How to configure Sophos Email for G Suite

You need to add your domain.

1. Click Email Gateway > Settings.
2. Click Domain Settings/Status.
3. Click Add Domain.
4. Enter your email domain details.
5. Configure your delivery destination.
   1. For delivery destination and port, enter MX, and the value routing-mx.<yourdomain.com> on Port 25. You will configure your routing MX values after you verify domain ownership.
6. Next, click Verify Domain Ownership.
7. Copy the TXT value presented in the Verify Domain Ownership dialog.

   This value is specific to your email domain.

8. Create a TXT DNS record in the root level of the domain name (entered in step 5) and paste the TXT value that was copied in the last step. You can give it the same TXT name as shown or use @.
9. Once the new TXT DNS record entry has been saved, click Verify.

To provide failover for the inbound connection between Sophos Email and G Suite you need to setup new MX records on a new subdomain of your mail domain.

In this example, we recommend using routing-mx.<yourdomain.com>.

Note This is different to configuring the MX records for mail delivery on your domain itself. Adding these records will have no impact on mailflow at this point, as we are just using these records for the delivery destination configured within Sophos Email.

How this is configured will vary with different DNS providers, but typically you would enter the type as MX, the hostname as routing-mx, and the destination and priority as per the Google URLs in the screenshot below. The key point is to have ASPMX.L.GOOGLE.COM as the highest priority record.

Note If you prefer, you can skip this step, and configure the delivery destination to point directly to ASPMX.L.GOOGLE.COM. However, if there is an issue contacting ASPMX.L.GOOGLE.COM, mail will not be delivered to Google's alternate MX server.

You can add mailboxes using AD Sync.

1. On the Active Directory Sync Status page, click the link to download the Sophos Central Active Directory Synchronization Utility installer, then run it.
2. In the setup wizard, enter the information required. On the last page, select Launch Sophos Central AD Sync Utility and click Finish.

   Alternatively, go to the Windows Start menu > All Programs > Sophos > Central > AD Sync. If you're running Windows 8 or later, in the Apps list, find the app AD Sync listed under Sophos.

   Follow the instructions in the Sophos Central Active Directory Synchronization Setup assistant.

3. On the Central Credentials page, enter your Sophos Central account credentials.
4. On the AD Configuration page, specify your Active Directory LDAP server and credentials for a user account that has read access to the entire Active Directory forest with which you want to synchronize. To stay secure, use an account with the least rights that will give this access.

   We recommend using a secure LDAP connection, encrypted via SSL, and leaving Use LDAP over an SSL connection selected. If your LDAP environment doesn’t support SSL, clear Use LDAP over an SSL connection, and change the port number accordingly. Usually, the port number is 636 for SSL connections and 389 for insecure connections.

5. If you don’t want to synchronize the entire forest, you can specify which domains to include in the synchronization on the AD Filters page. You can also specify additional search options for each domain, for example search bases and LDAP query filters. You can specify distinct options for users and groups.
   Note AD Sync will only create groups that have members with discovered users, regardless of group filter settings.
   1. Searchbases: You can specify search bases (also called “base distinguished names”). For example, if you want to filter by Organizational Units (OUs), you can specify a search base in this format:
      OU=Finance,DC=myCompany,DC=com
   2. LDAP query filters To filter users, for example, by group membership, you can define a user query filter in this format:

      memberOf=CN=testGroup,DC=myCompany,DC=com

      The above query will limit user discovery to users belonging to “testGroup”. Note that if you don't also specify a group query filter, AD Sync will discover all groups to which these discovered users belong. If you wish group discovery to also be limited to “testGroup”, you could define the following group query filter:

      CN=testGroup

      Note If you include base distinguished names in your search options or change your filter settings, some of the existing Sophos Central users and groups created during previous synchronizations may fall outside the search scope. They may be deleted from Sophos Central.
6. On the Sync Schedule page, define the times at which the synchronization will be performed automatically.
   Note A background service performs a scheduled synchronization. The AD Sync utility does not need to be running for the scheduled synchronizations to occur.

   If you want to synchronize manually by running the AD Sync utility and don't want the synchronization to run automatically on a regular basis, select Never. Only sync when manually initiated.

7. To synchronize immediately, click Preview and Sync. Review the changes that will be made during the synchronization. If you are happy with the changes, click Approve Changes and Continue.

   The Active Directory users and groups are imported from the Active Directory to the Sophos Central Admin console.

   1. To stop the synchronization in progress, click Stop.

Sophos Email allows you to add single mailboxes manually via the user interface.

1. Click Mailboxes.
2. On the Mailboxes screen, click Add.
3. Select Add Mailbox.

   There are three types of mailbox:

   • User Email: a mailbox for a person. Example: firstname.lastname@companyname.com.
     Tip For a User Email mailbox you can click on the mailbox name to view the user's details.
   • Distribution List: a mailbox for a group of people. Example: support@companyname.com.
   • Public Folder: a mailbox for collecting information such as surveys or feedback. Example: survey@companyname.com.
4. Select a mailbox type.
5. Enter a name for the mailbox.
6. Enter the SMTP address for the mailbox.
7. Click Save to create a single mailbox and exit, or Save and Add Another to create additional mailboxes.

Sophos Email allows you to add mailboxes in bulk mailbox import.

1. Create your import .csv file using the following format:

   Name	Email Address	Type
   Robert Alamar	robert.alamar@test.com	User
   Support DL	support@test.com	DL
   Vacation Calendar	vacation@test.com	PF

2. Click Add Mailbox and select Import mailboxes.
3. Click Browse and navigate to your import file.
4. Click Add to start the import process.

   Import will run and display results after it completes.

Because you are using Sophos Email to filter your mail and have your MX records pointed directly to us, you will want to restrict delivery to G Suite to only Sophos Delivery IPs.

1. Log in to your G Suite Admin Console.
2. Navigate to Apps > G Suite > Settings for Gmail > Advanced settings.
3. On the General Settings tab, scroll down to Inbound Gateway.
4. Click Configure.
5. Describe the Inbound Gateway – “Sophos Email Inbound Gateway.”
6. Click Add and enter the gateway IPs that correspond to your region. You will need to save after each entry.
7. Turn on:
   • Automatically detect external IP (recommended).
   • Reject all mail not from gateway IPs.
   • Require TLS connections from the email gateways listed above.
8. Click Add Setting.