I am currently using the following rule:
ufw allow out from my_local_ip to any port 587
This is a little too lax for my liking. I would like to tighten it up and restrict it to only Gmail's SMTP server IP addresses, but they are always changing. I used to just wait until an outgoing email didn't make it to its destination, then check syslog for the IP address that was blocked, then add that to the ufw configure script. However, now I have a need for much more reliability.
Is there any way to use smtp.gmail.com in ufw? I don't think so, but thought I would ask. Any other ideas? Thanks.
Update
Taking izx's suggestion, I obtained the following (abbreviated) info from whois:
$ whois 74.125.53.108
...
NetRange: 74.125.0.0 - 74.125.255.255
CIDR: 74.125.0.0/16
...
Using this info, I created the following command in my ufw configuration script (I realize there are other ranges to open; this is just an example):
ufw allow out from 192.168.2.5 to 74.125.0/24.0/24 port 587
But ufw does not like that. So I changed it to:
ufw allow out from 192.168.2.5 to 74.125.0.0/24 port 587
This ufw accepted, but obviously this will only block any address in this range with 0 as the third octet. So how do I get from 0-255 for the third octet as well?
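Added example, not part of the original post: a Python sketch that turns the NetRange line of the whois output quoted above into the CIDR blocks that cover it and builds the matching ufw rules in the post's rule form. The function names and the embedded whois sample are assumptions made for this example; it generalizes to ranges that do not align to a single prefix.

```python
import ipaddress
import re

# Constructed sample: the abbreviated whois output quoted in the post.
WHOIS_SAMPLE = """\
NetRange: 74.125.0.0 - 74.125.255.255
CIDR: 74.125.0.0/16
"""

NETRANGE_RE = re.compile(r"^NetRange:\s*(\S+)\s*-\s*(\S+)\s*$", re.MULTILINE)


def netrange_to_cidrs(whois_text):
    """Return the minimal list of CIDR blocks covering each NetRange line."""
    cidrs = []
    for first, last in NETRANGE_RE.findall(whois_text):
        start = ipaddress.IPv4Address(first)
        end = ipaddress.IPv4Address(last)
        # A range that is not prefix-aligned expands to several blocks.
        cidrs.extend(ipaddress.summarize_address_range(start, end))
    return cidrs


def ufw_rules(local_ip, cidrs, port=587):
    """Build one outbound allow rule per CIDR block (hypothetical helper)."""
    ipaddress.IPv4Address(local_ip)  # raises ValueError on a malformed source IP
    return [f"ufw allow out from {local_ip} to {net} port {port}" for net in cidrs]


def covers(cidr, address):
    """True if address falls inside cidr; shows what a prefix length admits."""
    return ipaddress.ip_address(address) in ipaddress.ip_network(cidr)


if __name__ == "__main__":
    for rule in ufw_rules("192.168.2.5", netrange_to_cidrs(WHOIS_SAMPLE)):
        print(rule)
    # /24 fixes the first three octets; /16 fixes only the first two,
    # so the third octet may be anything from 0 to 255.
    print(covers("74.125.0.0/24", "74.125.53.108"))
    print(covers("74.125.0.0/16", "74.125.53.108"))
```

The /16 is the whole allocation shown in the whois record, so the resulting rule permits port 587 to every host in that block, not only the SMTP servers.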