Unblock incoming Gmail on pfBlocker NG

If you are using pfBlocker NG, you might eventually stop receiving e-mails from Google's Gmail service, depending on which RBL lists you use. For example, SpamCop is known to repeatedly block networks that host Gmail SMTP servers. This may be a problem for you, because everyone and their grandmother is using Gmail.

Solution 1: Disable the guilty RBL list

Problem: You have now disabled the entire RBL list. It may have been a very useful list and you may now be receiving much more spam than you previously did. Plus, any other RBL list may kick in and block Gmail again. So if this is not an option for you then read on.

Solution 2: Exempt Gmail from getting blacklisted

This solution will take considerably more work, now and in the future, but it will keep all your RBL lists intact.

But how do you get this list of IP addresses? Google uses hundreds if not thousands of outgoing SMTP servers to deliver e-mails, and you never know which one will hit your firewall. You will make use of SPF to compile a list of IP addresses that are currently allowed to send e-mails under the gmail.com domain. For this you will need a Linux shell with dig installed. Let's see what's up with the SPF record of gmail.com:

# dig txt gmail.com | grep spf
gmail.com.              594     IN      TXT     "v=spf1 redirect=_spf.google.com"

This is a redirect to _spf.google.com. Alright, let's look up the SPF record of _spf.google.com:

# dig txt _spf.google.com | grep spf
_spf.google.com.        599     IN      TXT     "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"

Fantastic, even more indirection: three include: mechanisms this time, so you have no choice but to look up all of these:

# dig txt _netblocks.google.com | grep spf
 
_netblocks.google.com.  1820    IN      TXT     "v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all"
 
# dig txt _netblocks2.google.com | grep spf
 
_netblocks2.google.com. 2767    IN      TXT     "v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all"
 
# dig txt _netblocks3.google.com | grep spf
 
_netblocks3.google.com. 3598    IN      TXT     "v=spf1 ip4:172.217.0.0/19 ip4:172.217.32.0/20 ip4:172.217.128.0/19 ip4:172.217.160.0/20 ip4:172.217.192.0/19 ip4:172.253.56.0/21 ip4:172.253.112.0/20 ip4:108.177.96.0/19 ip4:35.191.0.0/16 ip4:130.211.0.0/22 ~all"

That is an absolutely shocking number of IP addresses, thanks Google for being so lazy on this one. So you will need to compile a list of all these. In our example you will need an IPv4 list (create a separate IPv6 list if both your firewall and your mail server use IPv6 and you use IPv6 RBL lists for mail on pfBlocker NG):

IPv4

35.190.247.0/24
64.233.160.0/19
66.102.0.0/20
66.249.80.0/20
72.14.192.0/18
74.125.0.0/16
108.177.8.0/21
173.194.0.0/16
209.85.128.0/17
216.58.192.0/19
216.239.32.0/19
172.217.0.0/19
172.217.32.0/20
172.217.128.0/19
172.217.160.0/20
172.217.192.0/19
172.253.56.0/21
172.253.112.0/20
108.177.96.0/19
35.191.0.0/16
130.211.0.0/22

IPv6

2001:4860:4000::/36
2404:6800:4000::/36
2607:f8b0:4000::/36
2800:3f0:4000::/36
2a00:1450:4000::/36
2c0f:fb50:4000::/36

Updated on: Jan 19, 2020

So this is your custom list. Create the RBL Alias exactly as explained in the first paragraph and do not forget to force an update. Once that has succeeded, send an e-mail from Gmail to your local e-mail address again, and in the end everything will be fine.
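
The manual dig lookups above can be scripted so the list is easy to regenerate. The following is an added example, not part of the original page: the function names spf_lookup, _spf_walk and spf_ranges are made up here, and it goes slightly beyond the walkthrough by guarding against include loops and by rejoining TXT records that dig returns as several quoted strings.

```sh
#!/bin/sh
# Added example: collect the ip4:/ip6: ranges reachable from a domain's SPF record.
# Usage (after sourcing this file):  spf_ranges gmail.com ip4

# Return the SPF TXT record of $1 as one lower-cased line.
# This is the only function that touches the network.
spf_lookup() {
    # dig +short prints TXT data as quoted strings; a long record arrives as
    # several strings that SPF concatenates without any separator.
    dig +short txt "$1" | sed 's/" "//g; s/"//g' |
        tr '[:upper:]' '[:lower:]' | grep '^v=spf1'
}

# Depth-first walk over redirect= and include: targets, printing ip4/ip6 terms.
_spf_walk() {
    case "$_spf_seen" in *" $1 "*) return 0 ;; esac  # already visited: stop loops
    _spf_seen="$_spf_seen$1 "
    for term in $(spf_lookup "$1"); do
        term=${term#+}                 # "+" is the default (pass) qualifier
        case "$term" in
            ip4:*|ip6:*) echo "$term" ;;
            include:*)   _spf_walk "${term#include:}" ;;
            redirect=*)  _spf_walk "${term#redirect=}" ;;
            # a, mx, exists and "-"/"~"/"?" qualified terms are ignored here
        esac
    done
}

# spf_ranges DOMAIN [ip4|ip6]: one CIDR per line, sorted, duplicates removed.
spf_ranges() {
    _spf_seen=" "
    # DNS answers are untrusted input: disable globbing while splitting them
    # and keep only strings that look like an address or CIDR.
    ( set -f; _spf_walk "$1" ) | grep "^${2:-ip4}:" | cut -d: -f2- |
        grep -E '^[0-9a-f:.]+(/[0-9]+)?$' | sort -u
}
```

Run spf_ranges gmail.com ip4 (and ip6 if needed) and diff the output against the custom list before pasting it into the alias, so that any change in the ranges is reviewed rather than applied blindly.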