Connect Process: Locking Down Your Firewall

Document created by user.oxriBaJeN4 Employee on Sep 21, 2015Last modified by user.oxriBaJeN4 Employee on Jul 18, 2017
Version 8Show Document
  • View in full screen mode


To ensure all inbound email is filtered through us, you must lock your firewall traffic down on port 25 to the Mimecast Data Center IP Ranges. If you don't, you could be exposing your mail server to direct attacks and spam email delivery. This is a common method spammers utilize to bypass gateway security services. By locking down your firewall you ensure all your messages are scanned by us to prevent viruses and spam from reaching your internal environment.


Prerequisite Tasks


  • Ensure you cancel any contracts with your previous email cloud security provider. This prevents any disruption to your email flow before you complete your firewall lock down.
  • Ensure all emails are being delivered by Mimecast only, including removing any other MX Records. Your Technical Point of Contact (TPOC) is responsible for completing this step.
It may not be possible to lock down your firewall if you are using a Hosted Exchange (HEX), Google Apps or other hosted services. Check with your provider to verify if this is possible. If you are using Office 365, you can lock down inbound mail flow. See the Locking Down Your Office 365 Inbound Email Flow page for full details. 

Locking Down G Suite


To lock down your G suite to Mimecast:

  1. Add Mimecast IP ranges to your inbound Gateway
  2. Configure a delivery route in Mimecast
  3. Reject all mail not from your Gateway IPs


Adding Mimecast IP Ranges to Your Inbound Gateway


To add the Mimecast IP Ranges to your inbound Gateway:

  1. Navigate to Inbound Gateway.
  2. Click on the Configure button.
    1. Enter  "Mimecast Gateway" in the Short description.
    2. Use the Add button to enter the Mimecast Data Center IP for your Mimecast account region. See the Mimecast Data Centers and URLs page for full details.
    3. Ensure the Require TLS for Connections From the Email Gateways Listed Above option is selected.
    4. Ensure the other two options aren't selected.
  3. Click on the Add Setting button to save the change.


Configuring a Delivery Route in Mimecast


To configure a Delivery Route in Mimecast:

  1. Create a Delivery Routing Definition using the G Suite MX record value in the routing definition.
    • Primary host: ASPMX.L.GOOGLE.COM
    • Alternative host: ALT1.ASPMX.L.GOOGLE.COM
  2. Create a Delivery Routing Policy:

    Field  / OptionValue>
    Policy NarrativeG Suite
    RouteSelect the definition created in step 1.
    Address Based OnBoth
    Applies FromEveryone (Applies to all Senders)
    Applies ToInternal Addresses (Applies to all Internal Recipients)
  3. Click on the Save and Exit> button.


Rejecting all Mail not from Your Gateway IPs


To reject all Mail Not From Your Gateway IPs:

  1. Click on the Edit button.
  2. Check on the Reject all Mail Not From Gateway IPs option.
  3. Click on the Save button.
When your firewall has been locked down, contact the Mimecast Connect Team. They will test the firewall and validate that your email flow is working effectively.

See Also...


1 person found this helpful