The steps outlined below detail how to add a mail route, an SMTP relay, and a content compliance rule in the Google Workspace Admin console to route outbound emails to Cloud Email and Collaboration Protection for Inline Protection.
Important
The steps contained in these instructions were valid as of September 2023.

Procedure

  1. Log on to the Google Workspace Admin console as a Google Super Admin.
  2. Add a mail route to direct outbound emails to Cloud Email and Collaboration Protection.
    1. Go to Apps > Google Workspace > Gmail and click Hosts.
    2. Add a mail route for outbound messages by clicking ADD ROUTE and specifying the following settings on the Add mail route screen.
      Setting
      Outbound Messages
      Name
      Set a name for the mail route for outbound messages.
      Specify email server
      Select Single host and specify the hostname and port number of Cloud Email and Collaboration Protection for outbound protection.
      • Hostname: Type the Cloud App Security hostname for outbound protection displayed on the access grant screen in the Cloud Email and Collaboration Protection console. The hostname is also available in Administration > Global Settings > Inline Protection Settings for Gmail.
      • Port number: Type 25.
      Options
      Make sure the following settings are selected to implement secure communication between Gmail and Cloud Email and Collaboration Protection:
      • Require mail to be transmitted over a secure transport (TLS) connection (recommended): Encrypt messages between sending mail servers and receiving mail servers with Transport Layer Security (TLS).
      • Require CA signed certificate (recommended): The client SMTP server must present a certificate signed by a Certificate Authority that is trusted by Google.
      • Validate certificate hostname (recommended): Verify that the receiving hostname matches the certificate presented by the SMTP server.
      To verify the connection to Cloud Email and Collaboration Protection, click Test TLS connection.
    3. Click Save.
  3. Create an SMTP relay that receives scanned outbound messages from Cloud Email and Collaboration Protection.
    1. Go to Apps > Google Workspace > Settings for Gmail > Routing. Locate SMTP relay service.
    2. Click CONFIGURE or ADD ANOTHER RULE (if the setting is already configured) and specify the following settings:
      Setting
      Description
      SMTP relay service
      Type TMCAS Inline SMTP Relay Service.
      Allowed senders
      Select Only addresses in my domain.
      Authentication
      1. Select Only accept mail from the specified IP addresses.
      2. Click ADD, add the IP address of Cloud Email and Collaboration Protection based on your serving site, and click SAVE.
        The IP addresses of Cloud Email and Collaboration Protection for outbound protection are as follows:
        • US site: 20.66.85.0/28, 104.210.59.109, 104.42.190.154, 20.72.147.115, 20.72.140.41
        • EU site: 20.160.56.80/28, 20.126.64.109, 20.126.70.251, 20.54.65.179, 20.54.68.120
        • Japan site: 20.78.49.240/28, 20.222.60.8, 52.140.200.104, 104.46.227.238, 104.46.237.93
        • Australia and New Zealand site: 20.227.209.48/28, 20.227.165.104, 20.213.244.63, 20.39.98.131, 20.39.97.73
        • Canada site: 20.220.229.208/28, 52.228.125.196, 52.139.13.202, 20.104.170.106, 20.104.172.35
        • Singapore site: 52.163.216.240/28, 20.43.148.85, 20.195.17.222
        • UK site: 20.0.233.224/28, 20.68.214.138, 20.68.212.120, 52.142.171.6, 52.142.170.53
        • India site: 20.235.86.144/28, 4.213.51.121, 4.213.51.126, 104.211.202.104, 52.172.7.14
        • Middle East (UAE) site: 20.233.170.240/28, 20.74.137.84, 20.74.179.106, 20.21.106.164, 20.21.108.130
      Encryption
      Select Require TLS encryption.
  4. Add a content compliance rule for routing outbound messages to Cloud Email and Collaboration Protection.
    1. Go to Apps > Google Workspace > Gmail and click Compliance.
    2. In the Content compliance section, add a compliance rule for outbound messages by clicking CONFIGURE or ADD ANOTHER RULE (if the setting is already configured) and specifying the settings on the Add setting screen.
      Setting
      Outbound Messages
      Content compliance
      Type TMCAS Content Compliance Rule for Outgoing Messages.
      Email messages to affect
      Select Outbound.
      Add expressions that describe the content you want to search for in each message
      The following settings ensure that messages already scanned by Cloud Email and Collaboration Protection are not routed to Cloud Email and Collaboration Protection again.
      1. Select If ANY of the following match the message.
      2. Click ADD.
      3. On the Add setting screen, specify the following settings:
        • Select Advanced content match.
        • Under Location, select Full headers.
        • Under Match type, select Not contains text.
        • Under Content, type the Loop prevention header for outbound protection displayed on the access grant screen in the Cloud Email and Collaboration Protection console. The loop prevention header is also available in Administration > Global Settings > Inline Protection Settings for Gmail.
      If the above expressions match, do the following
      The following settings ensure that messages already scanned by Cloud Email and Collaboration Protection will not be routed to Cloud Email and Collaboration Protection again.
      1. Select Modify message.
      2. Under Headers, select Add custom headers, and click ADD.
      3. Add the string you just typed in Content.
      4. Under Route, select Change the route and select the name of the mail route you just created for outbound messages.
      Account types to affect
      1. Click Show options.
      2. Select Users and Groups.
      Envelope filter
      1. Select Only affect specific envelope senders.
      2. Specify the senders affected by this rule based on the targets of your Cloud Email and Collaboration Protection policies for Gmail (Inline Mode).
        • Users/groups: Select Group membership (sent mail only), click Select groups and select the group TMCAS Inline Outgoing Gmail Virtual Group.
        • Domains only or both domains and users/groups in these domains: Select Pattern match, type the target domains in the format .*@<domain>, for example, .*@example.com.
        Important
        The default targets for a Gmail (Inline Mode) policy are all domains.
        If the targets of your Cloud Email and Collaboration Protection policies for Gmail (Inline Mode) include some domains and users/groups in some other domains, create two content compliance rules for each target type. Make sure the two rules share the same configuration except the Only affect specific envelope recipients settings.
    3. Click Save.
    4. Disable the compliance rule by clicking Disable after the rule and then clicking PROCEED on the displayed dialog box.
      Note
      This ensures that emails can be delivered to their destinations properly before the access grant for Gmail (Inline Mode) is completed.
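A check for the SMTP relay allowlist from step 3, added here as an example and not part of the vendor's documentation: it compares the entries configured in the relay rule with the published US and EU ranges listed above and reports addresses that were left out or entries that admit more than the published set. The `SAMPLE` configuration is constructed for illustration.

```python
import ipaddress

# Published outbound ranges, copied from the list in step 3 (US and EU sites only).
PUBLISHED = {
    "US": ["20.66.85.0/28", "104.210.59.109", "104.42.190.154",
           "20.72.147.115", "20.72.140.41"],
    "EU": ["20.160.56.80/28", "20.126.64.109", "20.126.70.251",
           "20.54.65.179", "20.54.68.120"],
}

def audit_relay_allowlist(site, configured):
    """Compare SMTP relay entries with the published ranges for one site.

    Returns (missing, excess): published networks not fully covered by the
    configuration, and configured networks that admit addresses outside the
    published set (for example a /24 typed where a /28 was intended).
    """
    published = [ipaddress.ip_network(e) for e in PUBLISHED[site]]
    entries = [ipaddress.ip_network(e, strict=False) for e in configured]
    missing = [str(p) for p in published
               if not any(p.subnet_of(c) for c in entries)]
    excess = [str(c) for c in entries
              if not any(c.subnet_of(p) for p in published)]
    return missing, excess

# Constructed sample: one range typed too wide, one address left out,
# and one address that belongs to a different site.
SAMPLE = ["20.66.85.0/24", "104.210.59.109", "104.42.190.154",
          "20.72.147.115", "20.126.64.109"]

if __name__ == "__main__":
    missing, excess = audit_relay_allowlist("US", SAMPLE)
    print("missing:", missing)
    print("excess: ", excess)
```

An entry reported as excess lets hosts outside the published ranges use the relay, which matters because the relay rule authenticates by source IP address only.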
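The loop prevention logic of the content compliance rule in step 4, modelled as an added example (not vendor code). The header string and route name are placeholders, since the real header is the one shown in the console, and the model assumes that the envelope pattern must match the whole address and that the scanned message comes back through the SMTP relay with the added header intact.

```python
import re
from email import message_from_string

# Placeholders: the real header string is shown in the product console and the
# route name is whatever was chosen in step 2.
LOOP_HEADER = ("X-Example-Loop-Prevention", "outbound")
ROUTE_NAME = "outbound-scan-route"
SENDER_PATTERN = r".*@example.com"      # format given in the procedure

def apply_rule(envelope_sender, raw_message, pattern=SENDER_PATTERN):
    """Return (route, raw_message) after evaluating the rule once."""
    msg = message_from_string(raw_message)
    full_headers = "\n".join(f"{k}: {v}" for k, v in msg.items())
    marker = f"{LOOP_HEADER[0]}: {LOOP_HEADER[1]}"
    # Envelope filter. Assumption: the pattern must match the whole address.
    if not re.fullmatch(pattern, envelope_sender):
        return "default", raw_message
    # Expression: Full headers / Not contains text. A message that already
    # carries the marker has been scanned and takes the normal route.
    if marker in full_headers:
        return "default", raw_message
    # Action: add the custom header, then change the route.
    msg[LOOP_HEADER[0]] = LOOP_HEADER[1]
    return ROUTE_NAME, msg.as_string()

def round_trip(envelope_sender, raw_message):
    """Routes taken on first submission and after the relay hands it back."""
    first, stamped = apply_rule(envelope_sender, raw_message)
    second, _ = apply_rule(envelope_sender, stamped)
    return first, second

# Constructed sample message.
SAMPLE = "From: alice@example.com\nTo: bob@example.net\nSubject: hi\n\nbody\n"

if __name__ == "__main__":
    print(round_trip("alice@example.com", SAMPLE))   # in scope
    print(round_trip("carol@example.org", SAMPLE))   # outside the target domain
```

If the string added under Headers differs from the string typed under Content, the second pass in `round_trip` would reroute the message again, which is why step 4 has you reuse the exact same string.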