The steps outlined below detail how to add mail routes, an inbound gateway, an SMTP relay, and content compliance rules in the Google Workspace Admin console to route inbound and outbound emails to Cloud Email and Collaboration Protection for Inline Protection.
Important
The steps contained in these instructions were valid as of September 2023.

Procedure

  1. Log on to the Google Workspace Admin console as a Google Super Admin.
  2. Add mail routes to direct inbound and outbound emails to Cloud Email and Collaboration Protection.
    1. Go to Apps > Google Workspace > Gmail and click Hosts.
    2. Add a mail route for inbound messages by clicking ADD ROUTE and specifying the settings on the Add mail route screen.
      For details about how to specify the settings, see the "Inbound Messages" column in the Mail route settings table.
    3. Click Save.
    4. Add another mail route for outbound messages by clicking ADD ROUTE and specifying the settings on the Add mail route screen.
      For details about how to specify the settings, see the "Outbound Messages" column in the Mail route settings table.
    5. Click Save.

    Mail route settings

    Setting: Name
      Inbound Messages: Set a name for the mail route for inbound messages.
      Outbound Messages: Set a name for the mail route for outbound messages.

    Setting: Specify email server
      Inbound Messages: Select Single host and specify the hostname and port number of Cloud Email and Collaboration Protection for inbound protection.
        • Hostname: Type the Cloud Email and Collaboration Protection hostname for inbound protection displayed on the access grant screen in the Cloud Email and Collaboration Protection console. The hostname is also available in Policies > Global Settings > Inline Protection Settings for Gmail.
        • Port number: Type 25.
      Outbound Messages: Select Single host and specify the hostname and port number of Cloud Email and Collaboration Protection for outbound protection.
        • Hostname: Type the Cloud Email and Collaboration Protection hostname for outbound protection displayed on the access grant screen in the Cloud Email and Collaboration Protection console. The hostname is also available in Policies > Global Settings > Inline Protection Settings for Gmail.
        • Port number: Type 25.

    Setting: Options
      Inbound Messages and Outbound Messages (same settings): Make sure the following settings are selected to implement secure communication between Gmail and Cloud Email and Collaboration Protection:
        • Require mail to be transmitted over a secure transport (TLS) connection (recommended): Encrypt messages between sending mail servers and receiving mail servers with Transport Layer Security (TLS).
        • Require CA signed certificate (recommended): The client SMTP server must present a certificate signed by a Certificate Authority that is trusted by Google.
        • Validate certificate hostname (recommended): Verify that the receiving hostname matches the certificate presented by the SMTP server.
        To verify the connection to Cloud Email and Collaboration Protection, click Test TLS connection.
  3. Configure the inbound gateway that receives scanned inbound messages from Cloud Email and Collaboration Protection.
    1. Go to Apps > Google Workspace > Gmail. Locate and click Spam, Phishing and Malware.
    2. Click Inbound gateway and specify the following settings:
      Setting
      Description
      Enable
      Select this option.
      Gateway IPs
      1. Click ADD, add the IP address of Cloud Email and Collaboration Protection based on your serving site, and click SAVE.
        The IP addresses of Cloud Email and Collaboration Protection for inbound protection are as follows:
        • US site: 20.245.215.64/28, 104.42.189.70, 104.210.58.247, 20.72.147.113, 20.72.140.32
        • EU site: 20.4.48.48/28, 20.107.69.176, 20.126.6.52, 20.54.65.186, 20.54.68.116
        • Japan site: 13.78.70.144/28, 20.222.63.30, 20.222.57.14, 104.46.234.4, 138.91.24.196
        • Australia and New Zealand site: 20.70.30.192/28, 20.213.240.47, 20.227.136.26, 20.39.98.128, 20.39.97.72
        • Canada site: 52.228.5.240/28, 52.228.125.192, 52.139.13.199, 52.229.100.53, 20.104.170.121
        • Singapore site: 52.163.102.112/28, 20.43.148.81, 20.195.17.218
        • UK site: 20.254.97.192/28, 20.68.25.194, 20.68.210.42, 52.142.171.1, 52.142.170.52
        • India site: 20.204.179.112/28, 20.204.44.59, 20.204.113.71, 20.219.110.223, 13.71.71.12
        • Middle East (UAE) site: 20.233.170.224/28, 20.216.24.7, 20.216.9.36, 20.21.106.199, 20.21.252.69
      2. Select Automatically detect external IP (recommended).
        When this option is selected, Gmail determines the source IP address to use for the SPF authentication.
      3. Clear Reject all mail not from gateway IPs.
        When this option is cleared, emails from senders other than Cloud Email and Collaboration Protection are not rejected.
      4. Select Require TLS for connections from the email gateways listed above.
        When this option is selected, connection attempts from gateways that do not use TLS are rejected.
      Message tagging
      The following settings move an email message to the Spam folder when Cloud Email and Collaboration Protection takes the "Move to Spam" action on the message.
      1. Select Message is considered spam if the following header regexp matches.
      2. Under Regexp, type X-TrendMicro-CAS-SPAM: true.
      3. Select Message is spam if regexp matches.
  4. Create an SMTP relay that receives scanned outbound messages from Cloud Email and Collaboration Protection.
    1. Go to Apps > Google Workspace > Gmail > Routing and locate SMTP relay service.
    2. Click CONFIGURE or ADD ANOTHER RULE (if the setting is already configured) and specify the following settings:
      Setting
      Description
      SMTP relay service
      Type TMCAS Inline SMTP Relay Service.
      Allowed Senders
      Select Only addresses in my domain.
      Authentication
      1. Select Only accept mail from the specified IP addresses.
      2. Click ADD, add the IP address of Cloud Email and Collaboration Protection based on your serving site, and click SAVE.
        The IP addresses of Cloud Email and Collaboration Protection for outbound protection are as follows:
        • US site: 20.66.85.0/28, 104.210.59.109, 104.42.190.154, 20.72.147.115, 20.72.140.41
        • EU site: 20.160.56.80/28, 20.126.64.109, 20.126.70.251, 20.54.65.179, 20.54.68.120
        • Japan site: 20.78.49.240/28, 20.222.60.8, 52.140.200.104, 104.46.227.238, 104.46.237.93
        • Australia and New Zealand site: 20.227.209.48/28, 20.227.165.104, 20.213.244.63, 20.39.98.131, 20.39.97.73
        • Canada site: 20.220.229.208/28, 52.228.125.196, 52.139.13.202, 20.104.170.106, 20.104.172.35
        • Singapore site: 52.163.216.240/28, 20.43.148.85, 20.195.17.222
        • UK site: 20.0.233.224/28, 20.68.214.138, 20.68.212.120, 52.142.171.6, 52.142.170.53
        • India site: 20.235.86.144/28, 4.213.51.121, 4.213.51.126, 104.211.202.104, 52.172.7.14
        • Middle East (UAE) site: 20.233.170.240/28, 20.74.137.84, 20.74.179.106, 20.21.106.164, 20.21.108.130
      Encryption
      Select Require TLS encryption.
  5. Add content compliance rules for routing inbound and outbound messages to Cloud Email and Collaboration Protection.
    1. Go to Apps > Google Workspace > Gmail and click Compliance.
    2. In the Content compliance section, add a compliance rule for inbound messages by clicking CONFIGURE or ADD ANOTHER RULE (if the setting is already configured) and specifying the settings on the Add setting screen.
      For details about how to specify the settings, see the "Inbound Messages" column in the Content compliance rule settings table.
    3. Click Save.
    4. Add another compliance rule for outbound messages by clicking ADD ANOTHER RULE and specifying the settings on the Add mail route screen.
      For details about how to specify the settings, see the "Outbound Messages" column in the Content compliance rule settings table.
    5. Click SAVE.
    6. Disable the two compliance rules by clicking Disable after each rule and then clicking PROCEED on the displayed dialog box.
      Note
      This ensures that emails can be delivered to their destinations properly before the access grant for Gmail (Inline Mode) is completed.

    Content compliance rule settings

    Setting: Content compliance
      Inbound Messages: Type TMCAS Content Compliance Rule for Incoming Messages.
      Outbound Messages: Type TMCAS Content Compliance Rule for Outgoing Messages.

    Setting: Email messages to affect
      Inbound Messages: Select Inbound.
      Outbound Messages: Select Outbound.

    Setting: Add expressions that describe the content you want to search for in each message
      Inbound Messages: The following settings ensure that messages already scanned by Cloud Email and Collaboration Protection are not routed to Cloud Email and Collaboration Protection again.
        1. Select If ANY of the following match the message.
        2. Click ADD.
        3. On the Add setting screen, specify the following settings:
          • Select Advanced content match.
          • Under Location, select Full headers.
          • Under Match type, select Not contains text.
          • Under Content, type the Loop prevention header for inbound protection displayed on the access grant screen in the Cloud Email and Collaboration Protection console. The loop prevention header is also available in Policies > Global Settings > Inline Protection Settings for Gmail.
      Outbound Messages: The following settings ensure that messages already scanned by Cloud Email and Collaboration Protection are not routed to Cloud Email and Collaboration Protection again.
        1. Select If ANY of the following match the message.
        2. Click ADD.
        3. On the Add setting screen, specify the following settings:
          • Select Advanced content match.
          • Under Location, select Full headers.
          • Under Match type, select Not contains text.
          • Under Content, type the Loop prevention header for outbound protection displayed on the access grant screen in the Cloud Email and Collaboration Protection console. The loop prevention header is also available in Policies > Global Settings > Inline Protection Settings for Gmail.

    Setting: If the above expressions match, do the following
      Inbound Messages: The following settings ensure that messages already scanned by Cloud Email and Collaboration Protection will not be routed to Cloud Email and Collaboration Protection again.
        1. Select Modify message.
        2. Under Headers, select Add custom headers, and click ADD.
        3. Add the string you just typed in Content.
        4. Under Route, select Change the route and select the name of the mail route you just created for inbound messages.
      Outbound Messages: The following settings ensure that messages already scanned by Cloud Email and Collaboration Protection will not be routed to Cloud Email and Collaboration Protection again.
        1. Select Modify message.
        2. Under Headers, select Add custom headers, and click ADD.
        3. Add the string you just typed in Content.
        4. Under Route, select Change the route and select the name of the mail route you just created for outbound messages.

    Setting: Account types to affect
      Inbound Messages and Outbound Messages (same settings):
        1. Click Show options.
        2. Select Users and Groups.

    Setting: Envelope filter
      Inbound Messages:
        1. Select Only affect specific envelope recipients.
        2. Specify the recipients affected by this rule based on the targets of your Cloud Email and Collaboration Protection policies for Gmail (Inline Mode).
          • Users/groups: Select Group membership (only received mail), click Select groups and select the group TMCAS Inline Incoming Gmail Virtual Group.
          • Domains only or both domains and users/groups in these domains: Select Pattern match, type the target domains in the format .*@<domain>, for example, .*@example.com.
          Important
          The default targets for a Gmail (Inline Mode) policy are all domains.
          If the targets of your Cloud Email and Collaboration Protection policies for Gmail (Inline Mode) include some domains and users/groups in some other domains, create two content compliance rules for each target type. Make sure the two rules share the same configuration except the Only affect specific envelope recipients settings.
      Outbound Messages:
        1. Select Only affect specific envelope senders.
        2. Specify the senders affected by this rule based on the targets of your Cloud Email and Collaboration Protection policies for Gmail (Inline Mode).
          • Users/groups: Select Group membership (sent mail only), click Select groups and select the group TMCAS Inline Outgoing Gmail Virtual Group.
          • Domains only or both domains and users/groups in these domains: Select Pattern match, type the target domains in the format .*@<domain>, for example, .*@example.com.
          Important
          The default targets for a Gmail (Inline Mode) policy are all domains.
          If the targets of your Cloud Email and Collaboration Protection policies for Gmail (Inline Mode) include some domains and users/groups in some other domains, create two content compliance rules for each target type. Make sure the two rules share the same configuration except the Only affect specific envelope recipients settings.
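
The inbound content compliance rule and the inbound gateway spam tagging from the procedure above, modelled as an added Python example (not Trend Micro or Google code) that follows one message through both passes. The loop prevention header name and value, the route name and the sample message are constructed placeholders, and plain substring matching and full-string pattern matching are assumptions about how the console evaluates these settings.

```python
import re
from email import message_from_string
from email.message import Message

# Constructed placeholders: the real loop prevention header is shown on the
# access grant screen, and the route name is the one you gave the mail route.
LOOP_HEADER = "X-Example-Loop-Prevention"      # hypothetical header name
LOOP_VALUE = "inbound-scanned"                 # hypothetical header value
INBOUND_ROUTE = "example-inbound-route"        # hypothetical mail route name
RECIPIENT_PATTERN = r".*@example.com"          # page format: .*@<domain>
SPAM_REGEXP = r"X-TrendMicro-CAS-SPAM: true"   # regexp given in the procedure
SAMPLE = "From: a@sender.example\nTo: bob@example.com\nSubject: hi\n\nbody\n"  # constructed


def full_headers(msg: Message) -> str:
    """Render the header block as text, one 'Name: value' per line."""
    return "\n".join(f"{k}: {v}" for k, v in msg.items())


def inbound_rule(msg: Message, rcpt: str) -> str:
    """Model of the inbound content compliance rule; returns the next hop."""
    # Envelope filter: only affect specific envelope recipients.
    if not re.fullmatch(RECIPIENT_PATTERN, rcpt):
        return "deliver"
    # Expression: Full headers / Not contains text / loop prevention header.
    if f"{LOOP_HEADER}: {LOOP_VALUE}" in full_headers(msg):
        return "deliver"  # already scanned, so the route is not changed again
    # Action: add the same string as a custom header, then change the route.
    msg[LOOP_HEADER] = LOOP_VALUE
    return INBOUND_ROUTE


def folder(msg: Message) -> str:
    """Inbound gateway message tagging: spam if the header regexp matches."""
    return "Spam" if re.search(SPAM_REGEXP, full_headers(msg)) else "Inbox"


def trace(raw: str, rcpt: str, verdict_spam: bool) -> list:
    """Follow one message: Gmail -> scanner -> Gmail (constructed flow)."""
    msg, hops = message_from_string(raw), []
    hops.append(inbound_rule(msg, rcpt))
    if hops[0] == INBOUND_ROUTE:
        if verdict_spam:  # stand-in for the scanner's "Move to Spam" action
            msg["X-TrendMicro-CAS-SPAM"] = "true"
        hops.append(inbound_rule(msg, rcpt))  # second pass via inbound gateway
    hops.append(folder(msg))
    return hops
```

Because the rule adds the same string it tests for, the second pass always returns "deliver"; a mismatch between the Content string and the custom header would send the message back to the route on every pass.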