We run our own (freebsd) mail server. It's a pretty classic, old fashioned /var/mail/username setup. We have enabled POP so that certain people can pop their mail from us, and use gmail as their mail client. However, we have no other POP users ... and I don't want POP open to the whole world ... BUT, I suspect there are a LOT of possible IPs that google will use to pop mail from us ... Is there an authoritative list ? Anyone else blocking POP access to everyone BUT google ?
Hello,

On 02 May 2011, at 00:55, George Sanders wrote:

> BUT, I suspect there are a LOT of possible IPs that google will use to pop mail
> from us ...

You are right about that. According to my pop logs, my servers have encountered about 1000 different IPs from google (920 actually). Domain names are always like mail-[a-z][a-z][0-9]-[a-z][0-9][0-9]*.google.com
By the way, I'm in Europe, I'm not sure USA, Australia or Japan would see the same gmail POP clients.

> Is there an authoritative list ?

I don't know.

> Anyone else blocking POP access to everyone BUT google ?

I don't.

patpro
On Mon, May 2, 2011 at 4:55 AM, George Sanders <gosand1982@yahoo.com> wrote:
>
> We run our own (freebsd) mail server. It's a pretty classic, old fashioned
> /var/mail/username setup.
>
> We have enabled POP so that certain people can pop their mail from us, and use
> gmail as their mail client.
>
> However, we have no other POP users ... and I don't want POP open to the whole
> world ...
>
> BUT, I suspect there are a LOT of possible IPs that google will use to pop mail
> from us ...
>
> Is there an authoritative list ?
>
> Anyone else blocking POP access to everyone BUT google ?

Didn't try it myself, just a wild guess. Hopefully google pop clients use real ssl certificates signed by google to authenticate. Mutual ssl authentication is hardly ever used, but still. Set up pop over ssl and check for google certificates instead.

Gleb.
> We have enabled POP so that certain people can pop their mail from us, and use
> gmail as their mail client.
>
> However, we have no other POP users ... and I don't want POP open to the whole
> world ...
>
> BUT, I suspect there are a LOT of possible IPs that google will use to pop mail
> from us ...

While not a "strong" solution, out-of-the box, I'd suggest in /etc/hosts.allow (probably after the "paranoid" line to make inetd check fwd/reverse match)

    ALL : PARANOID : RFC931 20 : deny

assuming you use qpopper (change as required)

    qpopper : .google.com : allow
    qpopper : x.x.x.0/255.255.255.0 : allow    (your directly-connected users)
    qpopper : all : deny

RossW
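
Added example, not part of the thread: a simplified Python model of how the hosts.allow rules in the message above are evaluated, showing why the PARANOID line has to come before the `.google.com` rule. The DNS tables, host names and addresses are constructed, 10.0.0.0/255.255.255.0 stands in for the x.x.x.0 network, and the RFC931 ident lookup is not modelled.

```python
import ipaddress

# Constructed DNS data: documentation-range addresses and made-up host names.
PTR = {  # reverse lookups (address -> name), controlled by whoever owns the IP
    "192.0.2.10": "mail-ab0-c01.google.com",
    "198.51.100.7": "mail-zz9-x99.google.com",
    "203.0.113.5": "host5.example.net",
}
A = {    # forward lookups (name -> addresses), controlled by the domain owner
    "mail-ab0-c01.google.com": ["192.0.2.10"],
    "mail-zz9-x99.google.com": [],  # the name does not resolve back to the IP
    "host5.example.net": ["203.0.113.5"],
}
# Assumed stand-in for "x.x.x.0/255.255.255.0" (directly-connected users).
LOCAL_NET = ipaddress.ip_network("10.0.0.0/255.255.255.0")


def is_paranoid(ip, ptr=PTR, fwd=A):
    """True when reverse DNS gives a name that does not resolve back to ip."""
    name = ptr.get(ip)
    return name is not None and ip not in fwd.get(name, [])


def pop_access(ip, ptr=PTR, fwd=A):
    """Evaluate the rules top to bottom; the first matching rule decides."""
    if is_paranoid(ip, ptr, fwd):
        return "deny"    # ALL : PARANOID : RFC931 20 : deny
    name = ptr.get(ip, "")
    if name.lower().endswith(".google.com"):
        return "allow"   # qpopper : .google.com : allow
    if ipaddress.ip_address(ip) in LOCAL_NET:
        return "allow"   # qpopper : x.x.x.0/255.255.255.0 : allow
    return "deny"        # qpopper : all : deny


if __name__ == "__main__":
    for addr in ("192.0.2.10", "198.51.100.7", "203.0.113.5", "10.0.0.42"):
        print(addr, PTR.get(addr, "(no PTR)"), pop_access(addr))
```

Without the PARANOID rule first, 198.51.100.7 would be allowed on the strength of a reverse-DNS name alone, which is the weakness the "not a strong solution" caveat refers to.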