csf firewall blocking countries - How can I allow outbound connections to email providers
Hello,
My csf firewall has CC_DENY = enabled, blocking countries like China & Russia; however, I am wondering, will that block email providers using servers in CN/RU too? I have users who may have email providers in China/Russia that I need to get delivered to, so how can I allow those?
Hey there! If you are blocking the entire country code, it would block all traffic that the firewall tools detect as coming from that region. You would need to unblock the country code or allow specific IPs in the whitelist if you need to allow access to the mail server.
They won't need access, but I would need to connect to smtp.gmail.com, for example. Is there no easy way other than manually adding each of their IPs to the whitelist? If anyone has a list of all major email providers' IPs, please share.
I guess I'm not sure I understand the situation. I would not expect any of the Gmail servers to get processed through those two countries, as Google is officially blocked in China. Anyone sending messages to your server from Gmail would likely not be going through either of those two countries.
I was just using Gmail SMTP as an example. US is not blocked, but if it was then it would fail just like qq.com seems to be.
You can do a test with a free account from another country.

Create the file /etc/skiprbldomains if it doesn't exist, and include one domain name from a specific country, for example Germany:

    tutanota.de

Rebuild and restart Exim:

    # /scripts/buildeximconf
    # service exim restart

This line should then appear inside /etc/exim.conf:

    domainlist skip_rbl_domains = lsearch;/etc/skiprbldomains

To check whether csf will allow the allowed domain name over the general block of a country, do a test using a free Tutanota.de email account while blocking Germany (DE) in csf. Restart csf with DE blocked, and send one message to your server. Check the incoming IP from tutanota.de with "# tail -f /var/log/exim_mainlog". If you see the message coming in despite the DE country block, also check that the IP truly belongs to a German network with "# whois x.x.x.x". If this works, it should also work for CN blocked with Chinese domain names.
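The log check described in the last reply can be scripted instead of watching "tail -f". The following is an added example, not part of the original thread: it lists which remote IPs actually delivered mail from one sender domain, so each can be checked with whois. It assumes Exim's default main-log layout (date, time, message id, "<=", sender); the names sender_ips and sample_log are hypothetical, and the sample log is constructed using documentation addresses.

```shell
#!/usr/bin/env bash
# Added example: connecting IPs per sender domain from Exim arrival lines.

# sender_ips DOMAIN [LOGFILE|-]  -> prints "IP message_count", sorted
sender_ips() {
    local domain="$1" log="${2:-/var/log/exim_mainlog}"
    awk -v dom="$domain" '
        # Arrival lines: DATE TIME MSGID <= sender@dom H=host (helo) [ip]:port ...
        $4 == "<=" {
            n = split($5, addr, "@")
            # Bounces ("<>") and other domains are ignored
            if (n != 2 || tolower(addr[2]) != tolower(dom)) next
            for (i = 6; i <= NF; i++) {
                # First bare bracketed field is the connecting address;
                # a HELO literal such as ([1.2.3.4]) starts with "(" and is skipped
                if ($i ~ /^\[[0-9A-Fa-f:.]+\](:[0-9]+)?$/) {
                    ip = $i
                    sub(/^\[/, "", ip); sub(/\].*$/, "", ip)
                    seen[ip]++
                    break
                }
            }
        }
        END { for (ip in seen) print ip, seen[ip] }
    ' "$log" | sort
}

# Constructed sample log lines (not real traffic)
sample_log() {
    cat <<'EOF'
2024-05-01 10:15:02 1s2AbC-0001xY-2Z <= alice@tutanota.de H=mail.example.de [192.0.2.10]:41234 P=esmtps S=2048
2024-05-01 10:15:03 1s2AbC-0001xY-2Z => bob <bob@example.com> R=localuser T=local_delivery
2024-05-01 10:20:11 1s2AbD-0001xZ-3A <= carol@example.org H=(helo.example.org) [198.51.100.7]:50211 P=esmtp S=900
2024-05-01 10:31:40 1s2AbE-0001y0-4B <= dave@Tutanota.DE H=mail.example.de [192.0.2.10]:41300 P=esmtps S=1500
2024-05-01 10:40:00 1s2AbF-0001y1-5C <= erin@tutanota.de H=mx6.example.de [2001:db8::25]:40000 P=esmtps S=700
2024-05-01 10:41:00 1s2AbG-0001y2-6D <= <> R=1s2AbF-0001y1-5C U=mailnull P=local S=600
EOF
}
```

Run it as "sender_ips tutanota.de" on the server after sending the test message; an empty result means no message from that domain reached Exim.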