Configuring Geographical Restrictions Definitions and Policies

Document created by user.oxriBaJeN4 Employee on Jan 11, 2019. Last modified by user.oxriBaJeN4 Employee on Jun 13, 2019.
Version 14

A Geographical Restrictions policy allows administrators to permit or block IP addresses listed in our country-specific IP database, thereby controlling which countries can connect to the Mimecast Gateway. This lets you apply inbound reputation checks based on the geographical location of the sender. These checks are applied before our auto allow / managed sender policies, and inbound messages are rejected if the sender's IP address is blocked.

If a policy is set to block a country's IP addresses, you can create a separate policy to allow specific domains to override it by specifying the domain's IP address. For example, the block policy would be set to "Everyone to Everyone" and the allow domain policy set to "Group to Internal".

A geographical restrictions policy can be used:

  • For compliance reasons.
  • To drive down the number of spam messages received by end users.
  • To narrow down an organization's potential inbound cyber attack scope.
  • For other applications (e.g. SMTP authentication requests originating from blacklisted IP addresses).

 

Usage Considerations

 

Consider the following when configuring a Geographical Restrictions policy:

  • Geographical Restrictions policies only apply to inbound connections. Outbound and internal messages aren't affected.
  • Applying a "block" policy rejects messages in protocol. These are listed in the Message Center: Rejected and Deferred Messages queue.
  • Where conflicting Geographical Restrictions policies exist (i.e. one to block and one to permit) the permit takes precedence. For example:
    • Messages from permitted countries are allowed.
    • Messages from blocked countries are rejected.
  • Messages from Mimecast IP ranges aren't blocked, even if they originate from a blocked country.

 

Configuring a Geographical Restrictions Definition

 

To configure a Geographical Restrictions definition:

  1. Log on to the Administration Console.
  2. Click on the Administration toolbar button.
  3. Select the Gateway | Policies menu item.
  4. Click on the Definitions button.
  5. Select Geographical Restrictions from the dropdown menu to display your definitions.
  6. Either click the:
    • New Geographical Restrictions button to create a definition.
    • Definition to be changed.
  7. Complete the Geographical Settings as shown below:
    | Field / Option | Description |
    |---|---|
    | Name | Specify a description for the definition. This is kept in the archive for messages that have this definition applied. |
    | Type | Select whether to "Permit" or "Block" inbound messages. |
    | Countries | Either move the required countries from the "Available" column to the "Selected" column by selecting them and clicking on the Add button, or from the "Selected" column to the "Available" column by selecting them and clicking on the Remove button. Multiple countries can be added or removed at a time. |

  8. Click on the Save and Exit button.

 

Configuring a Geographical Restrictions Policy

 

To configure a Geographical Restrictions policy:

  1. Log on to the Administration Console.
  2. Click on the Administration toolbar button.
  3. Select the Gateway | Policies menu item.
  4. Click on Geographical Restrictions. A list of existing policies is displayed.
  5. Either click on the:
    • New Policy button to create a policy.
    • Policy to be amended.
  6. Complete the Options section as follows:
    | Field / Option | Description |
    |---|---|
    | Policy Narrative | Enter a description for the policy. This is kept with the message in the archive. |
    | Select Definition | Specify a Geographical Restrictions definition from the dropdown list. |
  7. Complete the Emails From section as follows:
    | Field / Option | Description |
    |---|---|
    | Addresses Based On | Specify the email address characteristics the policy is based on. |
    | Applies From | Specify the sender characteristics the policy is based on. For multiple policies, you should apply them from the most to least specific. |
    | Specifically | Enables you to specify an SMTP address if "Individual Email Addresses" is specified in the "Applies From" field. |
  8. Complete the Emails To section as follows:
    | Field / Option | Description |
    |---|---|
    | Applies To | Specify the recipient characteristics the policy is based on. For multiple policies, you should apply them from the most to least specific. |
    | Specifically | Enables a specific SMTP address if "Individual Email Addresses" is specified in the "Applies To" field. |
  9. Complete the Validity section as required:
    | Field / Option | Description |
    |---|---|
    | Enable / Disable | Use this option to enable or disable a policy. Disabling the policy allows you to prevent it from being applied without having to delete or backdate it. Should the policy's configured date range be reached, it's automatically disabled. |
    | Set Policy as Perpetual | Specifies that the policy's start and end dates are set to "Eternal", meaning the policy never expires. |
    | Date Range | Specify a start and end date for the policy. This automatically deselects the "Eternal" option. |
    | Policy Override | Select this option to override the default order that policies are applied. If there are multiple applicable policies, this policy is applied first unless more specific policies of the same type have also been configured with an override. |
    | Bi-Directional | If selected, the policy also applies when the policy's recipient is the sender and the sender is the recipient. |
    | Source IP Ranges (n.n.n.n/x) | Enter any required Source IP Ranges for the policy. These only apply if the source IP address used to transmit the message data falls inside or matches the range(s) configured. IP ranges should be entered in CIDR notation. |
  10. Click on the Save and Exit button.
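
The precedence rules under Usage Considerations and the Source IP Ranges field can be modelled offline to sanity-check a planned policy set before saving it. The following is an added example, not Mimecast code: it is a simplified model of the rules as this page states them, with a constructed GEO_DB, made-up country codes, and hypothetical names (Policy, applies, decide); sender/recipient scoping and the Mimecast IP range exemption are left out.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the country-specific IP database (documentation
# ranges, made-up country codes "AA" and "BB").
GEO_DB = {"198.51.100.0/24": "AA", "203.0.113.0/24": "BB"}

@dataclass(frozen=True)
class Policy:
    kind: str                  # definition Type: "permit" or "block"
    countries: frozenset       # definition Countries ("Selected" column)
    source_ranges: tuple = ()  # Source IP Ranges in CIDR; empty = any source IP

def country_of(ip):
    """Return the country code for ip, or None if no range matches."""
    addr = ipaddress.ip_address(ip)
    for cidr, code in GEO_DB.items():
        if addr in ipaddress.ip_network(cidr):
            return code
    return None

def applies(policy, ip):
    """A policy applies if the source IP's country is selected and the IP
    falls inside one of the policy's source ranges (when any are set)."""
    if country_of(ip) not in policy.countries:
        return False
    if not policy.source_ranges:
        return True
    addr = ipaddress.ip_address(ip)
    # ip_network() is strict by default: a range with host bits set, such as
    # "203.0.113.5/28", raises ValueError instead of silently mis-scoping.
    return any(addr in ipaddress.ip_network(r) for r in policy.source_ranges)

def decide(policies, ip, direction="inbound"):
    """Return "accept" or "reject" for one connection."""
    if direction != "inbound":      # outbound and internal mail is unaffected
        return "accept"
    kinds = {p.kind for p in policies if applies(p, ip)}
    if "permit" in kinds:           # permit takes precedence over block
        return "accept"
    return "reject" if "block" in kinds else "accept"

# Constructed policy set: block country "BB" for everyone, but permit one
# partner's mail servers inside that country by source range.
POLICIES = [
    Policy("block", frozenset({"BB"})),
    Policy("permit", frozenset({"BB"}), ("203.0.113.16/28",)),
]
```
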

 
