUnits -# Default: 4000s -# Required: No -# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME -# -MAX_BACKOFF_TIME=45s - - - -# The minimal time between attempts to deliver a deferred message -# Values -# NumberUnits -# Default: 300s -# Required: No -# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME -# -MIN_BACKOFF_TIME=30s - - - -# The time between deferred queue scans by the queue manager -# Values -# NumberUnits -# Default: 300s -# Required: No -# -QUEUE_RUN_DELAY=30s - - - -# Gateway Inbound -# Enable Inbound TLS to the Gateway. -# Values -# 1 Enabled -# 0 Disabled -# Default: 1 -# Required: No -# -GATEWAY_SMTPD_USE_TLS=1 - - - -# TLS Compliance Level for upstream (inbound) connections. -# This sets TLS version and cipher list accordingly. -# Customer is still responsible for following other NIST and/or OWASP recommendations, -# notably making sure certificates are signed and keys are rotated regularly. -# Values: -# LOW -# MEDIUM -# HIPPA_2018 -# PCI_321 -# HIGH -# -# Default: N/A -# Required: No -# Note: If any level above LOW, you must set: -# GATEWAY_SMTPD_SECURITY_LEVEL= mandatory -# GATEWAY_SMTPD_USE_TLS=1 -# -# -$gwSmtpdTlsCompliance - - - -# Gateway Inbound -# TLS level for inbound connections -# Values -# none -# mandatory -# opportunistic -# Require: No -# Note: Only used when: -# GATEWAY_SMTPD_USE_TLS=1 -# -$gwSmtpdSecurityLevel - - - -# Gateway Outbound -# Enable TLS at the Gateway. -# Values -# 1 Enabled -# 0 Disabled -# Default: 1 -# Require: No -# -GATEWAY_SMTP_USE_TLS=1 - - - -# Gateway Outbound -# TLS level for outbound connections -# Values -# none -# mandatory -# opportunistic -# Require: No -# -$gwSmtpSecurityLevel - - - -# TLS Compliance Level for downstream (outbound) connections. -# This sets TLS version and cipher list accordingly. 
-# Customer is still responsible for following other NIST and/or OWASP recommendations, -# notably making sure certificates are signed and keys are rotated regularly. -# Values: -# LOW -# MEDIUM -# HIPPA_2018 -# PCI_321 -# HIGH -# -# Default: N/A -# Required: No -# Note: If any level above LOW, you must set: -# GATEWAY_SMTP_SECURITY_LEVEL= mandatory -# GATEWAY_SMTP_USE_TLS=1 -# -# -$gwSmtpTlsCompliance - - - -# Gateway Outbound -# If SASL_ENABLED_DOWNSTREAM enabled, specify Postfix SMTP client SASL security options here. -# Default: N/A -# Required: No -# Values: Text -# -# GATEWAY_SMTP_SASL_SECURITY_OPTIONS=noanonymous -# - - - -# Gateway Outbound -# Require SASL authentication for outbound downstream or relay servers attempting to connect this server. -# Default: 0 -# Required: No -# Values: -# 0 (Disabled) -# 1 (Enabled) -# -# GATEWAY_SMTP_SASL_ENABLED_DOWNSTREAM=0 -# - - - -# Gateway Outbound -# Accounts for Authentication -# Example: -# GATEWAY_SMTPD_SASL_GATEWAY_SMTPD_SASL_ACCOUNTS=example.com=>user1=>password1,example.net=>user2=>password2 -# Required: No -# -# GATEWAY_SMTP_SASL_ACCOUNTS= -# - - - -# Gateway Outbound -# Outbound TLS requirements for a domain. Comma separated list. -# Example -# example.com=>none -# example.net=>maybe -# example.org=>encrypt -# GATEWAY_SMTP_TLS_POLICY_MAPS=example.com=>none,example.net=>maybe -# -# GATEWAY_SMTP_TLS_POLICY_MAPS= - - - -# Inbound Authentication enablement. -# Enable inbound authentication. -# Supported modes: CRAM-MD5 or DIGEST-MD5 -# Values -# 1 Enabled -# 0 Disabled -# Default: 0 -# Require: No -# -# GATEWAY_SMTPD_SASL_ENABLED=0 - - - -# Inbound Authentication mechanisms. -# Space-delimited list of SASL mechanisms to support for upstream SASL. 
-# -# Default: N/A -# Required: No -# Values: -# PLAIN -# LOGIN -# CRAM-MD5 -# DIGEST-MD5 -# Note: Only required when: -# GATEWAY_SMTPD_SASL_ENABLED_UPSTREAM=1 -# -# GATEWAY_SMTPD_SASL_MECHANISMS= -# - - -# Inbound Authentication -# Accounts for Authentication -# Example: -# GATEWAY_SMTPD_SASL_ACCOUNTS=example.net=>user1=>password1,example.com=>user2=>password2 -# Required: No -# -# GATEWAY_SMTPD_SASL_ACCOUNTS= -# - - - -# Inbound X-Header Authentication -# Enable inbound X-Header authentication -# Values -# 1 Enabled -# 0 Disabled -# Default: 0 -# Require: No -# -# GATEWAY_XHEADER_AUTH_ENABLED= -# - - - -# Inbound X-Header Authentication -# Enable inbound X-Header authentication Shared Secret -# Example variable: -# GATEWAY_XHEADER_AUTH_SECRET=123456789 -# Example of applied header with secret -# X-Header-Virtru-Auth=123456789 -# Require: No -# -# GATEWAY_XHEADER_AUTH_SECRET= -# - - - -# CKS Enabled Organization -# -# If Gateway is in Decrypt Mode Required -# Required: Yes -# If Gateway is in Encrypt Mode Required only if the Organization is CKS enabled. -# Required: No -# -# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS -# -$gwCks - - - -# CKS Key Intergenerational Period -# Time between Gateway CKS public/private client Key Generation -# -# Required: No -# Default: 360 -# -# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360 -# -$gwCksKey - - - -# Time to Cache DLP rule. -# The interval of time between refreshing the DLP rules in minutes. -# -# Required: No -# Default: 30 -# Minimum: 0 -# -# Note: Number in minutes. To refresh every request, set to 0. -# -# GATEWAY_DLP_CACHE_DURATION=30 - - -# Inbound FROM address rewrite. -# Enable or disable from address rewriting (inbound topology only). This feature allows the Virtru Gateway to support DKIM. 
-# -# Required: No -# Default: 1 -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_REPLACEMENT_FROM_ENABLED=1 - - - -# Enable decryption of PFP protected files -# The feature to enable/disable the option to decrypt Virtru Persistent File Protection -# protected files (DECRYPT mode only) -# -# Required: No -# Default: 1 -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_DECRYPT_PERSISTENT_PROTECTED_ATTACHMENTS=1 - - -# SMTP XHeaders for the Gateway to set on all mail it processes -# Example Header Values -# X-Header-1: value1, X-Header-2: value2 -# GATEWAY_ROUTING_XHEADERS= - -# Cache Outgoing SMTP Connections -# Whether to cache outgoing connections to mailservers. -# If "1", use on-demand connection caching. If "0", do not cache. -# If a list of domains (e.g. example.org,hotmail.com,gmail.com) -# then use per-destination connection caching. -# -# Required: No -# Default: 0 -# Values: -# 1 - True -# 0 - False -# -# GATEWAY_SMTP_CACHE_CONNECTIONS=0 - -# Outgoing SMTP Connection Cache Time Limit -# How long to cache SMTP connections for. -# Sets smtp_connection_cache_time_limit to the provied value -# so that the smtp daemon doesn't close the connection and -# sets connection_cache_ttl_limit to the same value so that the cached value is still valid -# -# Required: No -# Default: None -# Example Values: -# 30s -# 2m -# -# GATEWAY_SMTP_CONNECTION_CACHE_TIME_LIMIT=30s - -# Decrypt Then Re-Encrypt Workflow -# If you use a multi-gateway approach for sending email. -# I.e. your workflow looks something like -# (Decrypt -> Scan -> Encrypt) before sending/receiving email. 
-# -# Required: No -# Default: Disabled -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_DECRYPT_THEN_ENCRYPT=0 - - -EOM - - - - - - - - -} - - - - -WriteScript() { -echo $gwVersion - echo "script" - scriptFile=/var/virtru/vg/scripts/setup-$gwName.sh - - - - - /bin/cat <$scriptFile -docker run \\ ---env-file /var/virtru/vg/env/$gwName.env \\ --v /var/virtru/vg/tls/:/etc/postfix/tls \\ --v /var/virtru/vg/queue/$gwName/:/var/spool/postfix \\ --v /var/virtru/vg/dkim/:/etc/opendkim/keys \\ ---name $gwName \\ ---publish $gwPort:25 \\ ---interactive --tty --detach \\ ---restart unless-stopped \\ ---log-driver json-file \\ ---log-opt max-size=10m \\ ---log-opt max-file=100 \\ -virtru/$gwType:$gwVersion -EOM - - - - - - - - -chmod +x $scriptFile - - - - - - - - -} -ShowNextSteps() { - echo "next steps" - echo "-----------------------" - echo " Deploy Successful!" - echo " Next Steps:" - echo " " - echo " run: sh $scriptFile" - echo "-----------------------" -} - - - - - - - - - - -# Entry Point - - - - - - - - -clear -EntryPoint diff --git a/deploy-gateway-v2.4.sh b/deploy-gateway-v2.4.sh deleted file mode 100644 index 76e0a16..0000000 --- a/deploy-gateway-v2.4.sh +++ /dev/null 
@@ -1,1242 +0,0 @@ -#!/bin/bash - - - - -EntryPoint() -{ -# Default Variables -blank="" -#gwNameDefault="oe" -gwVersionDefault="2.4" -gwPortDefault="9001" -gwModeDefault="encrypt-everything" -gwTopologyDefault="outbound" -gwCksDefault="2" -gwInboundRelayDefault="" -gwFqdnDefault="gw.example.com" -gwDomainDefault="example.com" -gwDkimSelectorDefault="gw" -gwOutboundRelayDefault="" -gwAmplitudeTokenDefault="0000000000" -gwHmacNameDefault="0000000000" -gwHmacSecretDefault="0000000000" - - - - - - - - -# Final Variables -gwName="" -gwVersion="" -gwPort="" -gwMode="" -gwTopology="" -gwInboundRelay="" -gwCks="" -gwCksKey="" -gwFqdn="" -gwDkimSelector="" -gwOutboundRelay="" -gwAmplitudeToken="" -gwHmacName="" -gwHmacSecret="" - - - - - - - - -# Working Variables -tlsPath="" -tlsKeyFile="" -tlsKeyFull="" -tlsPemFile="" -tlsPemFull="" -dkimPath="" -dkimPrivateFull="" -dkimPublicFull="" -scriptFile="" - - - - - - - - -# Actions -ShowLogo -GetGwVersion $gwVersionDefault -GetGwPort $gwPortDefault -GetGwMode $gwModeDefault -GetGwTopology $gwTopologyDefault -GetGwName -GetGwInboundRelay $gwInboundRelayDefault -GetGwCks $gwCksDefault -GetGwFqdn $gwFqdnDefault -GetGwDomain $gwDomainDefault -GetGwDkimSelector $gwDkimSelectorDefault -GetGwOutboundRelay $gwOutboundRelayDefault -GetGwAmplitudeToken $gwAmplitudeTokenDefault -GetGwHmacName $gwHmacNameDefault -GetGwHmacSecret $gwHmacSecretDefault - - - - - - - - -MakeTlsPathVariables -MakeDkimPathVariables -MakeDirectories -MakeTlsCert -MakeDkimCert -WriteEnv -WriteScript -WriteTestScripts -clear -ShowLogo -ShowNextSteps - - - - -} - - - - - - - - - - - - -## Functions -GetGwName() { - if [ $gwTopology = "outbound" ] - then - if [ $gwMode = "encrypt-everything" ] - then - gwName="oe-$gwPort" - fi - if [ $gwMode = "decrypt-everything" ] - then - gwName="od-$gwPort" - fi - if [ $gwMode = "dlp" ] - then - gwName="dlp-out-$gwPort" - fi - else - if [ $gwMode = "encrypt-everything" ] - then - gwName="ie-$gwPort" - fi - if [ $gwMode = 
"decrypt-everything" ] - then - gwName="id-$gwPort" - fi - if [ $gwMode = "dlp" ] - then - gwName="dlp-in-$gwPort" - fi - fi - - -} - - - - -GetGwVersion() { - local input="" - read -p "Gateway Version [$1]: " input - - - - - case "$input" in - $blank ) - gwVersion=$1 - ;; - * ) - gwVersion=$input - ;; - esac - echo " " -} - - - - -GetGwPort() { -local input="" - read -p "Gateway Port [$1]: " input - - - - - case "$input" in - $blank ) - gwPort=$1 - ;; - * ) - gwPort=$input - ;; - esac - echo " " -} - - - - -GetGwMode() { - local input="" - echo "Gateway Mode" - echo " Options" - echo " 1 - encrypt-everything" - echo " 2 - decrypt-everything" - echo " 3 - dlp" - echo " " - read -p "Enter 1-3 [$1]: " input - - - - - case "$input" in - $blank ) - gwMode=$1 - ;; - 1 ) - gwMode="encrypt-everything" - ;; - 2 ) - gwMode="decrypt-everything" - ;; - 3 ) - gwMode="dlp" - ;; - * ) - gwMode=$1 - ;; - esac - echo " " -} - - - - -GetGwTopology() { - local input="" - echo "Gateway Topology" - echo " Options" - echo " 1 - inbound" - echo " 2 - outbound" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwTopology=$1 - ;; - 1 ) - gwTopology="inbound" - ;; - 2 ) - gwTopology="outbound" - ;; - * ) - gwTopology=$1 - ;; - esac - echo " " -} - - - - -GetGwInboundRelay() { - local input="" - echo "Inbound Relay Addresses" - echo " Options" - echo " 1 - G Suite" - echo " 2 - O365" - echo " 3 - All" - echo " 4 - None" - read -p "Enter (1-4) [$1]: " input - - - - - case "$input" in - $blank ) - gwInboundRelay=$1 - ;; - 1 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=35.190.247.0/24,64.233.160.0/19,66.102.0.0/20,66.249.80.0/20,72.14.192.0/18,74.125.0.0/16,108.177.8.0/21,173.194.0.0/16,209.85.128.0/17,216.58.192.0/19,216.239.32.0/19,172.217.0.0/19,172.217.32.0/20,172.217.128.0/19,172.217.160.0/20,172.217.192.0/19,108.177.96.0/19,35.191.0.0/16,130.211.0.0/22" - ;; - 2 ) - 
gwInboundRelay="GATEWAY_RELAY_ADDRESSES=23.103.132.0/22,23.103.136.0/21,23.103.144.0/20,23.103.198.0/23,23.103.200.0/22,23.103.212.0/22,40.92.0.0/14,40.107.0.0/17,40.107.128.0/18,52.100.0.0/14,65.55.88.0/24,65.55.169.0/24,94.245.120.64/26,104.47.0.0/17,104.212.58.0/23,134.170.132.0/24,134.170.140.0/24,157.55.234.0/24,157.56.110.0/23,157.56.112.0/24,207.46.51.64/26,207.46.100.0/24,207.46.163.0/24,213.199.154.0/24,213.199.180.128/26,216.32.180.0/23" - ;; - 3 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=0.0.0.0/0" - ;; - 4 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=" - ;; - * ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=$1" - ;; - esac - echo " " -} - - - - -GetGwCks() { - local input="" - echo "CKS Enabled" - echo " Options" - echo " 1 - Yes" - echo " 2 - No" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - - - ;; - 1 ) - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - 2 ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - * ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - esac - echo " " - - - if [ $gwMode = "decrypt-everything" ] - then - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - fi -} - - - - -GetGwFqdn() { - local input="" - read -p "Gateway FQDN [$1]: " input - - - - - case "$input" in - $blank ) - gwFqdn=$1 - ;; - * ) - gwFqdn=$input - ;; - esac - echo " " -} - - - - -GetGwDomain() { - local input="" - read -p "Gateway Domain [$1]: " input - - - - - case "$input" in - $blank ) - gwDomain=$1 - ;; - * ) - gwDomain=$input - ;; - esac - echo " " -} - - - - -GetGwOutboundRelay() { - local input="" - echo "Outbound Relay - Next Hop in SMTP mailflow after the gateway." 
- echo " Gmail Relay" - echo " [smtp-relay.gmail.com]:587" - echo " " - echo " Office 365" - echo " [MX Record]:25" - echo " " - echo " Custom" - echo " [1.1.1.1]:25" - echo " " - echo " Blank (Gateway performs final delivery)" - read -p "Enter Relay Address []: " input - - - - - case "$input" in - $blank ) - gwOutboundRelay="# GATEWAY_TRANSPORT_MAPS=*=>$1" - ;; - * ) - gwOutboundRelay="GATEWAY_TRANSPORT_MAPS=*=>$input" - ;; - esac - echo " " -} - - - - -GetGwDkimSelector() { - local input="" - read -p "Gateway DKIM Selector [$1]: " input - - - - - case "$input" in - $blank ) - gwDkimSelector=$1 - ;; - * ) - gwDkimSelector=$input - ;; - esac - echo " " -} - - - - -GetGwAmplitudeToken() { - local input="" - read -p "Amplitude Token (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwAmplitudeToken=$1 - ;; - * ) - gwAmplitudeToken=$input - ;; - esac - echo " " -} - - - - -GetGwHmacName() { - local input="" - read -p "HMAC Name (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacName=$1 - ;; - * ) - gwHmacName=$input - ;; - esac - echo " " -} - - - - -GetGwHmacSecret() { - local input="" - read -p "HMAC Secret (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacSecret=$1 - ;; - * ) - gwHmacSecret=$input - ;; - esac - echo " " -} - - - - - - - - -MakeTlsPathVariables() { - tlsPath="/var/virtru/vg/tls/$gwFqdn" - tlsKeyFile="client.key" - tlsKeyFull="$tlsPath/$tlsKeyFile" - tlsPemFile="client.pem" - tlsPemFull="$tlsPath/$tlsPemFile" -} - - - - -MakeDkimPathVariables() { - dkimPath="/var/virtru/vg/dkim" - dkimPrivateFull="$dkimPath/$gwDkimSelector" - dkimPrivateFull="$dkimPrivateFull._domainkey.$gwDomain.pem" - dkimPublicFull="$dkimPath/$gwDkimSelector._domainkey.$gwDomain-public.pem" -} - - - - -MakeDirectories(){ - mkdir -p /var/virtru/vg/ - mkdir -p /var/virtru/vg/env - mkdir -p /var/virtru/vg/scripts - mkdir -p /var/virtru/vg/tls - mkdir -p /var/virtru/vg/queue - mkdir -p 
/var/virtru/vg/queue/$gwName - mkdir -p /var/virtru/bg/test - mkdir -p $tlsPath - mkdir -p /var/virtru/vg/dkim -} - - - - -MakeTlsCert(){ -## Make TLS Certs -openssl genrsa -out $tlsKeyFull 2048 -openssl req -new -key $tlsKeyFull -x509 -subj /CN=$gwFqdn -days 3650 -out $tlsPemFull - - - - -} - - - - -MakeDkimCert(){ -openssl genrsa -out $dkimPrivateFull 1024 -outform PEM -openssl rsa -in $dkimPrivateFull -out $dkimPublicFull -pubout -outform PEM -} - -WriteTestScripts(){ - testScript1=/var/virtru/vg/test/checkendpoints.sh -/bin/cat <$testScript1 -#!/bin/bash - -echo https://google.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://google.com -echo "" - -echo https://acm.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://acm.virtru.com -echo "" - -echo https://events.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://events.virtru.com -echo "" - -echo https://accounts.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://accounts.virtru.com -echo "" - -echo https://secure.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://secure.virtru.com -echo "" - -echo https://storage.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://storage.virtru.com -echo "" - -echo https://encrypted-storage.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://encrypted-storage.virtru.com -echo "" - -echo https://api.amplitude.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://api.amplitude.com -echo "" - -echo https://cdn.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://cdn.virtru.com -echo "" - -echo https://repo.maven.apache.org -curl 
--connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://repo.maven.apache.org -echo "" - -echo https://hub.docker.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://hub.docker.com -echo "" - - - -EOM - - - testScript2=/var/virtru/vg/test/runall.sh -/bin/cat <$testScript2 -#!/bin/bash - -for container in \`docker ps -q\`; do - # show the name of the container - docker inspect --format='{{.Name}}' \$container; - # run the command (date in the case) - docker exec -it \$container \$1 -done - - -EOM - - - testScript3=/var/virtru/vg/test/sendtestmessage.sh -/bin/cat <$testScript3 -#!/bin/bash - -echo "Update Virtru Gateway ENV file to include the lan ip of the Gateway." -echo "Use the lan IP and not the loopback (127.0.0.1)" -read -p "SMTP Server: " server -read -p "SMTP Port: " port -read -p "FROM: " from -read -p "TO: " to - -swaks --To \$to --From \$from --header "Subject: Test mail" --body "This is a test mail" --server \$server --port \$port -tls -4 - - - - -EOM - - -} - - -ShowLogo() { -echo " " -echo " +++ '++." -echo " +++ ++++" -echo " ++++" -echo " ,::: +++ +++ :+++++++ +++++++ .+++++++ .++ '++" -echo " ++++ .+++. '+++ ++++++++++ ++++++++ ++++++++++ ++++ ++++" -echo " ++++ ++++ ++++ +++++''++ +++++++ +++++++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ ++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++++ ;+++ ++++ ++++ ++++ ++++++++" -echo " ++++ +++ ++' ++ ++' .++++" -echo " " -echo " S i m p l e E m a i l P r i v a c y" -echo " " -echo " " - - - - - - - - -} -WriteEnv() { - envFile=/var/virtru/vg/env/$gwName.env - - - - - - - - -/bin/cat <$envFile -# Enable verbose logging in Gateway. -# Values -# Enable: 1 -# Disable: 0 -# Default: 0 -# Required: No -# Note: Set this to 0 unless you are debugging something. 
-# -GATEWAY_VERBOSE_LOGGING=0 - - - -# Domain name of organization -# Values -# Domain -# Required: Yes -# -GATEWAY_ORGANIZATION_DOMAIN=$gwDomain - - - -# Comma delimited list of trusted networks in CIDR formate. -# Inbound addresses allowed to connect to the gateway -# Values (examples) -# All IP: 0.0.0.0/0 -# 2 IP: 2.2.2.2/32,2.2.2.3/32 -# Required: Yes -# -$gwInboundRelay - - - -# Enable Proxy Protocol for SMTP. -# For use behind a load balancer. -# Values -# Enable: 1 -# Disable: 0 -# Default: 1 -# Required: No -# -GATEWAY_PROXY_PROTOCOL=0 - - - -# Comma delimited set of domains and next-hop destinations and optional ports -# Values -# Not defined/Commented out - Final delivery by MX -# GATEWAY_TRANSPORT_MAPS=*=>[Next hop FQDN]:port -# Default: Not defined/Commented out - Final delivery by MX -# Required: No -# -# Examples: -# -# Gmail Relay -# GATEWAY_TRANSPORT_MAPS=*=>[smtp-relay.gmail.com]:587 -# -# Office 365 -# GATEWAY_TRANSPORT_MAPS=*=>[MX Record]:25 -# -# Custom -# GATEWAY_TRANSPORT_MAPS=*=>[1.1.1.1]:25 -# -$gwOutboundRelay - - -# The mode for the Gateway. -# Values -# decrypt-everything -# encrypt-everything -# dlp - Use rules defined on Virtru Dashboard (https://secure.virtru.com/dashboard) -# Default: encrypt-everything -# Required: Yes -# -GATEWAY_MODE=$gwMode - - - -# Topology of the gateway. -# Values -# outbound -# inbound -# Default: outbound -# Required: Yes -GATEWAY_TOPOLOGY=$gwTopology - - - -# URL to Virtru's ACM service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACM_URL=https://acm.virtru.com - - - -# URL to Virtru's Accounts service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACCOUNTS_URL=https://accounts.virtru.com - - - -# The base URL for remote content. -# Required: Yes -# Note: Do not change unless directed by Virtru. If Custom Secure Reader URL is in use the URL should match. 
-# -GATEWAY_REMOTE_CONTENT_BASE_URL=https://secure.virtru.com/start - - - -# DKIM certificate information -# Values -# Not defined/Commented out - Gateway will not perform any DKIM signing -# Complete record for DKIM signing -# Required: No -# Example: -# GATEWAY_DKIM_DOMAINS=gw._domainkey.example.com -# -# GATEWAY_DKIM_DOMAINS=$gwDkimSelector._domainkey.$gwDomain - - - -# HMAC Token Name to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your token Name. -# -GATEWAY_API_TOKEN_NAME=$gwHmacName - - - -# HMAC Token Secret to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token Secret. -# -GATEWAY_API_TOKEN_SECRET=$gwHmacSecret - - - -# Amplitude Token to connect to the Virtru Events platform -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token. -# -GATEWAY_AMPLITUDE_API_KEY=$gwAmplitudeToken - - - -# Consider a message as undeliverable, when delivery fails with a temporary error, and the time in the queue -# has reached the maximal_queue_lifetime limit. -# Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is d (days). -# Postfix default is '5d'. Set this ENV variable if default does not work. -# Values -# NumberUnits -# Default: 5d -# Required: No -# Note: Specify 0 when mail delivery should be tried only once. -# -MAX_QUEUE_LIFETIME=5m - - - -# The maximal time between attempts to deliver a deferred message. 
-# Values -# NumberUnits -# Default: 4000s -# Required: No -# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME -# -MAX_BACKOFF_TIME=45s - - - -# The minimal time between attempts to deliver a deferred message -# Values -# NumberUnits -# Default: 300s -# Required: No -# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME -# -MIN_BACKOFF_TIME=30s - - - -# The time between deferred queue scans by the queue manager -# Values -# NumberUnits -# Default: 300s -# Required: No -# -QUEUE_RUN_DELAY=30s - - - -# Gateway Inbound -# Enable Inbound TLS to the Gateway. -# Values -# 1 Enabled -# 0 Disabled -# Default: 1 -# Required: No -# -GATEWAY_SMTPD_USE_TLS=1 - - - -# TLS Compliance Level for upstream (inbound) connections. -# This sets TLS version and cipher list accordingly. -# Customer is still responsible for following other NIST and/or OWASP recommendations, -# notably making sure certificates are signed and keys are rotated regularly. -# Values: -# LOW -# MEDIUM -# HIPPA_2018 -# PCI_321 -# HIGH -# -# Default: N/A -# Required: No -# Note: If any level above LOW, you must set: -# GATEWAY_SMTPD_SECURITY_LEVEL= mandatory -# GATEWAY_SMTPD_USE_TLS=1 -# -# -# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM - - - -# Gateway Inbound -# TLS level for inbound connections -# Values -# none -# mandatory -# opportunistic -# Require: No -# Note: Only used when: -# GATEWAY_SMTPD_USE_TLS=1 -# -GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic - - - -# Gateway Outbound -# Enable TLS at the Gateway. -# Values -# 1 Enabled -# 0 Disabled -# Default: 1 -# Require: No -# -GATEWAY_SMTP_USE_TLS=1 - - - -# Gateway Outbound -# TLS level for outbound connections -# Values -# none -# mandatory -# opportunistic -# Require: No -# -GATEWAY_SMTP_SECURITY_LEVEL=opportunistic - - - -# TLS Compliance Level for downstream (outbound) connections. -# This sets TLS version and cipher list accordingly. 
-# Customer is still responsible for following other NIST and/or OWASP recommendations, -# notably making sure certificates are signed and keys are rotated regularly. -# Values: -# LOW -# MEDIUM -# HIPPA_2018 -# PCI_321 -# HIGH -# -# Default: N/A -# Required: No -# Note: If any level above LOW, you must set: -# GATEWAY_SMTP_SECURITY_LEVEL= mandatory -# GATEWAY_SMTP_USE_TLS=1 -# -# -# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM - - - -# Gateway Outbound -# If SASL_ENABLED_DOWNSTREAM enabled, specify Postfix SMTP client SASL security options here. -# Default: N/A -# Required: No -# Values: Text -# -# GATEWAY_SMTP_SASL_SECURITY_OPTIONS=noanonymous -# - - - -# Gateway Outbound -# Require SASL authentication for outbound downstream or relay servers attempting to connect this server. -# Default: 0 -# Required: No -# Values: -# 0 (Disabled) -# 1 (Enabled) -# -# GATEWAY_SMTP_SASL_ENABLED_DOWNSTREAM=0 -# - - - -# Gateway Outbound -# Accounts for Authentication -# Example: -# GATEWAY_SMTPD_SASL_ACCOUNTS=example.com=>user1=>password1,example.net=>user2=>password2 -# Required: No -# -# GATEWAY_SMTP_SASL_ACCOUNTS= -# - - - -# Gateway Outbound -# Outbound TLS requirements for a domain. Comma separated list. -# Example -# example.com=>none -# example.net=>maybe -# example.org=>encrypt -# GATEWAY_SMTP_TLS_POLICY_MAPS=example.com=>none,example.net=>maybe -# -# GATEWAY_SMTP_TLS_POLICY_MAPS= - - - -# New Relic Key -# Customer provided key to log events in customer's New Relic Tenant -# Values -# Provided by New Relic -# Required: No -# -# GATEWAY_NEWRELIC_CRED= - - - -# Inbound Authentication enablement. -# Enable inbound authentication. -# Supported modes: CRAM-MD5 or DIGEST-MD5 -# Values -# 1 Enabled -# 0 Disabled -# Default: 0 -# Require: No -# -# GATEWAY_SMTPD_SASL_ENABLED=0 - - - -# Inbound Authentication mechanisms. -# Space-delimited list of SASL mechanisms to support for upstream SASL. 
-# -# Default: N/A -# Required: No -# Values: -# PLAIN -# LOGIN -# CRAM-MD5 -# DIGEST-MD5 -# Note: Only required when: -# GATEWAY_SMTPD_SASL_ENABLED_UPSTREAM=1 -# -# GATEWAY_SMTPD_SASL_MECHANISMS= -# - - -# Inbound Authentication -# Accounts for Authentication -# Example: -# GATEWAY_SMTPD_SASL_ACCOUNTS=example.net=>user1=>password1,example.com=>user2=>password2 -# Required: No -# -# GATEWAY_SMTPD_SASL_ACCOUNTS= -# - - - -# Inbound X-Header Authentication -# Enable inbound X-Header authentication -# Values -# 1 Enabled -# 0 Disabled -# Default: 0 -# Require: No -# -# GATEWAY_XHEADER_AUTH_ENABLED= -# - - - -# Inbound X-Header Authentication -# Enable inbound X-Header authentication Shared Secret -# Example: -# GATEWAY_XHEADER_AUTH_SECRET=123456789 -# -# Require: No -# -# GATEWAY_XHEADER_AUTH_SECRET= -# - - - -# CKS Enabled Organization -# -# If Gateway is in Decrypt Mode Required -# Required: Yes -# If Gateway is in Encrypt Mode Required only if the Organization is CKS enabled. -# Required: No -# -# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS -# -$gwCks - - - -# CKS Key Intergenerational Period -# Time between Gateway CKS public/private client Key Generation -# -# Required: No -# Default: 360 -# -# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360 -# -$gwCksKey - - - -# Time to Cache DLP rule. -# The interval of time between refreshing the DLP rules in minutes. -# -# Required: No -# Default: 30 -# Minimum: 0 -# -# Note: Number in minutes. To refresh every request, set to 0. 
-# -# GATEWAY_DLP_CACHE_DURATION=30 - - - - - -EOM - - - - - - - - -} - - - - -WriteScript() { -echo $gwVersion - echo "script" - scriptFile=/var/virtru/vg/scripts/setup-$gwName.sh - - - - - /bin/cat <$scriptFile -docker run \\ ---env-file /var/virtru/vg/env/$gwName.env \\ --v /var/virtru/vg/tls/:/etc/postfix/tls \\ --v /var/virtru/vg/queue/$gwName/:/var/spool/postfix \\ --v /var/virtru/vg/dkim/:/etc/opendkim/keys \\ ---hostname $gwFqdn \\ ---name $gwName \\ ---publish $gwPort:25 \\ ---interactive --tty --detach \\ ---restart unless-stopped \\ ---log-opt max-size=10m \\ ---log-opt max-file=100 \\ -virtru/gateway:$gwVersion -EOM - - - - - - - - -chmod +x $scriptFile - - - - - - - - -} -ShowNextSteps() { - echo "next steps" - echo "-----------------------" - echo " Deploy Successful!" - echo " Next Steps:" - echo " " - echo " run: docker login" - echo " run: sh $scriptFile" - echo "-----------------------" -} - - - - - - - - - - -# Entry Point - - - - - - - - -clear -EntryPoint - diff --git a/deploy-gateway-v2.28.0.sh b/deploy-gateway-v2.40.0.sh similarity index 98% rename from deploy-gateway-v2.28.0.sh rename to deploy-gateway-v2.40.0.sh index 835893d..42cff20 100644 --- a/deploy-gateway-v2.28.0.sh +++ b/deploy-gateway-v2.40.0.sh @@ -7,7 +7,7 @@ EntryPoint() { # Default Variables blank="" -gwVersionDefault="2.28.0" +gwVersionDefault="2.40.0" gwPortDefault="9001" gwModeDefault="encrypt-everything" gwTopologyDefault="outbound" @@ -791,7 +791,7 @@ GATEWAY_PROXY_PROTOCOL=0 -# Comma delimited set of domains and next-hop destinations and optional ports +# Define the next-hop destination and port, supports FQDN and IPV4 address # Values # Not defined/Commented out - Final delivery by MX # GATEWAY_TRANSPORT_MAPS=*=>[Next hop FQDN]:port 
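Review bot: The reworded comment in the `@@ -791` hunk, `# Define the next-hop destination and port, supports FQDN and IPV4 address`, is a comma splice and mis-cases the protocol name; the same line is changed identically in deploy-gateway-v2.41.0.sh. The examples that follow it still show the host in brackets (`[Next hop FQDN]:port`, `[1.1.1.1]:25`), so the comment should point the reader at that form rather than leave it implicit. Suggest `# Next-hop destination and port; the host may be an FQDN or an IPv4 address (use the bracketed form shown in the examples below)`. The env-file heredoc this comment belongs to starts and ends outside the hunk.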
@@ -1145,7 +1145,7 @@ $gwSmtpTlsCompliance
 # Enable inbound X-Header authentication Shared Secret
 # Example variable:
 # GATEWAY_XHEADER_AUTH_SECRET=123456789
-# Example of applied header with secret
+# Example of applied header with secret
 # X-Header-Virtru-Auth=123456789
 # Require: No
 #
@@ -1210,7 +1210,7 @@ $gwCksKey
 #
 # Required: No
 # Default: 1
-# Values:
+# Values:
 # 1 - Enabled
 # 0 - Disabled
 #
@@ -1220,11 +1220,11 @@ $gwCksKey
 # SMTP XHeaders for the Gateway to set on all mail it processes
 # Example Header Values
 # X-Header-1: value1, X-Header-2: value2
-# GATEWAY_ROUTING_XHEADERS=
+# GATEWAY_ROUTING_XHEADERS=
 # Cache Outgoing SMTP Connections
-# Whether to cache outgoing connections to mailservers.
-# If "1", use on-demand connection caching. If "0", do not cache.
+# Whether to cache outgoing connections to mailservers.
+# If "1", use on-demand connection caching. If "0", do not cache.
 # If a list of domains (e.g. example.org,hotmail.com,gmail.com)
 # then use per-destination connection caching.
 #
@@ -1237,9 +1237,9 @@ $gwCksKey
 # GATEWAY_SMTP_CACHE_CONNECTIONS=0
 # Outgoing SMTP Connection Cache Time Limit
-# How long to cache SMTP connections for.
+# How long to cache SMTP connections for.
 # Sets smtp_connection_cache_time_limit to the provied value
-# so that the smtp daemon doesn't close the connection and
+# so that the smtp daemon doesn't close the connection and
 # sets connection_cache_ttl_limit to the same value so that the cached value is still valid
 #
 # Required: No
@@ -1251,8 +1251,8 @@ $gwCksKey
 # GATEWAY_SMTP_CONNECTION_CACHE_TIME_LIMIT=30s
 # Decrypt Then Re-Encrypt Workflow
-# If you use a multi-gateway approach for sending email.
-# I.e. your workflow looks something like
+# If you use a multi-gateway approach for sending email.
+# I.e. your workflow looks something like
 # (Decrypt -> Scan -> Encrypt) before sending/receiving email.
 #
 # Required: No
diff --git a/deploy-gateway-v2.30.0.sh b/deploy-gateway-v2.41.0.sh
similarity index 98%
rename from deploy-gateway-v2.30.0.sh
rename to deploy-gateway-v2.41.0.sh
index 94e0f1e..9079960 100644
--- a/deploy-gateway-v2.30.0.sh
+++ b/deploy-gateway-v2.41.0.sh
@@ -7,7 +7,7 @@ EntryPoint()
 {
 # Default Variables
 blank=""
-gwVersionDefault="2.30.0"
+gwVersionDefault="2.41.0"
 gwPortDefault="9001"
 gwModeDefault="encrypt-everything"
 gwTopologyDefault="outbound"
@@ -791,7 +791,7 @@ GATEWAY_PROXY_PROTOCOL=0
-# Comma delimited set of domains and next-hop destinations and optional ports
+# Define the next-hop destination and port, supports FQDN and IPV4 address
 # Values
 # Not defined/Commented out - Final delivery by MX
 # GATEWAY_TRANSPORT_MAPS=*=>[Next hop FQDN]:port
@@ -1145,7 +1145,7 @@ $gwSmtpTlsCompliance
 # Enable inbound X-Header authentication Shared Secret
 # Example variable:
 # GATEWAY_XHEADER_AUTH_SECRET=123456789
-# Example of applied header with secret
+# Example of applied header with secret
 # X-Header-Virtru-Auth=123456789
 # Require: No
 #
@@ -1210,7 +1210,7 @@ $gwCksKey
 #
 # Required: No
 # Default: 1
-# Values:
+# Values:
 # 1 - Enabled
 # 0 - Disabled
 #
@@ -1220,11 +1220,11 @@ $gwCksKey
 # SMTP XHeaders for the Gateway to set on all mail it processes
 # Example Header Values
 # X-Header-1: value1, X-Header-2: value2
-# GATEWAY_ROUTING_XHEADERS=
+# GATEWAY_ROUTING_XHEADERS=
 # Cache Outgoing SMTP Connections
-# Whether to cache outgoing connections to mailservers.
-# If "1", use on-demand connection caching. If "0", do not cache.
+# Whether to cache outgoing connections to mailservers.
+# If "1", use on-demand connection caching. If "0", do not cache.
 # If a list of domains (e.g. example.org,hotmail.com,gmail.com)
 # then use per-destination connection caching.
 #
@@ -1237,9 +1237,9 @@ $gwCksKey
 # GATEWAY_SMTP_CACHE_CONNECTIONS=0
 # Outgoing SMTP Connection Cache Time Limit
-# How long to cache SMTP connections for.
+# How long to cache SMTP connections for.
 # Sets smtp_connection_cache_time_limit to the provied value
-# so that the smtp daemon doesn't close the connection and
+# so that the smtp daemon doesn't close the connection and
 # sets connection_cache_ttl_limit to the same value so that the cached value is still valid
 #
 # Required: No
@@ -1251,8 +1251,8 @@ $gwCksKey
 # GATEWAY_SMTP_CONNECTION_CACHE_TIME_LIMIT=30s
 # Decrypt Then Re-Encrypt Workflow
-# If you use a multi-gateway approach for sending email.
-# I.e. your workflow looks something like
+# If you use a multi-gateway approach for sending email.
+# I.e. your workflow looks something like
 # (Decrypt -> Scan -> Encrypt) before sending/receiving email.
 #
 # Required: No
diff --git a/deploy-gateway-v2.5.1.sh b/deploy-gateway-v2.5.1.sh
deleted file mode 100644
index aac4db3..0000000
--- a/deploy-gateway-v2.5.1.sh
+++ /dev/null
@@ -1,1252 +0,0 @@ -#!/bin/bash - - - - -EntryPoint() -{ -# Default Variables -blank="" -gwVersionDefault="2.5.1" -gwPortDefault="9001" -gwModeDefault="encrypt-everything" -gwTopologyDefault="outbound" -gwCksDefault="2" -gwInboundRelayDefault="" -gwFqdnDefault="gw.example.com" -gwDomainDefault="example.com" -gwDkimSelectorDefault="gw" -gwOutboundRelayDefault="" -gwAmplitudeTokenDefault="0000000000" -gwHmacNameDefault="0000000000" -gwHmacSecretDefault="0000000000" - - - - - - - -# Final Variables -gwName="" -gwVersion="" -gwPort="" -gwMode="" -gwTopology="" -gwInboundRelay="" -gwCks="" -gwCksKey="" -gwFqdn="" -gwDkimSelector="" -gwOutboundRelay="" -gwAmplitudeToken="" -gwHmacName="" -gwHmacSecret="" - - - - - - - - -# Working Variables -tlsPath="" -tlsKeyFile="" -tlsKeyFull="" -tlsPemFile="" -tlsPemFull="" -dkimPath="" -dkimPrivateFull="" -dkimPublicFull="" -scriptFile="" - - - - - - - - -# Actions -ShowLogo -GetGwVersion $gwVersionDefault -GetGwPort $gwPortDefault -GetGwMode $gwModeDefault -GetGwTopology $gwTopologyDefault -GetGwName -GetGwInboundRelay $gwInboundRelayDefault -GetGwCks $gwCksDefault -GetGwFqdn $gwFqdnDefault -GetGwDomain $gwDomainDefault -GetGwDkimSelector $gwDkimSelectorDefault -GetGwOutboundRelay $gwOutboundRelayDefault -GetGwAmplitudeToken $gwAmplitudeTokenDefault -GetGwHmacName $gwHmacNameDefault -GetGwHmacSecret $gwHmacSecretDefault - - - - - - - - -MakeTlsPathVariables -MakeDkimPathVariables -MakeDirectories -MakeTlsCert -MakeDkimCert -WriteEnv -WriteScript -WriteTestScripts -clear -ShowLogo -ShowNextSteps - - - - -} - - - - - - - - - - - - -## Functions -GetGwName() { - if [ $gwTopology = "outbound" ] - then - if [ $gwMode = "encrypt-everything" ] - then - gwName="oe-$gwPort" - fi - if [ $gwMode = "decrypt-everything" ] - then - gwName="od-$gwPort" - fi - if [ $gwMode = "dlp" ] - then - gwName="dlp-out-$gwPort" - fi - else - if [ $gwMode = "encrypt-everything" ] - then - gwName="ie-$gwPort" - fi - if [ $gwMode = "decrypt-everything" ] - then 
- gwName="id-$gwPort" - fi - if [ $gwMode = "dlp" ] - then - gwName="dlp-in-$gwPort" - fi - fi - - -} - - - - -GetGwVersion() { - local input="" - read -p "Gateway Version [$1]: " input - - - - - case "$input" in - $blank ) - gwVersion=$1 - ;; - * ) - gwVersion=$input - ;; - esac - echo " " -} - - - - -GetGwPort() { -local input="" - read -p "Gateway Port [$1]: " input - - - - - case "$input" in - $blank ) - gwPort=$1 - ;; - * ) - gwPort=$input - ;; - esac - echo " " -} - - - - -GetGwMode() { - local input="" - echo "Gateway Mode" - echo " Options" - echo " 1 - encrypt-everything" - echo " 2 - decrypt-everything" - echo " 3 - dlp" - echo " " - read -p "Enter 1-3 [$1]: " input - - - - - case "$input" in - $blank ) - gwMode=$1 - ;; - 1 ) - gwMode="encrypt-everything" - ;; - 2 ) - gwMode="decrypt-everything" - ;; - 3 ) - gwMode="dlp" - ;; - * ) - gwMode=$1 - ;; - esac - echo " " -} - - - - -GetGwTopology() { - local input="" - echo "Gateway Topology" - echo " Options" - echo " 1 - inbound" - echo " 2 - outbound" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwTopology=$1 - ;; - 1 ) - gwTopology="inbound" - ;; - 2 ) - gwTopology="outbound" - ;; - * ) - gwTopology=$1 - ;; - esac - echo " " -} - - - - -GetGwInboundRelay() { - local input="" - echo "Inbound Relay Addresses" - echo " Options" - echo " 1 - G Suite" - echo " 2 - O365" - echo " 3 - All" - echo " 4 - None" - read -p "Enter (1-4) [$1]: " input - - - - - case "$input" in - $blank ) - gwInboundRelay=$1 - ;; - 1 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=35.190.247.0/24,64.233.160.0/19,66.102.0.0/20,66.249.80.0/20,72.14.192.0/18,74.125.0.0/16,108.177.8.0/21,173.194.0.0/16,209.85.128.0/17,216.58.192.0/19,216.239.32.0/19,172.217.0.0/19,172.217.32.0/20,172.217.128.0/19,172.217.160.0/20,172.217.192.0/19,108.177.96.0/19,35.191.0.0/16,130.211.0.0/22" - ;; - 2 ) - 
gwInboundRelay="GATEWAY_RELAY_ADDRESSES=23.103.132.0/22,23.103.136.0/21,23.103.144.0/20,23.103.198.0/23,23.103.200.0/22,23.103.212.0/22,40.92.0.0/14,40.107.0.0/17,40.107.128.0/18,52.100.0.0/14,65.55.88.0/24,65.55.169.0/24,94.245.120.64/26,104.47.0.0/17,104.212.58.0/23,134.170.132.0/24,134.170.140.0/24,157.55.234.0/24,157.56.110.0/23,157.56.112.0/24,207.46.51.64/26,207.46.100.0/24,207.46.163.0/24,213.199.154.0/24,213.199.180.128/26,216.32.180.0/23" - ;; - 3 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=0.0.0.0/0" - ;; - 4 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=" - ;; - * ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=$1" - ;; - esac - echo " " -} - - - - -GetGwCks() { - local input="" - echo "CKS Enabled" - echo " Options" - echo " 1 - Yes" - echo " 2 - No" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - - - ;; - 1 ) - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - 2 ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - * ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - esac - echo " " - - - if [ $gwMode = "decrypt-everything" ] - then - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - fi -} - - - - -GetGwFqdn() { - local input="" - read -p "Gateway FQDN [$1]: " input - - - - - case "$input" in - $blank ) - gwFqdn=$1 - ;; - * ) - gwFqdn=$input - ;; - esac - echo " " -} - - - - -GetGwDomain() { - local input="" - read -p "Gateway Domain [$1]: " input - - - - - case "$input" in - $blank ) - gwDomain=$1 - ;; - * ) - gwDomain=$input - ;; - esac - echo " " -} - - - - -GetGwOutboundRelay() { - local input="" - echo "Outbound Relay - Next Hop in SMTP mailflow after the gateway." 
- echo " Gmail Relay" - echo " [smtp-relay.gmail.com]:587" - echo " " - echo " Office 365" - echo " [MX Record]:25" - echo " " - echo " Custom" - echo " [1.1.1.1]:25" - echo " " - echo " Blank (Gateway performs final delivery)" - read -p "Enter Relay Address []: " input - - - - - case "$input" in - $blank ) - gwOutboundRelay="# GATEWAY_TRANSPORT_MAPS=*=>$1" - ;; - * ) - gwOutboundRelay="GATEWAY_TRANSPORT_MAPS=*=>$input" - ;; - esac - echo " " -} - - - - -GetGwDkimSelector() { - local input="" - read -p "Gateway DKIM Selector [$1]: " input - - - - - case "$input" in - $blank ) - gwDkimSelector=$1 - ;; - * ) - gwDkimSelector=$input - ;; - esac - echo " " -} - - - - -GetGwAmplitudeToken() { - local input="" - read -p "Amplitude Token (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwAmplitudeToken=$1 - ;; - * ) - gwAmplitudeToken=$input - ;; - esac - echo " " -} - - - - -GetGwHmacName() { - local input="" - read -p "Token ID (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacName=$1 - ;; - * ) - gwHmacName=$input - ;; - esac - echo " " -} - - - - -GetGwHmacSecret() { - local input="" - read -p "Token (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacSecret=$1 - ;; - * ) - gwHmacSecret=$input - ;; - esac - echo " " -} - - - - - - - - -MakeTlsPathVariables() { - tlsPath="/var/virtru/vg/tls/$gwFqdn" - tlsKeyFile="client.key" - tlsKeyFull="$tlsPath/$tlsKeyFile" - tlsPemFile="client.pem" - tlsPemFull="$tlsPath/$tlsPemFile" -} - - - - -MakeDkimPathVariables() { - dkimPath="/var/virtru/vg/dkim" - dkimPrivateFull="$dkimPath/$gwDkimSelector" - dkimPrivateFull="$dkimPrivateFull._domainkey.$gwDomain.pem" - dkimPublicFull="$dkimPath/$gwDkimSelector._domainkey.$gwDomain-public.pem" -} - - - - -MakeDirectories(){ - mkdir -p /var/virtru/vg/ - mkdir -p /var/virtru/vg/env - mkdir -p /var/virtru/vg/scripts - mkdir -p /var/virtru/vg/tls - mkdir -p /var/virtru/vg/queue - mkdir -p 
/var/virtru/vg/queue/$gwName - mkdir -p /var/virtru/vg/test - mkdir -p $tlsPath - mkdir -p /var/virtru/vg/dkim -} - - - - -MakeTlsCert(){ -## Make TLS Certs -openssl genrsa -out $tlsKeyFull 2048 -openssl req -new -key $tlsKeyFull -x509 -subj /CN=$gwFqdn -days 3650 -out $tlsPemFull - -} - - - - -MakeDkimCert(){ -openssl genrsa -out $dkimPrivateFull 1024 -outform PEM -openssl rsa -in $dkimPrivateFull -out $dkimPublicFull -pubout -outform PEM -} - -WriteTestScripts(){ - testScript1=/var/virtru/vg/test/checkendpoints.sh -/bin/cat <$testScript1 -#!/bin/bash - -echo https://google.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://google.com -echo "" - -echo https://acm.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://acm.virtru.com -echo "" - -echo https://events.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://events.virtru.com -echo "" - -echo https://accounts.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://accounts.virtru.com -echo "" - -echo https://secure.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://secure.virtru.com -echo "" - -echo https://storage.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://storage.virtru.com -echo "" - -echo https://encrypted-storage.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://encrypted-storage.virtru.com -echo "" - -echo https://api.amplitude.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://api.amplitude.com -echo "" - -echo https://cdn.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://cdn.virtru.com -echo "" - -echo https://repo.maven.apache.org -curl 
--connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://repo.maven.apache.org -echo "" - -echo https://hub.docker.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://hub.docker.com -echo "" - - - -EOM - - - testScript2=/var/virtru/vg/test/runall.sh -/bin/cat <$testScript2 -#!/bin/bash - -for container in \`docker ps -q\`; do - # show the name of the container - docker inspect --format='{{.Name}}' \$container; - # run the command (date in the case) - docker exec -it \$container \$1 -done - - -EOM - - - testScript3=/var/virtru/vg/test/sendtestmessage.sh -/bin/cat <$testScript3 -#!/bin/bash - -echo "Update Virtru Gateway ENV file to include the lan ip of the Gateway." -echo "Use the lan IP and not the loopback (127.0.0.1)" -read -p "SMTP Server: " server -read -p "SMTP Port: " port -read -p "FROM: " from -read -p "TO: " to - -swaks --To \$to --From \$from --header "Subject: Test mail" --body "This is a test mail" --server \$server --port \$port -tls -4 - - - - -EOM - - -} - - -ShowLogo() { -echo " " -echo " +++ '++." -echo " +++ ++++" -echo " ++++" -echo " ,::: +++ +++ :+++++++ +++++++ .+++++++ .++ '++" -echo " ++++ .+++. '+++ ++++++++++ ++++++++ ++++++++++ ++++ ++++" -echo " ++++ ++++ ++++ +++++''++ +++++++ +++++++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ ++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++++ ;+++ ++++ ++++ ++++ ++++++++" -echo " ++++ +++ ++' ++ ++' .++++" -echo " " -echo " S i m p l e E m a i l P r i v a c y" -echo " " -echo " " - - - - - - - - -} -WriteEnv() { - envFile=/var/virtru/vg/env/$gwName.env - - - - - - - - -/bin/cat <$envFile -# Required to match the CN (Common Name) on the certificate. -# TLS will not function unless this matches. -# -GATEWAY_HOSTNAME=$gwFqdn - - -# Enable verbose logging in Gateway. 
-# Values -# Enable: 1 -# Disable: 0 -# Default: 0 -# Required: No -# Note: Set this to 0 unless you are debugging something. -# -GATEWAY_VERBOSE_LOGGING=0 - - - -# Domain name of organization -# Values -# Domain -# Required: Yes -# -GATEWAY_ORGANIZATION_DOMAIN=$gwDomain - - - -# Comma delimited list of trusted networks in CIDR formate. -# Inbound addresses allowed to connect to the gateway -# Values (examples) -# All IP: 0.0.0.0/0 -# 2 IP: 2.2.2.2/32,2.2.2.3/32 -# Required: Yes -# -$gwInboundRelay - - - -# Enable Proxy Protocol for SMTP. -# For use behind a load balancer. -# Values -# Enable: 1 -# Disable: 0 -# Default: 1 -# Required: No -# -GATEWAY_PROXY_PROTOCOL=0 - - - -# Comma delimited set of domains and next-hop destinations and optional ports -# Values -# Not defined/Commented out - Final delivery by MX -# GATEWAY_TRANSPORT_MAPS=*=>[Next hop FQDN]:port -# Default: Not defined/Commented out - Final delivery by MX -# Required: No -# -# Examples: -# -# Gmail Relay -# GATEWAY_TRANSPORT_MAPS=*=>[smtp-relay.gmail.com]:587 -# -# Office 365 -# GATEWAY_TRANSPORT_MAPS=*=>[MX Record]:25 -# -# Custom -# GATEWAY_TRANSPORT_MAPS=*=>[1.1.1.1]:25 -# -$gwOutboundRelay - - -# The mode for the Gateway. -# Values -# decrypt-everything -# encrypt-everything -# dlp - Use rules defined on Virtru Dashboard (https://secure.virtru.com/dashboard) -# Default: encrypt-everything -# Required: Yes -# -GATEWAY_MODE=$gwMode - - - -# Topology of the gateway. -# Values -# outbound -# inbound -# Default: outbound -# Required: Yes -GATEWAY_TOPOLOGY=$gwTopology - - - -# URL to Virtru's ACM service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACM_URL=https://acm.virtru.com - - - -# URL to Virtru's Accounts service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACCOUNTS_URL=https://accounts.virtru.com - - - -# The base URL for remote content. -# Required: Yes -# Note: Do not change unless directed by Virtru. If Custom Secure Reader URL is in use the URL should match. 
-# -GATEWAY_REMOTE_CONTENT_BASE_URL=https://secure.virtru.com/start - - - -# DKIM certificate information -# Values -# Not defined/Commented out - Gateway will not perform any DKIM signing -# Complete record for DKIM signing -# Required: No -# Example: -# GATEWAY_DKIM_DOMAINS=gw._domainkey.example.com -# -# GATEWAY_DKIM_DOMAINS=$gwDkimSelector._domainkey.$gwDomain - - - -# HMAC Token Name to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your token Name. -# -GATEWAY_API_TOKEN_NAME=$gwHmacName - - - -# HMAC Token Secret to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token Secret. -# -GATEWAY_API_TOKEN_SECRET=$gwHmacSecret - - - -# Amplitude Token to connect to the Virtru Events platform -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token. -# -GATEWAY_AMPLITUDE_API_KEY=$gwAmplitudeToken - - - -# Consider a message as undeliverable, when delivery fails with a temporary error, and the time in the queue -# has reached the maximal_queue_lifetime limit. -# Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is d (days). -# Postfix default is '5d'. Set this ENV variable if default does not work. -# Values -# NumberUnits -# Default: 5d -# Required: No -# Note: Specify 0 when mail delivery should be tried only once. -# -MAX_QUEUE_LIFETIME=5m - - - -# The maximal time between attempts to deliver a deferred message. 
-# Values -# NumberUnits -# Default: 4000s -# Required: No -# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME -# -MAX_BACKOFF_TIME=45s - - - -# The minimal time between attempts to deliver a deferred message -# Values -# NumberUnits -# Default: 300s -# Required: No -# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME -# -MIN_BACKOFF_TIME=30s - - - -# The time between deferred queue scans by the queue manager -# Values -# NumberUnits -# Default: 300s -# Required: No -# -QUEUE_RUN_DELAY=30s - - - -# Gateway Inbound -# Enable Inbound TLS to the Gateway. -# Values -# 1 Enabled -# 0 Disabled -# Default: 1 -# Required: No -# -GATEWAY_SMTPD_USE_TLS=1 - - - -# TLS Compliance Level for upstream (inbound) connections. -# This sets TLS version and cipher list accordingly. -# Customer is still responsible for following other NIST and/or OWASP recommendations, -# notably making sure certificates are signed and keys are rotated regularly. -# Values: -# LOW -# MEDIUM -# HIPPA_2018 -# PCI_321 -# HIGH -# -# Default: N/A -# Required: No -# Note: If any level above LOW, you must set: -# GATEWAY_SMTPD_SECURITY_LEVEL= mandatory -# GATEWAY_SMTPD_USE_TLS=1 -# -# -# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM - - - -# Gateway Inbound -# TLS level for inbound connections -# Values -# none -# mandatory -# opportunistic -# Require: No -# Note: Only used when: -# GATEWAY_SMTPD_USE_TLS=1 -# -GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic - - - -# Gateway Outbound -# Enable TLS at the Gateway. -# Values -# 1 Enabled -# 0 Disabled -# Default: 1 -# Require: No -# -GATEWAY_SMTP_USE_TLS=1 - - - -# Gateway Outbound -# TLS level for outbound connections -# Values -# none -# mandatory -# opportunistic -# Require: No -# -GATEWAY_SMTP_SECURITY_LEVEL=opportunistic - - - -# TLS Compliance Level for downstream (outbound) connections. -# This sets TLS version and cipher list accordingly. 
-# Customer is still responsible for following other NIST and/or OWASP recommendations, -# notably making sure certificates are signed and keys are rotated regularly. -# Values: -# LOW -# MEDIUM -# HIPPA_2018 -# PCI_321 -# HIGH -# -# Default: N/A -# Required: No -# Note: If any level above LOW, you must set: -# GATEWAY_SMTP_SECURITY_LEVEL= mandatory -# GATEWAY_SMTP_USE_TLS=1 -# -# -# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM - - - -# Gateway Outbound -# If SASL_ENABLED_DOWNSTREAM enabled, specify Postfix SMTP client SASL security options here. -# Default: N/A -# Required: No -# Values: Text -# -# GATEWAY_SMTP_SASL_SECURITY_OPTIONS=noanonymous -# - - - -# Gateway Outbound -# Require SASL authentication for outbound downstream or relay servers attempting to connect this server. -# Default: 0 -# Required: No -# Values: -# 0 (Disabled) -# 1 (Enabled) -# -# GATEWAY_SMTP_SASL_ENABLED_DOWNSTREAM=0 -# - - - -# Gateway Outbound -# Accounts for Authentication -# Example: -# GATEWAY_SMTPD_SASL_GATEWAY_SMTPD_SASL_ACCOUNTS=example.com=>user1=>password1,example.net=>user2=>password2 -# Required: No -# -# GATEWAY_SMTP_SASL_ACCOUNTS= -# - - - -# Gateway Outbound -# Outbound TLS requirements for a domain. Comma separated list. -# Example -# example.com=>none -# example.net=>maybe -# example.org=>encrypt -# GATEWAY_SMTP_TLS_POLICY_MAPS=example.com=>none,example.net=>maybe -# -# GATEWAY_SMTP_TLS_POLICY_MAPS= - - - -# New Relic Key -# Customer provided key to log events in customer's New Relic Tenant -# Values -# Provided by New Relic -# Required: No -# -# GATEWAY_NEWRELIC_CRED= - - - -# Inbound Authentication enablement. -# Enable inbound authentication. -# Supported modes: CRAM-MD5 or DIGEST-MD5 -# Values -# 1 Enabled -# 0 Disabled -# Default: 0 -# Require: No -# -# GATEWAY_SMTPD_SASL_ENABLED=0 - - - -# Inbound Authentication mechanisms. -# Space-delimited list of SASL mechanisms to support for upstream SASL. 
-# -# Default: N/A -# Required: No -# Values: -# PLAIN -# LOGIN -# CRAM-MD5 -# DIGEST-MD5 -# Note: Only required when: -# GATEWAY_SMTPD_SASL_ENABLED_UPSTREAM=1 -# -# GATEWAY_SMTPD_SASL_MECHANISMS= -# - - -# Inbound Authentication -# Accounts for Authentication -# Example: -# GATEWAY_SMTPD_SASL_ACCOUNTS=example.net=>user1=>password1,example.com=>user2=>password2 -# Required: No -# -# GATEWAY_SMTPD_SASL_ACCOUNTS= -# - - - -# Inbound X-Header Authentication -# Enable inbound X-Header authentication -# Values -# 1 Enabled -# 0 Disabled -# Default: 0 -# Require: No -# -# GATEWAY_XHEADER_AUTH_ENABLED= -# - - - -# Inbound X-Header Authentication -# Enable inbound X-Header authentication Shared Secret -# Example: -# GATEWAY_XHEADER_AUTH_SECRET=123456789 -# -# Require: No -# -# GATEWAY_XHEADER_AUTH_SECRET= -# - - - -# CKS Enabled Organization -# -# If Gateway is in Decrypt Mode Required -# Required: Yes -# If Gateway is in Encrypt Mode Required only if the Organization is CKS enabled. -# Required: No -# -# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS -# -$gwCks - - - -# CKS Key Intergenerational Period -# Time between Gateway CKS public/private client Key Generation -# -# Required: No -# Default: 360 -# -# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360 -# -$gwCksKey - - - -# Time to Cache DLP rule. -# The interval of time between refreshing the DLP rules in minutes. -# -# Required: No -# Default: 30 -# Minimum: 0 -# -# Note: Number in minutes. To refresh every request, set to 0. -# -# GATEWAY_DLP_CACHE_DURATION=30 - - -# Inbound FROM address rewrite. -# Enable or disable from address rewriting (inbound topology only). This feature allows the Virtru Gateway to support DKIM. 
-# -# Required: No -# Default: 1 -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_REPLACEMENT_FROM_ENABLED=1 - - -EOM - - - - - - - - -} - - - - -WriteScript() { -echo $gwVersion - echo "script" - scriptFile=/var/virtru/vg/scripts/setup-$gwName.sh - - - - - /bin/cat <$scriptFile -docker run \\ ---env-file /var/virtru/vg/env/$gwName.env \\ --v /var/virtru/vg/tls/:/etc/postfix/tls \\ --v /var/virtru/vg/queue/$gwName/:/var/spool/postfix \\ --v /var/virtru/vg/dkim/:/etc/opendkim/keys \\ ---name $gwName \\ ---publish $gwPort:25 \\ ---interactive --tty --detach \\ ---restart unless-stopped \\ ---log-driver json-file \\ ---log-opt max-size=10m \\ ---log-opt max-file=100 \\ -virtru/gateway:$gwVersion -EOM - - - - - - - - -chmod +x $scriptFile - - - - - - - - -} -ShowNextSteps() { - echo "next steps" - echo "-----------------------" - echo " Deploy Successful!" - echo " Next Steps:" - echo " " - echo " run: docker login" - echo " run: sh $scriptFile" - echo "-----------------------" -} - - - - - - - - - - -# Entry Point - - - - - - - - -clear -EntryPoint - diff --git a/deploy-gateway-v2.8.1.sh b/deploy-gateway-v2.8.1.sh deleted file mode 100644 index 25d33e3..0000000 --- a/deploy-gateway-v2.8.1.sh +++ /dev/null 
@@ -1,1265 +0,0 @@ -#!/bin/bash - - - - -EntryPoint() -{ -# Default Variables -blank="" -gwVersionDefault="2.8.1" -gwPortDefault="9001" -gwModeDefault="encrypt-everything" -gwTopologyDefault="outbound" -gwCksDefault="2" -gwInboundRelayDefault="" -gwFqdnDefault="gw.example.com" -gwDomainDefault="example.com" -gwDkimSelectorDefault="gw" -gwOutboundRelayDefault="" -gwAmplitudeTokenDefault="0000000000" -gwHmacNameDefault="0000000000" -gwHmacSecretDefault="0000000000" - - - - - - - -# Final Variables -gwName="" -gwVersion="" -gwPort="" -gwMode="" -gwTopology="" -gwInboundRelay="" -gwCks="" -gwCksKey="" -gwFqdn="" -gwDkimSelector="" -gwOutboundRelay="" -gwAmplitudeToken="" -gwHmacName="" -gwHmacSecret="" - - - - - - - - -# Working Variables -tlsPath="" -tlsKeyFile="" -tlsKeyFull="" -tlsPemFile="" -tlsPemFull="" -dkimPath="" -dkimPrivateFull="" -dkimPublicFull="" -scriptFile="" - - - - - - - - -# Actions -ShowLogo -GetGwVersion $gwVersionDefault -GetGwPort $gwPortDefault -GetGwMode $gwModeDefault -GetGwTopology $gwTopologyDefault -GetGwName -GetGwInboundRelay $gwInboundRelayDefault -GetGwCks $gwCksDefault -GetGwFqdn $gwFqdnDefault -GetGwDomain $gwDomainDefault -GetGwDkimSelector $gwDkimSelectorDefault -GetGwOutboundRelay $gwOutboundRelayDefault -GetGwAmplitudeToken $gwAmplitudeTokenDefault -GetGwHmacName $gwHmacNameDefault -GetGwHmacSecret $gwHmacSecretDefault - - - - - - - - -MakeTlsPathVariables -MakeDkimPathVariables -MakeDirectories -MakeTlsCert -MakeDkimCert -WriteEnv -WriteScript -WriteTestScripts -clear -ShowLogo -ShowNextSteps - - - - -} - - - - - - - - - - - - -## Functions -GetGwName() { - if [ $gwTopology = "outbound" ] - then - if [ $gwMode = "encrypt-everything" ] - then - gwName="oe-$gwPort" - fi - if [ $gwMode = "decrypt-everything" ] - then - gwName="od-$gwPort" - fi - if [ $gwMode = "dlp" ] - then - gwName="dlp-out-$gwPort" - fi - else - if [ $gwMode = "encrypt-everything" ] - then - gwName="ie-$gwPort" - fi - if [ $gwMode = "decrypt-everything" ] - then 
- gwName="id-$gwPort" - fi - if [ $gwMode = "dlp" ] - then - gwName="dlp-in-$gwPort" - fi - fi - - -} - - - - -GetGwVersion() { - local input="" - read -p "Gateway Version [$1]: " input - - - - - case "$input" in - $blank ) - gwVersion=$1 - ;; - * ) - gwVersion=$input - ;; - esac - echo " " -} - - - - -GetGwPort() { -local input="" - read -p "Gateway Port [$1]: " input - - - - - case "$input" in - $blank ) - gwPort=$1 - ;; - * ) - gwPort=$input - ;; - esac - echo " " -} - - - - -GetGwMode() { - local input="" - echo "Gateway Mode" - echo " Options" - echo " 1 - encrypt-everything" - echo " 2 - decrypt-everything" - echo " 3 - dlp" - echo " " - read -p "Enter 1-3 [$1]: " input - - - - - case "$input" in - $blank ) - gwMode=$1 - ;; - 1 ) - gwMode="encrypt-everything" - ;; - 2 ) - gwMode="decrypt-everything" - ;; - 3 ) - gwMode="dlp" - ;; - * ) - gwMode=$1 - ;; - esac - echo " " -} - - - - -GetGwTopology() { - local input="" - echo "Gateway Topology" - echo " Options" - echo " 1 - inbound" - echo " 2 - outbound" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwTopology=$1 - ;; - 1 ) - gwTopology="inbound" - ;; - 2 ) - gwTopology="outbound" - ;; - * ) - gwTopology=$1 - ;; - esac - echo " " -} - - - - -GetGwInboundRelay() { - local input="" - echo "Inbound Relay Addresses" - echo " Options" - echo " 1 - G Suite" - echo " 2 - O365" - echo " 3 - All" - echo " 4 - None" - read -p "Enter (1-4) [$1]: " input - - - - - case "$input" in - $blank ) - gwInboundRelay=$1 - ;; - 1 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=35.190.247.0/24,64.233.160.0/19,66.102.0.0/20,66.249.80.0/20,72.14.192.0/18,74.125.0.0/16,108.177.8.0/21,173.194.0.0/16,209.85.128.0/17,216.58.192.0/19,216.239.32.0/19,172.217.0.0/19,172.217.32.0/20,172.217.128.0/19,172.217.160.0/20,172.217.192.0/19,108.177.96.0/19,35.191.0.0/16,130.211.0.0/22" - ;; - 2 ) - 
gwInboundRelay="GATEWAY_RELAY_ADDRESSES=23.103.132.0/22,23.103.136.0/21,23.103.144.0/20,23.103.198.0/23,23.103.200.0/22,23.103.212.0/22,40.92.0.0/14,40.107.0.0/17,40.107.128.0/18,52.100.0.0/14,65.55.88.0/24,65.55.169.0/24,94.245.120.64/26,104.47.0.0/17,104.212.58.0/23,134.170.132.0/24,134.170.140.0/24,157.55.234.0/24,157.56.110.0/23,157.56.112.0/24,207.46.51.64/26,207.46.100.0/24,207.46.163.0/24,213.199.154.0/24,213.199.180.128/26,216.32.180.0/23" - ;; - 3 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=0.0.0.0/0" - ;; - 4 ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=" - ;; - * ) - gwInboundRelay="GATEWAY_RELAY_ADDRESSES=$1" - ;; - esac - echo " " -} - - - - -GetGwCks() { - local input="" - echo "CKS Enabled" - echo " Options" - echo " 1 - Yes" - echo " 2 - No" - echo " " - read -p "Enter 1-2 [$1]: " input - - - - - case "$input" in - $blank ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - - - ;; - 1 ) - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - 2 ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - * ) - gwCks="# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - ;; - esac - echo " " - - - if [ $gwMode = "decrypt-everything" ] - then - gwCks="GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS" - gwCksKey="GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360" - fi -} - - - - -GetGwFqdn() { - local input="" - read -p "Gateway FQDN [$1]: " input - - - - - case "$input" in - $blank ) - gwFqdn=$1 - ;; - * ) - gwFqdn=$input - ;; - esac - echo " " -} - - - - -GetGwDomain() { - local input="" - read -p "Gateway Domain [$1]: " input - - - - - case "$input" in - $blank ) - gwDomain=$1 - ;; - * ) - gwDomain=$input - ;; - esac - echo " " -} - - - - -GetGwOutboundRelay() { - local input="" - echo "Outbound Relay - Next Hop in SMTP mailflow after the gateway." 
- echo " Gmail Relay" - echo " [smtp-relay.gmail.com]:587" - echo " " - echo " Office 365" - echo " [MX Record]:25" - echo " " - echo " Custom" - echo " [1.1.1.1]:25" - echo " " - echo " Blank (Gateway performs final delivery)" - read -p "Enter Relay Address []: " input - - - - - case "$input" in - $blank ) - gwOutboundRelay="# GATEWAY_TRANSPORT_MAPS=*=>$1" - ;; - * ) - gwOutboundRelay="GATEWAY_TRANSPORT_MAPS=*=>$input" - ;; - esac - echo " " -} - - - - -GetGwDkimSelector() { - local input="" - read -p "Gateway DKIM Selector [$1]: " input - - - - - case "$input" in - $blank ) - gwDkimSelector=$1 - ;; - * ) - gwDkimSelector=$input - ;; - esac - echo " " -} - - - - -GetGwAmplitudeToken() { - local input="" - read -p "Amplitude Token (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwAmplitudeToken=$1 - ;; - * ) - gwAmplitudeToken=$input - ;; - esac - echo " " -} - - - - -GetGwHmacName() { - local input="" - read -p "Token ID (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacName=$1 - ;; - * ) - gwHmacName=$input - ;; - esac - echo " " -} - - - - -GetGwHmacSecret() { - local input="" - read -p "Token (Provided by Virtru) [$1]: " input - - - - - case "$input" in - $blank ) - gwHmacSecret=$1 - ;; - * ) - gwHmacSecret=$input - ;; - esac - echo " " -} - - - - - - - - -MakeTlsPathVariables() { - tlsPath="/var/virtru/vg/tls/$gwFqdn" - tlsKeyFile="client.key" - tlsKeyFull="$tlsPath/$tlsKeyFile" - tlsPemFile="client.pem" - tlsPemFull="$tlsPath/$tlsPemFile" -} - - - - -MakeDkimPathVariables() { - dkimPath="/var/virtru/vg/dkim" - dkimPrivateFull="$dkimPath/$gwDkimSelector" - dkimPrivateFull="$dkimPrivateFull._domainkey.$gwDomain.pem" - dkimPublicFull="$dkimPath/$gwDkimSelector._domainkey.$gwDomain-public.pem" -} - - - - -MakeDirectories(){ - mkdir -p /var/virtru/vg/ - mkdir -p /var/virtru/vg/env - mkdir -p /var/virtru/vg/scripts - mkdir -p /var/virtru/vg/tls - mkdir -p /var/virtru/vg/queue - mkdir -p 
/var/virtru/vg/queue/$gwName - mkdir -p /var/virtru/vg/test - mkdir -p $tlsPath - mkdir -p /var/virtru/vg/dkim -} - - - - -MakeTlsCert(){ -## Make TLS Certs -openssl genrsa -out $tlsKeyFull 2048 -openssl req -new -key $tlsKeyFull -x509 -subj /CN=$gwFqdn -days 3650 -out $tlsPemFull - -} - - - - -MakeDkimCert(){ -openssl genrsa -out $dkimPrivateFull 1024 -outform PEM -openssl rsa -in $dkimPrivateFull -out $dkimPublicFull -pubout -outform PEM -} - -WriteTestScripts(){ - testScript1=/var/virtru/vg/test/checkendpoints.sh -/bin/cat <$testScript1 -#!/bin/bash - -echo https://google.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://google.com -echo "" - -echo https://acm.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://acm.virtru.com -echo "" - -echo https://events.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://events.virtru.com -echo "" - -echo https://accounts.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://accounts.virtru.com -echo "" - -echo https://secure.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://secure.virtru.com -echo "" - -echo https://storage.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://storage.virtru.com -echo "" - -echo https://encrypted-storage.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://encrypted-storage.virtru.com -echo "" - -echo https://api.amplitude.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://api.amplitude.com -echo "" - -echo https://cdn.virtru.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://cdn.virtru.com -echo "" - -echo https://repo.maven.apache.org -curl 
--connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://repo.maven.apache.org -echo "" - -echo https://hub.docker.com -curl --connect-timeout 10 -o /dev/null --silent --head --write-out '%{http_code}\n' https://hub.docker.com -echo "" - - - -EOM - - - testScript2=/var/virtru/vg/test/runall.sh -/bin/cat <$testScript2 -#!/bin/bash - -for container in \`docker ps -q\`; do - # show the name of the container - docker inspect --format='{{.Name}}' \$container; - # run the command (date in the case) - docker exec -it \$container \$1 -done - - -EOM - - - testScript3=/var/virtru/vg/test/sendtestmessage.sh -/bin/cat <$testScript3 -#!/bin/bash - -echo "Update Virtru Gateway ENV file to include the lan ip of the Gateway." -echo "Use the lan IP and not the loopback (127.0.0.1)" -read -p "SMTP Server: " server -read -p "SMTP Port: " port -read -p "FROM: " from -read -p "TO: " to - -swaks --To \$to --From \$from --header "Subject: Test mail" --body "This is a test mail" --server \$server --port \$port -tls -4 - - - - -EOM - - -} - - -ShowLogo() { -echo " " -echo " +++ '++." -echo " +++ ++++" -echo " ++++" -echo " ,::: +++ +++ :+++++++ +++++++ .+++++++ .++ '++" -echo " ++++ .+++. '+++ ++++++++++ ++++++++ ++++++++++ ++++ ++++" -echo " ++++ ++++ ++++ +++++''++ +++++++ +++++++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ .++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++ ++++ ++++ ++++ ++++ ++++ ++++ ++++" -echo " ++++++ ;+++ ++++ ++++ ++++ ++++++++" -echo " ++++ +++ ++' ++ ++' .++++" -echo " " -echo " S i m p l e E m a i l P r i v a c y" -echo " " -echo " " - - - - - - - - -} -WriteEnv() { - envFile=/var/virtru/vg/env/$gwName.env - - - - - - - - -/bin/cat <$envFile -# Required to match the CN (Common Name) on the certificate. -# TLS will not function unless this matches. -# -GATEWAY_HOSTNAME=$gwFqdn - - -# Enable verbose logging in Gateway. 
-# Values -# Enable: 1 -# Disable: 0 -# Default: 0 -# Required: No -# Note: Set this to 0 unless you are debugging something. -# -GATEWAY_VERBOSE_LOGGING=0 - - - -# Domain name of organization -# Values -# Domain -# Required: Yes -# -GATEWAY_ORGANIZATION_DOMAIN=$gwDomain - - - -# Comma delimited list of trusted networks in CIDR formate. -# Inbound addresses allowed to connect to the gateway -# Values (examples) -# All IP: 0.0.0.0/0 -# 2 IP: 2.2.2.2/32,2.2.2.3/32 -# Required: Yes -# -$gwInboundRelay - - - -# Enable Proxy Protocol for SMTP. -# For use behind a load balancer. -# Values -# Enable: 1 -# Disable: 0 -# Default: 1 -# Required: No -# -GATEWAY_PROXY_PROTOCOL=0 - - - -# Comma delimited set of domains and next-hop destinations and optional ports -# Values -# Not defined/Commented out - Final delivery by MX -# GATEWAY_TRANSPORT_MAPS=*=>[Next hop FQDN]:port -# Default: Not defined/Commented out - Final delivery by MX -# Required: No -# -# Examples: -# -# Gmail Relay -# GATEWAY_TRANSPORT_MAPS=*=>[smtp-relay.gmail.com]:587 -# -# Office 365 -# GATEWAY_TRANSPORT_MAPS=*=>[MX Record]:25 -# -# Custom -# GATEWAY_TRANSPORT_MAPS=*=>[1.1.1.1]:25 -# -$gwOutboundRelay - - -# The mode for the Gateway. -# Values -# decrypt-everything -# encrypt-everything -# dlp - Use rules defined on Virtru Dashboard (https://secure.virtru.com/dashboard) -# Default: encrypt-everything -# Required: Yes -# -GATEWAY_MODE=$gwMode - - - -# Topology of the gateway. -# Values -# outbound -# inbound -# Default: outbound -# Required: Yes -GATEWAY_TOPOLOGY=$gwTopology - - - -# URL to Virtru's ACM service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACM_URL=https://acm.virtru.com - - - -# URL to Virtru's Accounts service. -# Required: Yes -# Note: Do not change this. -# -GATEWAY_ACCOUNTS_URL=https://accounts.virtru.com - - - -# The base URL for remote content. -# Required: Yes -# Note: Do not change unless directed by Virtru. If Custom Secure Reader URL is in use the URL should match. 
-# -GATEWAY_REMOTE_CONTENT_BASE_URL=https://secure.virtru.com/start - - - -# DKIM certificate information -# Values -# Not defined/Commented out - Gateway will not perform any DKIM signing -# Complete record for DKIM signing -# Required: No -# Example: -# GATEWAY_DKIM_DOMAINS=gw._domainkey.example.com -# -# GATEWAY_DKIM_DOMAINS=$gwDkimSelector._domainkey.$gwDomain - - - -# HMAC Token Name to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your token Name. -# -GATEWAY_API_TOKEN_NAME=$gwHmacName - - - -# HMAC Token Secret to connect to Virtru services such as Accounts and ACM. -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token Secret. -# -GATEWAY_API_TOKEN_SECRET=$gwHmacSecret - - - -# Amplitude Token to connect to the Virtru Events platform -# Values -# Value provided by Virtru -# Required: Yes -# Note:Contact Virtru Support for getting your Token. -# -GATEWAY_AMPLITUDE_API_KEY=$gwAmplitudeToken - - - -# Consider a message as undeliverable, when delivery fails with a temporary error, and the time in the queue -# has reached the maximal_queue_lifetime limit. -# Time units: s (seconds), m (minutes), h (hours), d (days), w (weeks). The default time unit is d (days). -# Postfix default is '5d'. Set this ENV variable if default does not work. -# Values -# NumberUnits -# Default: 5d -# Required: No -# Note: Specify 0 when mail delivery should be tried only once. -# -MAX_QUEUE_LIFETIME=5m - - - -# The maximal time between attempts to deliver a deferred message. 
-# Values -# NumberUnits -# Default: 4000s -# Required: No -# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME -# -MAX_BACKOFF_TIME=45s - - - -# The minimal time between attempts to deliver a deferred message -# Values -# NumberUnits -# Default: 300s -# Required: No -# Note: Set to a value greater than or equal to MIN_BACKOFF_TIME -# -MIN_BACKOFF_TIME=30s - - - -# The time between deferred queue scans by the queue manager -# Values -# NumberUnits -# Default: 300s -# Required: No -# -QUEUE_RUN_DELAY=30s - - - -# Gateway Inbound -# Enable Inbound TLS to the Gateway. -# Values -# 1 Enabled -# 0 Disabled -# Default: 1 -# Required: No -# -GATEWAY_SMTPD_USE_TLS=1 - - - -# TLS Compliance Level for upstream (inbound) connections. -# This sets TLS version and cipher list accordingly. -# Customer is still responsible for following other NIST and/or OWASP recommendations, -# notably making sure certificates are signed and keys are rotated regularly. -# Values: -# LOW -# MEDIUM -# HIPPA_2018 -# PCI_321 -# HIGH -# -# Default: N/A -# Required: No -# Note: If any level above LOW, you must set: -# GATEWAY_SMTPD_SECURITY_LEVEL= mandatory -# GATEWAY_SMTPD_USE_TLS=1 -# -# -# GATEWAY_SMTPD_TLS_COMPLIANCE_UPSTREAM=MEDIUM - - - -# Gateway Inbound -# TLS level for inbound connections -# Values -# none -# mandatory -# opportunistic -# Require: No -# Note: Only used when: -# GATEWAY_SMTPD_USE_TLS=1 -# -GATEWAY_SMTPD_SECURITY_LEVEL=opportunistic - - - -# Gateway Outbound -# Enable TLS at the Gateway. -# Values -# 1 Enabled -# 0 Disabled -# Default: 1 -# Require: No -# -GATEWAY_SMTP_USE_TLS=1 - - - -# Gateway Outbound -# TLS level for outbound connections -# Values -# none -# mandatory -# opportunistic -# Require: No -# -GATEWAY_SMTP_SECURITY_LEVEL=opportunistic - - - -# TLS Compliance Level for downstream (outbound) connections. -# This sets TLS version and cipher list accordingly. 
-# Customer is still responsible for following other NIST and/or OWASP recommendations, -# notably making sure certificates are signed and keys are rotated regularly. -# Values: -# LOW -# MEDIUM -# HIPPA_2018 -# PCI_321 -# HIGH -# -# Default: N/A -# Required: No -# Note: If any level above LOW, you must set: -# GATEWAY_SMTP_SECURITY_LEVEL= mandatory -# GATEWAY_SMTP_USE_TLS=1 -# -# -# GATEWAY_SMTP_TLS_COMPLIANCE_DOWNSTREAM=MEDIUM - - - -# Gateway Outbound -# If SASL_ENABLED_DOWNSTREAM enabled, specify Postfix SMTP client SASL security options here. -# Default: N/A -# Required: No -# Values: Text -# -# GATEWAY_SMTP_SASL_SECURITY_OPTIONS=noanonymous -# - - - -# Gateway Outbound -# Require SASL authentication for outbound downstream or relay servers attempting to connect this server. -# Default: 0 -# Required: No -# Values: -# 0 (Disabled) -# 1 (Enabled) -# -# GATEWAY_SMTP_SASL_ENABLED_DOWNSTREAM=0 -# - - - -# Gateway Outbound -# Accounts for Authentication -# Example: -# GATEWAY_SMTPD_SASL_GATEWAY_SMTPD_SASL_ACCOUNTS=example.com=>user1=>password1,example.net=>user2=>password2 -# Required: No -# -# GATEWAY_SMTP_SASL_ACCOUNTS= -# - - - -# Gateway Outbound -# Outbound TLS requirements for a domain. Comma separated list. -# Example -# example.com=>none -# example.net=>maybe -# example.org=>encrypt -# GATEWAY_SMTP_TLS_POLICY_MAPS=example.com=>none,example.net=>maybe -# -# GATEWAY_SMTP_TLS_POLICY_MAPS= - - - -# New Relic Key -# Customer provided key to log events in customer's New Relic Tenant -# Values -# Provided by New Relic -# Required: No -# -# GATEWAY_NEWRELIC_CRED= - - - -# Inbound Authentication enablement. -# Enable inbound authentication. -# Supported modes: CRAM-MD5 or DIGEST-MD5 -# Values -# 1 Enabled -# 0 Disabled -# Default: 0 -# Require: No -# -# GATEWAY_SMTPD_SASL_ENABLED=0 - - - -# Inbound Authentication mechanisms. -# Space-delimited list of SASL mechanisms to support for upstream SASL. 
-# -# Default: N/A -# Required: No -# Values: -# PLAIN -# LOGIN -# CRAM-MD5 -# DIGEST-MD5 -# Note: Only required when: -# GATEWAY_SMTPD_SASL_ENABLED_UPSTREAM=1 -# -# GATEWAY_SMTPD_SASL_MECHANISMS= -# - - -# Inbound Authentication -# Accounts for Authentication -# Example: -# GATEWAY_SMTPD_SASL_ACCOUNTS=example.net=>user1=>password1,example.com=>user2=>password2 -# Required: No -# -# GATEWAY_SMTPD_SASL_ACCOUNTS= -# - - - -# Inbound X-Header Authentication -# Enable inbound X-Header authentication -# Values -# 1 Enabled -# 0 Disabled -# Default: 0 -# Require: No -# -# GATEWAY_XHEADER_AUTH_ENABLED= -# - - - -# Inbound X-Header Authentication -# Enable inbound X-Header authentication Shared Secret -# Example: -# GATEWAY_XHEADER_AUTH_SECRET=123456789 -# -# Require: No -# -# GATEWAY_XHEADER_AUTH_SECRET= -# - - - -# CKS Enabled Organization -# -# If Gateway is in Decrypt Mode Required -# Required: Yes -# If Gateway is in Encrypt Mode Required only if the Organization is CKS enabled. -# Required: No -# -# GATEWAY_ENCRYPTION_KEY_PROVIDER=CKS -# -$gwCks - - - -# CKS Key Intergenerational Period -# Time between Gateway CKS public/private client Key Generation -# -# Required: No -# Default: 360 -# -# GATEWAY_CKS_SESSION_KEY_EXPIRY_IN_MINS=360 -# -$gwCksKey - - - -# Time to Cache DLP rule. -# The interval of time between refreshing the DLP rules in minutes. -# -# Required: No -# Default: 30 -# Minimum: 0 -# -# Note: Number in minutes. To refresh every request, set to 0. -# -# GATEWAY_DLP_CACHE_DURATION=30 - - -# Inbound FROM address rewrite. -# Enable or disable from address rewriting (inbound topology only). This feature allows the Virtru Gateway to support DKIM. 
-# -# Required: No -# Default: 1 -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_REPLACEMENT_FROM_ENABLED=1 - - - -# Enable decryption of PFP protected files -# The feature to enable/disable the option to decrypt Virtru Persistent File Protection -# protected files (DECRYPT mode only) -# -# Required: No -# Default: 1 -# Values: -# 1 - Enabled -# 0 - Disabled -# -# GATEWAY_DECRYPT_PERSISTENT_PROTECTED_ATTACHMENTS=1 - - -EOM - - - - - - - - -} - - - - -WriteScript() { -echo $gwVersion - echo "script" - scriptFile=/var/virtru/vg/scripts/setup-$gwName.sh - - - - - /bin/cat <$scriptFile -docker run \\ ---env-file /var/virtru/vg/env/$gwName.env \\ --v /var/virtru/vg/tls/:/etc/postfix/tls \\ --v /var/virtru/vg/queue/$gwName/:/var/spool/postfix \\ --v /var/virtru/vg/dkim/:/etc/opendkim/keys \\ ---name $gwName \\ ---publish $gwPort:25 \\ ---interactive --tty --detach \\ ---restart unless-stopped \\ ---log-driver json-file \\ ---log-opt max-size=10m \\ ---log-opt max-file=100 \\ -virtru/gateway:$gwVersion -EOM - - - - - - - - -chmod +x $scriptFile - - - - - - - - -} -ShowNextSteps() { - echo "next steps" - echo "-----------------------" - echo " Deploy Successful!" - echo " Next Steps:" - echo " " - echo " run: docker login" - echo " run: sh $scriptFile" - echo "-----------------------" -} - - - - - - - - - - -# Entry Point - - - - - - - - -clear -EntryPoint