csf firewall blocking countries - How can I allow outbound connections to email providers

harmonypersechino5348

Well-Known Member
Dec 6, 2020
45
3
8
NA
cPanel Access Level
Website Owner
Hello,

My csf firewall has CC_DENY enabled, blocking countries like China & Russia. However, I am wondering whether that will block email providers using servers in CN/RU too. I have users who may have email providers in China/Russia that I need to deliver to, so how can I allow those?
 

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
16,617
2,624
363
cPanel Access Level
Root Administrator
Hey there! If you are blocking the entire country code, it would block all traffic that the firewall tools detect as coming from that region. You would need to unblock the country code or allow specific IPs in the whitelist if you need to allow access to the mail server.
 

harmonypersechino5348

> Hey there! If you are blocking the entire country code, it would block all traffic that the firewall tools detect as coming from that region. You would need to unblock the country code or allow specific IPs in the whitelist if you need to allow access to the mail server.

They won't need access, but I would need to connect to smtp.gmail.com, for example. Is there no easy way other than manually adding each of their IPs to the whitelist? If anyone has a list of all major email providers' IPs, please share.
 

cPRex

I guess I'm not sure I understand the situation. I would not expect any of the Gmail servers to get processed through those two countries, as Google is officially blocked in China. Anyone sending messages to your server from Gmail would likely not be going through either of those two countries.
 

cPRex

Ah, I see what you mean now. That's the correct behavior then, and you'd have to whitelist the individual IPs. You could also consider whitelisting the hostname of the connection as well, as outlined here:


Please note that cPanel is not affiliated with the CSF tools in any way, as they are completely a third-party product.
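The whitelisting approach discussed in this thread can be kept narrow by allowing only outbound SMTP to the provider addresses that actually fall inside a blocked range. The following is an added example, not part of the original posts and not code from cPanel or the CSF project; the hostnames, addresses, zone CIDRs and port list are constructed assumptions, and the output uses the csf.allow advanced filter syntax (`proto|direction|d=port|d=ip`).

```python
import ipaddress

# Constructed sample data (documentation address ranges, not real provider IPs).
# In practice these would come from resolving the provider's MX/SMTP hostnames.
RESOLVED = {
    "smtp.provider-a.example": ["203.0.113.10", "203.0.113.11"],
    "mx.provider-b.example": ["198.51.100.7", "not-an-ip", "203.0.113.10"],
}
# Constructed stand-in for the CIDR zones a CC_DENY country list expands to.
BLOCKED_ZONES = ["203.0.113.0/24"]
SMTP_PORTS = (25, 465, 587)  # assumption: SMTP, SMTPS and submission


def blocked_addresses(resolved, zones):
    """Return the sorted, de-duplicated addresses that sit inside a blocked zone."""
    nets = [ipaddress.ip_network(z) for z in zones]
    hits = set()
    for addrs in resolved.values():
        for raw in addrs:
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                continue  # skip malformed resolver output instead of emitting a bad rule
            if any(ip.version == n.version and ip in n for n in nets):
                hits.add(ip)
    return sorted(hits, key=lambda ip: (ip.version, int(ip)))


def csf_allow_rules(resolved, zones, ports=SMTP_PORTS):
    """Build csf.allow advanced-filter lines scoped to outbound TCP on mail ports."""
    return [
        f"tcp|out|d={port}|d={ip}"
        for ip in blocked_addresses(resolved, zones)
        for port in ports
    ]


if __name__ == "__main__":
    print("\n".join(csf_allow_rules(RESOLVED, BLOCKED_ZONES)))
```

Provider addresses change over time, so the list has to be regenerated and csf restarted when they do.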
 

Mise

Well-Known Member
May 15, 2011
92
10
58
You can do a test with a free account from another country. Create the file /etc/skiprbldomains if it doesn't exist, and include one domain name from some specific country, for example Germany:
tutanota.de

Rebuild and restart Exim:

# /scripts/buildeximconf
# service exim restart

and this line should appear inside /etc/exim.conf:

domainlist skip_rbl_domains = lsearch;/etc/skiprbldomains


To check whether csf will allow the allowed domain name over the general block of some country, do a test using a free Tutanota.de email account while blocking Germany (DE) in csf.

Restart csf with DE blocked, and send one message to your server. Check the incoming IP from tutanota.de with "# tail -f /var/log/exim_mainlog".
If you see the message is entering despite the DE country block, also check that the IP truly belongs to a German network with "# whois x.x.x.x".

If this works, it should also work for CN blocked with Chinese domain names.