Connect Process: Locking Down Your Firewall

Document created by user.oxriBaJeN4 Employee on Sep 21, 2015. Last modified by user.oxriBaJeN4 Employee on Apr 2, 2019.
Version 11

To ensure all inbound email is filtered through Mimecast, you must limit your inbound SMTP connections so that they are accepted only from the Mimecast Data Center IP ranges. If you don't, your mail server could be exposed to direct attacks and direct spam delivery: connecting straight to the mail server, bypassing the gateway, is a common method spammers use to evade gateway security services. By locking down your connections, you ensure all your messages are scanned by us before they reach your internal environment, so viruses and spam are stopped at the gateway.

Prerequisite Tasks

  • Ensure you cancel any contracts with your previous email cloud security provider. This prevents any disruption to your email flow before you complete your firewall lockdown.
  • Ensure all emails are being delivered by Mimecast only, including removing any other MX Records. Your Technical Point of Contact (TPOC) is responsible for completing this step.

It may not be possible to lock down your firewall if you are using Hosted Exchange (HEX), Google Apps or other hosted services. Check with your provider to confirm whether this is possible.

On Premises

We recommend locking down port 25 to the Mimecast Data Center IP ranges to ensure that all inbound mail is scanned by Mimecast. View the Mimecast Data Centers and URLs page for details.

When your firewall has been locked down, contact the Mimecast Connect Team. We will test the firewall and validate that your email flow is working effectively.
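As an added example (not from this Mimecast page and not a Mimecast tool) of what an on-premises lockdown looks like in rule form, the Python script below generates an nftables ruleset that accepts TCP port 25 only from a supplied list of ranges and drops every other connection to that port, leaving all other traffic to your existing policy. The ranges in the script are constructed placeholders, and the table, chain and set names are this example's own; substitute the Mimecast Data Center IP ranges for your region from the Mimecast Data Centers and URLs page.

```python
import ipaddress

# Constructed placeholder ranges standing in for the Mimecast Data Center IP
# ranges of your account region; take the real values from the Mimecast
# Data Centers and URLs page. These are documentation-reserved networks.
MIMECAST_RANGES = [
    "192.0.2.0/24",      # placeholder, TEST-NET-1
    "198.51.100.0/24",   # placeholder, TEST-NET-2
    "2001:db8:1::/48",   # placeholder, IPv6 documentation prefix
]


def build_smtp_ruleset(allowed_ranges, table="inet mailfilter", chain="smtp_inbound"):
    """Return an nftables ruleset (as text) that accepts TCP/25 only from
    allowed_ranges and drops every other connection to TCP/25.

    The chain policy is accept, so traffic to other ports is untouched and
    the ruleset can sit alongside an existing firewall policy.  Malformed or
    empty input raises ValueError: a mistyped prefix must not silently widen
    the allow-list, and an empty list would silently stop all inbound mail.
    """
    if not allowed_ranges:
        raise ValueError("allow-list is empty; this would drop all inbound mail")
    # strict=True rejects prefixes with host bits set (e.g. 192.0.2.5/24),
    # which usually means the range was copied incorrectly.
    nets = [ipaddress.ip_network(r, strict=True) for r in allowed_ranges]
    v4 = [str(n) for n in nets if n.version == 4]
    v6 = [str(n) for n in nets if n.version == 6]

    lines = [f"table {table} {{"]
    if v4:
        lines += [
            "    set smtp_allow_v4 {",
            "        type ipv4_addr",
            "        flags interval",
            f"        elements = {{ {', '.join(v4)} }}",
            "    }",
        ]
    if v6:
        lines += [
            "    set smtp_allow_v6 {",
            "        type ipv6_addr",
            "        flags interval",
            f"        elements = {{ {', '.join(v6)} }}",
            "    }",
        ]
    lines += [
        f"    chain {chain} {{",
        "        type filter hook input priority 0; policy accept;",
    ]
    # Allow rules must precede the final drop: nftables evaluates in order.
    if v4:
        lines.append("        tcp dport 25 ip saddr @smtp_allow_v4 accept")
    if v6:
        lines.append("        tcp dport 25 ip6 saddr @smtp_allow_v6 accept")
    lines += [
        "        tcp dport 25 drop",
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Prints the ruleset; load it with: nft -f <file>
    print(build_smtp_ruleset(MIMECAST_RANGES), end="")
```

Load the printed ruleset with `nft -f` after reviewing it next to any input chains you already have: nftables evaluates every base chain hooked on input, so a drop in an existing chain still applies, and an accept here does not override it. Generating the rules from a validated list rather than typing them by hand means a mistyped prefix fails loudly instead of silently opening port 25 to the wrong network.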


Office 365

We recommend locking down your inbound email flow in Office 365 so that it only accepts mail from Mimecast IP addresses. This requires you to create a receive connector in Office 365. See the Locking Down Your Office 365 Inbound Email Flow page for full details.

When your firewall has been locked down, contact the Mimecast Connect Team. We will test the firewall and validate that your email flow is working effectively.


G Suite

To lock down your G Suite to Mimecast, follow these steps:

  1. Add the Mimecast IP ranges to your inbound Gateway.
  2. Configure a delivery route in Mimecast.
  3. Reject all mail not from your Gateway IPs.


Adding Mimecast IP Ranges to Your Inbound Gateway

To add the Mimecast IP Ranges to your inbound Gateway:

  1. Navigate to Inbound Gateway.
  2. Click on the Configure button.
    1. Enter "Mimecast Gateway" in the Short description.
    2. Use the Add button to enter the Mimecast Data Center IP for your Mimecast account region. See the Mimecast Data Centers and URLs page for full details.
    3. Ensure the Require TLS for Connections From the Email Gateways Listed Above option is selected.
    4. Ensure the other two options aren't selected.
  3. Click on the Add Setting button to save the change.


Configuring a Delivery Route in Mimecast

To configure a Delivery Route in Mimecast:

  1. Create a Delivery Routing definition using the G Suite MX record value in the routing definition.
    • Primary host: ASPMX.L.GOOGLE.COM
    • Alternative host: ALT1.ASPMX.L.GOOGLE.COM
  2. Create a Delivery Routing policy as follows:

     Field / Option      Value
     Policy Narrative    G Suite
     Route               Select the definition created in step 1.
     Address Based On    Both
     Applies From        Everyone (Applies to all Senders)
     Applies To          Internal Addresses (Applies to all Internal Recipients)
  3. Click on the Save and Exit button.


Rejecting Mail Not From Your Gateway IPs

To reject all mail not from your Gateway IPs:

  1. Click on the Edit button.
  2. Select the Reject all Mail Not From Gateway IPs option.
  3. Click on the Save button.

When your firewall has been locked down, contact the Mimecast Connect Team. We will test the firewall and validate that your email flow is working effectively.
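The Connect Team's test confirms that mail still flows through Mimecast; the complementary check on your side, for an on-premises mail server whose logs you control, is that nothing reaches port 25 except from the Mimecast ranges. As an added example (not part of this page and not a Mimecast tool), the Python script below audits an MTA's connection log and reports inbound SMTP connections whose source address lies outside the allowed ranges, which is precisely the traffic the lockdown is meant to stop. The log lines and ranges are constructed, the log line layout is an assumption, and the function and variable names are this example's own; adapt CONNECT_RE to your mail server's real connect lines and use the Mimecast ranges for your region.

```python
import ipaddress
import re

# Constructed placeholder ranges standing in for the Mimecast Data Center IP
# ranges of your region (documentation-reserved networks, not real values).
ALLOWED_RANGES = ["192.0.2.0/24", "198.51.100.0/24", "2001:db8:1::/48"]

# Constructed sample of an MTA's connection log. The line layout is an
# assumption made for this example; adapt CONNECT_RE to your server's format.
SAMPLE_LOG = """\
2019-04-02T10:15:01Z mail smtpd[4121]: connect from relay-a.example[192.0.2.17]
2019-04-02T10:16:44Z mail smtpd[4121]: connect from unknown[203.0.113.9]
2019-04-02T10:17:02Z mail smtpd[4122]: connect from relay-b.example[198.51.100.200]
2019-04-02T10:19:30Z mail smtpd[4123]: connect from unknown[2001:db8:ffff::1]
2019-04-02T10:20:11Z mail smtpd[4121]: disconnect from relay-a.example[192.0.2.17]
2019-04-02T10:21:05Z mail smtpd[4124]: connect from broken[not-an-ip]
"""

# Timestamp first, then "connect from host[ip]". The \b keeps "disconnect"
# lines from matching, since the "c" in "disconnect" has no word boundary.
CONNECT_RE = re.compile(
    r"^(?P<ts>\S+)\s.*?\bconnect from [^\s\[]*\[(?P<ip>[^\]]+)\]"
)


def parse_connections(log_text):
    """Yield (timestamp, raw source address) for each inbound connect line."""
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip")


def audit_inbound_smtp(log_text, allowed_ranges):
    """Classify every inbound SMTP connection found in log_text.

    Returns a dict with three lists of (timestamp, source) tuples:
      allowed    - source inside allowed_ranges (mail arrived via Mimecast)
      bypass     - source anywhere else: the lockdown is not effective
      unparsable - source that is not a valid IP address; kept as a finding
                   rather than dropped, so a logging quirk cannot hide a bypass
    """
    nets = [ipaddress.ip_network(r, strict=True) for r in allowed_ranges]
    result = {"allowed": [], "bypass": [], "unparsable": []}
    for ts, raw in parse_connections(log_text):
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            result["unparsable"].append((ts, raw))
            continue
        # "in" is False across IP versions, so a v4 address never matches a
        # v6 range by accident.
        bucket = "allowed" if any(addr in n for n in nets) else "bypass"
        result[bucket].append((ts, raw))
    return result


def lockdown_effective(audit):
    """True only when no connection bypassed the gateway and every source
    address parsed cleanly."""
    return not audit["bypass"] and not audit["unparsable"]


if __name__ == "__main__":
    audit = audit_inbound_smtp(SAMPLE_LOG, ALLOWED_RANGES)
    for ts, ip in audit["bypass"]:
        print(f"BYPASS    {ts}  {ip}")
    for ts, raw in audit["unparsable"]:
        print(f"UNPARSED  {ts}  {raw!r}")
    print("lockdown effective:", lockdown_effective(audit))
```

Run it over a day of logs after the lockdown and again periodically: a connection in the bypass list means port 25 is still reachable from outside the Mimecast ranges, either because a rule is missing or because another route to the server exists. It is the same check the Connect Team performs from the outside, done from the evidence your own server records.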
