SORBS Blocking Email from Gmail

A family member reported that she hadn't received an email message sent to her today by a Gmail user who had sent her message in reply to the family member's email to her. Since I administer the Sendmail email server she uses, I checked the Sendmail log file at /var/log/maillog. I saw the outgoing email sent to the Gmail address, but no incoming email from that address. So I sent email messages from a Gmail account I have as well as email messages from other external addresses to the root account on the server. The other email messages arrived, but none I sent from the Gmail account arrived. So I ran tcpdump on the server to capture data to/from port 25 on the system, which is the well-known port for Simple Mail Transfer Protocol (SMTP) traffic. I then sent another email message to the root account on the Sendmail server from my Gmail account. After allowing several minutes for an attempted delivery from the Gmail server to occur, I stopped the packet capture with Ctrl-C.

# tcpdump -i enp1s4 port 25 -w smtp_2017-04-30.pcap
tcpdump: listening on enp1s4, link-type EN10MB (Ethernet), capture size 65535 bytes
^C225 packets captured
225 packets received by filter
0 packets dropped by kernel
# ls -lh smtp_2017-04-30.pcap 
-rw-r--r--. 1 tcpdump tcpdump 33K Apr 30 12:33 smtp_2017-04-30.pcap
#

The -i option to the tcpdump command tells it what network interface it should listen on. In the case of this particular server, the interface is enp1s4; you can use the ifconfig -a command on a Linux system to see the available network interfaces. The -w option instructs tcpdump to write the packets it captures to the file name that follows the option. Tcpdump can save the captured data in pcap form. This Sendmail server was a Linux system, but tcpdump is available for Microsoft Windows systems as WinDump; it requires WinPcap be installed.

After I captured the data, I transferred the pcap file to another system where I installed Wireshark to analyze the data; I find the graphical user interface (GUI) of Wireshark makes it easier for me to analyze network traffic. Using Wireshark, I found that a Gmail server with IP address 209.85.223.169 (mail-io0-f169.google.com) connected to the Sendmail server, which responded with its banner. The Google server then issued an EHLO command, the Sendmail server responded with a list of commands it supports, and then the Gmail server issued a MAIL FROM: command at which point the Sendmail server responded with "550 5.7.1 Spam Block:mail from 209.85.223.159 refused - see http://dnsbl.sorbs.net". The Gmail server issued a QUIT command after it received the 550 reply.

Wireshark - SORBS

I use the Spam and Open Relay Blocking System (SORBS) block list on the Sendmail server to reduce the amount of spam reaching users' inboxes. Since I could see that email from Gmail was being blocked by Sendmail when it checked the Gmail server's IP address against the SORBS blacklist, I then looked in today's mail log file for any references to SORBS and Google and saw a lot of them.

# grep sorbs /var/log/maillog | grep google
Apr 30 10:31:32 moonpoint sendmail[20046]: ruleset=check_relay, arg1=mail-oi0-f44.google.com, arg2=127.0.0.6, relay=mail-oi0-f44.google.com [209.85.218.44], reject=550 5.7.1 Spam Block:mail from 209.85.218.44 refused - see http://dnsbl.sorbs.net/
Apr 30 10:38:25 moonpoint sendmail[20293]: ruleset=check_relay, arg1=mail-oi0-f47.google.com, arg2=127.0.0.6, relay=mail-oi0-f47.google.com [209.85.218.47], reject=550 5.7.1 Spam Block:mail from 209.85.218.47 refused - see http://dnsbl.sorbs.net/
Apr 30 10:53:34 moonpoint sendmail[20523]: ruleset=check_relay, arg1=mail-oi0-f42.google.com, arg2=127.0.0.6, relay=mail-oi0-f42.google.com [209.85.218.42], reject=550 5.7.1 Spam Block:mail from 209.85.218.42 refused - see http://dnsbl.sorbs.net/
Apr 30 11:07:38 moonpoint sendmail[22088]: ruleset=check_relay, arg1=mail-it0-f51.google.com, arg2=127.0.0.6, relay=mail-it0-f51.google.com [209.85.214.51], reject=550 5.7.1 Spam Block:mail from 209.85.214.51 refused - see http://dnsbl.sorbs.net/
Apr 30 11:08:44 moonpoint sendmail[22106]: ruleset=check_relay, arg1=mail-oi0-f45.google.com, arg2=127.0.0.6, relay=mail-oi0-f45.google.com [209.85.218.45], reject=550 5.7.1 Spam Block:mail from 209.85.218.45 refused - see http://dnsbl.sorbs.net/
Apr 30 11:13:59 moonpoint sendmail[22245]: ruleset=check_relay, arg1=mail-it0-f50.google.com, arg2=127.0.0.6, relay=mail-it0-f50.google.com [209.85.214.50], reject=550 5.7.1 Spam Block:mail from 209.85.214.50 refused - see http://dnsbl.sorbs.net/
Apr 30 11:16:05 moonpoint sendmail[22320]: ruleset=check_relay, arg1=mail-oi0-f51.google.com, arg2=127.0.0.6, relay=mail-oi0-f51.google.com [209.85.218.51], reject=550 5.7.1 Spam Block:mail from 209.85.218.51 refused - see http://dnsbl.sorbs.net/
Apr 30 11:17:35 moonpoint sendmail[22335]: ruleset=check_relay, arg1=mail-io0-f170.google.com, arg2=127.0.0.6, relay=mail-io0-f170.google.com [209.85.223.170], reject=550 5.7.1 Spam Block:mail from 209.85.223.170 refused - see http://dnsbl.sorbs.net/
Apr 30 11:25:34 moonpoint sendmail[22898]: ruleset=check_relay, arg1=mail-io0-f181.google.com, arg2=127.0.0.6, relay=mail-io0-f181.google.com [209.85.223.181], reject=550 5.7.1 Spam Block:mail from 209.85.223.181 refused - see http://dnsbl.sorbs.net/
Apr 30 11:27:01 moonpoint sendmail[22941]: ruleset=check_relay, arg1=mail-it0-f50.google.com, arg2=127.0.0.6, relay=mail-it0-f50.google.com [209.85.214.50], reject=550 5.7.1 Spam Block:mail from 209.85.214.50 refused - see http://dnsbl.sorbs.net/
Apr 30 11:29:41 moonpoint sendmail[23537]: ruleset=check_relay, arg1=mail-oi0-f43.google.com, arg2=127.0.0.6, relay=mail-oi0-f43.google.com [209.85.218.43], reject=550 5.7.1 Spam Block:mail from 209.85.218.43 refused - see http://dnsbl.sorbs.net/
Apr 30 11:30:28 moonpoint sendmail[23571]: ruleset=check_relay, arg1=mail-oi0-f49.google.com, arg2=127.0.0.6, relay=mail-oi0-f49.google.com [209.85.218.49], reject=550 5.7.1 Spam Block:mail from 209.85.218.49 refused - see http://dnsbl.sorbs.net/
Apr 30 11:31:43 moonpoint sendmail[23593]: ruleset=check_relay, arg1=mail-oi0-f54.google.com, arg2=127.0.0.6, relay=mail-oi0-f54.google.com [209.85.218.54], reject=550 5.7.1 Spam Block:mail from 209.85.218.54 refused - see http://dnsbl.sorbs.net/
Apr 30 11:32:43 moonpoint sendmail[23613]: ruleset=check_relay, arg1=mail-it0-f46.google.com, arg2=127.0.0.6, relay=mail-it0-f46.google.com [209.85.214.46], reject=550 5.7.1 Spam Block:mail from 209.85.214.46 refused - see http://dnsbl.sorbs.net/
Apr 30 11:33:31 moonpoint sendmail[23626]: ruleset=check_relay, arg1=mail-it0-f41.google.com, arg2=127.0.0.6, relay=mail-it0-f41.google.com [209.85.214.41], reject=550 5.7.1 Spam Block:mail from 209.85.214.41 refused - see http://dnsbl.sorbs.net/
Apr 30 11:35:01 moonpoint sendmail[23716]: ruleset=check_relay, arg1=mail-oi0-f45.google.com, arg2=127.0.0.6, relay=mail-oi0-f45.google.com [209.85.218.45], reject=550 5.7.1 Spam Block:mail from 209.85.218.45 refused - see http://dnsbl.sorbs.net/
Apr 30 11:45:08 moonpoint sendmail[23949]: ruleset=check_relay, arg1=mail-io0-f178.google.com, arg2=127.0.0.6, relay=mail-io0-f178.google.com [209.85.223.178], reject=550 5.7.1 Spam Block:mail from 209.85.223.178 refused - see http://dnsbl.sorbs.net/
Apr 30 11:53:37 moonpoint sendmail[24064]: ruleset=check_relay, arg1=mail-oi0-f54.google.com, arg2=127.0.0.6, relay=mail-oi0-f54.google.com [209.85.218.54], reject=550 5.7.1 Spam Block:mail from 209.85.218.54 refused - see http://dnsbl.sorbs.net/
Apr 30 12:05:44 moonpoint sendmail[25532]: ruleset=check_relay, arg1=mail-io0-f180.google.com, arg2=127.0.0.6, relay=mail-io0-f180.google.com [209.85.223.180], reject=550 5.7.1 Spam Block:mail from 209.85.223.180 refused - see http://dnsbl.sorbs.net/
Apr 30 12:16:13 moonpoint sendmail[26021]: ruleset=check_relay, arg1=mail-io0-f169.google.com, arg2=127.0.0.6, relay=mail-io0-f169.google.com [209.85.223.169], reject=550 5.7.1 Spam Block:mail from 209.85.223.169 refused - see http://dnsbl.sorbs.net/
Apr 30 12:18:14 moonpoint sendmail[26079]: ruleset=check_relay, arg1=mail-io0-f175.google.com, arg2=127.0.0.6, relay=mail-io0-f175.google.com [209.85.223.175], reject=550 5.7.1 Spam Block:mail from 209.85.223.175 refused - see http://dnsbl.sorbs.net/
Apr 30 12:18:57 moonpoint sendmail[26107]: ruleset=check_relay, arg1=mail-io0-f170.google.com, arg2=127.0.0.6, relay=mail-io0-f170.google.com [209.85.223.170], reject=550 5.7.1 Spam Block:mail from 209.85.223.170 refused - see http://dnsbl.sorbs.net/
Apr 30 12:24:24 moonpoint sendmail[26265]: ruleset=check_relay, arg1=mail-io0-f169.google.com, arg2=127.0.0.6, relay=mail-io0-f169.google.com [209.85.223.169], reject=550 5.7.1 Spam Block:mail from 209.85.223.169 refused - see http://dnsbl.sorbs.net/
Apr 30 12:26:06 moonpoint sendmail[26666]: ruleset=check_relay, arg1=mail-io0-f169.google.com, arg2=127.0.0.6, relay=mail-io0-f169.google.com [209.85.223.169], reject=550 5.7.1 Spam Block:mail from 209.85.223.169 refused - see http://dnsbl.sorbs.net/
Apr 30 12:41:16 moonpoint sendmail[27751]: ruleset=check_relay, arg1=mail-io0-f176.google.com, arg2=127.0.0.6, relay=mail-io0-f176.google.com [209.85.223.176], reject=550 5.7.1 Spam Block:mail from 209.85.223.176 refused - see http://dnsbl.sorbs.net/
Apr 30 12:55:57 moonpoint sendmail[28554]: ruleset=check_relay, arg1=mail-io0-f169.google.com, arg2=127.0.0.6, relay=mail-io0-f169.google.com [209.85.223.169], reject=550 5.7.1 Spam Block:mail from 209.85.223.169 refused - see http://dnsbl.sorbs.net/
Apr 30 13:07:14 moonpoint sendmail[29525]: ruleset=check_relay, arg1=mail-io0-f169.google.com, arg2=127.0.0.6, relay=mail-io0-f169.google.com [209.85.223.169], reject=550 5.7.1 Spam Block:mail from 209.85.223.169 refused - see http://dnsbl.sorbs.net/
Apr 30 13:07:22 moonpoint sendmail[29526]: ruleset=check_relay, arg1=mail-io0-f172.google.com, arg2=127.0.0.6, relay=mail-io0-f172.google.com [209.85.223.172], reject=550 5.7.1 Spam Block:mail from 209.85.223.172 refused - see http://dnsbl.sorbs.net/
Apr 30 13:18:22 moonpoint sendmail[29782]: ruleset=check_relay, arg1=mail-io0-f169.google.com, arg2=127.0.0.6, relay=mail-io0-f169.google.com [209.85.223.169], reject=550 5.7.1 Spam Block:mail from 209.85.223.169 refused - see http://dnsbl.sorbs.net/
Apr 30 13:53:49 moonpoint sendmail[31651]: ruleset=check_relay, arg1=mail-io0-f169.google.com, arg2=127.0.0.6, relay=mail-io0-f169.google.com [209.85.223.169], reject=550 5.7.1 Spam Block:mail from 209.85.223.169 refused - see http://dnsbl.sorbs.net/
#

From the log file, I found that SORBS was blocking quite a few Gmail addresses today. When I looked up IP addresses on the SORBS website, I found results like the following:

Summary information for 209.85.223.169/32

Note: Times shown are for the latest entry only! Found 2 network entries and 0 host/domain entries.

Problem Entries, (listings will cause email problems.)
142 "Spam" entries [19:45:26 28 Apr 2017 GMT+00].
209.85.223.169 - 142 entries [19:45:26 28 Apr 2017 GMT+00].
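
As an added example (not part of the original post), the script below parses check_relay rejections in the maillog format shown above, counts them per sending domain and relay address, and builds the DNS name a DNSBL client queries for each address (reversed octets followed by the list's zone). The sample lines are constructed with documentation addresses, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample in the maillog format shown above; hosts and addresses
# are documentation values, not entries from the post.
SAMPLE_LOG = """\
Apr 30 10:31:32 mx sendmail[1001]: ruleset=check_relay, arg1=out-1.example.net, arg2=127.0.0.6, relay=out-1.example.net [192.0.2.44], reject=550 5.7.1 Spam Block:mail from 192.0.2.44 refused - see http://dnsbl.sorbs.net/
Apr 30 10:38:25 mx sendmail[1002]: ruleset=check_relay, arg1=out-2.example.net, arg2=127.0.0.6, relay=out-2.example.net [192.0.2.47], reject=550 5.7.1 Spam Block:mail from 192.0.2.47 refused - see http://dnsbl.sorbs.net/
Apr 30 10:40:02 mx sendmail[1003]: v3UEe2xx001003: from=<a@example.org>, size=2048, nrcpts=1, relay=mail.example.org [198.51.100.9]
Apr 30 10:53:34 mx sendmail[1004]: ruleset=check_relay, arg1=out-1.example.net, arg2=127.0.0.6, relay=out-1.example.net [192.0.2.44], reject=550 5.7.1 Spam Block:mail from 192.0.2.44 refused - see http://dnsbl.sorbs.net/
Apr 30 11:02:10 mx sendmail[1005]: ruleset=check_relay, arg1=[203.0.113.5], arg2=127.0.0.6, relay=[203.0.113.5], reject=550 5.7.1 Spam Block:mail from 203.0.113.5 refused - see http://dnsbl.sorbs.net/
"""

# A check_relay rejection; the relay name is absent when reverse DNS failed.
REJECT_RE = re.compile(
    r"ruleset=check_relay, arg1=(?P<name>\S+), arg2=(?P<arg2>\S+), "
    r"relay=(?:\S+ )?\[(?P<ip>[0-9.]+)\], reject=(?P<reply>\d{3}) "
)

def parse_rejections(text):
    """Return (relay_name, relay_ip, arg2, smtp_reply) per rejection line."""
    return [(m["name"], m["ip"], m["arg2"], m["reply"])
            for m in map(REJECT_RE.search, text.splitlines()) if m]

def sender_domain(name):
    """Last two labels of the relay name, or a marker when there is no rDNS."""
    return "(no rDNS)" if name.startswith("[") else ".".join(name.split(".")[-2:])

def dnsbl_query_name(ip, zone="dnsbl.sorbs.net"):
    """DNS name a DNSBL client looks up for an IPv4 address: reversed octets + zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def summarize(text):
    """Count rejections per sending domain and per relay IP."""
    rows = parse_rejections(text)
    by_domain = Counter(sender_domain(name) for name, _, _, _ in rows)
    by_ip = Counter(ip for _, ip, _, _ in rows)
    return by_domain, by_ip

if __name__ == "__main__":
    domains, ips = summarize(SAMPLE_LOG)
    for domain, n in domains.most_common():
        print(f"{n:3d} rejections from {domain}")
    for ip, n in ips.most_common():
        print(f"{n:3d}  {ip:15s} -> {dnsbl_query_name(ip)}")
```

A large count concentrated on one well-known provider's domain, as in the log above, points to a listing of that provider's outbound servers rather than to individual spam sources.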

The blocks are due to the following lines in /etc/mail/sendmail.mc.

FEATURE(`blacklist_recipients')dnl
FEATURE(`dnsbl',`dnsbl.sorbs.net',`550 Spam Block: mail from $&{client_addr} refused - see http://dnsbl.sorbs.net/')dnl

I don't want the Sendmail server blocking email from so many Gmail servers. Rather than remove the SORBS blocklist entry from /etc/mail/sendmail.mc, I whitelisted IP address ranges used by Google for its Gmail mail service using IP address ranges I found on the Google support site at Email bounces because your IP address is blacklisted in the "Show me Gmail IP addresses to whitelist" section.

64.18.0.0/20
64.233.160.0/19
66.102.0.0/20
66.249.80.0/20
72.14.192.0/18
74.125.0.0/16
108.177.8.0/21
172.217.0.0/19
173.194.0.0/16
207.126.144.0/20
209.85.128.0/17
216.58.192.0/19
216.239.32.0/19
2001:4860:4000::/36
2404:6800:4000::/36
2607:f8b0:4000::/36
2800:3f0:4000::/36
2a00:1450:4000::/36
2c0f:fb50:4000::/36

The last six address ranges are IPv6 ranges; the prior ones are IPv4 address ranges. To stop the IP address blocking by Sendmail due to the use of the SORBS blacklist, I added the following lines to the /etc/mail/access file.

# Gmail
64.18.0.0/20                            RELAY
64.233.160.0/19                         RELAY
66.102.0.0/20                           RELAY
66.249.80.0/20                          RELAY
72.14.192.0/18                          RELAY
74.125.0.0/16                           RELAY
108.177.8.0/21                          RELAY
172.217.0.0/19                          RELAY
173.194.0.0/16                          RELAY
207.126.144.0/20                        RELAY
209.85.128.0/17                         RELAY
216.58.192.0/19                         RELAY
216.239.32.0/19                         RELAY
2001:4860:4000::/36                     RELAY
2404:6800:4000::/36                     RELAY
2607:f8b0:4000::/36                     RELAY
2800:3f0:4000::/36                      RELAY
2a00:1450:4000::/36                     RELAY
2c0f:fb50:4000::/36                     RELAY

I then rebuilt the access database map by issuing the command below from the root account:

# makemap hash /etc/mail/access </etc/mail/access
#

Once I did that, I was then able to successfully send email from my Gmail account to email accounts on the Sendmail server. And, surprisingly, prior email messages that I had sent when the SORBS block list was preventing email deliveries from Gmail servers then arrived as well, as did the message from the Gmail user that led to the family member reporting the problem to me. Since a 550 error code indicates a permanent delivery problem, unlike some other SMTP reply codes, I didn't expect a Gmail SMTP server to attempt to deliver those messages again.
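
Sendmail looks up a connecting IPv4 address in the access map by literal key, trying the full address and then its first three, two and one octets, so a range has to be entered as octet-boundary prefixes; the sendmail distribution includes contrib/cidrexpand for that conversion. The added example below (not from the original post) performs the same expansion for the IPv4 ranges listed above and emulates the lookup order. It writes OK, which exempts a client from the DNSBL check without granting relay rights as RELAY does; the choice of OK, the omission of the IPv6 ranges and the function names are assumptions of this example.

```python
import ipaddress

# IPv4 ranges copied from the access file above (IPv6 ranges left out).
GMAIL_V4 = """64.18.0.0/20 64.233.160.0/19 66.102.0.0/20 66.249.80.0/20
72.14.192.0/18 74.125.0.0/16 108.177.8.0/21 172.217.0.0/19 173.194.0.0/16
207.126.144.0/20 209.85.128.0/17 216.58.192.0/19 216.239.32.0/19""".split()

def expand_cidr(cidr):
    """Octet-boundary prefixes that together cover one IPv4 CIDR block."""
    net = ipaddress.IPv4Network(cidr)  # raises ValueError if host bits are set
    # Round the prefix length up to a whole octet: /17 -> /24, /16 stays /16.
    bits = max(8, -(-net.prefixlen // 8) * 8)
    return [".".join(str(sub.network_address).split(".")[: bits // 8])
            for sub in net.subnets(new_prefix=bits)]

def access_lookup(keys, ip):
    """Emulate the map lookup order: full address, then 3, 2 and 1 octets."""
    octets = ip.split(".")
    for n in range(4, 0, -1):
        key = ".".join(octets[:n])
        if key in keys:
            return key
    return None

def build_access(cidrs, value="OK"):
    """Return the expanded keys and the access-file text (value is an assumption)."""
    keys = [k for c in cidrs for k in expand_cidr(c)]
    return keys, "\n".join(f"{k:<40}{value}" for k in keys)

if __name__ == "__main__":
    keys, text = build_access(GMAIL_V4)
    print(text)
    # A literal CIDR string is never one of the keys that gets looked up.
    print(access_lookup({"209.85.128.0/17"}, "209.85.223.169"))
    print(access_lookup(set(keys), "209.85.223.169"))
```

The generated lines go into /etc/mail/access in place of the CIDR entries, followed by the same makemap rebuild shown above.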