Enable Soft bounce
Configuring Google Workspace and CipherMail requires a number of steps. If for whatever reason the CipherMail appliance cannot deliver email to Google Workspace, for example because Google Workspace does not allow the gateway’s IP address to send email via Google’s SMTP servers, the email might get bounced (if the Google servers report this as a 500 permanent error).
To prevent the CipherMail appliance from bouncing email, it is advised to enable the postfix soft_bounce setting. If soft_bounce is enabled, permanent SMTP errors, i.e., 5XX errors, will be treated as temporary errors, i.e., 4XX.
To enable soft_bounce, follow these steps:
Log into CipherMail appliance.
Open the “MTA config file” page, then add the following line to the end of the postfix config file:
soft_bounce = yes
Click Apply
Note
If it is confirmed that the integration of CipherMail and Google Workspace is successful and has been proven to be stable, you might consider disabling the soft_bounce setting.
Encrypt outgoing email
To set up encryption for outgoing email from Google Workspace to external recipients, the following steps must be taken:
Create lookup table for the Gmail IP range
Create a list of valid sender domains
Configure postfix to only allow incoming email from Google Workspace for valid domains
Add the appliance as an email host to Google Workspace
Configure Google Workspace “Inbound gateway”
Add “Content compliance” rule to relay outgoing email via the CipherMail appliance
Configure Google Workspace “SMTP relay service”
Configure the CipherMail appliance to relay email via smtp-relay.gmail.com
Google Workspace IP range lookup table
The CipherMail appliance should only relay email to external recipients if the request comes from an IP address used by Google Workspace. The CipherMail appliance contains a module which retrieves the IP range used by Google Workspace (using the SPF record of the Gmail domain).
To load the Google Workspace IP range, follow these steps:
Login to CipherMail admin GUI
Open the “MTA client access list providers” page
Click on the “cog” icon for the “Gmail” entry
On the “Client access list for Gmail” page, click the Load list button. The CipherMail appliance will retrieve the Gmail SPF record and create a list of valid IP ranges
Click Copy to lookup table to save the IP range to the “cidr-gmail-ip-range.map” map file
List of valid sending domains
To make sure the CipherMail appliance will only relay email for your domains, all of your Google Workspace hosted domains should be added to the list of authorized sending domains.
Login to CipherMail admin GUI
Open the “MTA lookup tables” page
Click Add lookup table to open the “Add MTA lookup table” page
Set “Map Type” to “hash”
Set “Name” to “google-workspace-authorized-senders”
For each of the hosted Google Workspace domains, add a line that maps your domain to a postfix restriction class:
example.com google_workspace_checks
where example.com should be replaced by your Google Workspace hosted domain.
Click Add to add the new lookup table.
Note
The postfix restriction class google_workspace_checks, which will be added in a later step, is used to restrict incoming IP addresses to the Google Workspace IP range.
Configure postfix restrictions
Postfix should now be configured to allow relaying from Google Workspace.
Log into CipherMail appliance.
Open the “MTA config file” page, then add the following check_client_access line to the smtpd_recipient_restrictions setting:
check_client_access cidr:${maps_d_dir}/cidr-gmail-ip-range.map
Resulting smtpd_recipient_restrictions should look like:
smtpd_recipient_restrictions = permit_mynetworks
    check_client_access cidr:${maps_d_dir}/cidr-gmail-ip-range.map
    reject_unauth_destination
    check_client_access hash:/etc/postfix/client-whitelist
    check_client_access hash:/etc/postfix/client-blacklist
    ${djigzo_rbl_clients}
    ${djigzo_reject_unverified_recipient? reject_unverified_recipient}
Add the following check_sender_access line to the smtpd_relay_restrictions setting:
check_sender_access hash:${maps_d_dir}/hash-google-workspace-authorized-senders.map
Resulting smtpd_relay_restrictions should look like:
smtpd_relay_restrictions = permit_mynetworks
    check_sender_access hash:${maps_d_dir}/hash-google-workspace-authorized-senders.map
    permit_sasl_authenticated
    reject_unauth_destination
Add restriction class for Google Workspace
Add the following lines to the end of postfix config file:
smtpd_restriction_classes = google_workspace_checks
google_workspace_checks = check_client_access cidr:${maps_d_dir}/cidr-gmail-ip-range.map
Click Apply
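The two maps only protect the relay when they work together: the sender map hands a Google Workspace domain to the google_workspace_checks class, and that class only permits the relay when the client is inside the Gmail IP range. The following added example (not the appliance's or Postfix's own code) models how smtpd_relay_restrictions and the restriction class are walked, so the four combinations of known/unknown client and authorized/unauthorized sender can be checked offline; the table contents, the OK action in the cidr map and the mynetworks range are constructed assumptions.

```python
import ipaddress

# Constructed sample tables standing in for the appliance's map files; the action
# stored in cidr-gmail-ip-range.map is not on the page, so OK is an assumption.
TABLES = {
    "cidr:gmail-ip-range": {"192.0.2.0/24": "OK"},
    "hash:authorized-senders": {"example.com": "google_workspace_checks"},
    "cidr:mynetworks": {"127.0.0.0/8": "OK"},
}
LOCAL_DOMAINS = {"example.com"}  # destinations that need no relay permission
RESTRICTION_CLASSES = {"google_workspace_checks": ["check_client_access cidr:gmail-ip-range"]}
RELAY_RESTRICTIONS = ["permit_mynetworks", "check_sender_access hash:authorized-senders",
                      "permit_sasl_authenticated", "reject_unauth_destination"]

def lookup_client(table, ip):
    addr = ipaddress.ip_address(ip)
    return next((act for net, act in table.items() if addr in ipaddress.ip_network(net)), None)

def lookup_sender(table, sender):
    # Postfix access-map key order: full address, then the domain and each parent domain
    domain = sender.rpartition("@")[2]
    keys = [sender, domain] + [domain[i + 1:] for i, c in enumerate(domain) if c == "."]
    return next((table[k] for k in keys if k in table), None)

def evaluate(restrictions, ctx):
    """Walk a restriction list: return 'permit', 'reject' or 'dunno' (no decision yet)."""
    for item in restrictions:
        name, _, arg = item.partition(" ")
        if name == "permit_mynetworks":
            result = lookup_client(TABLES["cidr:mynetworks"], ctx["client"])
        elif name == "permit_sasl_authenticated":
            result = "OK" if ctx.get("sasl") else None
        elif name == "reject_unauth_destination":
            result = None if ctx["rcpt"].rpartition("@")[2] in LOCAL_DOMAINS else "REJECT"
        elif name == "check_client_access":
            result = lookup_client(TABLES[arg], ctx["client"])
        elif name == "check_sender_access":
            result = lookup_sender(TABLES[arg], ctx["sender"])
        else:
            raise ValueError(f"unsupported restriction {name}")
        if result in RESTRICTION_CLASSES:  # the sender map named a restriction class
            verdict = evaluate(RESTRICTION_CLASSES[result], ctx)
            result = {"permit": "OK", "reject": "REJECT", "dunno": None}[verdict]
        if result == "OK":
            return "permit"
        if result == "REJECT":
            return "reject"
    return "dunno"

def relay_decision(client, sender, rcpt, sasl=False):
    return evaluate(RELAY_RESTRICTIONS, {"client": client, "sender": sender, "rcpt": rcpt, "sasl": sasl})
```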
Add email host to Google Workspace
Because we need to route email to the appliance, we need to add the appliance hostname to the list of hosts on Google Workspace.
Log into Google Admin
Open the Gmail app page
On the Gmail app page, click Hosts
On the “Hosts” page, click Add route
On the “Add mail route” page, select a name for the route (for example: Route to CipherMail appliance)
Select “Single host”
Set hostname to the hostname (or IP) of the CipherMail appliance and set port to 25
Select “Require mail to be transmitted via a secure (TLS) connection”, “Require CA signed certificate” and “Validate certificate hostname”
Click Test TLS connection and check whether the TLS connection succeeds
Click Save
Configure Google Workspace Inbound gateway
We need to tell Google Workspace from which IP address the appliance will send email back to Google Workspace.
Log into Google Admin
Open the Gmail app page
Open the “Advanced settings”
Under “Spam, phishing, and malware”, select the “Inbound gateway” row and click Configure
Set description to “Incoming from CipherMail”
Add the IP address of the CipherMail appliance
Select “Automatically detect external IP” and “Require TLS for connections from the email gateways listed above”
Click Add setting
Click Save
Add Content compliance rule
Google Workspace should be configured to relay email for external recipients via the CipherMail appliance. This allows the appliance to encrypt the email. Relaying via the CipherMail appliance will be triggered using a content compliance rule. To prevent mail loops, i.e., sending email back and forth between Gmail and the appliance, the compliance rule will only be triggered if the email was not sent by the appliance.
Tip
The compliance rule can be activated conditionally based on a trigger. This allows you to be selective about which emails are handled by the CipherMail appliance. There are various ways a rule can be triggered. For example, the rule can be triggered if:
the subject contains a certain keyword
the email is sent by a specific user
the email recipient matches some domain
the email contains some header
In this example we will trigger the rule if the subject contains the keyword [secure].
Log into Google Admin
Open the Gmail app page
Open the “Advanced settings”
Select the “Content compliance” row and click Configure
Set description to “Encrypt outgoing email”
Set “Email messages to affect” to “Internal-sending”
In field “Add expressions that describe the content you want to search for in each message”, select “If ALL of the following match the message”
Click Add to add an expression
Select “Advanced content match”
Set “Location” to “Subject”
Set “Match type” to “Contains text”
Set “Content” to “[secure]” (or select some other keyword which triggers the rule)
Click Save
Add an additional rule which will exclude the appliance IP address from triggering the rule. Click Add to add an additional expression
Select “Metadata match”
Set “Attribute” to “Source IP”
Set “Match type” to “Source IP is not within the following range”
Specify the IP address of the appliance and Click Save
Under “If the above expressions match, do the following”, select “Change route”
Select the host, “Route to CipherMail appliance”, which was added in step Add email host to Google Workspace
Under “Encryption (onward delivery only)” select “Require secure transport (TLS)”
Click Add setting to close the dialog.
Click Save to save the changes.
Configure Google Workspace SMTP relay service
Instead of direct delivery, we will use the Google SMTP service to deliver email to the external recipients. We therefore need to configure the Google SMTP relay service to allow connections from the appliance IP address.
Note
While it’s possible to directly deliver email to the final recipients, it’s better to use the Google SMTP services.
Log into Google Admin
Open the Gmail app page
Open the “Advanced settings”
Select the “SMTP relay service” row and click Configure
Set the description. For example: “Allow CipherMail appliance”
Under “Authentication”, select “Only accept mail from the specified IP addresses”
Add the IP address of the CipherMail appliance.
Select “Require TLS encryption”
Click Add setting to close the dialog.
Click Save to save the changes.
Mandatory TLS
To make sure email sent from the CipherMail appliance to Google Workspace cannot be intercepted, we need to configure mandatory TLS for the connection to Google Workspace.
Login to CipherMail admin GUI
Open the “MTA lookup tables” page
Click Add lookup table to open the “Add MTA lookup table” page
Set “Map Type” to “hash”
Set “Name” to “tls-policy”
Add the following lines
example.com:25 verify match=mx.google.com
[smtp-relay.gmail.com]:587 verify
Replace example.com by your Google Workspace hosted domain
Click Add to add the new lookup table
Open the “MTA config file” page, then add the following line to the end of the postfix config file:
smtp_tls_policy_maps = hash:${maps_d_dir}/hash-tls-policy.map
Click Apply
Test relay
Test whether relaying via Google Workspace is correctly set up and allowed:
Log into CipherMail appliance
Open the “Compose a test email” page
On the “Compose a test email” page, set “To” to a valid external recipient
Select a valid “Subject”
Click “More” to enable additional settings
Set “Sender” to a valid sender from your Google Workspace domain
Provide a body text
Click Send
Open the MTA log and check whether the email was successfully relayed via Google Workspace.
Decrypt incoming email
With Google Workspace, email for your domain is delivered to Google’s servers (assuming your MX records are set up for Google Workspace). If you want the CipherMail gateway to decrypt incoming S/MIME or PGP encrypted email, incoming email should, at some point, be handled by the CipherMail gateway.
Note
You only need to set up decryption of incoming email if you use the CipherMail gateway with S/MIME or PGP. If you only use PDF encryption or Webmail Messenger, you can skip this part.
One option is to re-configure your MX records so that email for your domains is directly delivered to your CipherMail gateway. The CipherMail gateway should then deliver the email to Google Workspace.
Another option is to configure Google Workspace to deliver incoming email to the CipherMail gateway, which then sends it back to Google Workspace after decryption. To prevent a mail loop, Google Workspace should only forward the email to the CipherMail gateway if the email was not already handled by the CipherMail gateway. The main benefit of this setup is that Google Workspace will be the first entry point for your email and can therefore check incoming email for viruses or spam.
To configure forwarding incoming email to CipherMail gateway for decryption, the following steps are required:
Log into Google Admin
Open the Gmail app page
Open the “Advanced settings”
Select the “Content compliance” row and click Add another
Set description to “Decrypt email”
Set “Email messages to affect” to “Internal-receiving”
In field “Add expressions that describe the content you want to search for in each message”, select “If ANY of the following match the message”
Click Add to add an expression
Select “Metadata match”
Set “Attribute” to “Source IP”
Set “Match type” to “Source IP is not within the following range”
Specify the IP address of the appliance and Click Save
Under “If the above expressions match, do the following”, select “Change route”
Select the host, “Route to CipherMail appliance”, which was added in step Add email host to Google Workspace
Under “Encryption (onward delivery only)” select “Require secure transport (TLS)”
Click Add setting to close the dialog.
Click Save to save the changes.
In the CipherMail appliance, add all the Google Workspace domains to the “Relay domain” list.
Log into CipherMail appliance
Open the “MTA config” page
For each of your Google Workspace hosted domains, add the domain as a “Relay Domain”
Click Apply