Set up Proofpoint with Zoho mail

Created by Abderrahim Ibnou el kadi, Modified on Tue, 13 Jun, 2023 at 9:28 AM by Marc Chouinard

Synopsis:

This article describes the steps need to follow while setting up Proofpoint to filter Incoming mail and forwarding it to Zoho mail.

Configuration:

Here are the steps to take to complete the configuration:

I) Proofpoint Admin Portal:

Login to the Proofpoint portal
Verify your domain and enable relay and MUST wait 1 hour before it can process incoming mail
1. Click on the Verify Domain button then copy the Value (Figure 1, Figure 2)
  Figure 1:
  Figure 2:
2. Once the TXT record on your DNS is populated with the Value copied above wait few minutes and click Verify Domain button, then click on the 3 dots then click on Edit Domain
3. Enter the Domain name, Primary Delivery Destination, SMTP failover1,2,3 as shown in the screen shot below
4. Click on SAVE
5. Click on Enable Relay button, this will allow the platform to be ready to accept Incoming message.

Important: Allow 1 hour for the changes to propagate on Proofpoint platform then you can proceed with the next steps below, otherwise mail will be rejected

II) Zoho mail Admin Console:

On the Zoho Admin Console, navigate to Mail Settings > Email Routing > Inbound Gateway (screen shot belo) add the below IPs, with respect to your location, so we need to allow Zoho mail to only accept messages from those IPs.

Proofpoint Essentials-US	Proofpoint Essentials-EU
67.231.149.0/24 67.231.152.0/24 67.231.153.0/24 67.231.154.0/24 67.231.155.0/24 67.231.156.0/24 67.231.144.0/24 67.231.145.0/24 67.231.146.0/24 67.231.147.0/24 67.231.148.0/24 69.172.217.0/24 (V) 148.163.128.0/24 148.163.129.0/24 148.163.130.0/24 148.163.131.0/24 148.163.132.0/24 148.163.133.0/24 148.163.134.0/24 148.163.135.0/24	148.163.136.0/24 148.163.137.0/24 148.163.138.0/24 148.163.139.0/24 148.163.140.0/24 148.163.141.0/24 148.163.142.0/24 148.163.143.0/24 148.163.144.0/24 148.163.145.0/24 148.163.146.0/24 148.163.147.0/24 148.163.148.0/24 148.163.149.0/24 148.163.150.0/24 148.163.151.0/24 148.163.152.0/24 148.163.153.0/24 148.163.154.0/24 148.163.155.0/24 148.163.156.0/24 148.163.157.0/24 148.163.158.0/24 148.163.159.0/24	91.209.104.0/24 91.207.212.0/24 91.207.213.0/24 62.209.50.0/24 62.209.51.0/24 185.132.180.0/24 185.132.181.0/24 185.132.182.0/24 185.132.183.0/24 185.183.28.0/24 185.183.29.0/24 185.183.30.0/24 185.183.31.0/24 69.172.217.0/24 (V)

Proofpoint Essentials-US

Proofpoint Essentials-EU

67.231.149.0/24

67.231.152.0/24

67.231.153.0/24

67.231.154.0/24

67.231.155.0/24

67.231.156.0/24

67.231.144.0/24

67.231.145.0/24

67.231.146.0/24

67.231.147.0/24

67.231.148.0/24

69.172.217.0/24 (V)

148.163.128.0/24

148.163.129.0/24

148.163.130.0/24

148.163.131.0/24

148.163.132.0/24

148.163.133.0/24

148.163.134.0/24

148.163.135.0/24

148.163.136.0/24

148.163.137.0/24

148.163.138.0/24

148.163.139.0/24

148.163.140.0/24

148.163.141.0/24

148.163.142.0/24

148.163.143.0/24

148.163.144.0/24

148.163.145.0/24

148.163.146.0/24

148.163.147.0/24

148.163.148.0/24

148.163.149.0/24

148.163.150.0/24

148.163.151.0/24

148.163.152.0/24

148.163.153.0/24

148.163.154.0/24

148.163.155.0/24

148.163.156.0/24

148.163.157.0/24

148.163.158.0/24

148.163.159.0/24

91.209.104.0/24

91.207.212.0/24

91.207.213.0/24

62.209.50.0/24

62.209.51.0/24

185.132.180.0/24

185.132.181.0/24

185.132.182.0/24

185.132.183.0/24

185.183.28.0/24

185.183.29.0/24

185.183.30.0/24

185.183.31.0/24

69.172.217.0/24 (V)

Now we need to disable the Spam and Anti-spoofing verification on Zoho mail Admin console since Proofpoint has already scanned them
Login to the Zoho console:
1. select Security & Compliance > Spam Control>Spam Processing and disable the following: Spam Process Type, Sender-based Alerts, Post-delivery Spam Checks
2. Navigate to Security & Compliance > Spam Control>Spam Verification and set the following Actions SPF failure, DKIM Verification, DMARC Verification to None (see screen shot below)
  Note: DMARC is enabled by default, and if it is not disabled messages from Proofpoint will be bounced
Change you domain MX record to point to Proofpoint servers with respect to your location
Proofpoint Essentials-US
mx1-us1.ppe-hosted.com
mx2-us1.ppe-hosted.com

Proofpoint Essentials-EU
mx1-eu1.ppe-hosted.com
mx2-eu1.ppe-hosted.com
Once you confirm your mail flow for a day or 2 then you can proceed to lock down your Zoho mail to not accept mail from any other server except the Ips mentioned above. To do so login to the Zoho Admin Console> Mail Settings>Email Routing>Inbound Gateway and toggle to the right the option “Reject non-inbound gateway emails” Screen shot below

III) Zoho mail Admin Console: Outbound mail configuration

Before configuring your Zoho console make sure that you added the following IP addresses to your Proofpoint portal Account under Account Management > Domains then in the section "Sending Servers" add the following IP addresses

Zoho's Outbound mail is sent from the following IPs:

136.143.188.3

136.143.188.4

136.143.188.5

136.143.188.1

Make sure to wait 1 hour before you perform any outbound mail tests

Zoho Admin Console:

login to the Admin console and navigate to Mail Settings > Email Routing > Outbound Gateway (see screen shot below) and Add the following :

Destination Host (MX/IP address): enter the following Proofpoint server

ProofPoint Essentials-US
ProofPoint Essentials-EU
Smarthost
outbound-us1.ppe-hosted.com
outbound-eu1.ppe-hosted.com
Connection Type : Plain Support with TLS
Port : 25
Authentication : NO
Apply for: All Users

	ProofPoint Essentials-US	ProofPoint Essentials-EU
Smarthost	outbound-us1.ppe-hosted.com	outbound-eu1.ppe-hosted.com