Setting up UTM as an inbound gateway for your Google-hosted mail allows you to take advantage of all of the mail filtering benefits of UTM, or Sophos Mail Gateway, combined with all of the benefits of using a hosted mail solution.
UTM must be configured to deliver mail to Google's servers, once filtered. It is important to know the server addresses Google listens on for mail from your domain. You can find these in the Google Apps management dashboard. Under Service Settings > Email activation, click the link titled: Instructions on how to activate Email. Then, under 'Set up email delivery', find the link called 'Change MX Records'. This document will detail which hostnames Google has established to host your account. Have this information ready when completing the next step.
In UTM's web interface, navigate to Email Protection > SMTP > Routing.
Finally, under Email Protection > SMTP > Relaying > Host-Based Relay, add the same Google hosts created above.
This is all that is needed within UTM's web interface.
On your DNS provider or server, be sure to remove all MX records pointing to Google, and replace them with an MX record pointing at your UTM's public IP address. If you are using WAN multilink on UTM and have multiple ISPs, you may want to add an MX record for each ISP. This will provide greater redundancy. If you are unsure how to do this, consult your DNS provider or the help documentation for your DNS server. DNS-related changes may take up to 48 hours to take effect.
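Once the DNS change has propagated, it is worth confirming that no MX record still points at Google, since any leftover record lets mail reach the mailbox without passing through UTM. The following check is an added example, not part of the original article: it audits the text output of `dig +short MX yourdomain`, and the UTM hostnames, the sample output and the Google hostname suffixes it matches on are assumptions made for illustration.

```python
# Added example: audit `dig +short MX <domain>` output after the MX cutover.
# All hostnames and the sample output below are constructed for illustration.

# Assumption: MX targets hosted by Google end in one of these suffixes.
GOOGLE_SUFFIXES = (".google.com", ".googlemail.com")


def parse_mx(dig_output):
    """Parse lines of the form '<preference> <target>.' into (pref, host) tuples."""
    records = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # skip blank lines and anything that is not an MX answer
        records.append((int(parts[0]), parts[1].rstrip(".").lower()))
    return sorted(records)


def audit_mx(dig_output, utm_hosts):
    """Classify MX targets as expected UTM hosts, leftover Google hosts, or other."""
    expected = {h.rstrip(".").lower() for h in utm_hosts}
    seen = {host for _, host in parse_mx(dig_output)}
    leftover = sorted(h for h in seen if h.endswith(GOOGLE_SUFFIXES))
    return {
        "bypasses_utm": leftover,  # mail sent here skips UTM filtering
        "unexpected": sorted(seen - expected - set(leftover)),
        "missing_utm": sorted(expected - seen),  # e.g. an ISP link with no MX
        "ok": bool(seen) and seen == expected,
    }


# Constructed sample: two UTM records published, one Google record left behind.
SAMPLE_DIG_OUTPUT = """\
10 utm-isp1.example.com.
20 utm-isp2.example.com.
30 ALT1.ASPMX.L.GOOGLE.COM.
"""

if __name__ == "__main__":
    hosts = ["utm-isp1.example.com", "utm-isp2.example.com", "utm-isp3.example.com"]
    for key, value in audit_mx(SAMPLE_DIG_OUTPUT, hosts).items():
        print(f"{key}: {value}")
```

Run it against the output from more than one public resolver, because cached answers can differ until the old records expire.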
Inbound and Outbound Setup (Optional)
Inbound and outbound gateway setup is not available in the free Standard version of Google Apps, but is available in edu and other paid versions. Setup is not necessary, but without inbound gateway setup, it is possible to bypass Astaro's spam filtering and send spam directly to Google's servers.
In your Google Apps domain administration dashboard, select Service Settings > Email.
If you wish to send all outbound mail back through the UTM for scanning, then fill in the outbound gateway field with UTM's public IP. In the inbound gateway section, enter all public IP addresses your UTM may send from. You may also want to check the box labeled 'Only let my users receive email from the gateways listed above.' This will prevent spam from possibly bypassing your UTM's protection.
Setup is now complete. Once the MX record changes propagate through DNS, UTM will be protecting your domain.