This article contains information on configuring Mimecast Geographical Restrictions policies to block or permit email connections based on sender location, enhancing compliance, reducing spam, and mitigating cyber threats through customizable settings.
A Geographical Restrictions policy allows administrators to permit or block IP addresses listed in our country-specific IP database, thereby controlling which countries can connect to the Mimecast Gateway. This provides the ability to apply inbound reputation checks based upon the geographical location of the sender. These checks apply before our Auto-Allow/Managed Sender policies and reject inbound messages if the sender's IP address is blocked.
A Geographical Restrictions policy can be used:
- For compliance reasons.
- To drive down the number of spam messages received by end users.
- To narrow down an organization's potential inbound cyber attack scope.
- For other applications (e.g., SMTP authentication requests originating from blacklisted IP addresses).
Usage Considerations
Consider the following when configuring a Geographical Restrictions policy:
- Geographical Restrictions policies only apply to inbound connections. Outbound and internal messages aren't affected.
- All countries are permitted by default.
- Applying a Block policy rejects messages in the protocol. These are listed in the Rejected and Deferred Messages.
- Where conflicting Geographical Restrictions policies exist (i.e., one to block and one to permit), the permit takes precedence. For example:
- Messages from permitted countries are allowed.
- Messages from blocked countries are rejected.
- Messages from Mimecast IP ranges aren't blocked, even if they originate from a blocked country.
Configuring a Geographical Restrictions Definition
To configure a Geographical Restrictions definition:
- Log in to the Mimecast Administration Console.
- Select the Policies | Gateway Policies menu item.
- Click on the Definitions button.
- Select Geographical Restrictions from the drop-down menu to display your definitions.
- Either click the:
  - New Geographical Restrictions button to create a definition.
  - Definition to be changed.
- Complete the Geographical Settings as shown below:
| Field / Option | Description |
|---|---|
| Name | Specify a description for the definition. This is kept in the archive for messages that have this definition applied. |
| Type | Select whether to Permit or Block inbound messages. |
| Countries | Either move the required countries from: Multiple countries can be selected and added/removed in one process. |
- Click on the Save and Exit button.
Configuring a Geographical Restrictions Policy
To configure a Geographical Restrictions policy:
- Log in to the Mimecast Administration Console.
- Select the Policies | Gateway Policies menu item.
- Click on Geographical Restrictions. A list of existing policies is displayed.
- Either click on the:
  - New Policy button to create a policy.
  - Policy to be amended.
- Complete the Options section as follows:
| Field / Option | Description |
|---|---|
| Policy Narrative | Enter a description for the policy. This is kept with the message in the archive. |
| Select Definition | Specify a Geographical Restrictions definition from the drop-down list. |
- Complete the Emails From section as follows:
| Field / Option | Description |
|---|---|
| Addresses Based On | Specify the email address characteristics the policy is based on. |
| Applies From | Specify the sender characteristics the policy is based on. For multiple policies, you should apply them from the most to the least specific. |
| Specifically | Enables you to specify an SMTP address if "Individual Email Addresses" is specified in the "Applies From" field. |
- Complete the Emails To section as follows:
| Field / Option | Description |
|---|---|
| Applies To | Specify the recipient characteristics the policy is based on. For multiple policies, you should apply them from the most to the least specific. |
| Specifically | Enables a specific SMTP address if "Individual Email Addresses" is specified in the "Applies To" field. |
- Complete the Validity section as required:
| Field / Option | Description |
|---|---|
| Enable / Disable | Use this option to enable or disable a policy. Disabling the policy allows you to prevent it from being applied without having to delete or backdate it. Should the policy's configured date range be reached, it's automatically disabled. |
| Set Policy as Perpetual | Specifies that the policy's start and end dates are set to "Eternal", meaning the policy never expires. |
| Date Range | Specify a start and end date for the policy. This automatically deselects the "Eternal" option. |
| Bi-Directional | If selected, the policy also applies when the policy's recipient is the sender and the sender is the recipient. |
| Source IP Ranges (n.n.n.n/x) | Enter any required Source IP Ranges for the policy. These only apply if the source IP address used to transmit the message data falls inside or matches the range(s) configured. IP ranges should be entered in CIDR notation. |
- Click on the Save and Exit button.
Configuring a Geographical Restrictions Bypass
As previously mentioned, a Permit entry takes precedence over a Block entry.
You can permit a specific sender by creating a Permit definition for the country and then basing the policy on that sender's IP address. This allows messages from the specific sender IP even though it is in a blocked region.
You can do this by following the steps in the above Configuring a Geographical Restrictions Definition section.
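The rules from Usage Considerations and the bypass above can be modelled in a short Python sketch to predict the outcome of overlapping policies before saving them. This is an added example, not Mimecast code: the country codes `AA`/`BB`, the documentation IP ranges, `GATEWAY_RANGES` and all function names are constructed, and it assumes a policy with no Source IP Ranges matches any source.

```python
import ipaddress
from dataclasses import dataclass

# Constructed data: documentation IP ranges stand in for the country IP
# database and for the gateway's own ranges (not real Mimecast values).
GEO_DB = {"192.0.2.0/24": "AA", "198.51.100.0/24": "BB", "203.0.113.0/24": "BB"}
GATEWAY_RANGES = ["198.51.100.128/25"]

@dataclass
class Policy:
    kind: str                  # definition Type: "permit" or "block"
    countries: frozenset       # definition Countries
    source_ranges: tuple = ()  # policy Source IP Ranges (CIDR); empty = any source (assumption)

def in_any(ip, cidrs):
    return any(ip in ipaddress.ip_network(c) for c in cidrs)

def country_of(ip):
    for cidr, cc in GEO_DB.items():
        if ip in ipaddress.ip_network(cidr):
            return cc
    return None

def decide(sender_ip, policies, direction="inbound"):
    """Return 'accept' or 'reject' following the rules stated on this page."""
    ip = ipaddress.ip_address(sender_ip)
    if direction != "inbound":       # only inbound connections are checked
        return "accept"
    if in_any(ip, GATEWAY_RANGES):   # the gateway's own ranges are never blocked
        return "accept"
    cc = country_of(ip)
    matched = {p.kind for p in policies
               if cc in p.countries
               and (not p.source_ranges or in_any(ip, p.source_ranges))}
    if "permit" in matched:          # permit takes precedence over block
        return "accept"
    if "block" in matched:
        return "reject"
    return "accept"                  # all countries are permitted by default

# The bypass: block country BB, but permit one sender IP inside it.
POLICIES = [
    Policy("block", frozenset({"BB"})),
    Policy("permit", frozenset({"BB"}), ("203.0.113.25/32",)),
]
```

Calling `decide("203.0.113.25", POLICIES)` returns `accept`, while any other address in the blocked country returns `reject`; widening the permit's CIDR widens the exception, so keep it as narrow as the sender allows.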