Cisco Support Community

Trick about Access-List

Dear reader,

I have this idea in my mind, and I am searching for your advice in order to either go ahead and implement it or stop even thinking about it.

The idea is:

My mail server is hosted at my ISP's side, and inside my company here I do not have any internal mail server at all for any communications going on.

All the users use a POP3 account and an SMTP account to send/receive e-mails.

The worst thing is that if I have no Internet, I will be completely unable to send/receive any e-mails from outside at all.

Now, imagine my SMTP server was:

(this is a public IP)

and my POP3 server was:

(this is a public IP)

and my domain was XYZ.COM.


Now, here is my question:

Can I add or write an access-list to deny, for example, a user whose e-mail (within my domain) is like:

SAM @ from sending any e-mails at all to another user in the same domain, like (AHMED @)?

My question is, can I implement this idea instead of writing an access-list to deny or permit POP3 or SMTP completely for this user?

I need to do this for one of my users inside my LAN.

He is using a POP3 account and he is connected to the Internet through my router.

So please, guys, can anyone tell me how to implement this idea if it is possible?


Re: Trick about Access-List

It looks like you want to do packet filtering into the data portion of the packet. The source address is shown outside of the data portion of the packet, not the sender name. I don't believe this is possible with a simple ACL. Plus, if you were able to do this and you for some reason had a high volume of e-mails at one time, you would DoS yourself because all of the route processor's time would be spent analyzing packets. You may want to look into a specific device for helping filter e-mail.

Re: Trick about Access-List


I don't think the ACL will help you in doing the above.

If your office has a firewall, you can set up the mail server in a DMZ zone where POP3 and SMTP will be available locally for the LAN users, and the users who are roaming will have access to the mail server via the Internet as well. Keeping the mail server in the DMZ will avoid outside traffic coming inside the LAN network.

By keeping the mail server in the DMZ you do not need to depend on the Internet from the ISP. Keeping the mail server at the ISP and accessing the mails via the ISP's Internet is not recommended.

I think this will help you. Please rate.


Guru Prasad R


Re: Trick about Access-List

I agree with the previous post. I don't think that a layer-3 device is the right choice to perform layer-7 inspection and filtering. I've worked with firewalls that have a feature named "resource inspection". If you apply that functionality to your SMTP (or POP3) rules, you can prevent your inside zone from sending mails to your own domain. I have not seen PIXes do this, but I would bet they can. On the other hand, with a little work you might be able to obtain the same result using a Linux box inside your LAN and let IT become your application firewall. This functionality is part of a mail relay in itself.

Whatever option you take, I suggest you stop thinking of ACLs as the solution for your problem and (as previously suggested) consider adding an element capable of layer-7 inspection on your network.
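To make the point of the replies above concrete, here is an added example (not code from any poster in this thread) that simulates both layers side by side: a router-style ACL that matches only on addresses, protocol and port, and a relay-style policy check that reads the SMTP envelope. The IP addresses (192.168.1.10 for Sam's PC, 203.0.113.25 for the ISP's SMTP server), the domain xyz.com, the ACL, the packets and the SMTP session are all constructed for illustration and are not from the original post.

```python
"""Added example, not code from any poster in this thread: a simulation of
why a router ACL cannot express "sam@xyz.com may not mail ahmed@xyz.com"
while an SMTP relay (application-layer filter) can.

Hypothetical values, chosen for illustration: Sam's PC is 192.168.1.10,
the ISP's SMTP server is 203.0.113.25, the company domain is xyz.com.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes          # the "data portion" an ACL never reads


@dataclass(frozen=True)
class AclEntry:
    action: str             # "permit" or "deny"
    src: str                # CIDR
    dst: str                # CIDR
    proto: str              # "tcp", "udp" or "ip" (any)
    dport: Optional[int]    # None = any destination port


def acl_lookup(acl: List[AclEntry], pkt: Packet) -> str:
    """Evaluate a packet the way a router ACL does: first match wins,
    implicit deny at the end, and only L3/L4 header fields are consulted.
    pkt.payload is deliberately never touched."""
    for e in acl:
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(e.src):
            continue
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(e.dst):
            continue
        if e.dport is not None and e.dport != pkt.dport:
            continue
        return e.action
    return "deny"


# Constructed sample ACL: "block Sam's PC from the ISP SMTP server".
SAM_BLOCK_ACL = [
    AclEntry("deny", "192.168.1.10/32", "203.0.113.25/32", "tcp", 25),
    AclEntry("permit", "0.0.0.0/0", "0.0.0.0/0", "ip", None),
]

# Two constructed packets from Sam's PC; they differ only in the payload.
PKT_TO_AHMED = Packet("192.168.1.10", "203.0.113.25", "tcp", 25,
                      b"MAIL FROM:<sam@xyz.com>\r\nRCPT TO:<ahmed@xyz.com>\r\n")
PKT_TO_OUTSIDE = Packet("192.168.1.10", "203.0.113.25", "tcp", 25,
                        b"MAIL FROM:<sam@xyz.com>\r\nRCPT TO:<bob@example.net>\r\n")


ENVELOPE = re.compile(r"^(MAIL FROM|RCPT TO):\s*<([^>]*)>", re.IGNORECASE)


def relay_policy(session: List[str], blocked_sender: str, local_domain: str) -> List[str]:
    """Apply the wanted rule at layer 7. Walks the client's SMTP commands and
    returns the reply a policy-aware relay would give to each one; RCPT TO is
    refused when the envelope sender is the blocked user and the recipient is
    in the local domain. Non-envelope commands get a generic 250 here."""
    sender = None
    replies = []
    for line in session:
        m = ENVELOPE.match(line)
        if not m:
            replies.append("250 OK")
            continue
        verb, addr = m.group(1).upper(), m.group(2).lower()
        if verb == "MAIL FROM":
            sender = addr
            replies.append("250 OK")
            continue
        rcpt_domain = addr.rpartition("@")[2]
        if sender == blocked_sender.lower() and rcpt_domain == local_domain.lower():
            replies.append("550 5.7.1 Policy: internal mail from this sender is not permitted")
        else:
            replies.append("250 OK")
    return replies


# Constructed SMTP session as Sam's mail client would send it to the relay.
SESSION = [
    "HELO pc.xyz.com",
    "MAIL FROM:<sam@xyz.com>",
    "RCPT TO:<ahmed@xyz.com>",     # should be refused
    "RCPT TO:<bob@example.net>",   # should be accepted
]


if __name__ == "__main__":
    # The ACL gives the same verdict for both packets: it cannot tell them apart.
    print("ACL:   to Ahmed   ->", acl_lookup(SAM_BLOCK_ACL, PKT_TO_AHMED))
    print("ACL:   to outside ->", acl_lookup(SAM_BLOCK_ACL, PKT_TO_OUTSIDE))
    for cmd, reply in zip(SESSION, relay_policy(SESSION, "sam@xyz.com", "xyz.com")):
        print(f"RELAY: {cmd:<28} -> {reply}")
```

The ACL half can only say "Sam's PC may or may not talk to the SMTP server on port 25", so both packets get the same verdict regardless of who the recipient is. The relay half refuses exactly the RCPT TO for the local domain and lets the outside recipient through, which is the behaviour the question asks for; in practice that check lives in the mail relay or DMZ mail server the replies recommend, which is also where the envelope addresses are available in a form that can be trusted (after the client has authenticated to it).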
