I have just completed my setup of McAfee SaaS E-Mail Protection with Outbound Filtering (Encryption) and had some unusual setup issues. The biggest problem is that there is no easy way to list the Google e-mail servers in the outbound server setup. When in the McAfee setup for outbound e-mail servers, you must list all IP addresses (or a range using CIDR notation with a maximum size of /24) that send mail. Therefore, it became necessary to contact Google to inquire about their IP addresses. Google does not release their IP addresses, but suggests that you query their SPF records (see: http://support.google.com/a/bin/answer.py?hl=en&answer=60764). When speaking to two separate representatives at Google, this was also their suggestion (they informed me that Google regularly changes their IP address range).
Of course, there is no way to include an SPF record in the McAfee setup so that McAfee inherits the IP address range from the Google record. So, I simply queried the record, with the following results (_netblocks.google.com):
v=spf1 ip4:184.108.40.206/19 ip4:220.127.116.11/19 ip4:18.104.22.168/20 ip4:22.214.171.124/18 ip4:126.96.36.199/17 ip4:188.8.131.52/20 ip4:184.108.40.206/16 ip4:220.127.116.11/20 ip4:18.104.22.168/20 ip4:22.214.171.124/16
Notice the CIDR notation for these ranges, which includes /16 on the high end (the most IP addresses) and /20 on the low end (the fewest IP addresses). This means that there are 256 subnets that need to be reported when entering the /16 CIDR ranges in McAfee, as McAfee accepts a maximum of /24 (256 IP addresses). For instance, 126.96.36.199/16 equals 188.8.131.52 - 184.108.40.206. A /24 would include only the 256 IP addresses in a particular range. Therefore, to enter this block into McAfee, I had to enter the following:
220.127.116.11/24 ... all the way to 18.104.22.168/24
There is no easy way to do this. When looking at the number of potential IP address ranges for each of the blocks that Google has in the SPF records, you can imagine that this took some time. I also had to make sure to enforce TLS for each of the servers, as our setup is using outbound encryption. The problem is that Google could use (according to the Google technicians) any of these potential IP address ranges for outbound mail, and they tend to query the mail server with one IP and then send with another... all at random (I have a hard time believing that it's entirely random and Google uses a particular subnet, but that's just my suspicion).
Once I added all 800 entries (if you look at the list above, there are 800 individual entries that needed to be made), I realized that if Google decides to update their SPF record to include (or amend, append, or replace) a new block, I would have to go back to the list in McAfee and update it. So, I would like to pose the following suggestions:
1. Is it possible to add a way for McAfee to query an SPF record and then inherit the blocks from that record?
2. If not, can we at least get a broader range of CIDR notations allowed in McAfee? Perhaps at the /16 level on the high end?
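
The expansion described in the post above, as an added example (not part of the original post, and not McAfee or Google code): it parses the `ip4:` mechanisms of an SPF record, splits every range wider than /24 into /24 blocks, and reports which blocks change between two versions of the record. The sample records use constructed private ranges rather than Google's netblocks, and all function names are assumptions.

```python
import ipaddress

MAX_PREFIX = 24  # widest range the post says McAfee accepts

# Constructed sample records (private ranges, not Google's real netblocks).
OLD_SPF = "v=spf1 ip4:10.0.0.0/16 ip4:10.1.16.0/20 ip4:10.2.3.0/28 ip6:2001:db8::/32 ~all"
NEW_SPF = "v=spf1 ip4:10.0.0.0/16 ip4:10.1.32.0/20 ip4:10.2.3.0/28 ip6:2001:db8::/32 ~all"


def ip4_networks(spf_record):
    """Return the passing ip4: mechanisms of an SPF record as IPv4Network objects."""
    nets = []
    for term in spf_record.split():
        # Only an absent or "+" qualifier authorises a sender; terms that
        # start with "-", "~" or "?" do not match below and are skipped.
        mech = term.lstrip("+")
        if mech.lower().startswith("ip4:"):
            # strict=True raises ValueError if host bits are set (e.g. 10.0.0.5/16)
            nets.append(ipaddress.ip_network(mech[4:], strict=True))
    return nets


def split_to_max_prefix(nets, max_prefix=MAX_PREFIX):
    """Expand every network wider than /max_prefix into /max_prefix blocks."""
    out = []
    # collapse_addresses merges overlapping or adjacent ranges so no block repeats
    for net in ipaddress.collapse_addresses(nets):
        if net.prefixlen < max_prefix:
            out.extend(net.subnets(new_prefix=max_prefix))
        else:
            out.append(net)  # already /24 or narrower: enter as-is
    return out


def changed_blocks(old_record, new_record):
    """Return (to_add, to_remove) between two versions of the SPF record."""
    old = set(split_to_max_prefix(ip4_networks(old_record)))
    new = set(split_to_max_prefix(ip4_networks(new_record)))
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    blocks = split_to_max_prefix(ip4_networks(OLD_SPF))
    print(f"{len(blocks)} entries, {blocks[0]} .. {blocks[-1]}")
    to_add, to_remove = changed_blocks(OLD_SPF, NEW_SPF)
    print("add:", *to_add[:3], "...")
    print("remove:", *to_remove[:3], "...")
```

The `include:` mechanisms of a real record are not resolved here, so each included record (such as the `_netblocks` one queried in the post) has to be fetched and passed in separately.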