2411 Views | 0 Helpful | 4 Replies

ACL for Office 365

byates (Level 1)

I have a sensitive VLAN that needs to stay separate from my production network. They have a server on this network that sends out SMS text notifications via email. We have Office 365 and I want to lock this down so the only thing that comes out of this VLAN is the notifications (emails to the O365 server). Nothing needs to come back in, as all it will do is send a text/email; it doesn't receive anything back.

Here is what I wrote, but doing a little research I see I might need more than just the SMTP server. Has anyone had to do something similar, and what do I need to add?

Thanks in advance
ip access-list extended INBOUND
 ! IOS syntax is 'ip access-list extended <name>'; a single source address needs the 'host' keyword
 permit tcp host 192.168.0.122 host smtp.office365.com eq 587
 ! ACL entries match IP addresses, not names: Office 365 SMTP is served from many published
 ! address ranges, so this entry has to become one permit per range
 deny ip any any
exit
interface Vlan111
 ip access-group INBOUND in
ip access-list extended OUTBOUND
 ! not applied yet; a stateless deny-all applied 'out' on the SVI would also drop Office 365's replies to the permitted SMTP session
 permit tcp host smtp.office365.com eq 587 host 192.168.0.122 established
 deny ip any any
exit
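The ACL in the post names smtp.office365.com as its destination, but an IOS ACL matches packet addresses, not names, and Office 365 SMTP submission is served from many published ranges. The script below is an added example, not code from the original post: it turns endpoint records in the shape of Microsoft's Office 365 IP/URL web service JSON into the extended ACL with IOS wildcard masks, and adds the DNS permit the server needs before it can resolve the name at all. The endpoint records are a constructed sample (the live list comes from endpoints.office.com and changes over time), the resolver address 10.0.0.53 is an assumption, and 192.168.0.122 is the server from the post.

```python
"""Added example, not from the original post: generate the IOS extended ACL
for the sensitive VLAN from Office 365 endpoint data.

The records below are a CONSTRUCTED sample in the shape of the Office 365
IP/URL web service JSON (the real data comes from
https://endpoints.office.com/endpoints/worldwide?clientrequestid=<GUID>
and changes over time, so regenerate the ACL when it changes).
The DNS resolver address 10.0.0.53 is an assumption for illustration.
"""
import ipaddress
import json

# Constructed sample, same field names as the endpoint web service output.
SAMPLE_ENDPOINTS_JSON = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "urls": ["smtp.office365.com"],
     "ips": ["40.92.0.0/15", "2a01:111:f400::/48"],
     "tcpPorts": "25,587", "category": "Allow", "required": True},
    {"id": 2, "serviceArea": "Exchange", "urls": ["outlook.office365.com"],
     "ips": ["40.96.0.0/13", "52.96.0.0/14"],
     "tcpPorts": "80,443", "category": "Optimize", "required": True},
    {"id": 3, "serviceArea": "SharePoint", "urls": ["*.sharepoint.com"],
     "ips": ["13.107.136.0/22"],
     "tcpPorts": "80,443", "category": "Optimize", "required": True},
])


def ranges_for_port(endpoints_json, port, service_area="Exchange"):
    """IPv4 networks of `service_area` whose TCP port list includes `port`.

    IPv6 ranges are skipped: an IPv4 'ip access-list' cannot carry them and
    the VLAN in the post is IPv4 only.
    """
    nets = []
    for entry in json.loads(endpoints_json):
        if entry.get("serviceArea") != service_area:
            continue
        ports = {int(p) for p in entry.get("tcpPorts", "").split(",") if p}
        if port not in ports:
            continue
        for cidr in entry.get("ips", []):
            net = ipaddress.ip_network(cidr)
            if net.version == 4:
                nets.append(net)
    return nets


def acl_destination(net):
    """Render a network as an IOS ACL address: 'host A' or 'A wildcard'."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    # IOS wildcard masks are the inverse of the netmask; ipaddress calls that hostmask.
    return f"{net.network_address} {net.hostmask}"


def build_acl(name, source_host, networks, port=587, dns_resolver=None):
    """Lines of an extended ACL permitting only SMTP submission (and DNS) from the server."""
    lines = [f"ip access-list extended {name}"]
    if dns_resolver:
        # The server has to resolve smtp.office365.com before it can connect;
        # without this line a deny-all ACL silently breaks mail.
        lines.append(f" permit udp host {source_host} host {dns_resolver} eq 53")
    for net in networks:
        lines.append(f" permit tcp host {source_host} {acl_destination(net)} eq {port}")
    # Log the catch-all deny so anything else the server tries shows up in syslog.
    lines.append(" deny ip any any log")
    return lines


def interface_config(acl_name, svi="Vlan111"):
    """Apply the ACL inbound on the SVI: 'in' is traffic arriving from the VLAN."""
    return [f"interface {svi}", f" ip access-group {acl_name} in"]


if __name__ == "__main__":
    nets = ranges_for_port(SAMPLE_ENDPOINTS_JSON, 587)
    config = build_acl("INBOUND", "192.168.0.122", nets, dns_resolver="10.0.0.53")
    config += interface_config("INBOUND")
    print("\n".join(config))
```

Running it against the sample emits one permit per IPv4 range that carries TCP/587 (here `permit tcp host 192.168.0.122 40.92.0.0 0.1.255.255 eq 587`), the DNS permit, and a logged deny; the `ip access-group ... in` direction is the one the post uses, since traffic leaving the VLAN enters the SVI.
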
4 Replies

Hello,

I think you need POP (995) and possibly IMAP (993) as well:

ip access-list extended INBOUND
 permit tcp host 192.168.0.122 host smtp.office365.com eq 587
 permit tcp host 192.168.0.122 host pop.office365.com eq 995
 permit tcp host 192.168.0.122 host imap.office365.com eq 993
 deny ip any any
exit
interface Vlan111
 ip access-group INBOUND in
What's weird is when I do a Wireshark capture when sending an email, I don't see any of those ports appear. All I see is HTTPS, which looks like it's going to one of the many MS Office 365 IPs listed in their list of IPs to allow.

Not the most experienced with Wireshark, but I suspect I should see those ports show up, right?

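TCP and UDP port numbers sit in the transport header, which TLS and STARTTLS leave in the clear, so a capture of an SMTP submission shows port 587 on the SYN whatever the payload encryption; a capture that shows only 443 means the server is not talking SMTP to Office 365 in that capture. The script below is an added example, not from anyone in this thread: it tabulates the destinations and ports the server opens, from the tab-separated output of a tshark field export, and reports which flows the intended ACL (TCP/587 plus DNS) would not cover. The capture lines are a constructed sample; the file name vlan111.pcapng and the destination addresses are assumptions, and 192.168.0.122 is the server from the post.

```python
"""Added example, not from the original thread: tabulate where the server
actually connects, from a capture taken on the VLAN.

The lines below are a CONSTRUCTED sample in the tab-separated shape of
  tshark -r vlan111.pcapng \
    -Y 'ip.src==192.168.0.122 && ((tcp.flags.syn==1 && tcp.flags.ack==0) || udp)' \
    -T fields -e ip.dst -e ip.proto -e tcp.dstport -e udp.dstport
(file name and destination addresses are assumptions).
"""
from collections import Counter

# Constructed sample output: ip.dst, ip.proto (6=TCP, 17=UDP), tcp.dstport, udp.dstport.
SAMPLE_TSHARK_OUTPUT = (
    "10.0.0.53\t17\t\t53\n"
    "40.101.12.34\t6\t587\t\n"
    "40.101.12.34\t6\t587\t\n"
    "52.96.33.10\t6\t443\t\n"
    "52.96.33.10\t6\t443\t\n"
    "52.96.33.10\t6\t443\t\n"
    "\n"
)

PROTO_NAMES = {"6": "tcp", "17": "udp"}


def parse_tshark_fields(text):
    """Return (proto, dst, dport) tuples, one per captured SYN or UDP datagram."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        fields += [""] * (4 - len(fields))  # tshark leaves absent fields empty
        dst, proto, tcp_port, udp_port = fields[:4]
        port = tcp_port or udp_port
        if not port:
            continue  # no transport port (a looser filter than the one above); nothing to compare
        flows.append((PROTO_NAMES.get(proto, proto), dst, int(port)))
    return flows


def tally(flows):
    """Connection attempts per (proto, dst, dport); the port is visible even when the payload is TLS."""
    return Counter(flows)


def not_permitted(flows, permitted):
    """Flows whose (proto, dport) the intended ACL does not permit.

    `permitted` is a set of (proto, dport) pairs, e.g. {("tcp", 587), ("udp", 53)}.
    Anything returned is either traffic the server needs and the ACL must add,
    or traffic the ACL is right to drop; the capture alone cannot say which.
    """
    return Counter(f for f in flows if (f[0], f[2]) not in permitted)


if __name__ == "__main__":
    flows = parse_tshark_fields(SAMPLE_TSHARK_OUTPUT)
    for (proto, dst, port), n in sorted(tally(flows).items()):
        print(f"{n:4d}  {proto}/{port:<5} -> {dst}")
    leftover = not_permitted(flows, {("tcp", 587), ("udp", 53)})
    print("not covered by tcp/587 + udp/53:", dict(leftover))
```

On the sample, the 587 SYNs and the DNS lookup are covered and the three 443 connections are flagged. Whether to add a 443 permit depends on what that traffic is: if it is the mail submission itself (an HTTPS mail API instead of SMTP), the ACL must allow it to the Exchange ranges; if it is something else the server does, the ACL is doing its job by dropping it.
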
Hello,

Actually, I think by default POP and IMAP are SSL encrypted, and SMTP is TLS or STARTTLS encrypted, so I am not sure if Wireshark can actually see the unencrypted ports...

So in the ACL, should I specify the port as 443?