A non-stop wave of distributed SMTP auth attacks on my server prompted me to ban non-specified IPs from connecting to SMTP on my server and sending mail through it. Very effective. (instructions: http://sysadmintips.in/advanced/csf/exim)
However, I now cannot use Google Mail (Gmail) to 'Send Mail As' for new accounts without either enabling two-factor authentication (which is a pain as I'm setting this up remotely for my clients) or switching SMTP auth back on on my server.
My other option would be to whitelist Google Mail's IP addresses.
A Google search turned up this way of retrieving the current Google IP ranges, using something along these lines (which I've copied from this page: https://support.google.com/a/answer/60764?hl=en):
nslookup -q=TXT _spf.google.com 8.8.8.8
This returns a list of the domains included in Google's SPF record, such as: _netblocks.google.com, _netblocks2.google.com, _netblocks3.google.com
Now look up the DNS records associated with those domains, one at a time, like so:
nslookup -q=TXT _netblocks.google.com 8.8.8.8
nslookup -q=TXT _netblocks2.google.com 8.8.8.8
nslookup -q=TXT _netblocks3.google.com 8.8.8.8
The results of these commands contain the current range of addresses.
Can I use the output of these to generate useful content for /etc/csf/csf.smtpauth ?
I can code something to do this in PHP and run it as a cron task as root, but what format is acceptable? Does csf.smtpauth accept IP range declarations? Does it cope OK with IPv6 addresses?
After any change I'll also need to force a restart of csf and lfd automatically so the new IPs are in use. Is that possible from PHP running as root?
Thanks!
Solved.
I've coded up the following PHP, which queries Google's SPF records and then, only if required, replaces the existing SMTP Auth block with a new one. It then creates a file which is used as a flag for a bash script to restart the firewall.
Note that /etc/csf/csf.smtpauth accepts IPv4 and IPv6 addresses and CIDR address ranges.
Then create a CRON task to run this shell script shortly after and each time the above is run:
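The PHP script and the restart shell script are not reproduced on this page. The following is an added example, not the poster's code, showing the same procedure in Python: walk the SPF include chain starting at _spf.google.com, collect every ip4:/ip6: mechanism, emit them as one marker-delimited block for /etc/csf/csf.smtpauth, and rewrite the file (and drop a flag file) only when the block actually changed. The TXT records embedded below are constructed samples shaped like Google's real _spf.google.com / _netblocks*.google.com records so the script runs offline; the marker comments, the flag-file path and the optional dig-based resolver are assumptions for illustration, not anything csf or Google defines.

```python
"""Expand an SPF include chain into a csf.smtpauth block (added example, not the post's PHP)."""
import ipaddress
import os
import re
import subprocess
from typing import Callable, Dict, List, Optional, Set

# Constructed sample zone: same shape as Google's records, sample addresses only.
SAMPLE_TXT: Dict[str, List[str]] = {
    "_spf.google.com": ["v=spf1 include:_netblocks.google.com include:_netblocks2.google.com "
                        "include:_netblocks3.google.com ~all"],
    "_netblocks.google.com": ["v=spf1 ip4:35.190.247.0/24 ip4:64.233.160.0/19 ip4:66.102.0.0/20 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip6:2001:4860:4000::/36 ip6:2404:6800:4000::/36 ~all"],
    "_netblocks3.google.com": ["v=spf1 ip4:172.217.0.0/19 ip4:172.217.32.0/20 ~all"],
}

Resolver = Callable[[str], List[str]]  # name -> list of TXT strings


def fake_resolver(name: str) -> List[str]:
    """Offline resolver over the constructed sample zone."""
    return SAMPLE_TXT.get(name, [])


def dig_resolver(name: str) -> List[str]:
    """Live resolver (assumption: `dig` is installed). Joins split quoted strings per record."""
    out = subprocess.run(["dig", "+short", "TXT", name], capture_output=True, text=True, check=True).stdout
    return ["".join(re.findall(r'"([^"]*)"', line)) for line in out.splitlines() if line.strip()]


MECH = re.compile(r"^\+?(include|ip4|ip6):(\S+)$")


def expand_spf(name: str, resolve: Resolver, seen: Optional[Set[str]] = None, depth: int = 0) -> list:
    """Recursively collect ip4:/ip6: networks from an SPF record and its include: targets.
    a/mx/ptr/exists and the trailing ~all are ignored; a loop guard and a depth cap
    (RFC 7208 allows at most 10 DNS-querying terms) keep a malicious or broken chain finite."""
    seen = set() if seen is None else seen
    if name.lower() in seen or depth > 10:
        return []
    seen.add(name.lower())
    nets = []
    for txt in resolve(name):
        if not txt.lower().startswith("v=spf1"):
            continue
        for term in txt.split()[1:]:
            m = MECH.match(term)
            if not m:
                continue
            kind, arg = m.groups()
            if kind == "include":
                nets.extend(expand_spf(arg, resolve, seen, depth + 1))
            else:
                try:
                    nets.append(ipaddress.ip_network(arg, strict=False))  # bare IP becomes /32 or /128
                except ValueError:
                    continue  # skip malformed mechanism rather than poisoning the whitelist
    return nets


def dedupe(nets: list) -> list:
    """Unique networks, IPv4 first, each family in address order (mixed sort would raise TypeError)."""
    return sorted(set(nets), key=lambda n: (n.version, int(n.network_address), n.prefixlen))


BEGIN = "# BEGIN google-spf (auto-generated)"  # assumed marker; csf list files accept # comments
END = "# END google-spf (auto-generated)"


def render_block(nets: list) -> str:
    return "\n".join([BEGIN] + [str(n) for n in dedupe(nets)] + [END]) + "\n"


def replace_block(existing: str, block: str):
    """Return (new_text, changed): swap the marker-delimited block in place, or append it."""
    pat = re.compile(re.escape(BEGIN) + r".*?" + re.escape(END) + r"\n?", re.S)
    if pat.search(existing):
        new = pat.sub(lambda _m: block, existing)
    else:
        sep = "" if (not existing or existing.endswith("\n")) else "\n"
        new = existing + sep + block
    return new, new != existing


def update_file(nets: list, path: str = "/etc/csf/csf.smtpauth",
                flag: str = "/var/run/csf-smtpauth-restart.flag") -> bool:
    """Rewrite csf.smtpauth only if the Google block changed; touch the flag the restart job watches."""
    existing = open(path).read() if os.path.exists(path) else ""
    new, changed = replace_block(existing, render_block(nets))
    if changed:
        tmp = path + ".tmp"
        with open(tmp, "w") as fh:
            fh.write(new)
        os.replace(tmp, path)       # atomic swap so lfd never reads a half-written file
        open(flag, "w").close()     # assumed flag path; the cron'd shell script restarts csf/lfd
    return changed


if __name__ == "__main__":
    print(render_block(expand_spf("_spf.google.com", fake_resolver)), end="")
```

Swapping `fake_resolver` for `dig_resolver` gives the live list; the companion cron job then only needs to check for the flag file and run `csf -ra` (csf's restart-all option, which restarts both csf and lfd) before deleting it. Two caveats: only ip4:/ip6: mechanisms are harvested, so any `a`/`mx` term in a future record would silently be dropped and should fail the run loudly if you depend on it; and whitelisting every Google outbound range means any Gmail or Workspace account can reach SMTP AUTH on the server, so strong per-user passwords and lfd's failure limits still matter.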