Hello guys, when I add smtp.gmail.com to Aliases, I only get one IPv4 and one IPv6 address, which makes it impossible for other systems to send mail when they run into parsing errors.
How can I solve it?
My aliases settings are as follows:
Name: Gmail
Type: Host(s)
Content: smtp.gmail.com
Description: Gmail
Thanks for your help.
1. I do not understand your problem, because smtp.gmail.com only HAS one IPv4 and one IPv6 - depending on who asks. The mechanism is called split-horizon DNS.
For some services, like Google DNS, they use anycast IPs which are routed to a real server near the client.
In both cases, there is no need for DNS round robin or similar mechanisms.
2. You did not explain what you are trying to accomplish or at least I do not get it. How is the alias used? Why do "other systems" need more than one IP?
Hello, I created a new VLAN and set it to deny all, but some IoT devices still have to send alert mail through smtp.gmail.com, so I want to add a record in Aliases. However, the record only captures 1 v4 and 1 v6 address and will not create an IP list, so some IPs encountered when resolving smtp.gmail.com are not covered and the devices are unable to send mail.
(https://upload.cc/i1/2023/08/29/5VtKhY.png)
(https://upload.cc/i1/2023/08/29/XEaJcn.png)
(https://upload.cc/i1/2023/08/29/zv6npk.png)
Thanks for your help.
Something does not add up here. Your shown alias is "Gmail", whereas the firewall rule uses Gmail_SMTP.
Also, in/out rules are seldom useful. The rules shown apply only to IPv4. Since IPv6 (if available) is resolved first, those rules would not allow access to smtp.gmail.com.
Other than that, there is no problem with your approach - nor with the fact that there is only one IP of either kind - UNLESS the DNS server of your OpnSense is not the same as the one your VLAN clients use. In the latter case, because of split-horizon DNS, it could be that smtp.gmail.com does not resolve to the same IPs on your clients as on your OpnSense. You should make sure that all of your devices use the same DNS server.
Sorry for the confusion.
"Gmail" was created by me to show that Aliases only get 1 IP.
The alias actually applied by the firewall is Gmail_SMTP.
As for the DNS part you mentioned, I use 8.8.8.8 on each interface for resolution, but because the IP of smtp.gmail.com changes all the time, the IoT device ends up using an IP that is not in the alias to send mail, so it fails.
(https://upload.cc/i1/2023/08/30/oTZUPL.png)
Thank you very much for your help, I will look for related articles on the forum.
Once again - there IS only one IP for Gmail - or at least there SHOULD be. I doubt that it will deliberately change. Also, firewall aliases are updated once in a while in case an IP changes. I think there is also a cronjob to update the aliases.
However, guessing from your firewall rules, I assume that you want your VLAN clients to be able to do nothing but resolve DNS, send mail and get NTP.
There are two things to consider here:
1. If you want to restrict them to use Google services, you could use another alias type, namely ASN aliases. Google has AS15169.
2. You did not restrict ports yet. SMTP/SUBMISSION are 25 and 587 respectively.
Thus, if you specify a TCP "in" rule using a port alias with 25 and 587 plus an ASN alias, you should catch all potential Gmail IPs but avoid "phoning home" of your VLAN clients at the same time.
There are more IPs for Google's SMTP, and the alias system in OPNsense is not quite suited for it.
Use a mail proxy or the suggested AS method.
;; ANSWER SECTION:
smtp.google.com. 300 IN A 142.250.147.27
smtp.google.com. 300 IN A 142.251.9.27
smtp.google.com. 300 IN A 142.251.9.26
smtp.google.com. 300 IN A 142.250.147.26
The DNS domain is smtp.gmail.com, not smtp.google.com. And that usually has only one IP, depending on the region you are coming from.
However, a mail proxy is another viable solution, indeed. And you do not need any alias for that, either.
Alternatively, you can define a single IP address in your DNS server, and aliases and routing will then always be the same. The drawback is that the IP could go offline and would need a manual update.
I just added the alias to my firewall and 9 IPs were added.
(https://i.postimg.cc/XXSy7cVB/smtp-alias.png)
If you want to keep your aliases up to date you have to add a cron job with the template command:
"Update and reload firewall aliases"
(https://i.postimg.cc/YCx8Zj3z/smtp-alias2.png)
Aliases renewed automatically every 5 (or 15?) minutes.
Yes, you're right.
;; ANSWER SECTION:
smtp.gmail.com. 300 IN A 142.251.9.109
I would still stick with some layer 7 proxy for several reasons.
Quote from: seed on August 29, 2023, 09:30:55 PM
I just added the alias to my firewall and 9 IPs were added.
Try smtp.gmail.com, not smtp.google.com.
Hi friends, because Aliases still won't update the IP list of smtp.gmail.com, I used a stupid method.
I wrote a cron job to extract each IP and then manually added aliases.
*/3 * * * * ping -c 1 smtp.gmail.com | grep data. >> IP.txt
(https://upload.cc/i1/2023/08/30/CcvlfT.png)
Aliases are built for a common use case, and Gmail's outgoing server is not that.
To be honest, isn't there an external lookup for this sort of thing?
Oh look I googled it and that's a top suggestion:
https://www.sourceonetechnology.com/gmail-ip-address-ranges/
Was this so hard? Now you can fix your leaky host alias to be a proper network alias.
As the article clearly tells, the ranges may change in the future (and actually did since the article was written in 2017). AFAIK, there are no aliases in OpnSense to resolve SPF TXT records, so using an alias is not automatic.
Also, the three SPF netblocks are a subset of Google's AS, for which an OpnSense automatic alias type exists. By limiting access to SMTP and SUBMISSION ports for those IPs, restrictions should be fair enough for this purpose without the need to manually update anything - actually, any Google SMTP server in the future will also reside in AS15169.
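Since the thread notes that OPNsense has no alias type that resolves SPF TXT records, the following is an added example (not from the thread, and not OPNsense code) of what such a resolver has to do: walk the include: chain of an SPF record, collect the ip4:/ip6: netblocks, refuse include loops and the RFC 7208 limit of 10 lookups, and emit one CIDR per line, the plain-text format that an OPNsense "URL Table (IPs)" alias is assumed here to fetch. The record names mirror the shape of Google's published chain (_spf.google.com including _netblocks*.google.com), but the netblocks are constructed RFC 5737 / RFC 3849 documentation ranges, not Google's real addresses; lookup_txt is a stand-in for a live DNS TXT query.

```python
import ipaddress

# Constructed sample zone so the example runs offline. The record NAMES
# follow the shape of Google's SPF chain; the NETBLOCKS are documentation
# ranges (RFC 5737 / RFC 3849), not Google's real addresses.
SAMPLE_TXT = {
    "_spf.google.com": "v=spf1 include:_netblocks.google.com "
                       "include:_netblocks2.google.com "
                       "include:_netblocks3.google.com ~all",
    "_netblocks.google.com": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.0/25 ~all",
    "_netblocks2.google.com": "v=spf1 ip6:2001:db8:10::/48 ip6:2001:db8:20::/48 ~all",
    # Re-includes _netblocks.google.com: the expander must neither loop nor duplicate.
    "_netblocks3.google.com": "v=spf1 ip4:192.0.2.0/24 include:_netblocks.google.com ~all",
}

# RFC 7208 section 4.6.4: at most 10 DNS-querying mechanisms per evaluation.
MAX_LOOKUPS = 10


def lookup_txt(name, zone=SAMPLE_TXT):
    """Stand-in for a DNS TXT query (assumption: one SPF record per name)."""
    return zone.get(name.rstrip(".").lower())


def expand_spf(domain, lookup=lookup_txt, max_lookups=MAX_LOOKUPS):
    """Return the ip4:/ip6: networks reachable from `domain` via include: terms.

    Raises ValueError on a malformed record or when the lookup budget is
    exhausted, LookupError when a name has no record, and NotImplementedError
    for mechanisms (a, mx, ptr, exists, redirect) that need further live DNS,
    so the caller never silently gets an incomplete list.
    """
    nets = set()
    seen = set()          # names already expanded; stops include loops
    pending = [domain.lower()]
    lookups = 0
    while pending:
        name = pending.pop()
        if name in seen:
            continue
        seen.add(name)
        if lookups >= max_lookups:
            raise ValueError(f"more than {max_lookups} SPF lookups from {domain}")
        lookups += 1
        record = lookup(name)
        if record is None:
            raise LookupError(f"no SPF TXT record for {name}")
        terms = record.split()
        if not terms or terms[0].lower() != "v=spf1":
            raise ValueError(f"{name}: not an SPF record: {record!r}")
        for term in terms[1:]:
            term = term.lstrip("+")          # "+" is the default qualifier
            low = term.lower()
            if low.startswith(("ip4:", "ip6:")):
                # strict=False normalises host bits, e.g. 203.0.113.5/24 -> 203.0.113.0/24
                nets.add(ipaddress.ip_network(term[4:], strict=False))
            elif low.startswith("include:"):
                pending.append(low[len("include:"):])
            elif low in ("all", "~all", "-all", "?all") or low.startswith("exp="):
                continue                     # no address information in these
            else:
                raise NotImplementedError(f"{name}: mechanism {term!r} needs live DNS")
    # IPv4 first, then IPv6, each by address; mixed-version networks do not compare directly.
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def alias_table(nets):
    """One CIDR per line: the plain-text list a URL Table (IPs) alias can fetch."""
    return "\n".join(str(n) for n in nets) + "\n"


if __name__ == "__main__":
    print(alias_table(expand_spf("_spf.google.com")), end="")
```

Run against live DNS, lookup_txt would be replaced by a real TXT query and the output served from a small web server that the alias URL points at; the ranges then still go stale only as fast as Google changes its SPF record, which is the same caveat the thread raises for the 2017 article.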
Quote from: meyergru on August 31, 2023, 12:21:00 AM
Also, the three SPF netblocks are a subset of Google's AS, for which an OpnSense automatic alias type exists.
OK, you suggest an Alias based on BGP ASN 15169 (which is Google's AS number), right?
I did exactly that a few posts ago (https://forum.opnsense.org/index.php?topic=35659.msg173446#msg173446).
> As the article clearly tells, the ranges may change in the future (and actually did since the article was written in 2017). AFAIK, there are no aliases in OpnSense to resolve SPF TXT records, so using an alias is not automatic.
True, I did not dispute that. I was referring to the "ping" script that "tries" to build a list of all IP addresses, which fails miserably for the same reason the alias doesn't work.
Cheers,
Framco
Quote from: franco on August 30, 2023, 10:22:32 PM
...
Oh look I googled it and that's a top suggestion:
https://www.sourceonetechnology.com/gmail-ip-address-ranges/
Was this so hard? Now you can fix your leaky host alias to be a proper network alias.
To quote from your link:
Quote: "...as of September 2017 ..."
Still up to date? I doubt it. I would go with the solution proposed by meyergru, the whole Google range with the relevant ports blocked...
Ok. Instead of focusing on a random link from Google I posted that has a viable solution maybe you want to focus on the fact that I never said it's not going to be outdated.
You want me to not post it because someone later said there is a better solution? I think that is the point of progressing this discussion.
No cheers from me for this,
Franco