
google outbound SMTP whitelisting

  • Mike.
    Message 1 of 10, May 19, 2013
      I wanted to put google's outbound SMTP servers on a postscreen
      whitelist, but the list seems to be dynamic. I found this web page
      that explains how to get the list of IP addresses:
      http://support.google.com/a/bin/answer.py?hl=en&hlrm=de&answer=60764

      So I wrote a quick script that outputs to stdout the list of CIDR
      addresses in a format suitable for a postscreen whitelist.

      The script is called gwhitelist.sh and is available here:
      http://archive.mgm51.com/sources/gwhitelist.html




      The output from the script currently is:

      # gwhitelist.sh
      216.239.32.0/19 permit
      64.233.160.0/19 permit
      66.249.80.0/20 permit
      72.14.192.0/18 permit
      209.85.128.0/17 permit
      66.102.0.0/20 permit
      74.125.0.0/16 permit
      64.18.0.0/20 permit
      207.126.144.0/20 permit
      173.194.0.0/16 permit
      2001:4860:4000::/36 permit
      2404:6800:4000::/36 permit
      2607:f8b0:4000::/36 permit
      2800:3f0:4000::/36 permit
      2a00:1450:4000::/36 permit
      2c0f:fb50:4000::/36 permit




      I tested the script under OpenBSD 5.3, FreeBSD 9.1, and Debian
      GNU/Linux 6.0.6.

      Comments are welcome.
    • LuKreme
      Message 2 of 10, May 19, 2013
        On 19 May 2013, at 13:08 , Mike. <the.lists@...> wrote:
        > I wanted to put google's outbound SMTP servers on a postscreen
        > whitelist, but the list seems to be dynamic. I found this web page
        > that explains how to get the list of IP addresses:
        > http://support.google.com/a/bin/answer.py?hl=en&hlrm=de&answer=60764

        Funny, I just asked about doing this within the last week in a thread "postscreen and Google"

        The answer, direct from Wietse, is

        > Don't enable the "after 220" tests, or wait until whitelisting is stable. Given that Google has many servers, manual whitelisting is not a long-term solution.

        If your server is high-volume, you need to run postscreen for a while with soft-bounce enabled to build up the cache. A month.

        You might also read the thread "Snapshot 20130517" which details upcoming changes in 2.11 that will allow whitelisting via a DNS RBL-style lookup.

        (I went with disabling the after-220 tests and postscreen is still doing an excellent job of keeping mail from having to go through spamd, significantly dropping my server's processor load).

        --
        Can I tell you the truth? I mean this isn't like TV news, is it?
      • Benny Pedersen
        Message 3 of 10, May 20, 2013
          Mike. skrev den 2013-05-19 21:08:

          > Comments are welcome.

          wishful thinking here: make postscreen postfix policy compatible

          --
          senders that put my email into body content will deliver it to my own
          trashcan, so if you like to get reply, dont do it
        • Mike.
          Message 4 of 10, May 20, 2013
            On 5/20/2013 at 3:14 PM Benny Pedersen wrote:

            |Mike. skrev den 2013-05-19 21:08:
            |
            |> Comments are welcome.
            |
            |wishful thinking here: make postscreen postfix policy compatible
            =============

            That's beyond the scope of the project. :)


            More seriously, if I were to integrate it more closely with postscreen,
            I would want to seriously beef up the error checking within the script.
            I purposely left it to the individual mail admin to decide how, and
            to what extent, to fit gwhitelist.sh into the mail system.
          • Steve Jenkins
            Message 5 of 10, May 20, 2013
              On Mon, May 20, 2013 at 7:02 AM, Mike. <the.lists@...> wrote:
              > More seriously, if I were to integrate it more closely with postscreen,
              > I would want to seriously beef up the error checking within the script.
              > I purposely left it to the individual mail admin to decide how, and
              > to what extent, to fit gwhitelist.sh into the mail system.

              Simple. Neat. Effective. I've now added gwhitelist to the crontab on my personal mail server:

              # crontab -l
              @hourly /usr/local/bin/opendkim-reportstats -sendstats > /dev/null #Send OpenDKIM Stats
              0 4 * * * /usr/local/bin/sa_wrapper.sh #SpamAssassin Learning Tasks
              @weekly /usr/bin/wget -q -N -P /etc/postfix http://hardwarefreak.com/fqrdns.pcre #Download Stan's updated PCRE file
              @weekly /usr/local/bin/gwhitelist.sh > /etc/postfix/gmail_whitelist.cidr #Update Google Mail Server Whitelist

              Thx!

              SteveJ
            • Benny Pedersen
              Message 6 of 10, May 20, 2013
                Steve Jenkins skrev den 2013-05-20 16:31:

                > @weekly /usr/local/bin/gwhitelist.sh >
                > /etc/postfix/gmail_whitelist.cidr #Update Google Mail Server
                > Whitelist

                unsure if postfix self reloads on filechanges ? :/

                if not can postfix do this ?

                --
                senders that put my email into body content will deliver it to my own
                trashcan, so if you like to get reply, dont do it
              • Wietse Venema
                Message 7 of 10, May 20, 2013
                  Benny Pedersen:
                  > Steve Jenkins skrev den 2013-05-20 16:31:
                  >
                  > > @weekly /usr/local/bin/gwhitelist.sh >
                  > > /etc/postfix/gmail_whitelist.cidr #Update Google Mail Server
                  > > Whitelist
                  >
                  > unsure if postfix self reloads on filechanges ? :/
                  >
                  > if not can postfix do this ?

                  You need "postfix reload" after changing cidr maps (and pcre, regexp,
                  and other files that are processed in their entirety as the map is
                  opened).

                  Wietse
                • Steve Jenkins
                  Message 8 of 10, May 20, 2013
                    On Mon, May 20, 2013 at 8:57 AM, Benny Pedersen <me@...> wrote:
                    > Steve Jenkins skrev den 2013-05-20 16:31:
                    >
                    > > @weekly /usr/local/bin/gwhitelist.sh >
                    > > /etc/postfix/gmail_whitelist.cidr #Update Google Mail Server Whitelist
                    >
                    > unsure if postfix self reloads on filechanges ? :/
                    >
                    > if not can postfix do this ?

                    I wasn't sure either, which is why I added a "postfix reload" as the last line of the gwhitelist.sh script. :)

                    SteveJ 
                  • Benny Pedersen
                    Message 9 of 10, May 21, 2013
                      wietse@... skrev den 2013-05-20 19:02:

                      > You need "postfix reload" after changing cidr maps (and pcre, regexp,
                      > and other files that are processed in their entirety as the map is
                      > opened).

                      here I just move cidr maps to postgresql so it does not need to reload
                      postfix, but it's maybe not all using postgresql, just to note it for
                      cron update postfix

                      using spf data to dump into cidr is basically a bit silly in the terms
                      it's not live data, postscreen could use tables in any postconf -m, it
                      only makes sense to use cidr for speed reasons imho

                      --
                      senders that put my email into body content will deliver it to my own
                      trashcan, so if you like to get reply, dont do it
                    • Benny Pedersen
                      Message 10 of 10, May 21, 2013
                        Steve Jenkins skrev den 2013-05-20 19:06:

                        > I wasn't sure either, which is why I added a "postfix reload" as the
                        > last line of the gwhitelist.sh script. :)

                        please respect my signature, if you use multiple sh files to update via
                        cron, then you might combine all sh into one cron script and end it all
                        with one single postfix reload, if not using postgresql :)

                        --
                        senders that put my email into body content will deliver it to my own
                        trashcan, so if you like to get reply, dont do it
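
Added example, not part of the thread and not gwhitelist.sh itself: the crontab line above redirects straight into the live CIDR file, so a failed lookup leaves an empty or malformed table that stays in place until the next run. This wrapper validates the output first, swaps it in atomically, and runs the "postfix reload" Wietse describes only when the table actually changed. GENERATOR, DEST and RELOAD_CMD are assumed defaults taken from the quoted crontab, and the `--run` switch and script name are hypothetical.

```shell
#!/bin/sh
# Added example (not gwhitelist.sh itself). GENERATOR, DEST and RELOAD_CMD
# are assumed defaults taken from the crontab line quoted in the thread.
GENERATOR=${GENERATOR:-/usr/local/bin/gwhitelist.sh}
DEST=${DEST:-/etc/postfix/gmail_whitelist.cidr}
RELOAD_CMD=${RELOAD_CMD:-postfix reload}

# Succeed only if the file holds at least one entry and every line that is
# not blank or a comment has the form "<network>/<prefix> permit".
valid_table() {
    awk '
        /^[ \t]*(#|$)/ { next }
        NF == 2 && $2 == "permit" &&
          ($1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ ||
           $1 ~ /^[0-9A-Fa-f]*:[0-9A-Fa-f:]*\/[0-9]+$/) { n++; next }
        { bad = 1 }
        END { if (bad || n == 0) exit 1 }
    ' "$1"
}

# Generate into a temp file next to DEST, validate, then replace DEST with an
# atomic rename only when the content changed. Prints "updated", "unchanged"
# or "rejected"; Postfix is reloaded only after an update.
refresh_whitelist() {
    tmp=$(mktemp "${DEST}.XXXXXX") || return 1
    if ! "$GENERATOR" > "$tmp" || ! valid_table "$tmp"; then
        rm -f "$tmp"; echo rejected; return 1   # old table stays in place
    fi
    if [ -f "$DEST" ] && cmp -s "$tmp" "$DEST"; then
        rm -f "$tmp"; echo unchanged; return 0  # no reload needed
    fi
    chmod 644 "$tmp" && mv -f "$tmp" "$DEST" || { rm -f "$tmp"; return 1; }
    $RELOAD_CMD >/dev/null 2>&1 || return 1
    echo updated
}

# Run only when invoked as: refresh.sh --run (hypothetical script name)
if [ "${1:-}" = "--run" ]; then refresh_whitelist; fi
```

The validation is syntactic only: it rejects empty or garbled output but does not confirm that the networks still belong to Google.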