Mark Berry May 12, 2014
I have a small client with an in-house mail server. Their cloud-based spam filter just wasn’t keeping up—too much spam was making it through. I wanted to try Google Apps Gmail as a spam filter but let them keep their in-house server for now.
An additional requirement is that two named in-house users should receive daily quarantine summary emails, but the remaining 150 or so users should simply pass through (they are actually forwarding-only addresses in the in-house server).
So how to get advanced spam handling for two named users and pass through all email to the in-house server? It turns out that it’s not that hard to do, but there is almost no documentation how to set it up. Hours of working with Google Support helped a little but in the end, I had to figure out most of it myself.
Update May 14, 2014 See the last section below for information on adding a new user with a Gmail-only inbox (split delivery).
Basic Routing Setup
This Google knowledgebase article has some info for setting up routing:
However the use case “Receiving routing – Use split delivery to route mail based on organizational unit” is not quite what we want. Modified instructions:
1. From the Google Apps Admin console, go to Google Apps > Gmail > Advanced settings.
2. On the Hosts tab, create a host (route) pointing to the in-house server.
3. On the Default routing tab, add one setting:
a. Match All recipients.
b. Change route to the host defined in the previous step (“In-house server”)
c. At the bottom, choose Perform this action on non-recognized and recognized addresses. The “non-recognized” part is important to allow mail to flow through even if the user is not set up in Google Apps (the 150 users mentioned above).
4. Under Google Apps > Users, set up an organizational unit (OU) for the named users. Create the two named users in that OU, or if you already created them, move them there. Let’s assume it’s called “Named Users”.
5. Back under Google Apps > Gmail > Advanced settings, highlight your new “Named Users” OU in the left column. Scroll down to Routing > Non-Gmail mailbox and add a setting. Deliver non-spam messages to the host defined above. Check Enable periodic summaries so these users will receive daily quarantine emails:
With this setup, mail to the non-named (“unrecognized”) users was flowing correctly, going directly to the in-house server.
What Didn’t Work
However mail to the named users didn’t work.
When you first set up Google Apps, each user has several apps, including Gmail. Since we don’t want mail accumulating in a Gmail inbox that the user will never access, I assumed the thing to do was to set up each named user so the routing would go only to the default route defined above. So under Google Apps > Users, I opened a user, clicked Profile, and scrolled to the bottom. Under Email routing, I unchecked Google Apps Email and left Inherit routes from [client name] checked.
However with that setting, once I switched the MX records to send incoming email to Google Apps, messages to the named user bounced immediately with this message:
Delivery to the following recipient failed permanently:
Technical details of permanent failure:
The partner did not specify the
domain to relay the emails
What Sort of Worked
I re-enabled Google Apps Email:
The mail to the named users immediately started flowing to the in-house server. It doesn’t make sense to me that Gmail must be enabled for the default route to work, but that’s how it is.
What Finally Worked
So the mail is flowing, but we now have email accumulating in a Gmail Inbox that the user will never see. Also, if the mail is going to Gmail, I doubt the Non-Gmail mailbox quarantine settings will take effect, meaning the user would have no access to messages trapped as spam.
I decided to try a simple solution: turn off the Gmail app for the named users. The instructions for turning off an individual service are here.
Once Gmail was turned off for the named users, email was flowing to the in-house server for all users and the named users started getting daily quarantine emails:
Update May 14, 2014
A new user needed an actual Gmail account. Mail to that user should not go to the in-house server as well. In other words, a split delivery scenario. However it’s different from the split delivery described in Google App’s Help in that we still need mail to all unnamed users to go to the in-house server.
Fortunately, this turned out to be pretty easy to configure. Everything above stays as is. Then:
1. Add a new sub-organization called “Named Users with Gmail”. Make sure Gmail is turned on for users in that sub-organization. Add the new user to that sub-organization.
2. Under Google Apps > Gmail > Advanced settings, highlight the “Named Users with Gmail” sub-organization. Then under Routing > Receiving routing, create a new setting:
a. Email messages to affect: Inbound and Internal – receiving.
b. Modify message, and under Route, check Change route. In the drop-down, chose Normal routing. This apparently corresponds to routing to Gmail, not routing to the Default route.
Send a test message to the new user. Make sure it is received in the user’s Gmail account but not by the in-house server.