Lookout Product Documentation


Gmail (Google Workspace) - SMTP Secure Email Gateway Configuration

Introduction

This section provides instructions for configuring email routing between Gmail and the Lookout secure email gateway.

The headers of every email sent or received by the Gmail tenant are inspected for a flag that specifies whether the email has already been inspected by Lookout.

If the flag is not present, the header is amended with Lookout tenant-specific information that allows the Lookout Security Platform to route the email to the correct tenant and apply policy. The email is sent from Gmail to Lookout through a configured route, processed by Lookout, and a flag is added to the header by Lookout. The email is then routed back to Gmail. Recognising that the email has already been inspected, Gmail routes it to the originally intended recipient.

This configuration includes the following procedures:

  1. Obtain configuration information from Lookout Management Console

  2. Create and configure a mail flow rule in Gmail

  3. Configure a connector for routing email from Gmail to the secure email gateway

  4. Configure forwarding of email

  1. Obtain configuration from Lookout Management Console

     This section assumes that a default environment has already been configured and the sanctioned application has already been created within App Management. The sanctioned application has Gmail (SMTP) enabled and Email enabled within the Protection Model.

     a. Log into the Lookout Management Console and navigate to Administration > Environment Management.
     b. Edit the Default environment.
     c. Click the Email tab.
     d. Take note of the Domain Name in the ‘Incoming Emails from Cloud Applications or User’ section.
     e. In the ‘Outgoing Email Settings’ section, select Internal Relay.
     f. Enter smtp-relay.gmail.com in Domain Name.
     g. Enter 25 as the Port number (this should match the port number set in the Google Workspace Admin Console).
     h. Click Save.
     i. Navigate to Administration ➔ App Management. Note the name of the Google Workspace application to be used for SMTP integration.

  2. Configure a connector for routing emails from Gmail to the secure email gateway

     This section details the process to configure an outbound route for emails to be routed from Gmail to Lookout should they meet the rules specified in section 3. An outbound route is created to target the MX record DNS entry of your specific Lookout tenant.

     a. In the Google Workspace Admin Console, navigate to Apps ➔ Google Workspace ➔ Gmail. Click on Hosts.
     b. Click Add Route.
     c. In the Name field, enter a meaningful name.
     d. Select Single host from the dropdown.
     e. In the Enter hostname or IP field, enter the domain name from step 1d, found in the Lookout Management Console.
     f. In the port field, enter the port from step 1g, found in the Lookout Management Console.
     g. Under section 2. Options, select:
        1. Perform MX Lookup on host
        2. Require mail to be transmitted via a secure (TLS) connection (Recommended)
        3. Require CA signed certificate (Recommended)
        4. Validate certificate hostname (Recommended)
     h. To validate the connector configuration, click Test TLS Connections. A successful response should be displayed. If the response is not successful, check the configuration and contact support.
     i. Click Save.

  3. Create and configure a mail flow rule in Gmail

     This section details how to configure rules that determine whether an email should be routed from Gmail to Lookout. If Gmail recognizes a specific flag in the email header indicating that the email has already been inspected by Lookout, the email bypasses the rule and is sent to its intended recipient. If the rule is matched and the flag is not within the header, then the header is amended with a Lookout-specific tenant flag and the email is sent to Lookout through the route configured in section 2.

     a. In the Google Workspace Admin Console, navigate to Apps > Google Workspace > Gmail. Scroll down and click Compliance. Scroll down to Content Compliance and click Add Rule. The Add Setting window will pop up. In the title field, enter a name.
     b. In section 1. Email messages to affect, select which types of email should be routed to Lookout for inspection:
        - Inbound: All emails received from external senders will be routed to Lookout for inspection.
        - Outbound: All emails sent to external recipients from internal senders will be routed to Lookout for inspection.
        - Internal – Sending: All emails sent to internal recipients from internal senders will be routed to Lookout for inspection.
        - Internal – Receiving: All emails received by internal recipients from internal senders will be routed to Lookout for inspection.
        NOTE: It is recommended that Outbound is selected as a minimum to ensure the security of data leaving the organization.
     c. In section 2. Add expressions that describe the content you want to search for in each message, select If ANY of the following match the message from the drop down. Under Expressions, click ADD. The Add Setting window will pop up. Select Advanced Content Match from the drop down. In the Location drop down, select Headers + Body.
     d. In the Match Type drop down, select Not contains text. In the Content field, enter X-CC-Processed and click Save.
     e. In section 3. If the above expressions match, do the following, select Modify message from the drop down.
     f. Under Headers, select Add custom Headers and click ADD. In the X-Header key field, enter CC-ACCOUNT-TENANTID. In the Header value field, enter the application name from the Lookout Management Console, followed by a colon, followed by the Lookout tenant ID. Example: Google_SMTP:etst04, where Google_SMTP is the application name in the Lookout Management Console and etst04 is the Lookout tenant ID. Click Save.
        Note: The header is case sensitive. The application name must be exactly as it is shown in the Lookout Management Console and the tenant ID MUST be in lowercase.
     g. Scroll down to Route and select Change route. In the drop down, select the Host that you created above. Click Save.
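The content compliance rule above is evaluated inside Google Workspace, so its loop-prevention logic cannot be exercised until the whole chain is live. The following Python model is an added example (not Lookout's or Google's code) that reproduces the rule's decision on constructed messages: if the text X-CC-Processed is absent from headers and body, the CC-ACCOUNT-TENANTID header is added and the message is routed to Lookout; if it is present, the message is delivered unchanged. It also checks the documented header-value format (application name, colon, lowercase tenant ID). The value "true" for the X-CC-Processed header is an assumption; the page documents only the header name, and the rule keys on its presence.

```python
"""Offline model of the Gmail content-compliance rule described above.

Added example, not Lookout's or Google's code. Gmail evaluates the real rule
inside Google Workspace; this reproduces its decision so the loop guard can be
tested on constructed messages. Assumptions: the processed flag is the literal
text X-CC-Processed, searched in headers and body exactly as the rule is
configured (only its presence matters; its value is not documented), and the
tenant header value has the form "<app name>:<tenant id>".
"""
from email import message_from_string, policy

PROCESSED_FLAG = "X-CC-Processed"        # flag Lookout adds after inspection
TENANT_HEADER = "CC-ACCOUNT-TENANTID"    # header the rule adds before routing


def tenant_value_problems(value: str) -> list[str]:
    """List the ways a CC-ACCOUNT-TENANTID value violates the documented
    format: "<app name>:<tenant id>", with the tenant ID in lowercase."""
    problems = []
    app, sep, tenant = value.partition(":")
    if not sep or not app or not tenant:
        problems.append("value must be '<app name>:<tenant id>'")
    elif tenant != tenant.lower():
        problems.append("tenant ID must be lowercase")
    return problems


def already_processed(raw_message: str) -> bool:
    """Mirror the rule expression: Advanced Content Match, location
    Headers + Body, match type Not contains text, content X-CC-Processed.
    The rule fires when the text is absent, so this returns True when the
    text is present anywhere in the raw message."""
    return PROCESSED_FLAG in raw_message


def route_message(raw_message: str, tenant_value: str) -> tuple[str, str]:
    """Decide what Gmail does with one message.

    Returns ("deliver", unchanged message) when the Lookout flag is already
    present, otherwise ("lookout", message with the tenant header added),
    which models "Modify message -> Add custom header -> Change route".
    """
    if already_processed(raw_message):
        return "deliver", raw_message
    problems = tenant_value_problems(tenant_value)
    if problems:
        raise ValueError("; ".join(problems))
    msg = message_from_string(raw_message, policy=policy.default)
    msg[TENANT_HEADER] = tenant_value      # appended after existing headers
    return "lookout", msg.as_string()


# Constructed sample messages (not real traffic).
OUTBOUND = (
    "From: alice@example.com\n"
    "To: bob@example.org\n"
    "Subject: Quarterly numbers\n"
    "\n"
    "Please review the attached figures.\n"
)

# The same message as it comes back from Lookout; the flag value is assumed.
RETURNED = (
    "From: alice@example.com\n"
    "To: bob@example.org\n"
    "Subject: Quarterly numbers\n"
    "CC-ACCOUNT-TENANTID: Google_SMTP:etst04\n"
    "X-CC-Processed: true\n"
    "\n"
    "Please review the attached figures.\n"
)

if __name__ == "__main__":
    action, modified = route_message(OUTBOUND, "Google_SMTP:etst04")
    print(action)                                    # lookout
    print(modified.splitlines()[3])                  # CC-ACCOUNT-TENANTID: Google_SMTP:etst04
    print(route_message(RETURNED, "Google_SMTP:etst04")[0])   # deliver
    print(tenant_value_problems("Google_SMTP:ETST04"))        # ['tenant ID must be lowercase']
```

Because the rule's location is Headers + Body, `already_processed` searches the whole raw message rather than only the header block; that is a faithful model of the setting chosen in step d, which is worth keeping in mind when reading the Email Log Search results during testing.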

Whitelist the Lookout secure email gateway to Gmail (SMTP) - Inbound Connector

This section details the configuration required to accept inbound messages from Lookout after inspection. The IP addresses of the Lookout SMTP servers are whitelisted, accepting inspected emails, for sending onward to the intended recipients.

  1. In the Google Workspace Admin Console, navigate to Apps > Google Workspace > Gmail, scroll down and click on Routing.

  2. Scroll down to SMTP relay service and click Add New Rule.

  3. Give the rule a meaningful name.

  4. In section 1. Allowed Senders, select Any addresses (not recommended) from the drop down.

  5. In section 2. Authentication, select Only accept mail from the specified IP addresses.

  6. Under the IP address / ranges section, add the IP addresses for the Lookout SMTP servers. NOTE: These IP addresses must be obtained from support. They cannot be obtained through NSLOOKUP.

  7. Click Save to close the rule, then click Save again to apply the change.

Testing the configuration

To test the configuration, send an email from Gmail to a recipient mailbox that you have access to. Inspect the Gmail logs to ensure the email has been sent out and received back. Then check at the recipient client to ensure that the email has arrived and that it has been processed by Lookout by inspecting the header.

  1. A couple of minutes after sending the email, navigate to Reporting > Email Log Search in the Google Workspace Admin Console.

  2. Click on Search.

  3. The email will be shown in the list of emails. Click on the Subject/Message ID.

  4. Under Recipient details, expand the drop down and ensure that the email was delivered to the MX record specified in step 2f. You can confirm this by executing an NSLOOKUP of the MX record and ensuring that one of the resolved IP addresses is the same as the IP address shown in the Email Log Search.

  5. If the email has successfully been inspected by Lookout and sent back to Gmail for onward processing, the Email Log Search will also show that the email was subsequently received from an SMTP client with the same IP address as that configured in the inbound connector above.

  6. In the recipient email client, the email should have been received. Open the email and inspect the header to ensure that the processed flag has been added.
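The last two checks of the test (the return hop came from an allowlisted Lookout SMTP address, and the processed flag is in the header of the delivered email) can be scripted against the raw message saved from the recipient's client. The Python below is an added example, not Lookout's or Google's code. It assumes the flag is a header literally named X-CC-Processed, that Received headers record the connecting client as a bracketed IPv4 address (the common MTA format), and it uses 203.0.113.0/24 (a documentation range) as a placeholder allowlist, because the real Lookout relay addresses are only available from support. The sample message, hostnames and addresses are constructed.

```python
"""Verify a message delivered after Lookout inspection.

Added example, not Lookout's or Google's code. Checks the two things the
test above looks for: the processed flag is present, and at least one
Received hop came from an allowlisted Lookout SMTP relay IP.
Assumptions: the flag header is literally X-CC-Processed; Received headers
carry the client IP in square brackets; the allowlist is a placeholder
(203.0.113.0/24 is a documentation range), not Lookout's real addresses.
"""
import ipaddress
import re
from email import message_from_string, policy

# Placeholder allowlist in CIDR form; replace with the ranges obtained from support.
PLACEHOLDER_LOOKOUT_RANGES = ("203.0.113.0/24",)

# Matches the bracketed client IPv4 address in a Received header, e.g. "[203.0.113.10]".
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hop_ips(raw_message: str) -> list[ipaddress.IPv4Address]:
    """Return the client IP of every Received hop, most recent hop first."""
    msg = message_from_string(raw_message, policy=policy.default)
    ips = []
    for header in msg.get_all("Received", []):
        match = RECEIVED_IP.search(str(header))
        if match:
            ips.append(ipaddress.ip_address(match.group(1)))
    return ips


def verify_returned_message(raw_message: str,
                            allowed_ranges=PLACEHOLDER_LOOKOUT_RANGES) -> list[str]:
    """List the problems found; an empty list means both checks passed."""
    networks = [ipaddress.ip_network(cidr) for cidr in allowed_ranges]
    msg = message_from_string(raw_message, policy=policy.default)
    problems = []
    if msg["X-CC-Processed"] is None:
        problems.append("processed flag missing: Lookout did not inspect this message")
    hops = received_hop_ips(raw_message)
    if not any(ip in net for ip in hops for net in networks):
        problems.append("no Received hop from an allowlisted Lookout relay IP")
    return problems


# Constructed message as the recipient would see it: two Received hops, the
# newest (Lookout relay -> Gmail) on top, then the tenant and processed headers.
RETURNED_OK = (
    "Received: from relay.lookout.example ([203.0.113.10])\n"
    "        by mx.gmail.example with ESMTPS; Tue, 1 Jan 2030 10:00:05 +0000\n"
    "Received: from smtp-out.gmail.example ([192.0.2.25])\n"
    "        by relay.lookout.example with ESMTPS; Tue, 1 Jan 2030 10:00:03 +0000\n"
    "From: alice@example.com\n"
    "To: bob@example.org\n"
    "Subject: Quarterly numbers\n"
    "CC-ACCOUNT-TENANTID: Google_SMTP:etst04\n"
    "X-CC-Processed: true\n"
    "\n"
    "Please review the attached figures.\n"
)

if __name__ == "__main__":
    print([str(ip) for ip in received_hop_ips(RETURNED_OK)])   # ['203.0.113.10', '192.0.2.25']
    print(verify_returned_message(RETURNED_OK))                # []
    no_flag = RETURNED_OK.replace("X-CC-Processed: true\n", "")
    print(verify_returned_message(no_flag))   # ['processed flag missing: Lookout did not inspect this message']
```

Running it against a message exported from the recipient mailbox gives the same answer as reading the headers by hand, and pairing the Received-hop check with the allowlist from the inbound connector catches the case where the flag is present but the message did not actually come back through an allowlisted relay.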