Chotaire Wiki


Unblock incoming Gmail on pfBlocker NG

If you are using pfBlocker NG, you might eventually end up receiving no more e-mails from Google's Gmail service, depending on which RBL lists you use. For example, spamcop is known to repeatedly block networks that host Gmail SMTP servers. This may be a problem for you, because everyone and their grandmother is using Gmail.

Solution 1: Disable the guilty RBL list

  • Log into your Gmail account and send an e-mail to an address hosted on your mailserver, the one that sits behind pfSense.
  • Watch your firewall logs for “:25”; you should find a host that just got blocked while trying to reach your mailserver IP on port 25.
  • Do a name lookup on the source host. If it resolves to a Google host, you have found it.
  • Now click the red “x” sign in front of the firewall log line and it should show you that it got blocked because of e.g. “PfB_MAIL”. In this case you know it was pfBlockerNG and you will also know the guilty RBL Alias.
  • Go into that RBL Alias, e.g. Firewall → pfBlockerNG → IPv4 → PfB_MAIL, and you will see the list of RBL lists including their URLs.
  • Copy each enabled URL, download the list in a new browser window and grep it for the affected source IP. In many cases it's not a single IP but an entire network that got blacklisted, so if e.g. 209.85.160.196 has been denied access, you would start looking for 209.85.160 and, if you find nothing, try 209.85.
  • At some point you will find the offending list. You can now disable this single RBL list within your RBL Alias and Gmail will work again.

Problem: You have now disabled the entire RBL list. It may have been a very useful list and you may now be receiving much more spam than you previously did. Plus, any other RBL list may kick in and block Gmail again. So if this is not an option for you then read on.

Solution 2: Exempt Gmail from getting blacklisted

This solution will take considerably more work, now and in the future, but it will keep all your RBL lists intact.

  • Under Firewall → pfBlockerNG → IPv4, you will create a new RBL Alias that will Permit Inbound.
  • Within that RBL Alias you will fill the IPv4 Custom List with IP addresses/networks used by Google for outgoing SMTP.
  • You will then save it and drag it above the other RBL Alias that previously caused issues.
  • Then you will run a force update.

But how do you get this list of IP addresses? Google uses hundreds if not thousands of outgoing SMTP servers to deliver e-mail and you never know which one will hit your firewall. You will make use of SPF to compile a list of the IP addresses that are currently allowed to send e-mail for the gmail.com domain. For this you will need a Linux shell with dig installed. Let's see what's up with the SPF record of gmail.com:

# dig txt gmail.com | grep spf
gmail.com.              594     IN      TXT     "v=spf1 redirect=_spf.google.com"

This is a redirect to _spf.google.com, alright, so let's look up the SPF record of _spf.google.com:

# dig txt _spf.google.com | grep spf
_spf.google.com.        599     IN      TXT     "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com include:_netblocks3.google.com ~all"

Fantastic, even more indirection, this time three include: terms, so you have no choice but to look up all of them:

# dig txt _netblocks.google.com | grep spf
_netblocks.google.com.  1820    IN      TXT     "v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ip4:66.249.80.0/20 ip4:72.14.192.0/18 ip4:74.125.0.0/16 ip4:108.177.8.0/21 ip4:173.194.0.0/16 ip4:209.85.128.0/17 ip4:216.58.192.0/19 ip4:216.239.32.0/19 ~all"

# dig txt _netblocks2.google.com | grep spf
_netblocks2.google.com. 2767    IN      TXT     "v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ip6:2607:f8b0:4000::/36 ip6:2800:3f0:4000::/36 ip6:2a00:1450:4000::/36 ip6:2c0f:fb50:4000::/36 ~all"

# dig txt _netblocks3.google.com | grep spf
_netblocks3.google.com. 3598    IN      TXT     "v=spf1 ip4:172.217.0.0/19 ip4:172.217.32.0/20 ip4:172.217.128.0/19 ip4:172.217.160.0/20 ip4:172.217.192.0/19 ip4:172.253.56.0/21 ip4:172.253.112.0/20 ip4:108.177.96.0/19 ip4:35.191.0.0/16 ip4:130.211.0.0/22 ~all"

That is an absolutely shocking number of IP addresses, thanks Google for being so lazy on this one. So you will need to compile a list of all of these. In this example you will need the IPv4 list (create another RBL Alias with the IPv6 list if both your firewall and your mailserver use IPv6 and you use IPv6 RBL lists for mail on pfBlockerNG):

IPv4

35.190.247.0/24
64.233.160.0/19
66.102.0.0/20
66.249.80.0/20
72.14.192.0/18
74.125.0.0/16
108.177.8.0/21
173.194.0.0/16
209.85.128.0/17
216.58.192.0/19
216.239.32.0/19
172.217.0.0/19
172.217.32.0/20
172.217.128.0/19
172.217.160.0/20
172.217.192.0/19
172.253.56.0/21
172.253.112.0/20
108.177.96.0/19
35.191.0.0/16
130.211.0.0/22

IPv6

2001:4860:4000::/36
2404:6800:4000::/36
2607:f8b0:4000::/36
2800:3f0:4000::/36
2a00:1450:4000::/36
2c0f:fb50:4000::/36

Updated on: Jan 19, 2020

So this is your custom list. Create the RBL Alias exactly as explained at the start of Solution 2 and do not forget the force update. Once successful, again send an e-mail from Gmail to your local e-mail address and in the end everything will be fine:
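The manual dig-and-copy walk above, and the prefix grepping from Solution 1, as an added example that is not part of the original wiki page: it follows redirect= and include: terms recursively, collects the ip4:/ip6: networks into the two custom-list formats, and checks whether a blocked source IP from the firewall log is covered. The lookup is pluggable; SAMPLE_TXT is a constructed, abridged copy of the records quoted above so it runs offline, and dig_txt is an assumed helper that shells out to dig for live data.

```python
import ipaddress
import re
import subprocess

# Constructed, abridged copy of the TXT records quoted on this page (Jan 2020),
# so the walk runs offline; pass dig_txt as the lookup to query live DNS instead.
SAMPLE_TXT = {
    "gmail.com": ["v=spf1 redirect=_spf.google.com"],
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com "
                        "include:_netblocks2.google.com include:_netblocks3.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:209.85.128.0/17 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip6:2001:4860:4000::/36 ip6:2a00:1450:4000::/36 ~all"],
    "_netblocks3.google.com": ["v=spf1 ip4:172.217.0.0/19 ip4:35.191.0.0/16 ~all"],
}

def dig_txt(name):
    """Live lookup with the dig binary the page uses; records over 255 bytes arrive as quoted chunks."""
    out = subprocess.run(["dig", "+short", "txt", name], capture_output=True, text=True, check=True).stdout
    return ["".join(p.strip('"') for p in line.split('" "')) for line in out.splitlines() if line]

def spf_networks(domain, lookup=dig_txt, seen=None, depth=0):
    """Follow redirect= and include: recursively and collect the passing ip4:/ip6: terms."""
    seen = set() if seen is None else seen
    if domain in seen or depth > 10:  # RFC 7208 caps lookups at 10; this also breaks include loops
        return []
    seen.add(domain)
    nets = []
    for record in lookup(domain):
        terms = record.split()
        if not terms or terms[0].lower() != "v=spf1":
            continue  # some other TXT record at the name (site verification etc.), not SPF
        for term in terms[1:]:
            # Only unqualified or "+" terms grant sending; "-", "~", "?" terms and the
            # a/mx/ptr/exists mechanisms (which Google's records do not use) are skipped.
            m = re.match(r"\+?(ip4|ip6|include|redirect)[:=](.+)$", term)
            if not m:
                continue
            if m.group(1) in ("ip4", "ip6"):
                nets.append(m.group(2))
            else:
                nets += spf_networks(m.group(2), lookup, seen, depth + 1)
    return nets

def split_families(nets):
    """Deduplicate and split into (IPv4, IPv6) lists: one CIDR per pfBlockerNG custom-list line."""
    nets = [ipaddress.ip_network(n, strict=False) for n in dict.fromkeys(nets)]
    return [str(n) for n in nets if n.version == 4], [str(n) for n in nets if n.version == 6]

def covered(ip, nets):
    """Networks from the list that contain a blocked source IP taken from the firewall log."""
    addr = ipaddress.ip_address(ip)
    return [n for n in nets if addr in ipaddress.ip_network(n, strict=False)]
```

Re-run it periodically: Google changes these netblocks, so a list compiled once will silently drift out of date.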



pfsense-unblock-incoming-gmail.txt · Last modified: 2020/01/19 23:07 by chotaire