[Email Security] Inline deployment docs (#19099)

* [Email Security] Inline deployment docs

* Fixing link

* Apply suggestions from code review

Co-authored-by: Jun Lee <[email protected]>

* Updating steps

* Adding prereq steps and egress ips

* Typo

* Fixing link

* Adding Cisco prereqs, partials, and renaming URLs

* Fixing steps

* Add submission addresses

* Remove space

* Adding graphs

* Adding Cisco diagrams

* Remove submission addresses

* Apply suggestions from code review

Co-authored-by: Jun Lee <[email protected]>

* Correcting UI component

* Update src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/inline-deployment-setup.mdx

Co-authored-by: Jun Lee <[email protected]>

* Correcting table

* Making steps optional

* Open Egress IPs to new page

* Update copy

* Add instructions about quarantining on MS365

* update links

* Fixing broken link + updating note

* Update src/content/docs/cloudflare-one/email-security/setup/pre-delivery-deployment/prerequisites/office365-email-security-mx.mdx

Co-authored-by: Jun Lee <[email protected]>

* Removing partial

---------

Co-authored-by: Jun Lee <[email protected]>

Author: Maddy-Cloudflare

src/assets/email-security/Cisco_to_Cisco_MX_Inline.png

@@ -0,0 +1,103 @@
+---
+title: Egress IPs
+pcx_content_type: reference
+sidebar:
+  order: 4
+---
+
+When you set up Email Security using an [MX/Inline deployment](/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment/), you need to tell your existing email providers to accept messages coming from Email Security's egress IP addresses.
+
+Refer to this page for reference on what IP subnet mask ranges to use.
+
+:::caution[Additional information for O365]
+
+Office 365 does not support IPv6 addresses nor the following IPv4 subnet mask ranges:
+
+* `104.30.32.0/19`
+* `134.195.26.0/23`
+
+If you use Office 365, you will have to use the broken down `/24` subnet mask IP addresses. Refer to [Office 365 `/24` addresses](#office-365-24-addresses) for a list of supported IPv4 addresses.
+
+
+:::
+
+## United States
+
+For customers in the United States, enter the following IP addresses:
+
+### IPv4
+
+```txt
+52.11.209.211
+52.89.255.11
+52.0.67.109
+54.173.50.115
+104.30.32.0/19
+158.51.64.0/26
+158.51.65.0/26
+134.195.26.0/23
+```
+
+### IPv6
+
+```txt
+2405:8100:c400::/38
+```
+
+## Europe
+
+For customers in Europe, add all our US IP addresses. Additionally, you need to add the following IP addresses for our European data centers:
+
+```txt
+52.58.35.43
+35.157.195.63
+```
+
+## India
+
+For customers in India, add all our US IP addresses.
+
+## Australia / New Zealand
+
+For customers in Australia and New Zealand, add all our US IP addresses.
+
+## Office 365 `/24` addresses
+
+Use these IPv4 addresses for Office 365, instead of the `/19` and `/23` subnets:
+
+```txt
+104.30.32.0/24
+104.30.33.0/24
+104.30.34.0/24
+104.30.35.0/24
+104.30.36.0/24
+104.30.37.0/24
+104.30.38.0/24
+104.30.39.0/24
+104.30.40.0/24
+104.30.41.0/24
+104.30.42.0/24
+104.30.43.0/24
+104.30.44.0/24
+104.30.45.0/24
+104.30.46.0/24
+104.30.47.0/24
+104.30.48.0/24
+104.30.49.0/24
+104.30.50.0/24
+104.30.51.0/24
+104.30.52.0/24
+104.30.53.0/24
+104.30.54.0/24
+104.30.55.0/24
+104.30.56.0/24
+104.30.57.0/24
+104.30.58.0/24
+104.30.59.0/24
+104.30.60.0/24
+104.30.61.0/24
+104.30.62.0/24
+104.30.63.0/24
+134.195.26.0/24
+134.195.27.0/24
+```

src/assets/email-security/Cisco_to_Email_Security_MX_Inline.png

@@ -0,0 +1,14 @@
+---
+title: Pre-delivery deployment
+pcx_content_type: navigation
+sidebar:
+  order: 1
+  group:
+    hideIndex: true
+---
+
+import { DirectoryListing } from "~/components"
+
+
+
+<DirectoryListing />

src/assets/email-security/Email_Security_Gmail_MX_Inline.png

@@ -0,0 +1,56 @@
+---
+title: Set up MX/Inline deployment
+pcx_content_type: concept
+sidebar:
+  order: 3
+---
+
+To set up MX/Inline:
+
+1. Log in to [Zero Trust](https://one.dash.cloudflare.com/).
+2. Select **Email Security**.
+3. Select **Monitoring**. If you are a first time user, select **Contact sales**. Otherwise, select **Set up**.
+4. Select **MX/Inline**.
+5. To start the MX/Inline configuration, you will need to have completed the prerequisite setup on your email provider's platform. Once you have completed this step, select **I confirm that I have completed all the necessary requirements**. Then, select **Start configuration**.
+
+If you have verified zones on Cloudflare, continue with the following steps:
+
+1. **Connect a domain**: Select your domain. Then, select **Continue**.
+2. **Select position**: This step allows you to choose where Email Security fits into your mail flow and configure position settings:
+    - **Select position**: Choose between:
+        - **Sit first (hop count = 1)**: Email Security is the first server that receives the email. There are no other email scanners or services between the Internet and Cloudflare.
+        - **Sit in the middle (hop count > 1)**: Email Security sits anywhere other than the first position. Other servers receive emails _before_ Email Security. There are other email scanners or email services in between.
+    - **Position settings**: Refine how Email Security receives and forwards emails:
+        - **Forwarding address**: This is your mail flow next hop after Email Security. This value is auto-filled, but you can still change it.
+        - **Outbound TLS**: Choose between:
+            1. **Forward all messages over TLS** (recommended).
+            2. **Forward all messages using opportunistic TLS**.
+    - Select **Continue**.
+3. (**Optional**, select **Skip for now** to skip this step) **Configure quarantine policy**: Select dispositions to automatically prevent certain types of incoming messages from reaching a recipient's inbox. 
+4. (Optional) **Update MX records**: 
+    - Email Security can automatically update MX records for domains that proxy traffic through Cloudflare. Under **Your mail processing location**, select your mail processing location.
+    - You can also choose to allow Cloudflare to update MX records by selecting **I confirm that I allow Cloudflare to update to the new MX records**. When Email Security updates MX records, we replace your original MX records with Email Security MX records.
+    - Select **Continue**.
+5. **Review details**: Review your domain, then select **Go to domains**.
+
+## Users who do not have domains with Cloudflare
+
+If you do not have domains with Cloudflare, the dashboard will display two options:
+
+- Add a domain to Cloudflare.
+- Enter domain manually.
+
+### Add a domain to Cloudflare
+
+Selecting **Add a domain to Cloudflare** will redirect you to a new page where you will connect your domain to Cloudflare. Once you have entered an existing domain, select **Continue**.
+
+Then, follow the steps to [Set up MX/Inline](/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/).
+
+### Enter domain manually
+
+1. **Add domains**: Manually enter domain names.
+2. **Review all domains**: Review all your domains, then select **Continue**.
+3. **Verify your domains**: It may take up to 24 hours for your domains to be verified. Select **Done**.
+4. Once your domains have been verified, the dashboard will display a message like this: **You have verified domains ready to connect to Email Security**. This means that you can now set up Email Security via MX/Inline. 
+5. Select **Set up**, then select **MX/Inline**.
+6. Follow the steps to [Set up MX/Inline](/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/).

src/assets/email-security/Email_Security_O365_MXInline.png

@@ -0,0 +1,20 @@
+---
+title: MX/Inline deployment
+pcx_content_type: concept
+sidebar:
+  order: 2
+---
+
+With pre-delivery deployment, also known as Inline deployment, Email Security evaluates email messages before they reach a user's inbox.
+
+Email Security becomes a hop in the SMTP processing chain and physically interacts with incoming email messages. Based on your policies, various messages are blocked before reaching the inbox.
+
+When you choose an inline deployment, you get the following benefits:
+
+- Messages are processed and physically blocked before arriving in a user's mailbox.
+- Your deployment is simpler, because any complex processing can happen downstream and without modification.
+- Email Security can modify delivered messages, adding subject or body mark-ups.
+- Email Security can offer high availability and adaptive message pooling.
+- You can set up advanced handling downstream for non-quarantined messages with added X-headers.
+
+![Inline deployment diagram](~/assets/images/email-security/deployment/inline-setup/CF_A1S_Deployment_Inline_Diagrams.png)

src/assets/images/email-security/deployment/inline-setup/CF_A1S_Deployment_Inline_Diagrams.png

@@ -0,0 +1,55 @@
+---
+title: Cisco - Email Security as MX Record
+pcx_content_type: integration-guide
+sidebar:
+  order: 5
+---
+
+import { Render } from "~/components"
+
+![A schematic showing where Email Security sits in the life cycle of an email received](src/assets/email-security/Cisco_to_Email_Security_MX_Inline.png)
+
+In this tutorial, you will learn how to configure Cisco IronPort with Email Security as MX record. 
+
+<Render file="deployment/mx-deployment-prerequisites" product="email-security"/>
+
+## 1. Add a Sender Group for Email Security Email Protection IPs
+
+To add a new Sender Group:
+
+1. Go to **Mail Policies** > **HAT Overview**.
+
+2. Select **Add Sender Group**.
+
+3. Configure the new Sender Group as follows:
+   - **Name**: `Email Security`.
+   - **Order**: Order above the existing **WHITELIST** sender group.
+   - **Comment**: `Email Security Email Protection egress IP Addresses`.
+   - **Policy**: `TRUSTED` (by default, spam detection is disabled for this mail flow policy).
+   - **SBRS**: Leave blank.
+   - **DNS Lists**: Leave blank.
+   - **Connecting Host DNS Verification**: Leave all options unchecked.
+
+4. Select **Submit and Add Senders** and add the IP addresses mentioned in <a href="/cloudflare-one/email-security/setup/pre-delivery-deployment/egress-ips/" target="_blank">Egress IPs</a>
+
+## 2. Configure Incoming Relays
+
+You need to configure the Incoming Relays section to tell IronPort to ignore upstream hops, since all the connections are now coming from Email Security. This step is needed so the IronPort can retrieve the original IPs to calculate IP reputation. IronPort also uses this information in the Anti-Spam (IPAS) scoring of messages.
+
+1. To enable the Incoming Relays Feature, select **Network** > **Incoming Relays**.
+2. Select **Enable** and commit your changes.
+3. Now, you will have to add an Incoming Relay. Select **Network** > **Incoming Relays**.
+4. Select **Add Relay** and give your relay a name.
+5. Enter the IP address of the MTA, MX, or other machine that connects to the email gateway to relay incoming messages. You can use IPv4 or IPv6 addresses.
+6. Specify the `Received:` header that will identify the IP address of the original external sender.
+7. Commit your changes.
+
+## 3. Disable SPF checks
+
+Make sure you disable Sender Policy Framework (SPF) checks in IronPort. Because Email Security is acting as the MX record, if you do not disable SPF checks, IronPort will block emails due to an SPF failure.
+
+Refer to [Cisco's documentation](https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117973-faq-esa-00.html) for more information on how to disable SPF checks.
+
+## Next steps
+
+Now that you have completed the prerequisite steps, you can set up [MX/Inline](/cloudflare-one/email-security/setup/pre-delivery-deployment/mx-inline-deployment-setup/) on the Cloudflare dashboard.