Background
This document will guide you through the configuration of the Customer-Hosted Gateway rules backed by Gmail infrastructure.
Specific steps for this section include:
- Add Host
- Add Rule
- Test Rule
Assumptions:
- Mail Decryption Trigger: In the body of every Virtru-encrypted email, the phrase below can be found:
  --- START PROTECTED MESSAGE TDF
- Mail Flow: Gmail > Gateway > Final Delivery
- IP of the gateway is: 1.1.1.1
- Comprehensive Mail Storage is disabled
Comprehensive Mail Storage
If Comprehensive Mail Storage is enabled, the unencrypted message will NOT be delivered; only the encrypted message will be delivered.
Items to Consider Prior to Enabling Inbound Decrypt
Gateway-level decryption decrypts inbound Virtru messages before they reach your inbox. Virtru advises following your organization's security policies to remain compliant.
Diagram of Standard Mailflow
Creating Gmail Rules
In Google Admin, navigate to Apps > Google Workspace > Settings for Gmail > Hosts
Add Host
Select the ADD ROUTE button to add a new host that points to your Customer-Hosted Gateway running in inbound decrypt mode, and save your changes.
Add New Host
Content Compliance Settings
In Google Admin, navigate to Apps > Google Workspace > Settings for Gmail > Compliance:
Add Rule
Fill in appropriate information.
- Name: Virtru Inbound Decrypt
- Email messages to affect: Inbound
  - If also decrypting internally, select Internal-Receiving as well.
Add setting
2. Add expressions that describe the content you want to search for in each message.
If All of the following match the message
Add Expression
- Virtru Action for Decryption
  - Advanced Content Match
  - Location: Body
  - Match type: Contains Text
  - Content: --- START PROTECTED MESSAGE TDF
Add Another Expression
This will prevent loops in the mail flow.
- Virtru Action for Loop Prevention
  - Advanced Content Match
  - Location: Full Headers
  - Match type: Not Contains Text
  - Content: X-MSGDECRYPT
    - This can also be customized to the header of your choice, e.g. X-Virtru-Decrypt
3. Add Header and Change Route
Under "If the above expressions match, do the following" > Modify message:
- Add custom headers
  - Header Key: X-MSGDECRYPT
    - This can also be customized to the header of your choice, e.g. X-Virtru-Decrypt. Use the same header name here and in the Loop Prevention expression.
  - Header Value: 1
Under Route, select "Change Route" and point this rule to your Customer-Hosted Gateway running in inbound decrypt mode:
Add Setting
Save the Rule to Gmail
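
The following is an added example, not Virtru's or Google's code: a small Python model of the rule configured above, showing why the Loop Prevention expression is needed when a message re-enters Gmail from the gateway. The function names and sample messages are constructed for illustration, and the model assumes plain substring matching and that the gateway returns the message with the added header intact.

```python
from email import message_from_string

TRIGGER = "--- START PROTECTED MESSAGE TDF"  # Content of the decryption expression
LOOP_HEADER = "X-MSGDECRYPT"                 # Header Key added by the rule

def body_text(msg):
    """Decoded text of every text/* part (the 'Body' location)."""
    out = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)

def full_headers(msg):
    """Header block as text (the 'Full Headers' location)."""
    return "\n".join(f"{k}: {v}" for k, v in msg.items())

def apply_rule(msg, loop_check=True):
    """Return 'gateway' and tag the message if the expressions match, else 'deliver'."""
    decrypt_match = TRIGGER in body_text(msg)          # Contains Text
    loop_match = LOOP_HEADER not in full_headers(msg)  # Not Contains Text
    if decrypt_match and (loop_match or not loop_check):
        msg[LOOP_HEADER] = "1"                         # Add custom headers
        return "gateway"                               # Change Route
    return "deliver"

def trace_mail_flow(raw, loop_check=True, max_hops=5):
    """Routes chosen each time the message re-enters Gmail.
    Models the worst case for looping: the body comes back unchanged."""
    msg = message_from_string(raw)
    hops = []
    for _ in range(max_hops):
        hops.append(apply_rule(msg, loop_check))
        if hops[-1] == "deliver":
            break
    return hops

# Constructed sample messages (not real Virtru output).
ENCRYPTED = (
    "From: sender@example.com\nTo: user@example.org\nSubject: Q3 report\n"
    "Content-Type: text/plain; charset=utf-8\n\n"
    "--- START PROTECTED MESSAGE TDF\n(ciphertext placeholder)\n"
)
PLAIN = ENCRYPTED.replace(TRIGGER, "Hello,")

if __name__ == "__main__":
    print("with loop prevention:   ", trace_mail_flow(ENCRYPTED))
    print("without loop prevention:", trace_mail_flow(ENCRYPTED, loop_check=False))
    print("non-Virtru mail:        ", trace_mail_flow(PLAIN))
```

With both expressions in place the message is routed to the gateway once and then delivered; with the second expression left out, the model keeps rerouting until the hop limit.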