Re: Greylisting google's gmail servers
On 12/21/05, Lukas Kubin <[EMAIL PROTECTED]> wrote:
> We have a problem getting mail from gmail through spamd. Google's gmail
> public mail service use a large number of smtp servers. The first time
> gmail tries to contact our smtp, it is being greylisted on our spamd
> server. The problem is the next time it tries to repeat the
> transmission, it appears trying it from different IP and is greylisted
> again. So the mail may get through after a very long time.
> I understand this is not problem of spamd. However, is there any
> solution for accepting mail from gmail? Eg. is there any list of IP
> addresses they are using?

I have had no issues with gmail. What are you starting spamd with?
Perhaps spamd is just removing their servers too soon?

--Bryan
Re: Greylisting google's gmail servers
On Fri, 23 Dec 2005, Moritz Grimm wrote:

> Joseph C. Bender wrote:
>
>>> Instead, I suggest to use a ``no rdr'' line after rdr'ing those in
>>> the blacklists to spamd.
>>
>> Actually, yes, because it makes your filter rulesets easier to parse
>> visually, but you want the "no rdr" *first*. This is the
>> configuration that we are using.
>
> Uh well, to each his own -- in my case, spews1 hasn't caused any false
> positives, yet. When I whitelist someone like Gmail and it shows up in
> SPEWS1 eventually, I really need no more mail from @gmail.com
> accounts. (Personal choice, and according to the SPEWS FAQ I *should*
> be doing well with it.)

Yeah, except when you need to exchange emails with domains on
MCI/UUNET's network, or any of the other collateral damage that is
inflicted due to SPEWS' childish behavior, even on spews1.

> P.S.: Another table with another no rdr line in front with the "I
> really need mail from these guys no matter what"-IPs and netblocks is
> still an option. ;-)

Which is a waste of time. If I'm going to go out of my way to whitelist
an IP, I don't want to do it twice. The fact that I'm putting something
in a list to make sure that no matter what that it can talk to me, I'm
sure as hell going to bypass whatever blacklist it may or may not end up
on.

But you are right, YMMV.

--
Signing off,
Joseph C. Bender <[EMAIL PROTECTED]>
Re: Greylisting google's gmail servers
Joseph C. Bender wrote:

>> Instead, I suggest to use a ``no rdr'' line after rdr'ing those in
>> the blacklists to spamd.
>
> Actually, yes, because it makes your filter rulesets easier to parse
> visually, but you want the "no rdr" *first*. This is the
> configuration that we are using.

Uh well, to each his own -- in my case, spews1 hasn't caused any false
positives, yet. When I whitelist someone like Gmail and it shows up in
SPEWS1 eventually, I really need no more mail from @gmail.com accounts.
(Personal choice, and according to the SPEWS FAQ I *should* be doing
well with it.)

Spam filtering needs to be done individually up to a certain point, so
here we have two suggestions, both legitimate. Those who are following
any of this advice should know/learn what they're doing and then make a
decision (possibly after some testing) according to their needs.

Moritz

P.S.: Another table with another no rdr line in front with the "I really
need mail from these guys no matter what"-IPs and netblocks is still an
option. ;-)
Re: Greylisting google's gmail servers
On Thu, 22 Dec 2005, Moritz Grimm wrote:

>> rdr pass on $EXT_IF inet proto tcp from <spamd-mywhite> to any port 25 -> 127.0.0.1 port smtp  # <== add this line
>> rdr pass on $EXT_IF inet proto tcp from <spamd> to any port 25 -> 127.0.0.1 port 8025
>> rdr pass on $EXT_IF inet proto tcp from !<spamd-white> to any port smtp -> 127.0.0.1 port 8025
>
> Instead, I suggest to use a ``no rdr'' line after rdr'ing those in the
> blacklists to spamd.

Actually, yes, because it makes your filter rulesets easier to parse
visually, but you want the "no rdr" *first*. This is the configuration
that we are using.

From pf.conf(8):

"For each packet processed by the translator, the translation rules are
evaluated in sequential order, from first to last. The first matching
rule decides what action is taken."

This also gets you the added bonus of being able to whitelist something
that has ended up in <spamd> that shouldn't be there due to parts of a
RBL being excessively lame, like spews1, for example.

--
Signing off,
Joseph C. Bender <[EMAIL PROTECTED]>

"Does the government fear us? Or do we fear the government? When the
people fear the government, tyranny has found victory. The federal
government is our servant, not our master."
---Thomas Jefferson
Re: Greylisting google's gmail servers
Nick Ryan wrote:

>> We have a problem getting mail from gmail through spamd. Google's
>> gmail public mail service use a large number of smtp servers. The
>> first time

In addition to that, they also appear to be retrying either too fast or
too slow ... *sigh*

> rdr pass on $EXT_IF inet proto tcp from <spamd-mywhite> to any port 25 -> 127.0.0.1 port smtp  # <== add this line
> rdr pass on $EXT_IF inet proto tcp from <spamd> to any port 25 -> 127.0.0.1 port 8025
> rdr pass on $EXT_IF inet proto tcp from !<spamd-white> to any port smtp -> 127.0.0.1 port 8025

Instead, I suggest to use a ``no rdr'' line after rdr'ing those in the
blacklists to spamd.

> /root/whitelist.txt:
> 216.239.32.0/19 #gmail servers

From my point of view on the Internet, gmail uses uproxy.gmail.com to
send mail ... which happens to be in a different network than this (it's
all IPs of 66.249.92.192/28, i.e. from their 66.249.64.0/19 netblock.)

Moritz
Re: Greylisting google's gmail servers
> I don't make any exceptions. I tell users sending me email to
> repeatedly submit the message or contact the relevant support staff to
> fix their servers. Obviously this is never going to cause Yahoo and
> Google to change their email strategy... But I relish the challenge.
> I'm a purist at heart. And I likely didn't want that email anyway.

Nothing is wrong with their email strategy though. I've been greylisting
for months and gmail works great. No delays at all. Except for that
first email I sent as a test.

--Bryan
Re: Greylisting google's gmail servers
On 21/12/05, Jim Razmus <[EMAIL PROTECTED]> wrote:
> * Lukas Kubin <[EMAIL PROTECTED]> [051221 05:59]:
> > We have a problem getting mail from gmail through spamd. Google's gmail
> > public mail service use a large number of smtp servers. The first time
> > gmail tries to contact our smtp, it is being greylisted on our spamd
> > server. The problem is the next time it tries to repeat the
> > transmission, it appears trying it from different IP and is greylisted
> > again. So the mail may get through after a very long time.
> > I understand this is not problem of spamd. However, is there any
> > solution for accepting mail from gmail? Eg. is there any list of IP
> > addresses they are using?
> > Thank you.
> >
> > Lukas Kubin
>
> I don't make any exceptions. I tell users sending me email to
> repeatedly submit the message or contact the relevant support staff to
> fix their servers. Obviously this is never going to cause Yahoo and
> Google to change their email strategy... But I relish the challenge.
> I'm a purist at heart. And I likely didn't want that email anyway.

What is wrong with gmail servers? If you cannot configure greylisting
correctly, doesn't mean that gmail is broken. :)

Constantine.
Re: Greylisting google's gmail servers
* Lukas Kubin <[EMAIL PROTECTED]> [051221 05:59]:
> We have a problem getting mail from gmail through spamd. Google's gmail
> public mail service use a large number of smtp servers. The first time
> gmail tries to contact our smtp, it is being greylisted on our spamd
> server. The problem is the next time it tries to repeat the
> transmission, it appears trying it from different IP and is greylisted
> again. So the mail may get through after a very long time.
> I understand this is not problem of spamd. However, is there any
> solution for accepting mail from gmail? Eg. is there any list of IP
> addresses they are using?
> Thank you.
>
> Lukas Kubin

I don't make any exceptions. I tell users sending me email to
repeatedly submit the message or contact the relevant support staff to
fix their servers. Obviously this is never going to cause Yahoo and
Google to change their email strategy... But I relish the challenge.
I'm a purist at heart. And I likely didn't want that email anyway.

Rail against the system! ;-)

Jim
Re: Greylisting google's gmail servers
On 12/21/05, Lukas Kubin <[EMAIL PROTECTED]> wrote:
>
> We have a problem getting mail from gmail through spamd. Google's gmail
> public mail service use a large number of smtp servers. The first time
> gmail tries to contact our smtp, it is being greylisted on our spamd
> server. The problem is the next time it tries to repeat the
> transmission, it appears trying it from different IP and is greylisted
> again. So the mail may get through after a very long time.
> I understand this is not problem of spamd. However, is there any
> solution for accepting mail from gmail? Eg. is there any list of IP
> addresses they are using?
> Thank you.
>
> Lukas Kubin
>

If you like a more restrictive whitelist, you want to add just the
outgoing gmail servers. Take a look at the header of any gmail message
and you will see it was received from "some letter"proxy.gmail.com. This
represents a pool of IP addresses, more exactly, a block of 16 IPs.
There is more than just one block. So this is what I added to my white
list:

64.233.162.192/28 # zproxy gmail
64.233.170.192/28 # rproxy gmail
64.233.182.192/28 # nproxy gmail
64.233.183.192/28 # nproxy gmail
64.233.184.192/28 # wproxy gmail
66.249.82.192/28 # xproxy gmail
66.249.92.192/28 # uproxy gmail
216.239.56.240/28 # mproxy gmail

As you can see there are two nproxy. "dig nproxy.gmail.com" reports just
the first one, so keep your eyes on the spamd's log file... They may add
new ones (xproxy and uproxy were added recently).
Re: Greylisting google's gmail servers
> /root/whitelist.txt:
> 216.239.32.0/19 #gmail servers

I just allowed all the announcements I saw from their AS for now.

64.233.160/19
66.102/20
66.249.64/19
72.14.192/19
72.14.224/20
216.239.32/19

Unless you run a site with enough users that they stay whitelisted
anyway, the larger shared-spool mail systems can be something of a
problem, so it's worth keeping an eye on 'spamdb|grep GREY'.

> It's a bit of an extreme allowance really... www.dnsstuff.com is good for
> looking up allocated IP ranges by the way.

Find the relevant AS, use a looking-glass or route-views if you don't
have your own router to pull it from. In cizcoeee that's
"sh ip bgp reg _15169$".

> If you make a change to the whitelist file, update the table with:
> pfctl -t spamd-mywhite -T add -f /root/white.txt

-Tr (rather than -Ta) covers deletions too. Add -v to get feedback.
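An added example, not part of any post in this thread: the 'spamdb|grep GREY' check suggested above, turned into a filter that reports envelope pairs greylisted from two or more addresses in one /24, which is the trace a rotating sender pool leaves. The sample lines are constructed, the /24 grouping is an assumption of this example, and the GREY layout assumed is the spamdb(8) one with the sender and recipient as the seventh and sixth fields from the end.

```shell
#!/bin/sh
# Constructed sample of `spamdb` output (documentation address ranges,
# made-up timestamps). Real input would be: spamdb | pool_candidates
sample_spamdb() {
cat <<'EOF'
WHITE|192.0.2.10|||1135160000|1135163600|1138270000|3|1
GREY|198.51.100.193|mx1.example.net|<alice@example.net>|<bob@example.org>|1135161000|1135162500|1135175400|1|0
GREY|198.51.100.197|mx2.example.net|<alice@example.net>|<bob@example.org>|1135161900|1135163400|1135176300|1|0
GREY|198.51.100.201|mx3.example.net|<alice@example.net>|<bob@example.org>|1135162800|1135164300|1135177200|1|0
GREY|198.51.100.201|mx3.example.net|<alice@example.net>|<bob@example.org>|1135163700|1135165200|1135178100|1|0
GREY|203.0.113.7|host.example.com|<carol@example.com>|<bob@example.org>|1135161500|1135163000|1135175900|2|0
TRAPPED|203.0.113.99|1135250000
EOF
}

# Reads spamdb output on stdin and prints "count from to net/24" for each
# (from, to) pair that is greylisted from 2+ distinct IPs in the same /24.
# Fields are counted from the end of the line, so the older GREY layout
# without a HELO column parses the same way.
pool_candidates() {
    awk -F'|' '
    $1 == "GREY" && NF >= 9 {
        ip = $2; to = $(NF-5); from = $(NF-6)
        split(ip, o, ".")
        net = o[1] "." o[2] "." o[3] ".0/24"
        key = from SUBSEP to SUBSEP net
        # count each source IP once per (from, to, net) key
        if (!((key, ip) in seen)) { seen[key, ip] = 1; n[key]++ }
    }
    END {
        for (k in n) if (n[k] >= 2) {
            split(k, p, SUBSEP)
            printf "%d %s %s %s\n", n[k], p[1], p[2], p[3]
        }
    }' | sort
}

# Stand-alone run on the constructed sample.
sample_spamdb | pool_candidates
```

A reported /24 is only a candidate: confirm who owns the block before adding anything to the whitelist table.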
Re: Greylisting google's gmail servers
> We have a problem getting mail from gmail through spamd. Google's gmail
> public mail service use a large number of smtp servers. The first time
> gmail tries to contact our smtp, it is being greylisted on our spamd
> server. The problem is the next time it tries to repeat the
> transmission, it appears trying it from different IP and is greylisted
> again. So the mail may get through after a very long time.
> I understand this is not problem of spamd. However, is there any
> solution for accepting mail from gmail? Eg. is there any list of IP
> addresses they are using?
> Thank you.
>
> Lukas Kubin
>

What I do is have a separate whitelist file that has exceptions in it
for spamd. Add these two rules to your pf.conf and add a line to the
whitelist.txt file that has the IP range of Google's servers in it.

pf.conf snippet:

table <spamd> persist
table <spamd-white> persist
table <spamd-mywhite> persist file "/root/white.txt"  # <== add this line
rdr pass on $EXT_IF inet proto tcp from <spamd-mywhite> to any port 25 -> 127.0.0.1 port smtp  # <== add this line
rdr pass on $EXT_IF inet proto tcp from <spamd> to any port 25 -> 127.0.0.1 port 8025
rdr pass on $EXT_IF inet proto tcp from !<spamd-white> to any port smtp -> 127.0.0.1 port 8025

/root/whitelist.txt:

216.239.32.0/19 #gmail servers

It's a bit of an extreme allowance really... www.dnsstuff.com is good
for looking up allocated IP ranges by the way.

You should probably have the whitelist somewhere better than the root
homedir although it works for me though as I only want root to access
and update it.

If you make a change to the whitelist file, update the table with:

pfctl -t spamd-mywhite -T add -f /root/white.txt

Cheers - Nick
Re: Greylisting google's gmail servers
Thus Lukas Kubin <[EMAIL PROTECTED]> spake on Wed, 21 Dec 2005 11:55:30 +0100:

> We have a problem getting mail from gmail through spamd. Google's
> gmail public mail service use a large number of smtp servers. The
> first time gmail tries to contact our smtp, it is being greylisted on
> our spamd server. The problem is the next time it tries to repeat the
> transmission, it appears trying it from different IP and is
> greylisted again. So the mail may get through after a very long time.
> I understand this is not problem of spamd. However, is there any
> solution for accepting mail from gmail? Eg. is there any list of IP
> addresses they are using?
> Thank you.
>
> Lukas Kubin

from whois (look at the CIDR):

OrgName:Google Inc.
OrgID: GOGL
Address:1600 Amphitheatre Parkway
City: Mountain View
StateProv: CA
PostalCode: 94043
Country:US

NetRange: 216.239.32.0 - 216.239.63.255
CIDR: 216.239.32.0/19
NetName:GOOGLE
NetHandle: NET-216-239-32-0-1
Parent: NET-216-0-0-0-0
NetType:Direct Allocation
NameServer: NS1.GOOGLE.COM
NameServer: NS2.GOOGLE.COM
NameServer: NS3.GOOGLE.COM
NameServer: NS4.GOOGLE.COM
Comment:
RegDate:2000-11-22
Updated:2001-05-11

RTechHandle: ZG39-ARIN
RTechName: Google Inc.
RTechPhone: +1-650-318-0200
RTechEmail: [EMAIL PROTECTED]

OrgTechHandle: ZG39-ARIN
OrgTechName: Google Inc.
OrgTechPhone: +1-650-318-0200
OrgTechEmail: [EMAIL PROTECTED]

# ARIN WHOIS database, last updated 2005-12-20 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.