The steps below describe how to add mail routes, an inbound gateway, an SMTP relay, and content compliance rules in the Google Workspace Admin console to route inbound and outbound emails to Cloud Email and Collaboration Protection for Inline Protection.
Important: The steps contained in these instructions were valid as of September 2023.
Procedure
- Log on to the Google Workspace Admin console as a Google Super Admin.
- Add mail routes to direct inbound and outbound emails to Cloud Email and Collaboration Protection.
  - Go to and click Hosts.
  - Add a mail route for inbound messages by clicking ADD ROUTE and specifying the settings on the Add mail route screen. For details about how to specify the settings, see the "Inbound Messages" column in the Mail route settings table.
  - Click Save.
  - Add another mail route for outbound messages by clicking ADD ROUTE and specifying the settings on the Add mail route screen. For details about how to specify the settings, see the "Outbound Messages" column in the Mail route settings table.
  - Click Save.
  Mail route settings
  - Name
    - Inbound Messages: Set a name for the mail route for inbound messages.
    - Outbound Messages: Set a name for the mail route for outbound messages.
  - Specify email server
    - Inbound Messages: Select Single host and specify the hostname and port number of Cloud Email and Collaboration Protection for inbound protection.
      - Hostname: Type the Cloud Email and Collaboration Protection hostname for inbound protection displayed on the access grant screen in the Cloud Email and Collaboration Protection console. The hostname is also available in .
      - Port number: Type 25.
    - Outbound Messages: Select Single host and specify the hostname and port number of Cloud Email and Collaboration Protection for outbound protection.
      - Hostname: Type the Cloud Email and Collaboration Protection hostname for outbound protection displayed on the access grant screen in the Cloud Email and Collaboration Protection console. The hostname is also available in .
      - Port number: Type 25.
  - Options
    - Inbound Messages and Outbound Messages (same settings in both columns): Make sure the following settings are selected to implement secure communication between Gmail and Cloud Email and Collaboration Protection:
      - Require mail to be transmitted over a secure transport (TLS) connection (recommended): Encrypt messages between sending mail servers and receiving mail servers with Transport Layer Security (TLS).
      - Require CA signed certificate (recommended): The client SMTP server must present a certificate signed by a Certificate Authority that is trusted by Google.
      - Validate certificate hostname (recommended): Verify that the receiving hostname matches the certificate presented by the SMTP server.
      To verify the connection to Cloud Email and Collaboration Protection, click Test TLS connection.
- Configure the inbound gateway that receives scanned inbound messages from Cloud Email and Collaboration Protection.
  - Go to . Locate and click Spam, Phishing and Malware.
  - Click Inbound gateway and specify the following settings:
    - Enable: Select this option.
    - Gateway IPs:
      - Click ADD, add the IP address of Cloud Email and Collaboration Protection based on your serving site, and click SAVE. The IP addresses of Cloud Email and Collaboration Protection for inbound protection are as follows:
        - US site: 20.245.215.64/28, 104.42.189.70, 104.210.58.247, 20.72.147.113, 20.72.140.32
        - EU site: 20.4.48.48/28, 20.107.69.176, 20.126.6.52, 20.54.65.186, 20.54.68.116
        - Japan site: 13.78.70.144/28, 20.222.63.30, 20.222.57.14, 104.46.234.4, 138.91.24.196
        - Australia and New Zealand site: 20.70.30.192/28, 20.213.240.47, 20.227.136.26, 20.39.98.128, 20.39.97.72
        - Canada site: 52.228.5.240/28, 52.228.125.192, 52.139.13.199, 52.229.100.53, 20.104.170.121
        - Singapore site: 52.163.102.112/28, 20.43.148.81, 20.195.17.218
        - UK site: 20.254.97.192/28, 20.68.25.194, 20.68.210.42, 52.142.171.1, 52.142.170.52
        - India site: 20.204.179.112/28, 20.204.44.59, 20.204.113.71, 20.219.110.223, 13.71.71.12
        - Middle East (UAE) site: 20.233.170.224/28, 20.216.24.7, 20.216.9.36, 20.21.106.199, 20.21.252.69
      - Select Automatically detect external IP (recommended). When this option is selected, Gmail determines the source IP address to use for the SPF authentication.
      - Clear Reject all mail not from gateway IPs. When this option is cleared, emails from senders other than Cloud Email and Collaboration Protection are not rejected.
      - Select Require TLS for connections from the email gateways listed above. When this option is selected, connection attempts from gateways that do not use TLS are rejected.
    - Message tagging: The following settings move an email message to the Spam folder when Cloud Email and Collaboration Protection takes the "Move to Spam" action on the message.
      - Select Message is considered spam if the following header regexp matches.
      - Under Regexp, type X-TrendMicro-CAS-SPAM: true.
      - Select Message is spam if regexp matches.
- Create an SMTP relay that receives scanned outbound messages from Cloud Email and Collaboration Protection.
  - Go to and locate SMTP relay service.
  - Click CONFIGURE or ADD ANOTHER RULE (if the setting is already configured) and specify the following settings:
    - SMTP relay service: Type TMCAS Inline SMTP Relay Service.
    - Allowed Senders: Select Only addresses in my domain.
    - Authentication:
      - Select Only accept mail from the specified IP addresses.
      - Click ADD, add the IP address of Cloud Email and Collaboration Protection based on your serving site, and click SAVE. The IP addresses of Cloud Email and Collaboration Protection for outbound protection are as follows:
        - US site: 20.66.85.0/28, 104.210.59.109, 104.42.190.154, 20.72.147.115, 20.72.140.41
        - EU site: 20.160.56.80/28, 20.126.64.109, 20.126.70.251, 20.54.65.179, 20.54.68.120
        - Japan site: 20.78.49.240/28, 20.222.60.8, 52.140.200.104, 104.46.227.238, 104.46.237.93
        - Australia and New Zealand site: 20.227.209.48/28, 20.227.165.104, 20.213.244.63, 20.39.98.131, 20.39.97.73
        - Canada site: 20.220.229.208/28, 52.228.125.196, 52.139.13.202, 20.104.170.106, 20.104.172.35
        - Singapore site: 52.163.216.240/28, 20.43.148.85, 20.195.17.222
        - UK site: 20.0.233.224/28, 20.68.214.138, 20.68.212.120, 52.142.171.6, 52.142.170.53
        - India site: 20.235.86.144/28, 4.213.51.121, 4.213.51.126, 104.211.202.104, 52.172.7.14
        - Middle East (UAE) site: 20.233.170.240/28, 20.74.137.84, 20.74.179.106, 20.21.106.164, 20.21.108.130
    - Encryption: Select Require TLS encryption.
- Add content compliance rules for routing inbound and outbound messages to Cloud Email and Collaboration Protection.
  - Go to and click Compliance.
  - In the Content compliance section, add a compliance rule for inbound messages by clicking CONFIGURE or ADD ANOTHER RULE (if the setting is already configured) and specifying the settings on the Add setting screen. For details about how to specify the settings, see the "Inbound Messages" column in the Content compliance rule settings table.
  - Click Save.
  - Add another compliance rule for outbound messages by clicking ADD ANOTHER RULE and specifying the settings on the Add mail route screen. For details about how to specify the settings, see the "Outbound Messages" column in the Content compliance rule settings table.
  - Click SAVE.
  - Disable the two compliance rules by clicking Disable after each rule and then clicking PROCEED on the displayed dialog box.
    Note: This ensures that emails can be delivered to their destinations properly before the access grant for Gmail (Inline Mode) is completed.
  Content compliance rule settings
  - Content compliance
    - Inbound Messages: Type TMCAS Content Compliance Rule for Incoming Messages.
    - Outbound Messages: Type TMCAS Content Compliance Rule for Outgoing Messages.
  - Email messages to affect
    - Inbound Messages: Select Inbound.
    - Outbound Messages: Select Outbound.
  - Add expressions that describe the content you want to search for in each message
    - Inbound Messages: The following settings ensure that messages already scanned by Cloud Email and Collaboration Protection are not routed to Cloud Email and Collaboration Protection again.
      - Select If ANY of the following match the message.
      - Click ADD.
      - On the Add setting screen, specify the following settings:
        - Select Advanced content match.
        - Under Location, select Full headers.
        - Under Match type, select Not contains text.
        - Under Content, type the Loop prevention header for inbound protection displayed on the access grant screen in the Cloud Email and Collaboration Protection console. The loop prevention header is also available in .
    - Outbound Messages: The following settings ensure that messages already scanned by Cloud Email and Collaboration Protection are not routed to Cloud Email and Collaboration Protection again.
      - Select If ANY of the following match the message.
      - Click ADD.
      - On the Add setting screen, specify the following settings:
        - Select Advanced content match.
        - Under Location, select Full headers.
        - Under Match type, select Not contains text.
        - Under Content, type the Loop prevention header for outbound protection displayed on the access grant screen in the Cloud Email and Collaboration Protection console. The loop prevention header is also available in .
  - If the above expressions match, do the following
    - Inbound Messages: The following settings ensure that messages already scanned by Cloud Email and Collaboration Protection will not be routed to Cloud Email and Collaboration Protection again.
      - Select Modify message.
      - Under Headers, select Add custom headers, and click ADD.
      - Add the string you just typed in Content.
      - Under Route, select Change the route and select the name of the mail route you just created for inbound messages.
    - Outbound Messages: The following settings ensure that messages already scanned by Cloud Email and Collaboration Protection will not be routed to Cloud Email and Collaboration Protection again.
      - Select Modify message.
      - Under Headers, select Add custom headers, and click ADD.
      - Add the string you just typed in Content.
      - Under Route, select Change the route and select the name of the mail route you just created for outbound messages.
  - Account types to affect
    - Inbound Messages and Outbound Messages (same settings in both columns):
      - Click Show options.
      - Select Users and Groups.
  - Envelope filter
    - Inbound Messages:
      - Select Only affect specific envelope recipients.
      - Specify the recipients affected by this rule based on the targets of your Cloud Email and Collaboration Protection policies for Gmail (Inline Mode).
        - Users/groups: Select Group membership (only received mail), click Select groups and select the group TMCAS Inline Incoming Gmail Virtual Group.
        - Domains only or both domains and users/groups in these domains: Select Pattern match, type the target domains in the format .*@<domain>, for example, .*@example.com.
      Important: The default targets for a Gmail (Inline Mode) policy are all domains. If the targets of your Cloud Email and Collaboration Protection policies for Gmail (Inline Mode) include some domains and users/groups in some other domains, create two content compliance rules for each target type. Make sure the two rules share the same configuration except the Only affect specific envelope recipients settings.
    - Outbound Messages:
      - Select Only affect specific envelope senders.
      - Specify the senders affected by this rule based on the targets of your Cloud Email and Collaboration Protection policies for Gmail (Inline Mode).
        - Users/groups: Select Group membership (sent mail only), click Select groups and select the group TMCAS Inline Outgoing Gmail Virtual Group.
        - Domains only or both domains and users/groups in these domains: Select Pattern match, type the target domains in the format .*@<domain>, for example, .*@example.com.
      Important: The default targets for a Gmail (Inline Mode) policy are all domains. If the targets of your Cloud Email and Collaboration Protection policies for Gmail (Inline Mode) include some domains and users/groups in some other domains, create two content compliance rules for each target type. Make sure the two rules share the same configuration except the Only affect specific envelope recipients settings.
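
Added example, not part of the vendor's instructions: the inbound gateway step clears Reject all mail not from gateway IPs, so a delivery-log audit can check that messages carrying the X-TrendMicro-CAS-SPAM: true header arrived from a listed gateway address. The record layout, function names and sample records are assumptions; only the US-site inbound list from this page is embedded.

```python
import ipaddress
import re
from email import message_from_string

# Inbound-protection gateway IPs for the US site, copied from this page.
# Replace with the list for your own serving site.
US_INBOUND = ["20.245.215.64/28", "104.42.189.70", "104.210.58.247",
              "20.72.147.113", "20.72.140.32"]
GATEWAY_NETS = [ipaddress.ip_network(entry) for entry in US_INBOUND]

# Header regexp from the Message tagging setting on this page.
SPAM_TAG = re.compile(r"X-TrendMicro-CAS-SPAM: true")


def from_gateway(ip):
    """True if the connecting IP is a listed address or inside a listed range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in GATEWAY_NETS)


def is_tagged(raw_message):
    """True if a header of the message (not its body) matches the tagging regexp."""
    headers = message_from_string(raw_message).items()
    return any(SPAM_TAG.search(f"{name}: {value}") for name, value in headers)


def classify(ip, raw_message):
    """Label one delivery: 'gateway', 'direct', or 'tagged-direct'."""
    if from_gateway(ip):
        return "gateway"
    return "tagged-direct" if is_tagged(raw_message) else "direct"


def audit(records):
    """Return connecting IPs whose mail carries the tag without coming from a gateway."""
    return [ip for ip, raw in records if classify(ip, raw) == "tagged-direct"]


# Constructed sample records: (connecting IP, raw message). Not real traffic.
SAMPLE = [
    ("20.245.215.70", "X-TrendMicro-CAS-SPAM: true\nSubject: a\n\nbody\n"),  # inside /28
    ("104.42.189.70", "Subject: b\n\nbody\n"),                               # listed host
    ("20.245.215.80", "Subject: c\n\nbody\n"),                               # past the /28
    ("203.0.113.9", "X-TrendMicro-CAS-SPAM: true\nSubject: d\n\nbody\n"),    # unlisted
]

if __name__ == "__main__":
    for ip, raw in SAMPLE:
        print(ip, classify(ip, raw))
```

The /28 entries each cover 16 addresses, so a plain string comparison against the list would misclassify most gateway traffic; the check has to be a CIDR membership test as above.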