This article contains information on securing inbound email by locking down your firewall to accept only Mimecast Data Center IP Ranges, ensuring all emails are filtered for spam and viruses. It includes steps for on-premises, Microsoft 365, and Google Workspace setups.
To ensure all inbound email is filtered through Mimecast, you must limit your inbound SMTP connections to only receive from Mimecast Data Center IP Ranges. You could expose your mail server to direct attacks and spam email delivery if you do not. This is a common method that spammers utilize to bypass gateway security services. By locking down your connections, you ensure all your messages are scanned by us to prevent viruses and spam from reaching your internal environment.
Prerequisite Tasks
- Ensure you cancel any contracts with your previous email cloud security provider. This prevents any disruption to your email flow before you complete your firewall lockdown.
- Ensure all emails are delivered by Mimecast only, including removing any other MX Records. Your Technical Point of Contact (TPOC) completes this step.
It may not be possible to lock down your firewall using Hosted Exchange (HEX), Google Apps, or other hosted services. Check with your provider to verify if this is possible.
On-Premises
We recommend locking down port 25 to the Mimecast Data Center IP ranges to ensure that all inbound mail is scanned by Mimecast. View the Mimecast Data Centers and URLs page for details.
When your firewall has been locked down, contact the Mimecast Connect Team. We will test the firewall and validate that your email flow is working effectively.
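As an added example (not from the Mimecast article), a small Python check a defender can run after the lockdown: it reads Postfix-style SMTP connection log lines and flags inbound connections from addresses outside the allowed gateway ranges (mail that reached port 25 unscanned), and it lists MX records that still point outside the gateway. The CIDR ranges, hostnames, domain suffix and log lines are constructed placeholders; substitute the real ranges from the Mimecast Data Centers and URLs page.

```python
import ipaddress
import re

# Constructed placeholder ranges standing in for the Mimecast Data Center IP
# ranges of your account region (RFC 5737 documentation addresses); replace
# them with the real ranges from the Mimecast Data Centers and URLs page.
GATEWAY_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/25")]

# Matches the "connect from host[ip]" line of a Postfix-style smtpd log.
# The word boundary keeps "disconnect from" lines from matching.
CONNECT_RE = re.compile(r"\bconnect from (?P<host>\S+)\[(?P<ip>[0-9a-fA-F.:]+)\]")


def is_from_gateway(src_ip, ranges=GATEWAY_RANGES):
    """True if the connecting address lies inside one of the allowed gateway ranges."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in ranges)


def find_bypass_connections(log_lines, ranges=GATEWAY_RANGES):
    """Return (host, ip) for each inbound SMTP connection that did not arrive via
    the gateway ranges, i.e. mail delivered directly and never scanned."""
    bypasses = []
    for line in log_lines:
        m = CONNECT_RE.search(line)
        if m and not is_from_gateway(m.group("ip"), ranges):
            bypasses.append((m.group("host"), m.group("ip")))
    return bypasses


def stray_mx_hosts(mx_hosts, gateway_suffix):
    """Return MX hosts outside the gateway's domain: records that should have
    been removed before the lockdown (see Prerequisite Tasks)."""
    suffix = gateway_suffix.lower().rstrip(".")
    return [h for h in mx_hosts if not h.lower().rstrip(".").endswith(suffix)]


# Constructed sample log lines; hostnames and addresses are illustrative only.
SAMPLE_LOG = [
    "Jan 12 10:01:02 mx1 postfix/smtpd[2101]: connect from gw1.mimecast-placeholder.test[203.0.113.10]",
    "Jan 12 10:01:09 mx1 postfix/smtpd[2102]: connect from unknown[192.0.2.77]",
    "Jan 12 10:01:15 mx1 postfix/smtpd[2103]: connect from gw2.mimecast-placeholder.test[198.51.100.5]",
    "Jan 12 10:02:40 mx1 postfix/smtpd[2104]: disconnect from unknown[192.0.2.77]",
]

if __name__ == "__main__":
    for host, ip in find_bypass_connections(SAMPLE_LOG):
        print(f"direct delivery bypassing the gateway: {host} [{ip}]")
    # Constructed MX list: the legacy provider's record should already be gone.
    print(stray_mx_hosts(["mx1.mimecast-placeholder.test.", "mail.legacy-provider.example."],
                         "mimecast-placeholder.test"))
```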
Microsoft 365
We recommend locking down your inbound email flow in Microsoft 365 to only allow mail from Mimecast IP addresses. This requires you to create a receive connector in Microsoft 365. See the Connect Process: Locking Down Your Microsoft 365 Inbound Email Flow page for full details.
When your firewall has been locked down, contact the Mimecast Connect Team. We will test the firewall and validate that your email flow is working effectively.
Google Workspace
To lock down your Google Workspace to Mimecast, follow these steps:
- Add Mimecast IP Ranges to your Inbound Gateway.
- Configure a Delivery Route in Mimecast.
- Reject all mail not from your Gateway IPs.
Adding Mimecast IP Ranges to Your Inbound Gateway
To add the Mimecast IP Ranges to your Inbound Gateway:
- Navigate to Inbound Gateway.
- Click on the Configure button.
- Enter Mimecast Gateway in the Short description.
- Use the Add button to enter the Mimecast Data Center IP ranges for your Mimecast account region. See the Mimecast Data Centers and URLs page for full details.
- Ensure the Require TLS for Connections From the Email Gateways Listed Above option is selected.
- Ensure the other two options aren't selected.
- Click on the Add Setting button to save the change.
Configuring a Delivery Route in Mimecast
To configure a Delivery Route in Mimecast:
- Create the Delivery Routing Definitions and Policies, using the Google Workspace MX record values in the routing definition:
  - Primary host: ASPMX.L.GOOGLE.COM
  - Alternative host: ALT1.ASPMX.L.GOOGLE.COM
- Create a Delivery Routing policy (see the above article) as follows:
  - Policy Narrative: Google Workspace
  - Route: Select the definition created in step 1
  - Address Based On: Both
  - Applies From: Everyone (Applies to all Senders)
  - Applies To: Internal Addresses (Applies to all Internal Recipients)
- Click on the Save and Exit button.
Rejecting Mail Not From Your Gateway IPs
To reject all mail not from your Gateway IPs:
- Click on the Edit button.
- Check on the Reject All Mail Not From Gateway IPs option.
- Click on the Save button.
When your firewall has been locked down, contact the Mimecast Connect Team. We will test the firewall and validate that your email flow is working effectively.