Policies - Configuring Geographical Restrictions

This article contains information on configuring Mimecast Geographical Restrictions policies to block or permit email connections based on sender location, enhancing compliance, reducing spam, and mitigating cyber threats through customizable settings.

A Geographical Restrictions policy allows administrators to permit, hold, or block IP addresses listed in our country-specific IP database, thereby controlling which countries can connect to the Mimecast Gateway. This provides the ability to apply inbound reputation checks based on the geographical location of the sender. These checks apply before Auto-Allow/Managed Sender policies.

A Geographical Restrictions policy can be used:

  • For compliance reasons.
  • To drive down the number of Spam messages received by end users.
  • To narrow down an organization's potential inbound cyber attack scope.
  • For other applications (e.g., SMTP authentication requests originating from blocklisted IP addresses).

Usage Considerations

Consider the following when configuring a Geographical Restrictions policy:

  • Geographical Restrictions policies only apply to inbound connections. Outbound and internal messages are not affected.
  • All countries are permitted by default. 
  • Applying a Block policy rejects messages in the protocol. These are listed in the Rejected and Deferred Messages
  • Applying a Hold policy accepts the message and places it in the Held Queue. An Admin Notification is sent to the configured Admin Notification group. If no group is configured, the message is held silently and must be located via the Mimecast Administration Console.
  • Held messages can be released to the intended recipient or dropped permanently by an administrator.
  • When multiple Geographical Restrictions policies match the same message, Mimecast resolves the conflict using a fixed action precedence order: Permit (Allow) > Hold > Block. If no policy matches, the default action is Permit. The table below summarises how each action is treated:
    • Permit policy only: Permit. The message is delivered.
    • Block policy only: Block. The message is rejected at the protocol level.
    • Hold policy only: Hold. The message is accepted and placed in the held queue for administrator review.
    • No matching policy: Permit (default). All countries are permitted unless a policy explicitly restricts them.

Policy Precedence Examples

The following examples use distinct countries and policy configurations to show how the precedence order applies in practice.

Example 1 - Hold beats Block: You have a Block definition applied to Canada for all external senders. You later add a Hold definition that also applies to Canada, scoped to your Finance team as recipients. A message arrives from a Canadian IP address to finance@yourdomain.com. Both policies match. Hold takes precedence over Block, so the message is accepted and placed in the held queue for administrator review rather than rejected at the protocol level.

Example 2 - Permit beats Block: Germany is blocked for all external senders. A known partner (partner.com) sends from a German mail server. You have a second Permit definition for Germany, scoped to the partner.com email domain. Both policies match the same message. Permit takes precedence over Block, so the message is delivered.

Example 3 - Permit beats Hold and Block: China is blocked for everyone. A Hold policy is also configured for China, scoped to your Security team. A Permit policy exists for a trusted Chinese supplier, scoped to the Vendors address group. A message from the supplier matches all three policies simultaneously. Permit wins. The message is delivered regardless of the Block and Hold policies that also matched.

Example 4 - IP address scoping to bypass a blocked region: Brazil is blocked for all external senders. A specific supplier sends from a known, fixed IP address. To allow only that sender through, create a Permit definition for Brazil and configure the policy with a Source IP Range. Because the policy is scoped to that IP, only messages originating from that address match the Permit policy. All other Brazilian senders continue to match only the Block policy and are rejected. Permit takes precedence, so the supplier’s messages are delivered.
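The four examples above can be checked mechanically. The script below is an added illustration, not Mimecast code and not a Mimecast API: it models a definition (selected countries, a Permit/Hold/Block type and an optional Admin Notification group) together with a policy's Applies From, Applies To and Source IP Ranges scoping, then resolves every policy that matches a message with the fixed Permit > Hold > Block order and the Permit default when nothing matches. The Policy and Message fields, the group names, the GeoIP table (built from documentation address ranges) and the sample policies are all constructed for this example. It goes a little beyond the four cases by also reporting which policies matched and whether a Hold would notify a group or be held silently.

```python
"""Toy resolver for Geographical Restrictions precedence (added example, not
Mimecast code). Field names, groups, the GeoIP table and policies are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Fixed precedence from the article; the lowest rank among matching policies wins.
PRECEDENCE = {"Permit": 0, "Hold": 1, "Block": 2}

# Constructed stand-in for the country-specific IP database (documentation ranges).
GEOIP = {
    ip_network("203.0.113.0/24"): "CA",
    ip_network("198.51.100.0/25"): "DE",
    ip_network("198.51.100.128/25"): "BR",
    ip_network("192.0.2.0/24"): "CN",
}


@dataclass(frozen=True)
class Policy:
    name: str
    countries: frozenset                  # countries selected in the definition
    action: str                           # definition Type: Permit, Hold or Block
    applies_from: Optional[str] = None    # sender scope; None = all external senders
    applies_to: Optional[str] = None      # recipient scope; None = everyone
    source_ip_ranges: tuple = ()          # CIDR strings; empty = any source IP
    notify_group: Optional[str] = None    # Admin Notification group used for Hold


@dataclass(frozen=True)
class Message:
    source_ip: str
    sender: str
    recipient: str
    sender_groups: frozenset = frozenset()
    recipient_groups: frozenset = frozenset()


def country_of(ip: str) -> Optional[str]:
    """Look the connecting IP up in the constructed GeoIP table."""
    addr = ip_address(ip)
    return next((c for net, c in GEOIP.items() if addr in net), None)


def scope_matches(scope: Optional[str], address: str, groups: frozenset) -> bool:
    """None = everyone; '@domain' = email domain; otherwise an address or group name."""
    if scope is None:
        return True
    scope = scope.lower()
    if scope.startswith("@"):
        return address.lower().endswith(scope)
    return address.lower() == scope or scope in {g.lower() for g in groups}


def policy_matches(p: Policy, msg: Message, country: str) -> bool:
    """A policy matches only if country, sender scope, recipient scope and IP range all agree."""
    if country not in p.countries:
        return False
    if not scope_matches(p.applies_from, msg.sender, msg.sender_groups):
        return False
    if not scope_matches(p.applies_to, msg.recipient, msg.recipient_groups):
        return False
    if p.source_ip_ranges:
        addr = ip_address(msg.source_ip)
        return any(addr in ip_network(r, strict=False) for r in p.source_ip_ranges)
    return True


def resolve(policies, msg: Message) -> dict:
    """Return the action taken for an inbound message and the policies behind it."""
    country = country_of(msg.source_ip)
    matched = [p for p in policies if country and policy_matches(p, msg, country)]
    if not matched:
        # No matching policy: permitted by default.
        return {"action": "Permit", "country": country, "matched": [], "notify": None}
    winner = min(matched, key=lambda p: PRECEDENCE[p.action])
    return {
        "action": winner.action,
        "country": country,
        "matched": sorted(p.name for p in matched),
        # A Hold with no notification group configured is held silently (None).
        "notify": winner.notify_group if winner.action == "Hold" else None,
    }


# Constructed policies mirroring Examples 1 to 4.
POLICIES = [
    Policy("Block CA", frozenset({"CA"}), "Block"),
    Policy("Hold CA -> Finance", frozenset({"CA"}), "Hold", applies_to="Finance", notify_group="geo-admins"),
    Policy("Block DE", frozenset({"DE"}), "Block"),
    Policy("Permit DE from partner.com", frozenset({"DE"}), "Permit", applies_from="@partner.com"),
    Policy("Block CN", frozenset({"CN"}), "Block"),
    Policy("Hold CN -> Security", frozenset({"CN"}), "Hold", applies_to="Security"),
    Policy("Permit CN Vendors", frozenset({"CN"}), "Permit", applies_from="Vendors"),
    Policy("Block BR", frozenset({"BR"}), "Block"),
    Policy("Permit BR supplier IP", frozenset({"BR"}), "Permit", source_ip_ranges=("198.51.100.200/32",)),
]

if __name__ == "__main__":
    ex1 = Message("203.0.113.10", "anyone@example.ca", "finance@yourdomain.com",
                  recipient_groups=frozenset({"Finance"}))
    print(resolve(POLICIES, ex1))  # Example 1: Hold beats Block, geo-admins notified
```

Running the script with messages built for each example reproduces the outcomes described above: the Canadian message to Finance is held and notifies the group, the partner.com sender from Germany is delivered, the Vendors sender from China matches three policies and is delivered, and only the Brazilian supplier's fixed IP escapes the Block. An IP absent from the GeoIP table resolves to Permit with no matched policies, which is the default the article states.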

Configuring a Geographical Restrictions Definition

To configure a Geographical Restrictions definition:

  1. Log in to the Mimecast Administration Console.
  2. Select the Policies | Gateway Policies menu item.
  3. Click on the Definitions button.
  4. Select Geographical Restrictions from the drop-down menu to display your definitions.
  5. Either click the:
  • New Geographical Restrictions button to create a definition.
  • Definition to be changed.
  6. Complete the Geographical Settings as shown below:
     • Name: Enter a name for the definition.
     • Countries: Either move the required countries from:
       • The Available column to the Selected column by selecting them and clicking on the Add button.
       • The Selected column to the Available column by selecting them and clicking on the Remove button.
       Multiple countries can be selected and added/removed in one process.
     • Type: Select whether to Permit, Block, or Hold inbound messages.
     • Admin Notification group: When Hold is selected, specify the administrator group to be notified when a message is held. If left blank, messages are held with no notification sent.
  7. Click on the Save and Exit button.

Configuring a Geographical Restrictions Policy

To configure a Geographical Restrictions policy:

  1. Log in to the Mimecast Administration Console.
  2. Select the Policies | Gateway Policies menu item.
  3. Click on Geographical Restrictions. A list of existing policies is displayed.
  4. Either click on the:
  • New Policy button to create a policy.
  • Policy to be amended.
  6. Complete the Options section as follows:
     • Policy Narrative: Enter a description for the policy. This is kept with the message in the archive.
     • Select Definition: Specify a Geographical Restrictions definition from the drop-down list.
  7. Complete the Emails From section as follows:
     • Addresses Based On: Specify the email address characteristics on which the policy is based.
     • Applies From: Specify the sender characteristics on which the policy is based. For multiple policies, you should apply them from the most specific to the least specific.
     • Specifically: Enables you to specify an SMTP address if "Individual Email Addresses" is selected in the "Applies From" field.
  8. Complete the Emails To section as follows:
     • Applies To: Specify the recipient characteristics on which the policy is based. For multiple policies, you should apply them from the most specific to the least specific.
     • Specifically: Enables you to specify an SMTP address if "Individual Email Addresses" is selected in the "Applies To" field.
  9. Complete the Validity section as required:
     • Enable / Disable: Use this option to enable or disable a policy. Disabling the policy prevents it from being applied without having to delete or backdate it. Once the policy's configured date range has passed, it is automatically disabled.
     • Set Policy as Perpetual: Sets the policy's start and end dates to "Eternal", meaning the policy never expires.
     • Date Range: Specify a start and end date for the policy. This automatically deselects the "Eternal" option.
     • Bi-Directional: If selected, the policy also applies when the policy's recipient is the sender and the sender is the recipient.
     • Source IP Ranges (n.n.n.n/x): Enter any required Source IP Ranges for the policy, in CIDR notation. The policy only applies if the source IP address used to transmit the message data falls inside or matches one of the configured ranges.
  10. Click on the Save and Exit button.

Using the Hold Action

The Hold action is an alternative to Block that allows administrators to review messages from restricted geographic regions before deciding to release or drop them. Unlike Block, which rejects at the protocol level, Hold accepts the message and queues it for review.

Key behaviors:

  • Messages from a held country are accepted by the Mimecast Gateway and placed in the held queue with a geographic restriction reason code.
  • If an Admin Notification group is configured on the definition, an Admin Notification email is sent automatically. The notification includes message details (From, To, Subject, date) and geographic restriction details such as the originating country.
  • If no Admin Notification group is configured, the message is held silently. Administrators must check the held queue in the Mimecast Administration Console to locate it.
  • Administrators can release held messages to the intended recipient or drop them permanently.

Configuring a Geographical Restrictions Bypass

Permit entries take precedence over both Block and Hold entries. To let a specific sender through a blocked or held region, create a Permit definition for that country and scope the policy to the sender's address using the Source IP Ranges option. Only messages from that IP match the Permit policy, so they are delivered while all other senders from the region remain blocked or held. Follow the steps in the Configuring a Geographical Restrictions Definition and Configuring a Geographical Restrictions Policy sections above.

Comments

2 comments

  • In the Definition I still only have Block & Permit. Presume the change has not been deployed yet.

  • Hi Claus,

    Thanks for your comment. The Hold functionality should be available now.