If you "...share the internet connection with one or more other organisations over whom we have very little control, asides from the config on the ASAs.", don't you think you should at least ask them for specific needs they may have? I'm not sure what your setup is, but I've been in a "shared" internet connection situation before, and you will want to consult with them first rather than arbitrarily blocking everything except for ports that your org needs or else you could have a lawsuit on your hands if you block a business-required service for one of the other orgs just because you didn't feel like asking them first...
EDIT due to totally revised question
- HTTP - TCP:80
- HTTPS- TCP:443
- POP3 - TCP:110 (secure POP is typically TCP:995)
- IMAP4- TCP:143 (secure IMAP is typically TCP:993)
- SMTP - TCP:25 (secure SMTP is typically TCP:465)
- DNS - UDP:53 (external lookups)
These services could be on other ports, but these are the standard ports. Some have mentioned other HTTP ports in the 8000 range which is possible, but public sites typically do not do this. Again, you should monitor the traffic and see if other ports are necessary before opening them up.
If you have established that these ports are indeed used by your company (you have users connecting to external mail servers over POP3, IMAP, and sending mail directly over the SMTP port) you should probably take note of which external IPs they connect to and limit the ACLs to only those IPs on the firewall. This will limit somewhat your exposure if any of your users ever gets infected with a mail worm or other similar virus.
For DNS lookups, depending on your setup, only your internal DNS servers (AD DCs if you are using AD) would be doing any lookups and your clients would use them as their DNS servers. You would typically also know which external DNS servers they are using and limit their outbound lookups to just those external DNS servers for forwarding. If your clients are doing lookups themselves, then again you would probably know which external DNS servers they are going to and limit their outbound connection to just those external servers.
In all of these ACL setups all you need is to allow the port of the service out. Any stateful firewall (I believe you had mentioned you had ASA 5505s? prior to the edit) will recognize a response from the outside and let it in as an established session (and refuse connections that have no established session).
Best Answer
There are no ports that need to be opened for full access in your outbound firewall rules.
Why? Because by proxying requests we can achieve the same thing, except with more control.
The three most common:
Then you simply setup your firewall to allow connections from the IPs associated with the machines running these services ONLY.
Basically, it's a subjective question with no real right answer.