I have just completed my setup of McAfee SaaS E-Mail Protection with Outbound Filtering (Encryption) and had some unusual setup issues. The biggest problem is that there is no easy way to list the Google e-mail servers in the outbound server setup. When in the McAfee setup for outbound e-mail servers, you must list all IP addresses (or a range using CIDR notation with a maximum size of /24) that send mail. Therefore, it became necessary to contact Google to inquire about their IP addresses. Google does not release their IP addresses, but suggests that you query their SPF records (see: http://support.google.com/a/bin/answer.py?hl=en&answer=60764). When speaking to two separate representatives at Google, this was also their suggestion (they informed me that Google regularly changes its IP address range).
Of course, there is no way to include an SPF record in the McAfee setup so that McAfee inherits the IP address range from the Google record. So, I simply queried the record, with the following results (_netblocks.google.com):
v=spf1 ip4:126.96.36.199/19 ip4:188.8.131.52/19 ip4:184.108.40.206/20 ip4:220.127.116.11/18 ip4:18.104.22.168/17 ip4:22.214.171.124/20 ip4:126.96.36.199/16 ip4:188.8.131.52/20 ip4:184.108.40.206/20 ip4:220.127.116.11/16
Notice the CIDR notation for these ranges, which runs from /16 on the high end (the most IP addresses) to /20 on the low end (the fewest IP addresses). This means that 256 subnets need to be entered for each /16 CIDR range in McAfee, as McAfee accepts a maximum of /24 (256 IP addresses). For instance, 18.104.22.168/16 equals 22.214.171.124 - 126.96.36.199. A /24 would include only the 256 IP addresses in a particular range. Therefore, to enter this block into McAfee, I had to enter the following:
188.8.131.52/24 ... all the way to 184.108.40.206/24
There is no easy way to do this. When you look at the number of potential IP address ranges for each of the blocks that Google has in its SPF records, you can imagine that this took some time. I also had to make sure to enforce TLS for each of the servers, as our setup is using outbound encryption. The problem is that Google could use (according to the Google technicians) any of these potential IP address ranges for outbound mail, and they tend to query the mail server with one IP and then send with another...all at random (I have a hard time believing that it's entirely random and suspect Google uses a particular subnet, but that's just my suspicion).
Once I added all 800 entries (if you look at the list above, there are 800 individual entries that needed to be made), I realized that if Google decides to update its SPF record to include (or amend, append, or replace) a new block, I would have to go back to the list in McAfee and update it. So, I would like to pose the following suggestions:
1. Is it possible to add a way for McAfee to query an SPF record and then inherit the blocks from that record?
2. If not, can we at least get a broader range of CIDR notations allowed in McAfee? Perhaps at the /16 level on the high end?
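The post above does by hand what a short script can do for you: follow the SPF record, pull out every ip4: network, and split anything wider than /24 into the /24 entries a relay list capped at that size needs. The following is an added example, not code from the original thread or from McAfee or Google. The zone it walks is constructed (RFC 1918 and RFC 5737 space with the same /16 to /20 mask sizes the post quotes), the domain names are placeholders, and the lookup function is an offline stand-in for a DNS TXT query; it also follows include:/redirect= chains and enforces the RFC 7208 limit of ten DNS-querying terms, which the post's single-record example does not need but any real SPF walk does.

```python
"""Expand the ip4: networks behind an SPF record into /24-sized relay-list entries."""
import ipaddress
from typing import Callable, List, Optional, Set

# Constructed sample zone. These are NOT Google's real records or addresses: the
# masks (/16 .. /20) mirror the sizes quoted in the post, but the prefixes are
# private / documentation space so the example runs offline.
SAMPLE_ZONE = {
    "example.com":
        "v=spf1 include:_netblocks.example.com include:_netblocks2.example.com ~all",
    "_netblocks.example.com":
        "v=spf1 ip4:10.0.0.0/16 ip4:10.1.0.0/17 ip4:10.2.0.0/18 ~all",
    "_netblocks2.example.com":
        "v=spf1 ip4:10.3.0.0/19 ip4:10.3.32.0/20 ip4:198.51.100.0/24 "
        "ip4:203.0.113.7 ip6:2001:db8::/32 ~all",
}

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 DNS-querying terms is a permerror


def offline_lookup(domain: str) -> str:
    """Stand-in for a TXT query against the constructed zone (a resolver goes here in real use)."""
    return SAMPLE_ZONE.get(domain, "")


def _spf_terms(record: str) -> List[str]:
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError(f"permerror: no SPF record found in {record!r}")
    return parts[1:]


class _Walk:
    """Shared state for one recursive walk: loop protection and the lookup budget."""
    def __init__(self) -> None:
        self.seen: Set[str] = set()
        self.lookups = 0
        self.unexpanded: List[str] = []   # a/mx/ptr/exists terms we cannot resolve offline

    def charge(self) -> None:
        self.lookups += 1
        if self.lookups > MAX_LOOKUPS:
            raise ValueError(f"permerror: more than {MAX_LOOKUPS} DNS-querying terms")


def collect_ip4_networks(domain: str, lookup: Callable[[str], str],
                         walk: Optional[_Walk] = None) -> List[ipaddress.IPv4Network]:
    """Return every ip4: network reachable from domain's SPF record, following include:/redirect=."""
    walk = walk or _Walk()
    if domain in walk.seen:           # an include: cycle would otherwise recurse forever
        return []
    walk.seen.add(domain)
    nets: List[ipaddress.IPv4Network] = []
    for raw in _spf_terms(lookup(domain)):
        term = raw.lstrip("+-~?")     # the qualifier decides pass/fail, not which IPs are listed
        low = term.lower()
        if low.startswith("ip4:"):
            # strict=False accepts a bare host (becomes /32) or host bits set inside a prefix
            nets.append(ipaddress.IPv4Network(term[4:], strict=False))
        elif low.startswith(("ip6:", "exp=")) or low == "all":
            continue                  # nothing here names an IPv4 sender address
        elif low.startswith(("include:", "redirect=")):
            walk.charge()
            target = term[8:] if low.startswith("include:") else term[9:]
            nets.extend(collect_ip4_networks(target, lookup, walk))
        elif low in ("a", "mx", "ptr") or low.startswith(("a:", "a/", "mx:", "mx/", "ptr:", "exists:")):
            walk.charge()             # needs its own DNS answer; report it rather than drop it silently
            walk.unexpanded.append(f"{domain}: {raw}")
        # any other term is an unknown modifier, which RFC 7208 says to ignore
    return nets


def expand_to_max_prefix(networks: List[ipaddress.IPv4Network],
                         max_prefix: int = 24) -> List[ipaddress.IPv4Network]:
    """Split every network wider than /max_prefix into /max_prefix blocks, merging overlaps first."""
    blocks: List[ipaddress.IPv4Network] = []
    for net in ipaddress.collapse_addresses(networks):
        if net.prefixlen >= max_prefix:
            blocks.append(net)
        else:
            blocks.extend(net.subnets(new_prefix=max_prefix))
    return blocks


def entries_for_domain(domain: str, lookup: Callable[[str], str] = offline_lookup,
                       max_prefix: int = 24) -> List[str]:
    """The list of CIDR strings to paste into a relay-list UI capped at /max_prefix."""
    return [str(b) for b in expand_to_max_prefix(collect_ip4_networks(domain, lookup), max_prefix)]


if __name__ == "__main__":
    entries = entries_for_domain("example.com")
    print(f"{len(entries)} entries, e.g. {entries[0]} ... {entries[-1]}")
```

Running this against the constructed zone turns seven SPF networks into 498 /24 entries, which is the same arithmetic the post did by hand (a /16 alone contributes 256 of them). To use it against a real domain, replace offline_lookup with a function that returns the TXT record for a name; with dnspython that would be a dns.resolver.resolve(name, "TXT") call (an assumption about your environment, not something the thread describes). The walk raises rather than returning a partial list when the record is missing or exceeds the ten-lookup budget, since a silently truncated relay list is exactly the failure mode that causes outbound mail to be rejected.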
I feel for you and I think there should be an easier way to implement such services. GAFB has a huge set of ranges along with other services, whether they be hand developed or otherwise. Clustering is becoming the Cloud-based standard and with that comes big ranges to whitelist. If adding the 800 entries wasn't enough, your point of SPF verification, in my opinion, would be a huge asset. Or they could simply allow the broader CIDR ranges for GAFB or whatever it is.
I will be watching this closely as our company is a partner and does resell GAFB. In some sense, from a Partner perspective, this is kind of a bummer because, though as you've shown it is not impossible, it limits who anyone can resell this to.
Hopefully we will see an intelligible response from McAfee on how to make implementing this easier, from a Partner or even administrator standpoint.
Hello jboren, thank you for sharing concerns and suggestions. I would like to encourage you to contact support to further discuss this and to open an enhancement request. All enhancement requests are reviewed and analyzed by our product development team for possible inclusion in future releases. While we cannot guarantee that all requests will be implemented, we take each request under consideration. We are constantly looking for ways to improve our products, and customer suggestions play a big role in that process.
Thank you again,
System Support Specialist
SaaS Email and Web Security
McAfee. Part of Intel Security.
First, let me say that you are a trooper for entering in all those CIDR blocks /24 at a time. Wow!
Second and more importantly, we're currently working on official Google Apps and Office 365 support for the service for release in the first half of 2013 (medium confidence). What this will mean is better documentation on how to use the services together, but also a shortcut for entering in those CIDR blocks in the outbound server config. I'm not able to say exactly what that will look like in the UI, but it will be very easy to get that data loaded into the system.
Senior Product Manager, Email Security
And the legal bit...
The information contained in this post is for informational purposes only and should not be deemed an offer by McAfee or create an obligation on McAfee. McAfee reserves the right to discontinue products at any time, add or subtract features or functionality, or modify its products, at its sole discretion, without notice and without incurring further obligations.
Thank you for the update on the future release. I wish that the CIDR blocks were only /24 at a time (some are /16). Given the fact that so many businesses are moving to hosted systems, including GAB, this McAfee update will be very helpful!
Just an update: Happy to reveal that on Monday Feb 11 we will be releasing one-click support for outbound relay through SaaS Email Protection from Office 365 and Google Apps for Business. We will be tracking changes to their IP space for our customers, so no need to worry about ongoing maintenance!
Notice: The information contained herein is for informational purposes only and should not be deemed an offer by McAfee or create an obligation on McAfee. McAfee reserves the right to discontinue products at any time, add or subtract features or functionality, or modify its products, at its sole discretion, without notice and without incurring further obligations.
Looking forward to more information on the integration of Google Apps with McAfee SaaS, especially archiving and encryption.