ACL for Office 365
12-19-2018 09:22 AM - edited 03-08-2019 04:51 PM
I have a sensitive VLAN that needs to stay separate from my production network. They have a server on this network that sends out SMS text notifications via email. We have Office 365 and I want to lock this down so the only thing that comes out of this VLAN is the notifications (emails to the O365 server). Nothing needs to come back in, as all it will do is send a text/email; it doesn't receive anything back.
Here is what I wrote, but doing a little research I see I might need more than just the SMTP server. Has anyone had to do something similar, and what do I need to add?
Thanks in advance
ip access-list extended INBOUND
 remark IOS ACLs take IP addresses, not hostnames; resolve smtp.office365.com first
 permit tcp host 192.168.0.122 host smtp.office365.com eq 587
 deny ip any any
exit
int vlan 111
 ip access-group INBOUND in
ip access-list extended OUTBOUND
 deny ip any any
exit
Labels: LAN Switching
12-19-2018 09:54 AM
Hello,
I think you need POP (995) and possibly IMAP (993) as well:
ip access-list extended INBOUND
 remark IOS ACLs take IP addresses, not hostnames; resolve the Office 365 names first
 permit tcp host 192.168.0.122 host smtp.office365.com eq 587
 permit tcp host 192.168.0.122 host pop.office365.com eq 995
 permit tcp host 192.168.0.122 host imap.office365.com eq 993
 deny ip any any
exit
int vlan 111
 ip access-group INBOUND in
12-19-2018 10:12 AM
What's weird is when I do a Wireshark capture when sending an email, I don't see any of those ports appear. All I see is HTTPS, which looks like it's going to one of the many MS Office 365 IPs listed in their list of IPs to allow.
Not the most experienced with Wireshark, but I suspect I should see those ports show up, right?
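An added example, not from the thread: a Python script that tallies new outbound TCP connections from a tshark CSV export (a constructed sample is embedded) and emits IOS extended-ACL lines, so the permit list matches what the server actually uses rather than what is assumed. The server address and destination IPs are constructed placeholders, not real Office 365 addresses.

```python
"""Tally outbound TCP flows from a tshark CSV export and draft IOS ACL lines.

Constructed sample of what this tshark command might produce:
  tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e tcp.dstport \
         -e tcp.flags.syn -e tcp.flags.ack -E separator=,
A UDP packet (e.g. DNS) leaves the TCP fields empty and is ignored.
"""
import csv
import io
from collections import Counter

SERVER = "192.168.0.122"  # the notification server from the thread

# Constructed sample capture: src, dst, tcp.dstport, syn flag, ack flag
SAMPLE_CSV = """\
192.168.0.122,52.96.0.10,443,1,0
52.96.0.10,192.168.0.122,54321,1,1
192.168.0.122,52.96.0.10,443,0,1
192.168.0.122,52.96.0.10,443,1,0
192.168.0.122,40.101.12.5,443,1,0
192.168.0.122,52.97.100.3,587,1,0
192.168.0.122,192.168.0.1,,,
"""


def outbound_flows(csv_text, server=SERVER):
    """Count new outbound connections (SYN without ACK) per (dst_ip, dst_port).

    Only the server's own SYNs count, so server-side replies and data packets
    in established sessions do not inflate the tally.
    """
    flows = Counter()
    for src, dst, dport, syn, ack in csv.reader(io.StringIO(csv_text)):
        if src == server and syn == "1" and ack == "0":
            flows[(dst, int(dport))] += 1
    return flows


def acl_lines(flows, name="INBOUND", server=SERVER):
    """Draft IOS extended-ACL lines; IOS ACLs need IP addresses, not hostnames."""
    lines = [f"ip access-list extended {name}"]
    for (dst, port), _count in sorted(flows.items()):
        lines.append(f" permit tcp host {server} host {dst} eq {port}")
    lines.append(" deny ip any any log")  # log hits so unexpected traffic shows up
    return lines


if __name__ == "__main__":
    print("\n".join(acl_lines(outbound_flows(SAMPLE_CSV))))
```

Review the tally before applying the ACL: a destination seen only on 443 means that flow is HTTPS, and a rule permitting 587 alone would block it.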
12-19-2018 01:11 PM
Hello,
Actually, I think by default POP and IMAP are SSL encrypted, and SMTP is TLS or STARTTLS encrypted, so I am not sure if Wireshark can actually see the unencrypted ports...
12-19-2018 03:01 PM
