Access Control List to Allow Email

Discussion in 'Routing & Switching' started by zimbo, Jan 1, 2009.

  1. zimbo
    Honorary Member

    zimbo Petabyte Poster

    5,215
    99
    181
    Happy New Year to all!!

    Working on ACLs on Cisco routers, was wondering if anyone has any good links to info? Always seem to find just the basic stuff - want to learn more!! Anyway my problem is as follows - 2 subnets - A and B, email server in A and users in B, and I need to create an ACL to allow users in B to only send email to the server and no other traffic. So quick brainstorm, would it be an ACL allowing IMAP, POP3 and SMTP and denying everything else? Or would I need to allow other forms of communication as well associated with email (of which I'm not sure that there are!)? Any help please?

    zimbo 8)
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  2. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,624
    117
    224
    For *sending* email you normally only use SMTP.

    You may also need filters on the MTA (i.e. exchange if in Microsoft land).

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  3. The_Geek

    The_Geek Megabyte Poster

    772
    13
    64
    Been a while since I set up any Cisco devices, so I looked through a bunch of notes I had taken over the years and I believe you're going to need to add something along the lines of this:

    access-list 150 permit udp host xx.xx.xx.xx range 16384 32767 any
    access-list 150 permit udp host xx.xx.xx.xx any range 16384 32767
    access-list 151 permit udp host xx.xx.xx.xx eq 5060 any
    access-list 151 permit udp host xx.xx.xx.xx any eq 5060
    access-list 152 permit tcp any eq telnet xx.xx.xx.xx 0.0.0.255
    access-list 152 permit tcp any xx.xx.xx.xx 0.0.0.255 eq telnet

    or

    access-list 150 deny udp host xx.xx.xx.xx range 16384 32767 any
    access-list 150 deny udp host xx.xx.xx.xx any range 16384 32767
    access-list 151 deny udp host xx.xx.xx.xx eq 5060 any
    access-list 151 deny udp host xx.xx.xx.xx any eq 5060
    access-list 152 deny tcp any eq telnet xx.xx.xx.xx 0.0.0.255
    access-list 152 deny tcp any xx.xx.xx.xx 0.0.0.255 eq telnet

    depending on what you want to allow or deny.
     
    Certifications: CompTIA and Micro$oft
    WIP: PDI+
  4. zimbo
    Honorary Member

    zimbo Petabyte Poster

    5,215
    99
    181
    Email server can send any traffic on its side, it's the client side that has to have the ACL implemented, so judging from what you just said:

    We need to allow Telnet through destined for the email server and we need to allow replies back from the email server correct?

    Second you have mentioned port 5060 - that is IMAP right? @ Harry - so SMTP must be allowed through client-side?

    I've been doing my research as well; would it be correct if the protocols involved were Telnet, IMAP or POP3, and SMTP?
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  5. craigie

    craigie Terabyte Poster

    3,020
    174
    155
    I believe that best practice is only to open the ports you require.

    Normally, most people communicate via SMTP which is Port 25; Telnet I think is Port 23.

    What client are your users in Subnet B using? Is it Outlook? And is the Email Server in Subnet A Exchange 2003? If this is the case then you will most likely need to deploy RPC over HTTP for access; there is a guide here by MS.

    Hope that helps, and any more information you can provide about the physical layout, e.g. is the Server in the DMZ, what is the email server, what are the clients using?
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  6. zimbo
    Honorary Member

    zimbo Petabyte Poster

    5,215
    99
    181
    :oops: craigie thanks for the info mate. One thing I didn't mention is this isn't a real world scenario - it's from an academic point of view. I need to write the ACL to allow users to access email in another subnet and that's that. There are two parts to this - one being DNS which I have worked out (took me since Sept to read up on ACLs - but hell I have learnt a lot!). I don't want the actual ACL, I just want to know which services/protocols email would require - so far I'm guessing I would only require ports 25 and 23 open - would this allow users to retrieve email - without knowing whatever other services are running on the email server?

    Thanks for the help so far! 8)

    Edit here is the DNS ACL i have in place - which works!

    Code:
    Router#show access-lists 
    Extended IP access list 101
        permit icmp any host 192.168.20.10 echo
        permit icmp any host 192.168.20.10 port-unreachable
        permit udp any host 192.168.20.10 eq domain
        permit udp any eq domain host 192.168.20.10 gt 32767
        permit icmp any 192.168.20.0 0.0.0.255 echo-reply
        permit icmp any 192.168.20.0 0.0.0.255 port-unreachable
        deny ip any any
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  7. craigie

    craigie Terabyte Poster

    3,020
    174
    155
    Yes it would, but it depends on how 'your' clients would access 'their' email. The most common ones as you have already mentioned are:

    Port 23 - Telnet
    Port 25 - SMTP

    Then followed by:

    Port 110 - POP3
    Port 143 - IMAP4

    Then followed by:

    Port 102 - MTA .X400
    Port 443 - HTTP SSL
    Port 993 - IMAP SSL
    Port 995 - POP3 SSL

    Personally, I would say Port 23 and 25 would suffice.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
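    The question in this thread (only let subnet B clients talk to the mail server, and only on the mail ports) can be checked offline with a small model of how an IOS extended ACL is evaluated. The block below is an added example, not code from the thread or from Cisco: it parses numbered `access-list` lines in IOS syntax (ip/tcp/udp, `host`/`any`/wildcard addresses, `eq`/`gt`/`lt`/`neq`/`range` port operators and the `established` keyword, which is modelled as "TCP ACK or RST bit set"), applies first-match semantics with the implicit deny, and runs constructed packets through two constructed ACLs: one inbound from subnet B that permits only SMTP, POP3 and IMAP to the server, and one inbound from subnet A that lets only replies to client-opened sessions back. All addresses (192.168.20.20, 192.168.30.0/24, the client 192.168.30.15) are placeholders chosen for the example. It shows that a client needs only the mail ports its client software actually uses, that anything else from B (telnet included) falls through to the deny, and that `established` on the return path stops the server from opening new sessions towards the clients.

```python
"""Tiny evaluator for Cisco IOS style numbered extended ACLs (ip/tcp/udp only)."""
import ipaddress
from collections import namedtuple

# Subset of the service names IOS accepts in place of port numbers.
PORT_NAMES = {"smtp": 25, "pop3": 110, "imap": 143, "telnet": 23, "domain": 53, "www": 80}

# ack_or_rst: TCP ACK or RST bit set, i.e. not the opening SYN of a new session.
Packet = namedtuple("Packet", "proto src sport dst dport ack_or_rst", defaults=(False,))
Rule = namedtuple("Rule", "action proto src sport dst dport established")

def _port(tok):
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _parse_addr(tokens, i):
    """'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (contiguous wildcards only)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    # A wildcard mask is the bitwise inverse of the subnet mask.
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[i + 1]))
    net = ipaddress.ip_network((tokens[i], str(ipaddress.IPv4Address(mask))), strict=False)
    return net, i + 2

def _parse_port(tokens, i):
    """Optional eq/gt/lt/neq/range operator; no operator means any port."""
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt", "neq"):
        op, n = tokens[i], _port(tokens[i + 1])
        pred = {"eq": lambda p: p == n, "gt": lambda p: p > n,
                "lt": lambda p: p < n, "neq": lambda p: p != n}[op]
        return pred, i + 2
    if i < len(tokens) and tokens[i] == "range":
        lo, hi = _port(tokens[i + 1]), _port(tokens[i + 2])
        return (lambda p: lo <= p <= hi), i + 3
    return (lambda p: True), i

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        if tokens[0] == "access-list":      # drop the leading "access-list NNN"
            tokens = tokens[2:]
        action, proto = tokens[0], tokens[1]
        if proto not in ("ip", "tcp", "udp"):
            raise ValueError(f"unsupported protocol: {proto}")
        src, i = _parse_addr(tokens, 2)
        sport, i = _parse_port(tokens, i)
        dst, i = _parse_addr(tokens, i)
        dport, i = _parse_port(tokens, i)
        rules.append(Rule(action, proto, src, sport, dst, dport, "established" in tokens[i:]))
    return rules

def evaluate(rules, pkt):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if not (r.sport(pkt.sport) and r.dport(pkt.dport)):
            continue
        if r.established and not pkt.ack_or_rst:
            continue
        return r.action
    return "deny"

# Constructed topology (placeholders, not from the thread): mail server in subnet A, users in subnet B.
MAIL = "192.168.20.20"
FROM_B = """
! inbound on the interface facing subnet B: clients may only open mail sessions
access-list 110 permit tcp 192.168.30.0 0.0.0.255 host 192.168.20.20 eq smtp
access-list 110 permit tcp 192.168.30.0 0.0.0.255 host 192.168.20.20 eq pop3
access-list 110 permit tcp 192.168.30.0 0.0.0.255 host 192.168.20.20 eq imap
access-list 110 deny ip any any
"""
FROM_A = """
! inbound on the interface facing subnet A: only replies within client-opened sessions
access-list 111 permit tcp host 192.168.20.20 192.168.30.0 0.0.0.255 established
access-list 111 deny ip any any
"""

def classify_sample_traffic():
    """Run a handful of constructed packets through both ACLs and return the verdicts."""
    b_rules, a_rules, client = parse_acl(FROM_B), parse_acl(FROM_A), "192.168.30.15"
    return {
        "smtp send": evaluate(b_rules, Packet("tcp", client, 40000, MAIL, 25)),
        "pop3 fetch": evaluate(b_rules, Packet("tcp", client, 40001, MAIL, 110)),
        "imap fetch": evaluate(b_rules, Packet("tcp", client, 40002, MAIL, 143)),
        "telnet to server": evaluate(b_rules, Packet("tcp", client, 40003, MAIL, 23)),
        "smtp reply": evaluate(a_rules, Packet("tcp", MAIL, 25, client, 40000, ack_or_rst=True)),
        "server opens telnet": evaluate(a_rules, Packet("tcp", MAIL, 50000, client, 23)),
    }
```

    Calling `classify_sample_traffic()` returns `permit` for the three mail sessions and for the server's SMTP reply, and `deny` for telnet in either direction. On a real router the two lists would be applied with `ip access-group 110 in` on the B-facing interface and `ip access-group 111 in` on the A-facing one; the model ignores ICMP and non-contiguous wildcards, and `established` is only a header-bit check, not session tracking, which is also true of the real keyword.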
  8. zimbo
    Honorary Member

    zimbo Petabyte Poster

    5,215
    99
    181
    When you say how the clients access their email, are you talking about which protocols are in place and what security mechanisms they are using?
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
  9. craigie

    craigie Terabyte Poster

    3,020
    174
    155
    Hehe, all I mean is if they are using POP3 then only open Port 110, if they are using SMTP only open Port 25, etc etc.

    Looks like you have figured it all out, well done that man!
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  10. zimbo
    Honorary Member

    zimbo Petabyte Poster

    5,215
    99
    181
    Would hope so!! Haven't spent the last 3 yrs doing my degree - least I can do is configure a simple ACL. Mind you, half the class still can't tell you what a router looks like and what a switch looks like LMAO. Thanks for the help mate!! :biggrin
     
    Certifications: B.Sc, MCDST & MCSA
    WIP: M.Sc - Computer Forensics
