Grant Google access to SMTP on a cPanel/WHM CentOS server without making SMTP auth public?

Tags: smtp, gmail, cpanel, whm, two-factor-authentication

The constant distributed SMTP authentication attacks on my server prompted me to block any IP not explicitly allowed from connecting to SMTP on my server and sending mail through it. Works very well. Instructions:

However, I now can't use Google Mail / Gmail to "send mail as" for new accounts without either enabling two-factor authentication (which I am setting up remotely for clients) or re-opening SMTP authentication on the server.

My other option is to whitelist Google Mail's IP addresses.

A Google search turned up a way to retrieve Google's current IP ranges, using the following, which I copied from this page:

This returns the list of domains included in Google's SPF record, for example: _netblocks.google.com, _netblocks2.google.com, _netblocks3.google.com

Now look up the DNS records associated with each of these domains, one at a time, like this:

nslookup -q=TXT _netblocks.google.com 8.8.8.8
nslookup -q=TXT _netblocks2.google.com 8.8.8.8
nslookup -q=TXT _netblocks3.google.com 8.8.8.8
The output of these commands contains the current address ranges.
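The manual procedure above (read `_spf.google.com`, then each `include:` it names) is an SPF walk. As an added example, not part of the original post, the Python below does the same walk programmatically. It runs offline against constructed sample TXT records (documentation address ranges, not Google's real data); `live_resolver`, which assumes the dnspython library is installed, can be swapped in for real DNS. It goes a little beyond the hand procedure: it also follows `redirect=`, skips a self-referencing record, stops after a fixed number of referrals (in the spirit of the lookup limit in RFC 7208), and refuses any `ip4:`/`ip6:` value that does not parse as an address or CIDR, so a broken or unexpected record cannot feed garbage into a firewall allow list.

```python
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Set

# Constructed sample answers standing in for the TXT records the nslookup
# commands above return. Not Google's real data: the addresses are the
# RFC 5737 / RFC 3849 documentation ranges.
SAMPLE_TXT: Dict[str, List[str]] = {
    "_spf.google.com": [
        "v=spf1 include:_netblocks.google.com include:_netblocks2.google.com "
        "include:_netblocks3.google.com ~all"
    ],
    "_netblocks.google.com": ["v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/25 ~all"],
    "_netblocks2.google.com": ["v=spf1 ip6:2001:db8::/32 ~all"],
    "_netblocks3.google.com": ["v=spf1 ~all"],  # an include that carries no ranges at all
    "loop.example": ["v=spf1 include:loop.example ip4:203.0.113.0/24 ~all"],  # self-referencing
}

Resolver = Callable[[str], List[str]]


def sample_resolver(name: str) -> List[str]:
    """Offline stand-in for DNS: returns the constructed TXT strings for a name."""
    return SAMPLE_TXT.get(name.lower(), [])


def live_resolver(name: str) -> List[str]:
    """Real TXT lookup via dnspython (assumed installed: pip install dnspython)."""
    import dns.resolver  # imported lazily so the offline path has no dependency
    answers = dns.resolver.resolve(name, "TXT")
    return ["".join(part.decode() for part in rdata.strings) for rdata in answers]


# One SPF term: optional "+" qualifier, then the mechanism/modifier and its argument.
SPF_TERM = re.compile(r"(?:^|\s)\+?(include:|ip4:|ip6:|redirect=)(\S+)")


def spf_netblocks(domain: str, resolver: Resolver = sample_resolver,
                  max_lookups: int = 10, _seen: Optional[Set[str]] = None) -> List[str]:
    """Return every ip4/ip6 range reachable from domain's SPF record, following
    include: and redirect= the way the nslookup procedure does by hand.
    A domain already visited is skipped (loop), more than max_lookups referrals
    raises RuntimeError, and any range that is not a valid address/CIDR raises
    ValueError instead of being passed through."""
    if _seen is None:
        _seen = set()
    domain = domain.lower()
    if domain in _seen:
        return []
    if len(_seen) >= max_lookups:
        raise RuntimeError(f"SPF lookup limit of {max_lookups} exceeded at {domain}")
    _seen.add(domain)
    ranges: List[str] = []
    for txt in resolver(domain):
        if not txt.lower().startswith("v=spf1"):
            continue  # other TXT records on the same name are irrelevant
        for kind, value in SPF_TERM.findall(txt.lower()):
            if kind in ("include:", "redirect="):
                ranges.extend(spf_netblocks(value, resolver, max_lookups, _seen))
            else:
                ipaddress.ip_network(value, strict=False)  # ValueError on anything else
                ranges.append(value)
    return list(dict.fromkeys(ranges))  # de-duplicate, keep first-seen order


if __name__ == "__main__":
    for cidr in spf_netblocks("_spf.google.com"):  # pass resolver=live_resolver for real DNS
        print(cidr)
```

Running it against the sample data prints the three documentation ranges; the empty `_netblocks3` include contributes nothing, exactly as the answer below observes for the real record at the time.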

Can I use the output of these to generate useful content for /etc/csf/csf.smtpauth?

I could write some PHP to do this and run it as a cron job as root, but what format is acceptable? Does csf.smtpauth accept IP range declarations? Can it handle IPv6 addresses?

After any change I would also need to force csf and lfd to restart automatically so the new IPs are in use. Is that possible from PHP running as root?

Thanks

SOLVED

I have written the following PHP, which queries Google's SPF record and then, only if needed, replaces the existing SMTP Auth block with a new one. It then creates a file that serves as a flag for a bash script to restart the firewall.

Note that /etc/csf/csf.smtpauth accepts IPv4 and IPv6 addresses as well as CIDR address ranges.

<?php
// Grab current Google SPF IPs...
$dns = dns_get_record('_spf.google.com', DNS_TXT);
if (!$dns)
{
    echo "FAILED TO RETRIEVE DNS RECORD<br />\n";
    exit;
}

// The variable in which to store the results
$ranges = array();

// Of interest in particular to us is...
$val = $dns[0]['txt'];

preg_match_all("/include:[^\s]+\s/", $val, $matches);

if (sizeof($matches[0]) <= 0)
{
    echo "BAD DATA RECEIVED OR FAILED TO DECODE DATA<br />\n";
    exit;
}

foreach ($matches[0] as $match)
{
    $match = trim($match);
    $domain = trim(preg_replace("/include\:/", "", $match));

    // Now do it all again for this domain to get the IP range
    $dns = dns_get_record($domain, DNS_TXT);

    if (!$dns)
    {
        echo "DNS LOOKUP FAILURE AT PASS 2<br />\n";
        exit;
    }

    $val = $dns[0]['txt'];
    preg_match_all("/ip\d:[^\s]+\s/", $val, $ips);

    if (sizeof($ips[0])<=0)
    {
        // At time of writing this is entirely possible as _netblocks3.google.com
        // currently holds NO IP ranges
    }
    else
    {
        foreach ($ips[0] as $ip)
        {
            $ip = trim($ip);
            if ($ip <> '')
            {
                $ip = preg_replace("/ip\d\:/", "", $ip);
                $ranges[] = $ip;
            }
        }
    }
}

// To be here means we made it without a major problem. Form the new IP range for
// the smtp auth file (/etc/csf/csf.smtpauth) and compare with the existing. Update only if there has
// been a change. Also update only if there are at least N ranges found.
// When I wrote this there were 11 IPV4 ranges and 6 IPV6 ranges so setting
// low limit to 10
$limit = 10;
$filename  = '/etc/csf/csf.smtpauth';

if (sizeof($ranges) < $limit)
{
    echo "NOT UPDATING RANGES, TOO FEW DISCOVERED, PROBLEM?";
    exit;
}

$filerange = "# GOOGLE SPF RESULTS START\n";
$filerange .= join("\n", $ranges);
$filerange .= "\n# GOOGLE SPF RESULTS END";

// Read in existing conf file. file_get_contents() returns a string (or false on
// failure), so its length is checked with strlen(), not sizeof().
$econf = file_get_contents($filename);
if ($econf === false || strlen($econf) <= 0)
{
    echo "FAILED TO READ $filename<br />\n";
    exit;
}

// Extract the block
if (!preg_match("/\# GOOGLE SPF RESULTS START.+\# GOOGLE SPF RESULTS END/s", $econf, $matches))
{
    echo "FAILED TO FIND EXISTING BLOCK. CORRUPT AUTH FILE?<br />\n";
    exit;
}

if ($filerange == $matches[0])
{
    // IT'S THE SAME DO NOT UPDATE IT!
    exit;
}

// Replace the block entirely
$econf = preg_replace("/\# GOOGLE SPF RESULTS START.+\# GOOGLE SPF RESULTS END/s", $filerange, $econf);

// Write out the new file contents
file_put_contents($filename, $econf);

// Trigger a CSF/LFD restart by creating the trigger file, at the same path the
// restart script below checks for it.
touch("/path-to-file/restartcsflfd");
#!/bin/bash
# Polled from cron: restart the firewall only when the PHP script above has
# created the trigger file, then remove the trigger so it fires once.
if [ -f /path-to-file/restartcsflfd ];
then
    csf -r
    /etc/init.d/lfd restart
    rm -f /path-to-file/restartcsflfd
    echo "RE-STARTED CSF and LFD"
fi