Background
This document will guide you through the configuration of the Customer-Hosted Gateway rules backed by Gmail infrastructure.
Specific steps for this section include:
- Add Host
- Add Rule
- Test Rule
Assumptions:
- Mail Decryption Trigger:
  - In the body of every Virtru-encrypted email, the phrase below can be found:
    --- START PROTECTED MESSAGE TDF
- Mail Flow: Gmail > Gateway > Final Delivery
- IP of the gateway is: 1.1.1.1
- Comprehensive Mail Storage is disabled
Comprehensive Mail Storage
If Comprehensive Mail Storage is enabled, the unencrypted message will NOT be delivered; only the encrypted message will be delivered.
Diagram of Standard Mailflow
Creating Gmail Rules
In Google Admin, navigate to Apps > Google Workspace > Settings for Gmail > Hosts
Add Host
Select the ADD ROUTE button to add a new host that points to your Customer-Hosted Gateway running in inbound decrypt mode, and save your changes.
Add New Host
Content Compliance Settings
In Google Admin, navigate to Apps > Google Workspace > Settings for Gmail > Compliance:
Add Rule
Fill in appropriate information.
- Name: Virtru Inbound Decrypt
- Email messages to affect: Inbound
  - If also decrypting internally, select Internal-Receiving as well.
Add setting
2. Add expressions that describe the content you want to search for in each message.
If All of the following match the message
Add Expression
- Virtru Action for Decryption
  - Advanced Content Match
  - Location: Body
  - Match type: Contains Text
  - Content: --- START PROTECTED MESSAGE TDF
Add Another Expression
This expression prevents loops in the mail flow.
- Virtru Action for Loop Prevention
  - Advanced Content Match
  - Location: Full Headers
  - Match type: Not Contains Text
  - Content: X-MSGDECRYPT
    - This can also be customized to the header of your choice, e.g. X-Virtru-Decrypt
3. Add Header and Change Route
Under "If the above expressions match, do the following" > Modify message:
- Add custom headers
  - Header Key: X-MSGDECRYPT
    - This can also be customized to the header of your choice, e.g. X-Virtru-Decrypt
  - Header Value: 1
Under Route, select "Change Route" and point this rule to your Customer-Hosted Gateway running in inbound decrypt mode.
Add Setting
Save the Rule to Gmail
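For the Test Rule step, the following is an added example (not Virtru's or Google's code) that models the two expressions and the header/route action so test messages can be checked offline, including why the loop-prevention expression matters when the gateway returns a message that still contains the trigger phrase. The function names, the `final-delivery` label, the stand-in gateway behaviour and the sample messages are assumptions made for illustration, and it assumes the gateway hands the message back to Gmail; Gmail's own matching may differ in detail.

```python
from email import message_from_string

TRIGGER = "--- START PROTECTED MESSAGE TDF"  # body phrase the rule matches
LOOP_HEADER = "X-MSGDECRYPT"                 # header the rule adds and checks
GATEWAY = "1.1.1.1"                          # gateway IP assumed on this page
FINAL = "final-delivery"                     # label for normal delivery (made up)


def body_text(msg):
    """Join every text/* part so the trigger is found in multipart mail too."""
    out = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            out.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)


def apply_rule(raw, loop_check=True):
    """Evaluate both expressions; return (next_hop, message)."""
    msg = message_from_string(raw)
    headers = "\n".join(f"{k}: {v}" for k, v in msg.items())
    encrypted = TRIGGER in body_text(msg)                  # Body / Contains Text
    unseen = not loop_check or LOOP_HEADER not in headers  # Full Headers / Not Contains Text
    if encrypted and unseen:
        msg[LOOP_HEADER] = "1"                             # Add custom headers
        return GATEWAY, msg                                # Change Route
    return FINAL, msg


def simulate(raw, gateway_decrypts=True, loop_check=True, max_hops=5):
    """Follow one message through Gmail and a stand-in gateway; return the hops."""
    hops = []
    while len(hops) < max_hops:
        hop, msg = apply_rule(raw, loop_check)
        hops.append(hop)
        if hop == FINAL:
            break
        if gateway_decrypts:           # stand-in: plaintext replaces the TDF body
            msg.set_payload("decrypted text\n")
        raw = msg.as_string()          # gateway hands the message back to Gmail
    return hops


# Constructed sample messages, not real Virtru output.
ENCRYPTED = ("From: sender@example.com\nTo: user@example.org\nSubject: test\n\n"
             "--- START PROTECTED MESSAGE TDF\n(placeholder payload)\n")
PLAIN = "From: sender@example.com\nTo: user@example.org\nSubject: hi\n\nHello\n"
```

Calling `simulate(ENCRYPTED, gateway_decrypts=False, loop_check=False)` shows the message bouncing to the gateway until `max_hops` is reached, which is the loop the second expression prevents.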