Identify IP addresses that you can use to accept emails coming only from Hosted Email Security (HES) servers. If you prefer the network to receive emails from HES IP address ranges only, you have to whitelist these HES IP address ranges for incoming SMTP rules on the network firewall.
Below is a sample illustration of whitelisting HES servers IP range(s) on the network firewall. It is a stricter network configuration if all incoming mails should pass first (or be scanned by HES) before entering the corporate network. This is done through MX redirection to HES servers first. If that is the case, you can do further hardening of the network firewall by only allowing incoming SMTP traffic from HES IP range(s).
To receive emails coming from HES servers only, configure the firewall to accept emails from the following IP addresses:
For EMEA site:
For all other regions:
Below is a sample scenario using Cisco ASA Firewall. By default, it accepts SMTP traffic from any source IP.
After restricting it and allowing emails from HES IP range(s) only, the Source has been changed from "Any" to "TM_HES_IP_RANGE", which is a network object group referring to the individual IP range(s) network object.
In the sample above, the IP addresses for all other regions were used. The network firewall will only accept SMTP traffic (TCP Port 25) from the specified IP address range(s).
Additionally, if your firewall, MTA, or mail server is configured to check any IP Reputation / RBL service provider, the same set of IP blocks above must be added to the IP Reputation approved list. Another option is to disable the IP Reputation checking on the firewall, MTA, or mail server and let HES handle this task.
For further assistance in configuring your firewall, contact your network administrator.