SMTPAUTH_RESTRICT and GOOGLEMAIL GMAIL Send As

HostBob
Junior Member
Posts: 53
Joined: 20 Feb 2013, 18:34

SMTPAUTH_RESTRICT and GOOGLEMAIL GMAIL Send As

Post by HostBob »

Due to a lot of distributed SMTP auth attacks I used the advanced EXIM editor as outlined in the readme.txt file for CSF/LFD. Worked like a charm, thank you!

But now Google has decided if you wish to 'send mail as' another address than the Google account's own - you have to provide Google direct SMTP access to your server.

But Google's IPs for sending SMTP are variable and ever changing so I can't manually add them to:

CSF's modified /etc/csf/csf.smtpauth

Is there an easy way around this?

TY!
HostBob
Junior Member
Posts: 53
Joined: 20 Feb 2013, 18:34

Re: SMTPAUTH_RESTRICT and GOOGLEMAIL GMAIL Send As

Post by HostBob »

Google searching discovered this way to retrieve the _current_ Google IP ranges:
nslookup -q=TXT _spf.google.com 8.8.8.8
This returns a list of the domains included in Google's SPF record, such as:
_netblocks.google.com, _netblocks2.google.com, _netblocks3.google.com

Now look up the DNS records associated with those domains, one at a time, like so:

nslookup -q=TXT _netblocks.google.com 8.8.8.8
nslookup -q=TXT _netblocks2.google.com 8.8.8.8
nslookup -q=TXT _netblocks3.google.com 8.8.8.8
The results of these commands contain the current range of addresses.
Can I use the output of these to generate useful content for /etc/csf/csf.smtpauth?

I can code something to do this in PHP and run it as a cron task as root, but what format is acceptable? Does csf.smtpauth accept IP range declarations? Does it cope OK with IPv6 IPs?

After any change I'll also need to force a restart of csf and lfd automatically so the new IPs are in use. Is that possible from PHP running as root?

Thanks!
ForumAdmin
Moderator
Posts: 1523
Joined: 01 Oct 2008, 09:24

Re: SMTPAUTH_RESTRICT and GOOGLEMAIL GMAIL Send As

Post by ForumAdmin »

You can use IPv4 and IPv6 IP addresses and CIDRs in csf.smtpauth. You do have to restart csf and then lfd after changing that file.
HostBob
Junior Member
Posts: 53
Joined: 20 Feb 2013, 18:34

Re: SMTPAUTH_RESTRICT and GOOGLEMAIL GMAIL Send As

Post by HostBob »

Excellent, tried it, it works! Thank you.

But to make it fully automatic I will need to automate the restart. Do you know of a way in PHP to initiate a restart of CSF and LFD without resorting to PHP commands 'system' or 'exec' which are disabled on my server?

I could simply set up a cron task to run a shell command to restart them shortly after the scheduled runtime of the script which is updating the IPs but it'd be neater if it was all in one PHP script.

If I have to run a shell command, could you advise what that would be?

TY!
HostBob
Junior Member
Posts: 53
Joined: 20 Feb 2013, 18:34

Re: SMTPAUTH_RESTRICT and GOOGLEMAIL GMAIL Send As

Post by HostBob »

I've coded up a PHP cron task now to grab the SPF records, compare with existing records in the csf.smtpauth file and update only if needed - and email me if so, so that I can manually cause a restart.

Code I've written for this is available here, feel free to use it:
http://www.aetherweb.co.uk/block-distri ... ia-server/

Just need to find a nice way to automate the restart of the firewall as required.
HostBob
Junior Member
Posts: 53
Joined: 20 Feb 2013, 18:34

Re: SMTPAUTH_RESTRICT and GOOGLEMAIL GMAIL Send As

Post by HostBob »

For the moment I've solved this by using PHP to create a file if a change has occurred.

One minute after the PHP runs (by CRON) another cron task runs. If the file exists it restarts CSF and LFD with:

csf -r
/etc/init.d/lfd restart

And then deletes the trigger file.
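
Added example, not part of the thread and not HostBob's script: a POSIX shell version of the approach described across these posts (walk the include: entries of _spf.google.com, append any new ip4/ip6 ranges to csf.smtpauth, then restart csf and lfd only if something changed). It assumes dig is installed; the function names and the --apply switch are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes dig is available.

# Shape checks only: any other text in a TXT answer is dropped, never written.
V4='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
V6='^[0-9A-Fa-f]*:[0-9A-Fa-f:]*(/[0-9]{1,3})?$'

# Resolver hook (name is this example's own): print the TXT data for one name.
lookup_txt() { dig +short TXT "$1" @8.8.8.8 </dev/null | tr -d '"'; }

# Follow include: mechanisms from $1 and print every valid ip4:/ip6: range.
spf_cidrs() {
    [ "${2:-0}" -gt 5 ] && return 0     # stop on include loops
    lookup_txt "$1" | tr -s ' \t' '\n' | while read -r word || [ -n "$word" ]; do
        case $word in
            ip4:*) printf '%s\n' "${word#ip4:}" | grep -E "$V4" || true ;;
            ip6:*) printf '%s\n' "${word#ip6:}" | grep -E "$V6" || true ;;
            include:*) spf_cidrs "${word#include:}" $(( ${2:-0} + 1 )) ;;
        esac
    done
}

# Append ranges missing from file $1; return 0 only when something was added.
update_smtpauth() {
    added=1
    for cidr in $(spf_cidrs _spf.google.com | sort -u); do
        grep -qxF -- "$cidr" "$1" 2>/dev/null && continue
        printf '%s\n' "$cidr" >> "$1"
        added=0
    done
    return "$added"
}

# Cron entry point (run as root): restart csf, then lfd, only after a change.
if [ "${1:-}" = "--apply" ]; then
    if update_smtpauth /etc/csf/csf.smtpauth; then
        csf -r
        /etc/init.d/lfd restart
    fi
fi
```

Ranges are only ever added, so a range that Google later withdraws stays in the file until it is pruned by hand.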