Topic: Why does Alias add smtp.gmail.com only have one IP? (Read 3379 times)
king039
Newbie
Posts: 4
Karma: 0
Why does Alias add smtp.gmail.com only have one IP?
«
on:
August 29, 2023, 03:54:27 pm »
Hello guys, when I add smtp.gmail.com to Aliases, I can only get one IPv4 and IPv6, which makes it impossible for other systems to send mail when they encounter parsing errors.
How can I solve it?
My aliases settings are as follows:
Name: Gmail
Type: Host(s)
Content: smtp.gmail.com
Description: Gmail
Thanks for your help.
«
Last Edit: August 29, 2023, 04:31:55 pm by king039
»
Logged
meyergru
Hero Member
Posts: 1725
Karma: 170
IT Aficionado
Re: Why does Alias add smtp.gmail.com only have one IP?
«
Reply #1 on:
August 29, 2023, 05:09:09 pm »
1. I do not understand your problem, because smtp.gmail.com only HAS one IPv4 and one IPv6 - depending on who asks. The mechanism is called split-horizon DNS.
For some services, like Google DNS, they use anycast IPs which are being routed to a real server that is near to the client.
In both cases, there is no need for DNS round robin or similar mechanisms.
2. You did not explain what you are trying to accomplish or at least I do not get it. How is the alias used? Why do "other systems" need more than one IP?
«
Last Edit: August 29, 2023, 05:10:52 pm by meyergru
»
Logged
Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005
1100 down / 440 up
,
Bufferbloat A+
king039
Newbie
Posts: 4
Karma: 0
Re: Why does Alias add smtp.gmail.com only have one IP?
«
Reply #2 on:
August 29, 2023, 05:39:29 pm »
Hello, I created a new VLAN and set it to deny all, but some IoT devices still have to send alert mail through smtp.gmail.com, so I want to add a record in Aliases. But the record will only capture 1 v4 and 1 v6 address and will not create an IP list, so the devices run into IPs outside the alias when resolving smtp.gmail.com and are unable to send mail.
Thanks for your help.
Logged
meyergru
Hero Member
Posts: 1725
Karma: 170
IT Aficionado
Re: Why does Alias add smtp.gmail.com only have one IP?
«
Reply #3 on:
August 29, 2023, 05:56:36 pm »
Something does not add up here. Your shown alias is "Gmail", whereas the firewall rule uses Gmail_SMTP.
Also, in/out rules are seldom useful. The rules shown apply only to IPv4. Since IPv6 (if available) is being resolved first, those rules would not allow access to smtp.gmail.com.
Other than that, there is no problem with your approach - nor with the fact that there is only one IP of either kind - UNLESS the DNS server of your OpnSense is not the same as the one your VLAN clients use. In the latter case, because of split-horizon DNS, it could be that smtp.gmail.com does not resolve to the same IPs on your clients as on your OpnSense. You should make sure that all of your devices use the same DNS server.
Logged
king039
Newbie
Posts: 4
Karma: 0
Re: Why does Alias add smtp.gmail.com only have one IP?
«
Reply #4 on:
August 29, 2023, 06:20:45 pm »
Sorry for the confusion.
"Gmail" was created by me to show that Aliases can only get 1 IP.
The alias actually applied by the firewall is Gmail_SMTP.
The DNS part you mentioned, I use 8.8.8.8 for each interface to resolve, but because the IP of smtp.gmail.com changes at any time, it causes the IoT device to use the unresolved IP to send mail, so it fails.
Thank you very much for your help, I will look for related articles on the forum.
Logged
meyergru
Hero Member
Posts: 1725
Karma: 170
IT Aficionado
Re: Why does Alias add smtp.gmail.com only have one IP?
«
Reply #5 on:
August 29, 2023, 07:25:02 pm »
Once again - there IS only one IP for Gmail - or at least it SHOULD. I doubt that it will deliberately change. Also, firewall aliases are updated once in a while in case an IP changes. I think there is also a cronjob to update the aliases.
However, guessing from your firewall rules, I assume that you want your VLAN clients not to be able to do anything other than resolve DNS, send mail and get NTP.
There are two things to consider here:
1. If you want to restrict them to use Google services, you could use another alias type, namely ASN aliases. Google has AS15169.
2. You did not restrict ports yet. SMTP/SUBMISSION are 25 and 587 respectively.
Thus, if you specify a TCP "in" rule using a port alias with 35 and 587 plus an ASN alias, you should catch all potential Gmail IPs but avoid "phoning home" of your VLAN clients at the same time.
«
Last Edit: August 29, 2023, 07:30:19 pm by meyergru
»
Logged
Saarbremer
Sr. Member
Posts: 353
Karma: 14
Re: Why does Alias add smtp.gmail.com only have one IP?
«
Reply #6 on:
August 29, 2023, 07:39:14 pm »
There are more IPs to Google's SMTP, and the alias system in OPNsense is not quite well suited for it.
Use a mail proxy or the suggested AS method.
;; ANSWER SECTION:
smtp.google.com. 300 IN A 142.250.147.27
smtp.google.com. 300 IN A 142.251.9.27
smtp.google.com. 300 IN A 142.251.9.26
smtp.google.com. 300 IN A 142.250.147.26
Logged
meyergru
Hero Member
Posts: 1725
Karma: 170
IT Aficionado
Re: Why does Alias add smtp.gmail.com only have one IP?
«
Reply #7 on:
August 29, 2023, 09:17:36 pm »
The DNS domain is smtp.gmail.com, not smtp.google.com. And that usually has only one IP, dependent on the region you are coming from.
However, a mail proxy is another viable solution, indeed. And you do not need any alias for that, either.
Logged
karlson2k
Full Member
Posts: 114
Karma: 4
Re: Why does Alias add smtp.gmail.com only have one IP?
«
Reply #8 on:
August 29, 2023, 09:22:30 pm »
Alternatively, you can define a single IP address in your DNS server, and aliases and routing will always be the same. The drawback is that the IP could go offline and would need a manual update.
Logged
seed
Full Member
Posts: 174
Karma: 12
Re: Why does Alias add smtp.gmail.com only have one IP?
«
Reply #9 on:
August 29, 2023, 09:30:55 pm »
I just added the alias to my firewall and 9 IPs were added.
If you want to keep your aliases up to date, you have to add a cron job with the template command:
"Update and reload firewall aliases"
Logged
i want all services to run with wirespeed and therefore run this dedicated hardware configuration:
AMD Ryzen 7 9700x
ASUS Pro B650M-CT-CSM
64GB DDR5 ECC (2x KSM56E46BD8KM-32HA)
Intel XL710-BM1
Intel i350-T4
2x SSD with ZFS mirror
PiKVM for remote maintenance
private user, no business use
karlson2k
Full Member
Posts: 114
Karma: 4
Re: Why does Alias add smtp.gmail.com only have one IP?
«
Reply #10 on:
August 29, 2023, 09:36:53 pm »
Aliases are renewed automatically every 5 (or 15?) minutes.
Logged
Saarbremer
Sr. Member
Posts: 353
Karma: 14
Re: Why does Alias add smtp.gmail.com only have one IP?
«
Reply #11 on:
August 29, 2023, 09:55:19 pm »
Yes, you're right.
;; ANSWER SECTION:
smtp.gmail.com. 300 IN A 142.251.9.109
I would still stick with some layer 7 proxy for several reasons.
Logged
meyergru
Hero Member
Posts: 1725
Karma: 170
IT Aficionado
Re: Why does Alias add smtp.gmail.com only have one IP?
«
Reply #12 on:
August 29, 2023, 10:19:57 pm »
Quote from: seed on August 29, 2023, 09:30:55 pm
I just added the alias to my firewall and 9 IPs were added.
Try smtp.gmail.com, not smtp.google.com.
Logged
king039
Newbie
Posts: 4
Karma: 0
Re: Why does Alias add smtp.gmail.com only have one IP?
«
Reply #13 on:
August 30, 2023, 04:13:55 pm »
Hi friends, because Aliases still won't update the IP list of smtp.gmail.com, I used a stupid method.
I wrote a cron to extract each IP and then manually added aliases.
*/3 * * * * ping -c 1 smtp.gmail.com | grep data. >> IP.txt
«
Last Edit: August 30, 2023, 04:23:18 pm by king039
»
Logged
franco
Administrator
Hero Member
Posts: 17672
Karma: 1613
Re: Why does Alias add smtp.gmail.com only have one IP?
«
Reply #14 on:
August 30, 2023, 10:22:32 pm »
Alias is built for a common use case and gmail outgoing server is not that.
To be honest, isn't there an external lookup for this sort of thing?
Oh look I googled it and that's a top suggestion:
https://www.sourceonetechnology.com/gmail-ip-address-ranges/
Was this so hard? Now you can fix your leaky host alias to be a proper network alias.
Logged
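The thread's core problem is that a host alias holds only the address the firewall resolved, while clients may be handed other addresses. The following added example (not code from any poster or from OPNsense) parses a ping log like the one the cron job above writes and reports which observed addresses a given alias content would allow or block. The log lines, the host-alias snapshot and the network ranges are constructed from documentation address space, not real Gmail data.

```python
import ipaddress
import re

# Constructed sample of an IP.txt log as a cron job like the one in the thread
# would write it. Addresses are RFC 5737 documentation ranges, not Gmail servers.
SAMPLE_LOG = """\
PING smtp.gmail.com (192.0.2.109): 56 data bytes
PING smtp.gmail.com (192.0.2.108): 56 data bytes
PING smtp.gmail.com (198.51.100.27) 56(84) bytes of data.
PING smtp.gmail.com (192.0.2.109): 56 data bytes
"""

# Assumed alias contents for the comparison (placeholders, not published ranges).
HOST_ALIAS_SNAPSHOT = ["192.0.2.109"]                # what one DNS lookup returned
NETWORK_ALIAS = ["192.0.2.0/24", "198.51.100.0/24"]  # provider ranges as networks

_ADDR = re.compile(r"\(([0-9A-Fa-f:.]+)\)")


def observed_addresses(log_text):
    """Return the unique addresses found in the ping log, sorted."""
    seen = set()
    for line in log_text.splitlines():
        match = _ADDR.search(line)  # first parenthesised token is the address
        if not match:
            continue
        try:
            seen.add(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # parenthesised text that is not an IP address
    # Sort by (version, value) so mixed IPv4/IPv6 input does not raise.
    return sorted(seen, key=lambda a: (a.version, int(a)))


def alias_coverage(addresses, alias_entries):
    """Split addresses into (allowed, blocked) for the given alias content."""
    nets = [ipaddress.ip_network(entry, strict=False) for entry in alias_entries]
    allowed = [a for a in addresses if any(a in n for n in nets)]
    blocked = [a for a in addresses if a not in allowed]
    return allowed, blocked


if __name__ == "__main__":
    addrs = observed_addresses(SAMPLE_LOG)
    for name, content in (("host alias", HOST_ALIAS_SNAPSHOT),
                          ("network alias", NETWORK_ALIAS)):
        allowed, blocked = alias_coverage(addrs, content)
        print(f"{name}: allowed={[str(a) for a in allowed]} "
              f"blocked={[str(a) for a in blocked]}")
```

Any address that shows up as blocked for the host alias is one a client could be handed by DNS while the firewall rule still drops the connection.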