If your server uses Google Workspace (formerly G Suite) to handle email, and your server's firewall blocks SMTP ports for public traffic, you will need to whitelist Google's IP address ranges for outbound SMTP so that Google can send email properly.
This program is written in Bash. It automates retrieving Google's IP address ranges, updating them daily, and whitelisting them in the firewall configuration.
- Linux Server.
- SSH access with root/sudo privileges.
- Bash Shell.
- ConfigServer (CSF) Firewall.
Note: This program has been implemented and tested on CentOS servers and ConfigServer (CSF) firewall. It should work with all other Linux distributions. However, the program is configured to work according to ConfigServer (CSF) firewall rules and it is not guaranteed to work with other firewall software.
The program consists of four (4) Bash scripts that run in sequence. It retrieves Google's IPs and exports them to a text file; then, using Bash text manipulation, it appends the SMTP ports to the retrieved IP address ranges, formats them according to the firewall's rule syntax, and exports the final IPs to another text file, which is included in the firewall configuration file for whitelisting.
- google.sh - Retrieves Google IP address ranges and exports them to results.txt file.
- appendport25.sh - Gets IPs from results.txt, formats them and appends port 25, then exports them to port25.txt.
- appendport465.sh - Gets IPs from results.txt, formats them and appends port 465, then exports them to port465.txt.
- tofinalgoogleips.sh - Combines the results from port25.txt and port465.txt and exports them to finalgoogleips.txt.
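The validate-then-format step of this pipeline, as an added example (not one of the repository's four scripts): lines that are not well-formed IPv4 ranges, such as error text captured by the `2>&1` redirect in the first cron entry, are rejected before they can reach a file that csf.allow includes. Assumptions: CSF's advanced allow filter form `tcp|out|d=PORT|d=IP` for the output, IPv4 only, and the names `is_ipv4_cidr`, `to_csf_rules` and `MIN_PREFIX`, which are introduced here.

```shell
#!/bin/sh
# Added example, not part of the repository. POSIX sh, runs offline.
MIN_PREFIX=8   # assumption: refuse ranges broader than /8 (e.g. 0.0.0.0/0)

# Succeeds only for a.b.c.d/n with octets 0-255 and MIN_PREFIX <= n <= 32.
is_ipv4_cidr() {
    case "$1" in
        ''|*[!0-9./]*|*/*/*|*./*) return 1 ;;  # stray chars, two slashes, "1.2.3.4./8"
        */*) ;;
        *) return 1 ;;                          # no prefix length at all
    esac
    addr=${1%/*} len=${1#*/}
    case "$len" in ''|*.*|???*) return 1 ;; esac
    [ "$len" -ge "$MIN_PREFIX" ] && [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs   # split address on dots
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|????*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# Reads candidate lines on stdin, prints one rule per SMTP port on stdout and
# rejects on stderr. Fails when no line was valid, so a caller never replaces
# a working allow list with an empty one.
to_csf_rules() {
    ok=0
    while IFS= read -r line; do
        if is_ipv4_cidr "$line"; then
            for port in 25 465; do
                printf 'tcp|out|d=%s|d=%s\n' "$port" "$line"
            done
            ok=$((ok + 1))
        else
            printf 'rejected: %s\n' "$line" >&2
        fi
    done
    [ "$ok" -gt 0 ]
}

# Constructed sample input: two documentation ranges plus the kind of junk
# that ends up in results.txt when stderr is redirected into it.
sample='192.0.2.0/24
lookup failed: connection timed out
198.51.100.0/24
0.0.0.0/0
203.0.113.300/24'

printf '%s\n' "$sample" | to_csf_rules
```

When wiring this into a real update, write the output to a temporary file and move it over finalgoogleips.txt only if `to_csf_rules` succeeds.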
I have included the required files in a single compressed tar.gz file so you can download it directly to your server. I have also included a non-compressed version here.
- Open your SSH client and log in to your server.
- Run the command
mkdir -p /usr/local/customscripts/csfallowgoogle
- Run
cd /usr/local/customscripts/csfallowgoogle
- Run the following command to download the program to your server
wget https://github.com/MinaHafzalla/Google-IP-Address-Ranges-Whitelisting/raw/master/Download/csfallowgoogle.tar.gz
- Uncompress the file by running the command
tar zfvx csfallowgoogle.tar.gz
Now you need to set up cron jobs that tell the server to execute these scripts in sequence at a specific time every day, because the IP address ranges need to be updated daily.
- Run the command
vi /etc/crontab
- Hit the i key on your keyboard to start inserting.
- Copy and paste the following into the crontab file.
25 16 * * * root /bin/bash /usr/local/customscripts/csfallowgoogle/google.sh > /usr/local/customscripts/csfallowgoogle/results.txt 2>&1
26 16 * * * root /bin/bash /usr/local/customscripts/csfallowgoogle/appendport25.sh
27 16 * * * root /bin/bash /usr/local/customscripts/csfallowgoogle/appendport465.sh
28 16 * * * root /bin/bash /usr/local/customscripts/csfallowgoogle/tofinalgoogleips.sh
29 16 * * * root /usr/sbin/csf -r >/dev/null 2>&1
30 16 * * * root /usr/sbin/lfd -r
- Hit the Esc key on your keyboard to exit the editing environment.
- Type :wq and press Enter to save edits and exit the file.
Now we've configured the server to execute the program using cron jobs starting at 4:25pm every day in the server's time zone.
The last thing is to include the file finalgoogleips.txt inside the firewall configuration file so that the firewall opens SMTP communication for the listed IPs.
- Run the command
vi /etc/csf/csf.allow
- Hit the i key on your keyboard to initiate the editing interface.
- Copy and paste the following line:
include /usr/local/customscripts/csfallowgoogle/finalgoogleips.txt
- Press the Esc key on your keyboard.
- Run the command :wq to save and exit.
- Run the command
csf -r
followed by
lfd -r
to restart the firewall.
Congratulations! You are all set now and your server is set to allow Google IP address ranges for SMTP communications.
Please leave a comment or send me an email at minahafzalla@gmail.com if you have any questions.