Hybrid (G Suite + Zimbra) email solution [With Barracuda ESG]
Introduction
Our clients often ask us for an email solution that gives a limited number of users an enterprise-level email service while the rest keep using the on-premise email server. This documentation describes that kind of hybrid email solution.
Objective
Build an email service architecture that consists of:
1. G Suite based email service for some users of a domain
2. Zimbra based email service for the rest of the users of the same domain
3. Barracuda email security gateway integration (if required)
Prerequisite
The user shall/may have at least one of the above-mentioned email services (G Suite or BOL). We then integrate the solution as per their requirement.
Description
Let’s assume that one of our clients has an existing Zimbra based email service under their domain (example.com). The mail server has the following information:
Domain Name | example.com
DNS Record | A – (Published); PTR – (Published); SPF – "v=spf1 mx a a:mx1.bol-online.com a:mx2.bol-online.com a:mx3.bol-online.com a:mailx.bol-online.com a:mail.example.com a:antispam1.bol-onlone.com ~all"; MX – antispam1.bol-online.com
Email Account List |
Barracuda ESG Service | Yes
The client has now requested G Suite based email service for the high-priority user mentioned below:
G Suite based email accounts | xyz@example.com
To achieve that under the above circumstances, we follow the steps below:
Step#1
Activate a G Suite portal with the desired domain (example.com).
The above-mentioned user IDs (pqr & xyz) shall be created from the “Users” option of the “Admin Portal”.
Step#2
We need to modify the MX record of the domain (example.com).
We shall remove the existing MX record (antispam1.bol-online.com) and set Google’s MX records as the MX records of the domain (example.com).
Updated MX records:
example.com MX preference = 10, mail exchanger = alt4.aspmx.l.google.com
example.com MX preference = 5, mail exchanger = alt1.aspmx.l.google.com
example.com MX preference = 5, mail exchanger = alt2.aspmx.l.google.com
example.com MX preference = 1, mail exchanger = aspmx.l.google.com
example.com MX preference = 10, mail exchanger = alt3.aspmx.l.google.com
Step#3
We shall remove all previous SPF/TXT records, because we now need to validate both the G Suite and Zimbra servers as authorized senders for this domain.
Updated SPF/TXT record:
"v=spf1 include:_spf.google.com ip4:202.84.32.26 ip4:zimbra_server_ip ~all"
Remarks:
In the updated MX record, we have added G Suite, Zimbra_server_ip & antispam1.bol-online.com.
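An added example (not part of the original post) that evaluates the updated SPF/TXT record for a few sending IPs, to confirm that the G Suite range, 202.84.32.26 and the Zimbra server all pass. The DNS data is a constructed offline stand-in: 198.51.100.0/24 represents whatever _spf.google.com publishes and 192.0.2.10 replaces the zimbra_server_ip placeholder; only the ip4, include and all mechanisms are handled.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups so the example runs offline.
# 198.51.100.0/24 stands in for whatever _spf.google.com publishes, and
# 192.0.2.10 stands in for the page's zimbra_server_ip placeholder.
TXT = {
    "example.com": "v=spf1 include:_spf.google.com ip4:202.84.32.26 "
                   "ip4:192.0.2.10 ~all",
    "_spf.google.com": "v=spf1 ip4:198.51.100.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, txt=TXT, depth=0):
    """Evaluate the ip4, include and all mechanisms of an SPF record."""
    if depth > 10:  # guard against include loops
        return "permerror"
    record = txt.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism without a qualifier means pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            # include matches only when the nested record evaluates to pass
            matched = check_spf(ip, term[8:], txt, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue  # a, mx, exists, ... need live DNS; skipped here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


if __name__ == "__main__":
    for ip in ("198.51.100.7", "202.84.32.26", "192.0.2.10", "203.0.113.5"):
        print(ip, check_spf(ip, "example.com"))
```

Because the record ends in ~all, a sender that is not listed gets softfail rather than fail, so the record marks such mail as suspicious without asking receivers to reject it.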
Step#4
To log in to the Zimbra server web interface, we must ensure that the A record for mail.example.com points to the Zimbra server.
IP | Hostname
Zimbra_server_ip | mail.example.com
Step#5
After the initial setup (Step#1 to Step#4), only G Suite can send & receive emails for the domain (example.com), and the existing Zimbra server can only send emails.
As the MX records point to G Suite, Zimbra has to receive email through G Suite.
Therefore, we need to modify the existing G Suite settings as below:
Go to the G Suite Admin Panel:
1. We can go through APP > Gmail > Settings for Gmail
OR
2. We can search “Hosts” in the search bar.
3. In the “Settings for Gmail” page, select “Hosts”.
4. Click “Add Route”. Fill in the following fields:
   a. Name [Any Name]
   b. Specify Mail Server
      i. Select Single Host
      ii. Mail Server Address/Barracuda ESG address [In this case, we have Barracuda protection for our Zimbra email server. Hence, we will receive email via antispam1]
          Example: Antispam1.bol-online.com :25
      iii. Check mark “Require CA signed certificate” (Recommended)
   c. Save
5. Now we have an external host. We need to route emails to the external host in case of external delivery as follows:
   Go to the G Suite Admin Panel: we can go through APP > Gmail > Settings for Gmail > Default routing
   a. Add Rule
   b. Specify envelope recipients to match: select pattern match and insert .*example.com.*
   c. Go to the Route option: select Change Route, then select the Hosts settings name from the dropdown list.
   d. At the bottom, select Perform this action only on non-recognized addresses.
   e. Save
Now G Suite knows that when an incoming email arrives, it will look up the local user list. If the user does not exist, then it will forward the traffic towards the configured destination (Hosts & Default routing settings).
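The lookup-then-route behaviour described in Step#5, modelled as an added example (not part of the original post and not Google's implementation). The user set and sample recipients are constructed, and STRICT is a hypothetical tighter pattern shown beside the page's pattern to make visible which non-recognized recipients the unanchored, unescaped form also sends to the external host.

```python
import re

# Constructed data: the G Suite users named on the page and the host from Step#5.
GSUITE_USERS = {"xyz@example.com", "pqr@example.com"}
ZIMBRA_ROUTE = "antispam1.bol-online.com:25"

LOOSE = re.compile(r".*example.com.*")          # pattern from the page
STRICT = re.compile(r"^[^@\s]+@example\.com$")  # hypothetical tighter form


def route(rcpt, pattern, users=GSUITE_USERS):
    """Recognized address -> local mailbox; otherwise a pattern match
    sends the message to the configured external host."""
    rcpt = rcpt.lower()
    if rcpt in users:
        return "gsuite-mailbox"
    if pattern.search(rcpt):
        return ZIMBRA_ROUTE
    return "default-handling"


def loose_only(recipients):
    """Recipients the loose pattern reroutes but the strict one does not."""
    return [r for r in recipients
            if route(r, LOOSE) == ZIMBRA_ROUTE
            and route(r, STRICT) != ZIMBRA_ROUTE]


SAMPLES = [  # constructed envelope recipients
    "xyz@example.com",                    # G Suite user, delivered locally
    "abc@example.com",                    # Zimbra user, routed to the host
    "abc@example.com.test-google-a.com",  # alias domain, not a local user
    "abc@examplexcom.net",                # "." in the pattern matches any char
]

if __name__ == "__main__":
    for rcpt in SAMPLES:
        print(f"{rcpt:36} loose={route(rcpt, LOOSE):28} "
              f"strict={route(rcpt, STRICT)}")
    print("rerouted only by the loose pattern:", loose_only(SAMPLES))
```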
Step#6
So far we have achieved the following:
1. Zimbra server can send email itself
2. Zimbra server can receive email via G Suite routing
3. G Suite can send & receive email.
The remaining tasks are:
a. Allowing G Suite users to send email to Zimbra users
b. Allowing Zimbra users to send email to G Suite users.
If G Suite user xyz@example.com wants to send email to Zimbra user abc@example.com, G Suite will route the email towards the Zimbra server after looking up the local user list. As we are using Barracuda ESG, it will detect the incoming email of example.com from G Suite as spoofed email. Even if the Barracuda allows the email, the Zimbra server will not allow it. To overcome this challenge, we need to do the following:
a. Allowing G Suite users to send email to Zimbra users
✓ Add all user accounts from G Suite of the example.com domain as allowed users, or simply whitelist them.
✓ List all user accounts from G Suite and create them in the Zimbra server.
b. Allowing Zimbra users to send email to G Suite users.
✓ By default, every G Suite user account has a secondary email account with a subdomain of the existing domain.
Example:
Primary Account:
Secondary Account: xyz@example.com.test-google-a.com
✓ So if we send email to the secondary account, user xyz will receive the email in his regular inbox.
✓ Now we will set forwarding rules for the respective G Suite users in the Zimbra admin panel, so that all mail coming to xyz@example.com (at the Zimbra server) will be forwarded to xyz@example.com.test-google-a.com (at the G Suite server). This way, when abc@example.com (of the Zimbra server) sends mail to xyz@example.com (of the Zimbra server), it will be delivered to xyz@example.com (of the G Suite server) via xyz@example.com.test-google-a.com.
Step#7
Now everything is set. We shall test extensively from random sources to destinations.
Incoming Mail
Src. Address | Src. Server | Incoming MX | Dst. Address | Dst. Server | Status
Gmail.com | Gmail | G-suite | G-suite | |
Gmail.com | Gmail | G-suite | Zimbra | |
Outlook.com | O365 | G-suite | G-suite | |
Outlook.com | O365 | G-suite | Zimbra | |
Yahoo.com | Yahoo | G-suite | G-suite | |
Yahoo.com | Yahoo | G-suite | Zimbra | |
bolcorp | Zimbra | G-suite | G-suite | |
bolcorp | Zimbra | G-suite | Zimbra | |
Outgoing Mail
Src. Address | Src. Server | Outgoing Relay | Dst. Address | Dst. Server | Status
G-suite | G-suite | Gmail.com | Gmail | |
Zimbra | Zimbra | Gmail.com | Gmail | |
G-suite | G-suite | Outlook.com | O365 | |
Zimbra | Zimbra | Outlook.com | O365 | |
G-suite | G-suite | Yahoo.com | Yahoo | |
Zimbra | Zimbra | Yahoo.com | Yahoo | |
G-suite | G-suite | bolcorp | Zimbra | |
Zimbra | Zimbra | bolcorp | Zimbra | |
Internal Mail
Src. Address | Src. Server | Via | Dst. Address | Dst. Server | Status
abc | Zimbra | Local Lookup | bcd | Zimbra |
abc | Zimbra | Zimbra Forwarding | xyz | G-suite |
xyz | G-suite | Local Users List | pqr | G-suite |
xyz | G-Suite | External Routing | abc | Zimbra |