ACL for allowing Email through ASA

mahesh18
Level 6
Level 6

Hi Everyone,

If i need to allow users to send email from outlook  to certain website say www.oracle.com 

Typical email xyz@oracle.com.

Should i open ACL  to allow  port SMTP only?

Do i need to allow ports 80 or 443 also?

Regards

Mahesh


8 Replies

Jouni Forss
VIP Alumni

Hi,

You should make sure that the ASA allows the user SMTP to either some local server (if you have one) or to a remote server.

If you have a local server then you would also allow SMTP traffic from the Internet and to the Internet.

Though I would imagine you should already have these basic things allowed on the firewall. At least to certain mail servers.

The ASA doesn't really control where the user can send email. Though it can limit some SMTP traffic with the default settings or when specifically configured with certain limitations.

HTTP and HTTPS you would probably need if you were accessing a Mail server from the Client computer through a Web portal.

Though I think Outlook uses also HTTPS if configured/enabled to do so.

- Jouni

Hi Jouni,

There are some rules already there to allow SMTP traffic to some mail servers.

But here I need to allow SMTP to some external vendor.

Can you please explain more on this?

You should make sure that the ASA allows the user SMTP to either some local server (if you have one) or to a remote server.

If you have a local server then you would also allow SMTP traffic from the Internet and to the Internet.

When you say "Though I think Outlook uses also HTTPS if configured/enabled to do so", does this mean that when we send email via Outlook it uses HTTPS?

Regards

Mahesh

Hi,

Generally users have a couple of mail servers through which they send their email. I don't know if you really need to allow SMTP to other servers just to send email to some other email addresses, which is what you imply in your original post. Naturally, if your users actually need to use some other mail server compared to the current mail servers, then you need to allow SMTP.

Well, for example, to my understanding my company's Outlook client uses HTTPS when I am outside our company network.

I think it's what this Microsoft document refers to:

http://office.microsoft.com/en-us/outlook-help/use-outlook-anywhere-to-connect-to-your-exchange-server-without-vpn-HP010102444.aspx

But I would imagine this is not what you really need in this case.

And I am not the best person to answer related to this particular thing in any more depth.

- Jouni

In my opinion, SMTP (TCP/25) should *never* be allowed for users in the outbound direction. If any of your clients gets compromised, they could easily spam the internet if you allow that. If you need outgoing mail you should only open TCP/587, which is the Submission port. With that your users can reach their public mail server in the internet with mandatory authentication, which is way more secure.


Sent from Cisco Technical Support iPad App

Hi Karsten,

Normally SMTP is used to send email to server.

When you say use port 587, does it mean that I should not use SMTP port 25?

Does using port 587 do the same job as SMTP?

When you say mandatory authentication, does this mean that whenever a user sends outgoing email they need to put in their username and password?

Regards

Mahesh

The way email communication works changed over the years with the beginning of SPAM. Decades ago, both the server-to-server and the client-to-server communication was done with SMTP, TCP/25. Nowadays the servers still use that for delivering to other servers, but with SMTP, relaying mail is typically not allowed, so it's only possible to deliver to the final destination server. And many access providers block TCP/25 from pure user networks to make sure they cannot start spamming the internet.

For sending mail from the client the Submission port is used. When you sign up for an e-mail account at one of the many mail providers, you get a username and a password, and that needs to be provided when sending mail through the submission port.

All in all we have to differentiate these two scenarios:

1) Company with an internal mail server:
Only the server should be allowed SMTP with TCP/25 to the internet. This server is hopefully configured to restrict outgoing SPAM to the internet if an internal client gets compromised. In addition, the mail system is hopefully set up correctly with proper DNS entries.

2) Company without an internal mail server, or private users:
Outgoing communication with TCP/25 should be restricted and only TCP/587 should be allowed. To deliver the mail you have to authenticate with the username/password that you got from your mail provider.


Sent from Cisco Technical Support iPad App

Hi Karsten,

You explained all the concept very well.

Best regards

Mahesh

Tural Ahmadov
Level 1

Port 443 is for the Microsoft Exchange OWA service, which allows access to the mail account from a browser. If the mail server is in your local network and you allow people to access mail by browser from outside, you must write an ACL and PAT for port 443. TCP 25 and/or TCP 587 is for outgoing mail. You must allow this port.
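As an added example that is not part of this thread or of Cisco's documentation, here is an ASA (8.3+ object-NAT syntax) ACL set implementing Karsten's scenario 1 (internal mail server, only the server allowed TCP/25 outbound, clients limited to TCP/587) together with Tural's inbound 443/OWA case. The object names and the addresses (10.0.0.25, 192.0.2.10, 10.0.0.0/24) are assumed placeholders, and a 1:1 static NAT is used in place of a port-specific PAT.

```cisco
! Added example (not from the thread): assumed names and addresses.
! 10.0.0.25 is the internal mail server, 192.0.2.10 its public address,
! 10.0.0.0/24 the user LAN.
object network MAIL-SERVER
 host 10.0.0.25
 nat (inside,outside) static 192.0.2.10

object network USER-LAN
 subnet 10.0.0.0 255.255.255.0

! Outbound policy (applied on the inside interface)
access-list INSIDE_IN remark Only the mail server may deliver with SMTP to the Internet
access-list INSIDE_IN extended permit tcp object MAIL-SERVER any eq smtp
access-list INSIDE_IN remark Log and drop TCP/25 from everything else (compromised client cannot spam directly)
access-list INSIDE_IN extended deny tcp any any eq smtp log
access-list INSIDE_IN remark Clients of an external provider submit with authentication on TCP/587
access-list INSIDE_IN extended permit tcp object USER-LAN any eq 587
access-list INSIDE_IN remark Web, Outlook Anywhere/OWA over HTTPS, and DNS
access-list INSIDE_IN extended permit tcp object USER-LAN any eq www
access-list INSIDE_IN extended permit tcp object USER-LAN any eq https
access-list INSIDE_IN extended permit udp object USER-LAN any eq domain
access-group INSIDE_IN in interface inside

! Inbound policy: Internet mail delivery to the server and browser access to OWA
access-list OUTSIDE_IN remark ACLs reference the real (inside) address on ASA 8.3+
access-list OUTSIDE_IN extended permit tcp any object MAIL-SERVER eq smtp
access-list OUTSIDE_IN extended permit tcp any object MAIL-SERVER eq https
access-group OUTSIDE_IN in interface outside
```

Once INSIDE_IN is bound to the inside interface, the implicit deny drops anything not listed, which is why DNS and web are included explicitly. The `log` keyword on the TCP/25 deny makes any client that tries to reach port 25 directly show up in syslog, which is the detection signal for the compromised-client case Karsten describes.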
