How do I allow all possible IPs for Gmail servers through my ufw firewall?
Solution 1
You'd need a script that periodically resolves the domain and updates firewall rules with the latest IP. Instead, try this method:
Domains like these often have multiple IPs associated with them. Use host domain.tld to get a list:
$ host smtp.gmail.com
smtp.gmail.com is an alias for gmail-smtp-msa.l.google.com.
gmail-smtp-msa.l.google.com has address 74.125.127.108
gmail-smtp-msa.l.google.com has address 74.125.127.109
But these two also probably keep changing, based on your question. So it's best to whitelist the entire netblock -- use whois with the IP:
$ whois 74.125.127.108
NetRange:       74.125.0.0 - 74.125.255.255
CIDR:           74.125.0.0/16
OriginAS:
NetName:        GOOGLE
NetHandle:      NET-74-125-0-0-1
Parent:         NET-74-0-0-0-0
NetType:        Direct Allocation
RegDate:        2007-03-13
Updated:        2012-02-24
Ref:            http://whois.arin.net/rest/net/NET-74-125-0-0-1
...
The NetRange/CIDR tell you what to whitelist -- 74.125.0.0/16. Google could assign any IP in this range to smtp.gmail.com.
Solution 2
The following command will return a couple of domains:
nslookup -q=TXT _spf.google.com 8.8.8.8
Run a nslookup for each one:
nslookup -q=TXT _netblocks.google.com 8.8.8.8
nslookup -q=TXT _netblocks2.google.com 8.8.8.8
nslookup -q=TXT _netblocks3.google.com 8.8.8.8
From: http://support.google.com/a/bin/answer.py?hl=en&answer=60764
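The two answers above describe one procedure: discover the netblocks Google publishes (the SPF chain under _spf.google.com, or the whois range of an observed address) and allow the whole block rather than individual hosts. The following added example, which is not code from either answer, walks an SPF include: chain, collects its ip4:/ip6: networks, checks which block an observed SMTP address falls in (the /16 from the first answer contains 74.125.127.108, a /24 would not), and renders ufw egress rules for port 587. The TXT records in SAMPLE_TXT are a constructed fixture standing in for live DNS answers, so the script runs offline; to use real data, replace the lookup callable with one that queries DNS.

```python
import ipaddress

# Constructed fixture standing in for live TXT answers. The netblocks are the
# ones quoted on this page (74.125.0.0/16 and 209.85.128.0/17) plus two
# made-up ranges; none of these should be taken as Google's current list.
SAMPLE_TXT = {
    "_spf.google.com": [
        "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com "
        "include:_netblocks3.google.com ~all"
    ],
    "_netblocks.google.com": ["v=spf1 ip4:74.125.0.0/16 ip4:209.85.128.0/17 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip6:2001:4860:4000::/36 ~all"],
    "_netblocks3.google.com": ["v=spf1 ip4:172.217.0.0/19 ~all"],
}


def sample_lookup(name):
    """Return the TXT strings for `name` from the constructed fixture."""
    return SAMPLE_TXT.get(name, [])


def spf_networks(domain, lookup, seen=None):
    """Follow the SPF include: chain from `domain` and return the set of
    ip4:/ip6: networks it declares. `lookup(name)` yields TXT strings for a
    name. Only include:, ip4: and ip6: terms are handled; a:, mx: and other
    mechanisms are ignored. `seen` guards against include loops."""
    if seen is None:
        seen = set()
    if domain in seen:
        return set()
    seen.add(domain)
    nets = set()
    for txt in lookup(domain):
        if not txt.startswith("v=spf1"):
            continue
        for term in txt.split()[1:]:
            term = term.lstrip("+")  # "+ip4:" is the same as "ip4:"
            if term.startswith("include:"):
                nets |= spf_networks(term[len("include:"):], lookup, seen)
            elif term.startswith(("ip4:", "ip6:")):
                # split once: an IPv6 literal contains further colons
                nets.add(ipaddress.ip_network(term.split(":", 1)[1], strict=False))
    return nets


def covers(nets, address):
    """Return the network from `nets` that contains `address`, or None."""
    addr = ipaddress.ip_address(address)
    for net in nets:
        if addr.version == net.version and addr in net:
            return net
    return None


def ufw_rules(nets, local_ip, port=587):
    """Render one ufw egress rule per netblock, sorted so the generated
    script is stable between runs (IPv4 first, then IPv6)."""
    return [
        f"ufw allow out from {local_ip} to {net} port {port} proto tcp"
        for net in sorted(nets, key=lambda n: (n.version, n))
    ]


if __name__ == "__main__":
    nets = spf_networks("_spf.google.com", sample_lookup)
    for rule in ufw_rules(nets, "192.168.2.5"):
        print(rule)
    # The address from the host output above sits inside the /16 but would
    # be missed by the /24 that the question tried.
    print(covers(nets, "74.125.127.108"))
```

Because the published list changes, the generated rules belong in a script that is re-run on a schedule and diffed against the current ufw rule set, not pasted once by hand.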
Solution 3
Free GMail & paid GSuite GMail use different servers, because when I run:
sudo doveadm dump /home/vmail/acme.com/postmaster/Maildir | grep google.com
it gives me addresses within the 209.85.128.0/17 range.
ARIN even has an API response for GOGL.
nomadicME
Updated on September 18, 2022
Comments
-
nomadicME over 1 year
I am currently using the following rule:
ufw allow out from my_local_ip to any port 587
This is a little too lax for my liking. I would like to tighten it up and restrict it to only gmail's smtp server ip addresses, but they are always changing. I used to just wait until an outgoing email didn't make it to its destination, then check syslog for the ip address that was blocked, then add that to the ufw configure script. However, now I have a need for much more reliability.
Is there any way to use smtp.gmail.com in ufw? I don't think so, but thought I would ask. Any other ideas? Thanks.
Update
Taking izx's suggestion, I obtained the following (abbreviated) info from whois:
$ whois 74.125.53.108
...
NetRange: 74.125.0.0 - 74.125.255.255
CIDR: 74.125.0.0/16
...
Using this info I created the following command in my ufw configuration script (I realize there are other ranges to open, this is just an example):
ufw allow out from 192.168.2.5 to 74.125.0/24.0/24 port 587
but ufw does not like that. So I changed it to:
ufw allow out from 192.168.2.5 to 74.125.0.0/24 port 587
this ufw accepted but obviously this will only block any address in this range with 0 as the third octet. So how do I get from 0-255 for the third octet as well?
-
nomadicME almost 12 years
Thank you for your help. Using this info I created the following command in my ufw configuration script (I realize there are other ranges to block, this is just an example): ufw allow out from 192.168.2.5 to 74.125.0/24.0/24 port 587 but ufw does not like that. So I changed it to ufw allow out from 192.168.2.5 to 74.125.0.0/24 port 587, this ufw accepted. So how do I get from 0-255 for the third octet?
-
Lekensteyn almost 12 years
@nomadicME See serverfault.com/q/49765/51929 for a lengthy description. In short, you need to use 74.125.0.0/16. For more IP addresses that GMail may use, use the dig _spf.google.com TXT command.
-
nomadicME almost 12 years
@Lekensteyn, thank you. I think I finally have all the ip possibilities. That has been bugging me for a while.