ACL for Office 365

byates · ‎12-19-2018

I have a sensitive VLAN that needs to stay separate from my production network. They have a server on this network that sends out SMS text notifications via email. We have office 365 and i want to lock this down so they only thing that comes out of this VLAN is the notifications (emails to O365 server). Nothing needs to come back in as all it will do is send a text/email, it doesnt receive anything back.

Here is what i wrote but doing a little research i see i might need more than just the smtp server. Has anyone had to do something similar and what do i need to add?

Thanks in advance

extended ip access-list INBOUND
permit tcp 192.168.0.122 host smtp.office365.com eq 587
deny ip any any
exit
int vlan 111
ip access-group INBOUND in

extended ip access-list OUTBOUND
deny ip any any
exit

Georg Pauwen · ‎12-19-2018

Hello,

I think you need POP (995) and possible IMAP (993) as well:

extended ip access-list INBOUND
permit tcp 192.168.0.122 host smtp.office365.com eq 587

permit tcp 192.168.0.122 host pop.office365.com eq 995

permit tcp 192.168.0.122 host imap.office365.com eq 993
deny ip any any
exit
int vlan 111
ip access-group INBOUND in

byates · ‎12-19-2018

Whats weird is when i do a Wireshark capture when sending an email, i dont see any of those ports appear. All i see is HTTPS which looks like its going to one of the many MS Office 365 IPs listed in their list of IPs to allow.

Not the most experienced with Wireshark but i suspect i should see those ports show up right?

Georg Pauwen · ‎12-19-2018

Hello,

actually, I think by default POP and IMAP are SSL encrypted, and SMTP is TLS or STARTTLS encrypted, so I am not sure if Wireshark can actualy see the unencrypted ports...

byates · ‎12-19-2018

So in the ACL should I specify the port as 443?