If you want to route mail through your Google Workspace service to an on-premise mail server—for example, if you have non-Gmail mailboxes or delivery endpoints, such as Exchange mailboxes, ticketing systems, or other on-premise systems—your on-premise email server and firewall must be configured to allow mail traffic from Google IP ranges. Any other IPs should not be allowed to connect to your infrastructure, unless they are trusted sources that you want to allow to connect directly to your server without additional filtering from Google.
Configuring your firewall and mail server
We recommend that you configure your mail server and firewall to refuse port 25 traffic, except from Google IP ranges.
This prevents unexpected spam, which is sometimes the result of direct connections to your mail server. If a malicious sender is able to find your mail server and connect directly, your users may receive spam, viruses, and malware.
- Configuring your firewall—The step-by-step instructions for configuring your firewall vary, depending on the type of firewall, so you may consider consulting directly with the manufacturer or vendor for instructions. Whatever firewall type you're using, configure it to allow email traffic from the current range of Google IP addresses (see Google IP ranges).
- Configuring your mail server—When configuring your mail server to accept mail from Google IP ranges, see Mail server-specific instructions for details about specific types of mail servers.
Google IP ranges
Google maintains a global infrastructure that dynamically grows to accommodate an increasing demand. As a result, Google Workspace mail servers use a large range of IP addresses, and the addresses often change. The most effective means of finding the current range of Google IP addresses is to query Google's SPF record (for instructions, see Google IP address ranges for outbound SMTP).
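The SPF lookup described above can be scripted so the allowlist is rebuilt whenever the ranges change. The following is an added example, not part of the original page or Google's tooling: it follows `include:` terms and merges the `ip4:`/`ip6:` ranges it finds. The record names and ranges in `SAMPLE_TXT` are constructed placeholders, and `lookup` is an assumed callable that returns the TXT record text for a name (in production, a real DNS TXT query).

```python
import ipaddress

# Constructed TXT records standing in for live DNS answers. The names and
# ranges are placeholders taken from documentation address space.
SAMPLE_TXT = {
    "_spf.example.com": "v=spf1 include:_blocks1.example.com include:_blocks2.example.com ~all",
    "_blocks1.example.com": "v=spf1 ip4:192.0.2.0/25 ip4:192.0.2.128/25 ip4:198.51.100.7 ~all",
    "_blocks2.example.com": "v=spf1 ip6:2001:db8:4000::/36 include:_blocks1.example.com ~all",
}

MAX_LOOKUPS = 10  # guard modelled on RFC 7208's cap on DNS-querying terms


def spf_networks(domain, lookup, _seen=None):
    """Follow include: terms from `domain` and return every ip4/ip6 network."""
    seen = set() if _seen is None else _seen
    if domain in seen:  # already expanded; this also breaks include loops
        return []
    if len(seen) >= MAX_LOOKUPS:
        raise RuntimeError("SPF include chain exceeds %d lookups" % MAX_LOOKUPS)
    seen.add(domain)
    record = lookup(domain)
    if not record or not record.lower().startswith("v=spf1"):
        raise ValueError("no SPF record for " + domain)
    nets = []
    for term in record.split()[1:]:
        # Only pass-qualified terms count; "-ip4:..." or "~all" never match.
        mech, _, value = term.lstrip("+").partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            nets.append(ipaddress.ip_network(value, strict=False))
        elif mech == "include":
            nets.extend(spf_networks(value.lower().rstrip("."), lookup, seen))
    return nets  # other mechanisms (a, mx, redirect=) are not expanded here


def allowlist(domain, lookup):
    """Return merged CIDR strings suitable for a firewall or relay list."""
    nets = spf_networks(domain, lookup)
    merged = []
    for version in (4, 6):  # collapse_addresses rejects mixed IP versions
        merged += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return [str(n) for n in merged]


if __name__ == "__main__":
    for cidr in allowlist("_spf.example.com", SAMPLE_TXT.get):
        print(cidr)
```

Comparing each run's output with the previous run shows when the firewall and mail server entries need to be updated.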
Mail server-specific instructions
For Microsoft Exchange 2013, configure the Google IP ranges by creating a receive connector on the hub server (or you can reconfigure an existing receive connector).
Follow these steps:
- From the Exchange Control Panel, go to Mail flow > Receive connectors.
- Click Add + to create a Receive connector.
- Enter a name for the connector, such as Google or Google Workspace.
- Click Hub Transport.
- Click Internet.
- Add the Google IP ranges (see Google IP ranges).
- Click Finish.
For Microsoft Exchange 2007/2010, configure the Google IP ranges by creating a receive connector on the hub server (or you can reconfigure an existing receive connector).
Follow these steps:
- From the Exchange Management Console, expand Server Configuration.
- From the server roles list, choose Hub Transport.
- In the Details pane, choose the appropriate hub transport server.
- In the Properties pane, right-click the Receive Connectors tab and choose New Receive Connector.
- Enter a name for the connector, such as Google or Google Workspace, and click Next.
- From Default Properties, select the Permission Groups tab, and check the Anonymous users box.
Note: You'll see the "Local Network Settings" page. If you haven’t made any customization to the IP settings of the Hub Server, keep the defaults; otherwise, use the settings appropriate for your customization.
- Click Next to go to the "Remote Network settings" page.
- Click the default range, and click Edit.
- From the "Edit Remote Servers" dialog box, add the Google IP ranges (see Google IP ranges).
- Click OK.
- Click Next to continue.
- Click New > Finish.
For Microsoft Exchange 2003 and Small Business Server 2003, configure the Google IP ranges to be a trusted relay.
Follow these steps:
- From the Start menu, click Programs > Microsoft Exchange > System Manager.
- Click Servers > [Your Mail Server] > Protocols > SMTP.
- Right-click Default SMTP Virtual Server and select Properties.
- Select the Access tab.
- Click Relay.
- Click Add to add all of the Google IP ranges (see Google IP ranges).
- Click OK to return to the Access tab.
- Click Connection. If the Connection list is set to Only the list below, add the same IP ranges that you added in the above step.
- Click OK to return to the Access tab.
- Click OK to close the "Default SMTP Virtual Server Properties" window.
- Stop and restart the SMTP services.
For Microsoft Exchange 5.5, configure the Google IP ranges to be a trusted relay.
Follow these steps:
- From the Start menu, click Programs > Microsoft Exchange > Microsoft Exchange Administrator.
- Click [Your Mail Server] > Configuration > Connections > Internet Mail Service.
- Right-click Internet Mail Service and select Properties.
- Click the Routing tab.
- Click Routing Restrictions.
- Check the Hosts and clients with these IP addresses box.
- Add the Google IP ranges (see Google IP ranges).
- Click OK to return to the Routing tab.
- Stop and restart the Exchange service.
For IBM Lotus Domino, configure the Google IP ranges to be a trusted relay.
Follow these steps:
- Open Domino Administrator and click Administration.
- Click the Configuration tab.
- Click the icon next to Messaging, and then click Configurations.
- Double-click the name of your Domino Server.
- At the top of the window, click Edit Server Configuration.
- Select the following:
  - Router/SMTP tab in the first row
  - Restrictions and Controls tab in the second row
  - SMTP Inbound Controls tab in the third row
- Under Allow messages only from the following internet hosts to be sent to external internet domains, add the Google IP ranges (see Google IP ranges).
- Under Exclude these Connecting Hosts From Anti-Relay Checks, enter the same IP ranges.
- Click Save > Close to exit.
- For the changes to take effect, stop and restart the Domino SMTP task.
For Novell Groupwise, configure the Google IP ranges to be a trusted relay.
Follow these steps:
- Open the Groupwise ConsoleOne interface.
- Right-click the Internet Agent object and select Properties.
- Click the Access Control tab.
- Click SMTP Relay Settings.
- In the SMTP Relay Defaults section, verify that the Prevent message relaying option is selected.
- In the Exceptions section, click Create.
- In the From field, add the Google IP ranges (see Google IP ranges). Leave the To field blank to indicate that any recipient is allowed.
- Click OK twice to close the Properties dialog box.
For Mac OS X version 10.6 and 10.5, configure the Google IP ranges to be a trusted relay as follows:
- In Server Admin > Servers list, select a computer, and click Mail.
- Click Settings.
- Select the Relay tab.
- Check the Accept SMTP relays only from these hosts and networks box.
- Click Add (+) to add a Google IP range (see "Google IP ranges").
For Mac OS X version 10.4, configure the Google IP ranges to be a trusted relay as follows:
- In Server Admin, click Mail.
- Click Settings.
- Click Relay and add the Google IP ranges (see Google IP ranges).
For Mac OS X version 10.3, configure the Google IP ranges to be a trusted relay as follows:
- In Server Admin, click Mail.
- Click Settings.
- Click Filters and add the Google IP ranges (see Google IP ranges).
- Click Save to close the Server Admin.
To configure Google IP ranges to be a trusted relay using qmail + tcpserver:
- Edit /etc/tcp.smtp to allow each of the Google IP ranges (see Google IP ranges) to relay:
  IP Range:allow,RELAYCLIENT=""
  :allow
  where IP Range is the appropriate IP range. The final :allow line accepts connections from all other hosts without setting RELAYCLIENT, so they cannot relay.
- Run tcprules to reload allowed hosts:
  > cd /etc
  > tcprules tcp.smtp.cdb tcp.smtp.temp < tcp.smtp
- Verify that the tcp.smtp.cdb file is invoked in the mail server's startup script.
- Restart tcpserver so that the new rules take effect:
  /usr/local/bin/tcpserver -x/etc/tcp.smtp.cdb -R -H -c25 -u502 -g501 mailhost.domain.com smtp /var/qmail/bin/qmail-smtpd 2>&1
  (UID 502 and GID 501 may be different depending on server configuration.)
To configure Outbound Services IP ranges to be a trusted relay using qmail + inetd + tcpd:
Check to see if the Qmail line in the inetd.conf file is similar to the following:
smtp stream tcp nowait qmaild /usr/sbin/tcpd /var/qmail/bin/tcp-env /var/qmail/bin/qmail-smtpd
If yes, follow these steps:
- Edit /etc/hosts.allow to include the Google IP ranges (see "Google IP ranges").
- Disallow everything else.
For Postfix, configure the Google IP ranges to be a trusted relay.
Follow these steps:
- Add the Google IP ranges (see Google IP ranges) to the mynetworks parameter of your configuration file (example path: /etc/postfix/main.cf).
  Note: Configuring the mynetworks parameter overrides the mynetworks_style parameter. If the mynetworks parameter was not previously used, you may also need to add your own subnets.
- Restart Postfix by running the following command:
  # sudo postfix reload