Google Apps

From Roaring Penguin

Provisioning

CanIt works well with G Suite (Google Apps). When provisioning a new domain, fill in the "Route To:" field with the primary MX server that Google has provided; currently this is aspmx.l.google.com. Once the domain is set up, add the remaining alternate destinations under Setup : Domain Routing, one per line. These are:

alt1.aspmx.l.google.com

alt2.aspmx.l.google.com

alt3.aspmx.l.google.com

alt4.aspmx.l.google.com

Outbound Filtering

Outbound filtering for Google Apps is only recommended on Hosted CanIt, because we actively maintain a list of Google's outbound IP addresses. We streamline this process by letting you select Google Apps for the "Source of outbound email:". The confirmation email you receive will include the information needed to set up your SPF record. You will also need to configure Google to relay outbound mail through CanIt, as discussed here.

SPF Checks

Google performs SPF checks to determine whether mail is coming from a legitimate source for the sending domain. Since all inbound mail will now arrive from CanIt rather than from the original sender's servers, any sending domain that publishes an SPF record will fail Google's check by default, because CanIt's addresses are not listed in that record. CanIt already performs SPF checks, so Google doing so is redundant; however, their documentation does not suggest that this can be disabled.

There are two ways to address this:

As discussed under the Inbound Gateway link in the next section, Google can be set to "Automatically detect external IP". With CanIt registered as an inbound gateway, Google will then skip CanIt as the sending machine and instead evaluate SPF against the machine CanIt received the message from.

CanIt also has a feature that lets Google's check pass without requiring any configuration changes in Google: Preferences->Quarantine Settings->S-930 "Enable SRS (Sender Rewriting Scheme)". Setting it to "Yes" rewrites the envelope sender (the SMTP MAIL FROM / Return-Path, not the visible From: header) to an address in CanIt's own domain, so Google evaluates SPF against CanIt's SPF record and the check passes, while the message still arrives as expected.
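As an added illustration (this is not CanIt's code; the page does not show how S-930 is implemented), the following Python sketch shows what SRS does to the envelope sender and why that changes the outcome of Google's SPF check. The gateway hostname canit.example.net, the secret, the sender address and the SPF table are all assumed values constructed for the example; a real check would look up each domain's SPF TXT record instead of consulting the table.

```python
import base64
import hashlib
import hmac
import ipaddress
import time

SRS_BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
FORWARDER = "canit.example.net"   # assumed hostname of the CanIt gateway
SECRET = b"rotate-me"             # assumed per-site SRS secret
CANIT_IP = "203.0.113.10"         # assumed address Google sees connecting

# Constructed SPF table: which sender networks each domain authorises.
# Values are made up for the example; real SPF lives in DNS TXT records.
SPF_TABLE = {
    "example.com": ["198.51.100.0/24"],   # customer's own servers only
    FORWARDER: ["203.0.113.10/32"],       # the CanIt gateway itself
}


def srs_timestamp(day):
    """Two base32 characters encoding (days since epoch) mod 1024."""
    return SRS_BASE32[(day >> 5) & 31] + SRS_BASE32[day & 31]


def srs_decode_timestamp(ts):
    return SRS_BASE32.index(ts[0]) * 32 + SRS_BASE32.index(ts[1])


def srs_hash(ts, domain, local):
    """Truncated HMAC binding timestamp, original domain and local part."""
    msg = (ts + domain + local).lower().encode()
    mac = hmac.new(SECRET, msg, hashlib.sha1).digest()
    return base64.b64encode(mac)[:4].decode()


def srs_forward(sender, day=None):
    """Rewrite user@domain to SRS0=HHHH=TT=domain=user@FORWARDER."""
    local, _, domain = sender.rpartition("@")
    day = int(time.time() // 86400) if day is None else day
    ts = srs_timestamp(day)
    return f"SRS0={srs_hash(ts, domain, local)}={ts}={domain}={local}@{FORWARDER}"


def srs_reverse(address, day=None, max_age_days=21):
    """Undo the rewrite (e.g. for a bounce). Returns None if the address is
    not ours, has expired, or fails the HMAC check (tampered/forged)."""
    local, _, host = address.rpartition("@")
    if host != FORWARDER or not local.startswith("SRS0="):
        return None
    parts = local.split("=", 4)   # local part may itself contain '='
    if len(parts) != 5:
        return None
    _, h, ts, domain, orig_local = parts
    day = int(time.time() // 86400) if day is None else day
    try:
        age = (day - srs_decode_timestamp(ts)) % 1024
    except (ValueError, IndexError):
        return None
    if age > max_age_days:
        return None
    if not hmac.compare_digest(h.encode(), srs_hash(ts, domain, orig_local).encode()):
        return None
    return f"{orig_local}@{domain}"


def spf_permits(envelope_sender, ip):
    """Simulated SPF: is `ip` authorised by the envelope sender's domain?"""
    domain = envelope_sender.rpartition("@")[2]
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in SPF_TABLE.get(domain, []))


if __name__ == "__main__":
    original = "alice@example.com"
    rewritten = srs_forward(original)
    print("before SRS, SPF for CanIt's IP:", spf_permits(original, CANIT_IP))
    print("after SRS, SPF for CanIt's IP: ", spf_permits(rewritten, CANIT_IP))
    print("bounce reverses to:", srs_reverse(rewritten))
```

The point of the two `spf_permits` calls is the whole argument of this section: with the original envelope sender, Google checks example.com's record and CanIt's address is not in it; with the rewritten sender, the domain being checked is the gateway's own, whose record does list it. The HMAC and timestamp in the rewritten local part are what stop a third party from forging SRS addresses to bounce mail through the gateway.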

Restrict External Connections

Please read Google's documentation on inbound gateways and set up CanIt as your inbound gateway. The Hosted CanIt IP addresses are listed under My Domains; otherwise use the public IP(s) of your CanIt appliance(s). Google has both IPv4 and IPv6 connectivity, so be sure to include both the IPv4 and IPv6 networks as inbound gateways. Google's inbound gateway settings also let you reject mail that does not arrive from the listed gateway addresses; without that, a sender can bypass CanIt's filtering entirely by delivering straight to Google's MX hosts, which remain reachable from the internet.

User Authentication

Google exposes IMAP to the internet, so it is possible to integrate it with CanIt to automate user logins. This is defined under Setup->User Lookups by creating a new user lookup and running the IMAP wizard. Note that Google has been phasing out plain username/password IMAP logins in favour of OAuth and app-specific passwords, so check Google's current policy before relying on this lookup.

While alternative settings may work, we currently have several clients successfully integrating with the following settings. We recommend starting from these and adjusting only if necessary.

   IMAP Server:                                           imap.gmail.com
   Strip domain name from login prior to authentication?: No
   Force user name to lower-case?:                        Yes
   Force stream name to lower-case?                       Yes
   Validate server certificate (if using TLS/SSL):        No
   Encryption Settings:                                   Require SSL
   Number of days to cache successful credentials (0-30): Any value you choose.

Be aware that "Validate server certificate: No" means CanIt will accept any certificate presented for imap.gmail.com, so anyone able to intercept the connection could present their own certificate and capture users' Google passwords as CanIt verifies them. Prefer "Yes" if your CanIt installation can validate Google's certificate chain, and fall back to "No" only after confirming why validation fails.

The following setting also requires special attention:

   Strip domain name from home stream after authentication? 

This setting depends on your setting under Setup->Domain Mappings. If you use AsIs, answer 'No'. If you use ChopDomain, answer 'Yes'. If you use 'Program', you may be able to write a Rewrite expression to suit your needs (see the online documentation link in the top-right corner). If you are confused by any of this, please contact RP for help.
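To make the wizard options concrete, here is an added Python example (not CanIt's code, and not how CanIt implements its lookup) showing what each of the settings above amounts to in practice: normalising the login name, deriving the home stream under AsIs versus ChopDomain, an IMAP connection that validates Google's certificate, and a credential cache that honours the "days to cache" value without keeping passwords in the clear. The host imap.gmail.com comes from the table above; all function and class names, the sample logins and the timestamps are assumptions made for the example.

```python
import hashlib
import hmac
import imaplib
import os
import ssl
import time


def normalize_login(login, strip_domain=False, lowercase=True):
    """Apply the wizard's 'strip domain' / 'force lower-case' options."""
    if strip_domain:
        login = login.rpartition("@")[0] or login
    return login.lower() if lowercase else login


def home_stream(login, domain_mapping="AsIs"):
    """Home stream for the authenticated login, per Domain Mappings:
    AsIs keeps the full address, ChopDomain drops '@' and everything after."""
    login = login.lower()   # 'Force stream name to lower-case: Yes'
    if domain_mapping == "AsIs":
        return login
    if domain_mapping == "ChopDomain":
        return login.rpartition("@")[0] or login
    raise ValueError(f"unsupported mapping {domain_mapping!r}")


def imap_ssl_context(validate_cert=True):
    """'Validate server certificate: Yes' is the default context; 'No'
    disables both chain verification and hostname checking."""
    ctx = ssl.create_default_context()
    if not validate_cert:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def imap_login_ok(user, password, host="imap.gmail.com", validate_cert=True):
    """'Require SSL': connect on 993 and try LOGIN. Network call, not run in tests."""
    try:
        conn = imaplib.IMAP4_SSL(host, 993, ssl_context=imap_ssl_context(validate_cert), timeout=15)
    except (OSError, ssl.SSLError):
        return False
    try:
        conn.login(user, password)
        return True
    except imaplib.IMAP4.error:
        return False
    finally:
        try:
            conn.logout()
        except (OSError, imaplib.IMAP4.error):
            pass


class CredentialCache:
    """Cache of successful logins for N days. Only a salted PBKDF2 hash of
    the password is kept, so a dump of the cache does not leak passwords.
    days=0 means every login goes to IMAP (the entry expires immediately)."""

    def __init__(self, days):
        self.ttl = days * 86400
        self._entries = {}

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def remember(self, login, password, now=None):
        now = time.time() if now is None else now
        salt = os.urandom(16)
        self._entries[login] = (salt, self._digest(password, salt), now + self.ttl)

    def check(self, login, password, now=None):
        now = time.time() if now is None else now
        entry = self._entries.get(login)
        if entry is None:
            return False
        salt, digest, expires = entry
        if now >= expires:
            del self._entries[login]
            return False
        return hmac.compare_digest(digest, self._digest(password, salt))


def authenticate(login, password, cache, domain_mapping="AsIs", now=None):
    """Full lookup with the table's settings: no domain strip, lower-case,
    cache first, IMAP on a miss. Returns the home stream or None."""
    user = normalize_login(login, strip_domain=False, lowercase=True)
    if not cache.check(user, password, now=now):
        if not imap_login_ok(user, password):   # assumed reachable in production
            return None
        cache.remember(user, password, now=now)
    return home_stream(user, domain_mapping)
```

The cache expiry is checked before the hash comparison, so a stale entry never lets a changed or revoked Google password keep working past the configured window; and because `imap_ssl_context(True)` is the verifying context, the "Validate server certificate" choice in the wizard is the difference between `CERT_REQUIRED` with hostname checking and `CERT_NONE`.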

Once you have completed the wizard, return to Setup->User Lookups and click the Test link next to the entry you created. This verifies that everything is working. If you do not know any valid credentials, activate the lookup as described below and then have a user test it from the actual login page.

CanIt must be told to actually use this lookup on a per-domain basis. This is done under Setup->Authentication Mappings.