Chotaire Wiki


Unblock incoming Gmail on pfBlocker NG

If you are using pfBlocker NG, you might eventually stop receiving e-mails from Google's Gmail service, depending on which RBL lists you use. For example, SpamCop is known to repeatedly block networks that host Gmail SMTP servers. This may be a problem for you, because everyone and their grandmother is using Gmail.

Solution 1: Disable the guilty RBL list

  • Log into your Gmail account and send an e-mail to an address hosted on your mailserver that is firewalled by pfSense.
  • Watch your firewall logs for “:25” and you should find a host that just got blocked trying to send to your mailserver IP at port 25.
  • Do a name lookup on the source host. If it's a Google host, then you found it.
  • Now click the red “x” sign in front of the firewall log line and it should show you that it got blocked because of e.g. “PfB_MAIL”. In this case you know it was pfBlocker NG and you will also know the guilty RBL Alias.
  • Go into that RBL Alias, e.g. Firewall → pfBlockerNG → IPv4 → PfB_MAIL, and you will see a list of RBL lists including their URLs.
  • Copy the URLs of all enabled lists, download each list in a new browser window and grep it for the affected source IP. In many cases it's not a single IP but an entire network that got blacklisted, so if e.g. has been denied access, you would start looking for 209.85.160 and if you find nothing then try 209.85.
  • At some point you will find the list that causes the block. You can now disable this single RBL list within your RBL Alias and Gmail will work again.
Problem: You have now disabled the entire RBL list. It may have been a very useful list and you may now be receiving much more spam than you previously did. Plus, any other RBL list may kick in and block Gmail again. So if this is not an option for you then read on.

Solution 2: Exempt Gmail from getting blacklisted

This solution will take considerably more work, now and in the future, but it will keep all your RBL lists intact.

  • Under Firewall → pfBlockerNG → IPv4, you will create a new RBL Alias that will Permit Inbound.
  • Within that RBL Alias you will fill the IPv4 Custom List with IP addresses/networks used by Google for outgoing SMTP.
  • You will then save it and drag it above the other RBL Alias that previously caused issues.
  • Then you will run a force update.

But how do you get this list of IP addresses? Google uses hundreds if not thousands of outgoing SMTP servers to deliver e-mails and you never know which one hits your firewall. You will make use of SPF to compile a list of IP addresses that are currently allowed to send e-mails under the domain. For this you will need a Linux shell and dig installed. Let's see what's up with the SPF record of

# dig txt | grep spf
              594     IN      TXT     "v=spf1"

This appears to be a redirect to, alright, let's look up's SPF records:

# dig txt | grep spf
        599     IN      TXT     "v=spf1 ~all"

Fantastic, even more redirects, so you have no choice but to look up all of these:

# dig txt | grep spf
  1820    IN      TXT     "v=spf1 ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ~all"
# dig txt | grep spf
 2767    IN      TXT     "v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all"
# dig txt | grep spf
 3598    IN      TXT     "v=spf1 ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ip4: ~all"

That is an absolutely shocking number of IP addresses, thanks Google for being so lazy on this one. So you will need to compile a list of all these. In our example you will need an IPv4 list (create another IPv6 list if both your firewall and your mailserver use IPv6 and you use IPv6 RBL lists for mail on pfBlocker NG):




Updated on: Jan 19, 2020

So this is your custom list. Create the RBL Alias exactly as explained in the first paragraph and do not forget to run a force update. Once successful, send an e-mail from Gmail to your local e-mail address again, and in the end everything will be fine.
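The manual SPF walk above (look up the record, follow each redirect and include, collect the ip4 entries) can be scripted so the custom list is easy to regenerate when the records change. This is an added example, not part of the original page: the function names and the SPF_FIXTURE switch are hypothetical, and the mail.example records are constructed from documentation address ranges so the logic can be checked without DNS.

```shell
#!/bin/sh
# Added example: walk an SPF record tree and print its ip4 networks.

# Return the SPF TXT record of domain $1. With SPF_FIXTURE set, answer from
# the constructed records below (documentation ranges, made-up names)
# instead of querying DNS.
spf_txt() {
    if [ -n "${SPF_FIXTURE:-}" ]; then
        case "$1" in
            mail.example)      echo 'v=spf1 redirect=_spf.mail.example' ;;
            _spf.mail.example) echo 'v=spf1 include:_nb1.mail.example include:_nb2.mail.example ~all' ;;
            _nb1.mail.example) echo 'v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/25 ~all' ;;
            _nb2.mail.example) echo 'v=spf1 ip6:2001:db8::/32 ip4:203.0.113.0/24 include:_nb1.mail.example ~all' ;;
        esac
    else
        # Long TXT records arrive as several quoted strings; join them.
        dig +short txt "$1" | sed 's/" "//g; s/"//g' | grep '^v=spf1'
    fi
}

SEEN=""   # domains already visited, so include loops terminate

# Print every ip4: network reachable from $1 via redirect= and include:.
# Mechanisms that need further lookups (a, mx, exists) are not resolved.
walk_spf() {
    case " $SEEN " in *" $1 "*) return 0 ;; esac
    SEEN="$SEEN $1"
    for tok in $(spf_txt "$1"); do
        case "$tok" in
            ip4:*)      echo "${tok#ip4:}" ;;
            include:*)  walk_spf "${tok#include:}" ;;
            redirect=*) walk_spf "${tok#redirect=}" ;;
        esac
    done
}

# Sorted, de-duplicated list, one network per line, ready for the custom list.
spf_ip4_list() {
    # Subshell: fresh SEEN per run, globbing off so "?all" is never expanded.
    ( set -f; SEEN=""; walk_spf "$1" ) | sort -u
}

# Usage: sh spf-ip4.sh <sender-domain>
if [ $# -gt 0 ]; then
    spf_ip4_list "$1"
fi
```

Run it with the sender's domain as the only argument and paste the output into the IPv4 Custom List. Rerun it whenever Gmail starts getting blocked again, since the published networks change over time.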

pfsense-unblock-incoming-gmail.txt · Last modified: 2020/01/19 23:07 by chotaire