Set up third-party servers for email from Google IP addresses

As an admin, you might want to route Google Workspace email to an on-premise email server or service. For example, you might send email to Exchange mailboxes, to a ticketing system, or to other on-premise systems.

To do this, set up your on-premise email server and firewall to accept email from servers with Google IP addresses. We recommend you don't allow email from non-Google IP addresses to connect to your email system. When you allow servers with non-Google IP addresses to connect to your email system, Google doesn't provide additional filtering and you might be at risk of getting malicious messages and spam.

Important: If you're switching from another email service to Google Workspace, we recommend you follow the steps in the article as soon as possible to avoid interruption of your email.

Before you start: Get current Google IP address ranges

Google maintains a global infrastructure that dynamically grows to accommodate demand. As a result, Google mail servers use a large range of IP addresses, and the addresses change frequently. To get the current range of Google IP addresses, check Google's SPF record using the steps in Google IP address ranges for outbound SMTP.

Set up your mail server & firewall to refuse port 25 traffic

We recommend that you configure your mail server and firewall to refuse port 25 traffic, except from Google IP ranges. This prevents spam, which can sometimes result from direct connections to your mail server.

If a malicious sender finds your mail server and connects directly to your email system, people in your organization might get spam, viruses, and malware.

  • Mail server—Go to Mail server-specific instructions, below, for steps to configure specific types of mail servers.
  • Firewall—Instructions for configuring your firewall vary, depending on the type of firewall. Check the help center for your firewall, and configure it to allow email traffic from current Google IP ranges.

Mail server-specific instructions

Important: Google doesn’t support issues with third-party servers. If you set up your mail server with the instructions in this article, check the help center for your server or contact the server vendor.

You need the latest Google IP address ranges for the steps below.

Microsoft Exchange 2013

Configure the Google IP ranges by creating a receive connector on the hub server (or you can reconfigure an existing receive connector).

Follow these steps:

  1. From the Exchange Control Panel, go to Mail flowand thenReceive connectors.
  2. Click Add + to create a Receive connector.
  3. Enter a name for the connector, such as Google or Google Workspace.
  4. Click Hub Transport.
  5. Click Internet.
  6. Add the Google IP ranges.
  7. Click Finish.
Microsoft Exchange 2007/2010

For Microsoft Exchange 2007/2010, configure the Google IP ranges by creating a receive connector on the hub server (or you can reconfigure an existing receive connector).

Follow these steps:

  1. From the Exchange Management Console, expand Server Configuration.
  2. From the server roles list, choose Hub Transport.
  3. In the Details pane, choose the appropriate hub transport server.
  4. In the Properties pane, right-click the Receive Connectors tab and choose New Receive Connector.
  5. Enter a name for the connector, such as Google or Google Workspace, and click Next.
  6. From Default Properties, select the Permission Groups tab, and check the Anonymous users box. You'll see the "Local Network Settings" page. If you haven’t made any customization to the IP settings of the Hub Server, keep the defaults; otherwise, use the settings appropriate for your customization.
  7. Click Next to go to the "Remote Network settings" page.
  8. Click the default range, and click Edit.
  9. From the "Edit Remote Servers" dialog box, add the Google IP ranges.
  10. Click OK.
  11. Click Next to continue.
  12. Click Newand thenFinish.
Microsoft Exchange 2003 and Small Business Server 2003

For Microsoft Exchange 2003 and Small Business Server 2003, configure the Google IP ranges to be a trusted relay.

Follow these steps:

  1. From the Start menu, click Programs > Microsoft Exchangeand thenSystem Manager.
  2. Click Serversand then[Your Mail Server]and thenProtocolsand thenSMTP.
  3. Right-click Default SMTP Virtual Server and select Properties.
  4. Select the Access tab.
  5. Click Relay.
  6. Click Add to add all of the Google IP ranges.
  7. Click OK to return to the Access tab.
  8. Click Connection. If the Connection list is set to Only the list below, add the same IP ranges that you added in the above step.
  9. Click OK to return to the Access tab.
  10. Click OK to close the "Default SMTP Virtual Server Properties" window.
  11. Stop and restart the SMTP services.
Microsoft Exchange 5.5

For Microsoft Exchange 5.5, configure the Google IP ranges to be a trusted relay.

Follow these steps:

  1. From the Start menu, click Programsand thenMicrosoft Exchangeand thenMicrosoft Exchange Administrator.
  2. Click [Your Mail Server]and thenConfigurationand thenConnectionsand thenInternet Mail Service.
  3. Right-click Internet Mail Service and select Properties.
  4. Click the Routing tab.
  5. Click Routing Restrictions.
  6. Check the Hosts and clients with these IP addresses box.
  7. Add the Google IP ranges.
  8. Click OK to return to the Routing tab.
  9. Stop and restart the Exchange service.
IBM Lotus Domino

For IBM Lotus Domino, configure the Google IP ranges to be a trusted relay.

Follow these steps:

  1. Open Domino Administrator and click Administration.
  2. Click the Configuration tab.
  3. Click the icon next to Messaging, and then click Configurations.
  4. Double-click the name of your Domino Server.
  5. At the top of the window, click Edit Server Configuration.
  6. Select the following:
    • Router/SMTP tab in the first row
    • Restrictions and Controls tab in the second row
    • SMTP Inbound Controls tab in the third row
  7. Under Allow messages only from the following internet hosts to be sent to external internet domains, add the Google IP ranges.
  8. Under Exclude these Connecting Hosts From Anti-Relay Checks, enter the same IP ranges.
  9. Click Saveand thenClose to exit.
  10. For the changes to take effect, stop and restart the Domino SMTP task.
Novell Groupwise

For Novell Groupwise, configure the Google IP ranges to be a trusted relay.

Follow these steps:

  1. Open the Groupwise ConsoleOne interface.
  2. Right-click the Internet Agent object and select Properties.
  3. Click the Access Control tab.
  4. Click SMTP Relay Settings.
  5. In the SMTP Relay Defaults section, verify that the Prevent message relaying option is selected.
  6. In the Exceptions section, click Create.
  7. In the From field, add the Google IP ranges. Leave the To field blank to indicate that any recipient is allowed.
  8. Click OK twice to close the Properties box.
Apple Macintosh OS X

For Mac OS X version 10.6 and 10.5, configure the Google IP ranges to be a trusted relay as follows:

  1. In Server Admin > Servers list, select a computer, and click Mail.
  2. Click Settings.
  3. Select the Relay tab.
  4. Check the Accept SMTP relays only from these hosts and networks box.
  5. Click Add (+) to add a Google IP range (see "Google IP ranges").

For Mac OS X version 10.4, configure the Google IP ranges to be a trusted relay as follows:

  1. In Server Admin, click Mail.
  2. Click Settings.
  3. Click Relay and add the Google IP ranges.

For Mac OS X version 10.3, configure the Google IP ranges to be a trusted relay as follows:

  1. In Server Admin, click Mail.
  2. Click Settings.
  3. Click Filters and add the Google IP ranges.
  4. Click Save to close the Server Admin.
Qmail

To configure Google IP ranges to be a trusted relay using qmail + tcpserver:

  1. Edit /etc/tcp.smtp to allow each of the Google IP ranges to relay:

    IP Range:allow,RELAYCLIENT="":allow

    where IP Range is the appropriate IP range.
  2. Run tcprules to reload allowed hosts:

    > cd /etc
    > tcprules tcp.smtp.cdb tcp.smtp.temp < tcp.smtp

     
  3. Verify that the tcp.smtp.cdb file is invoked in the mail server's startup script.
  4. Restart tcpserver so that the new rules take effect:

    /usr/local/bin/tcpserver -x/etc/tcp.smtp.cdb -R -H -c25 -u502 -g501 mailhost.domain.com smtp /var/qmail/bin/qmail-smtpd 2>&1

    (UID 502 and GID 501 may be different depending on server configuration.)

To configure Outbound Services IP ranges to be a trusted relay using qmail + inetd + tcpd:

Check to see if the Qmail line in the inetd.conf file is similar to the following:

smtp stream tcp nowait qmaild /usr/sbin/tcpd /var/qmail/bin/tcp-env /var/qmail/bin/qmail-smtpd

If yes, follow these steps:

  1. Edit /etc/hosts.allow to include the Google IP ranges (see "Google IP ranges").
  2. Disallow everything else.
Postfix

For Postfix, configure the Google IP ranges to be a trusted relay.

Follow these steps:

  1. Add the Google IP ranges to the mynetworks parameter of your configuration file (example path: /etc/postfix/main.cf). Configuring the mynetworks parameter overrides the mynetworks_style parameter. If the mynetworks parameter was not previously used, you might need to add your own subnets.
  2. Restart Postfix by running the following command:

    # sudo postfix reload
Was this helpful?
How can we improve it?

Need more help?

Sign in for additional support options to quickly solve your issue

Search
Clear search
Close search
Google apps
Main menu
Search Help Center
false
false
true
73010
false
false