smtp port 25 is blocked - need to unblock

Question

smtp port 25 is blocked - need to unblock

Vahabudeen Pathiyampara 0

Hi Team,

Please help unblock the port 25 (smtp) from the below vnets . vms in our vnets are not able to connect our smtp server on port 25 .

Please let us know if you need more info

Thank you

Marcin Policht 45,880 Reputation points MVP Moderator

2025-04-21T15:33:38.6666667+00:00

This is by design. For details and workarounds, refer to https://learn.microsoft.com/en-us/azure/virtual-network/troubleshoot-outbound-smtp-connectivity

Outbound email messages that are sent directly to external domains (such as outlook.com and gmail.com) from a virtual machine (VM) are made available only to certain subscription types in Microsoft Azure.

Important

For the following examples, the process applies mainly to Azure Virtual Machines & Azure Virtual Machine Scale Sets resources (Microsoft.Compute/virtualMachines & Microsoft.Compute/virtualMachineScaleSets).

It's possible to use port 25 for outbound communication on Azure App Service and Azure Functions through the virtual network integration feature or when App Service Environment v3 is used.

It's also possible to send port 25 outbound communication through Azure Firewall. However, the following subscription limitations described still apply. Sending email on Port 25 is unsupported for all other Azure Platform-as-a-Service (PaaS) resources.

Recommended method of sending email

We recommend you use authenticated SMTP relay services to send email from Azure VMs or from Azure App Service. Connections to authenticated SMTP relay services are typically on TCP port 587 which isn't blocked. These services are used in part to maintain IP reputation which is critical for delivery reliability. Azure Communication Services offers an authenticated SMTP relay service. Ensure that the default rate limits are appropriate for your application and open a support case to raise them if needed.

Using these email delivery services on authenticated SMTP port 587 isn't restricted in Azure, regardless of the subscription type.

Enterprise and MCA-E

For VMs and Azure Firewall that are deployed in standard Enterprise Agreement or Microsoft Customer Agreement for enterprise (MCA-E) subscriptions, the outbound SMTP connections on TCP port 25 aren't blocked. However, there's no guarantee that external domains accept the incoming emails from the VMs and Azure Firewall. For emails rejected or filtered by the external domains, contact the email service providers of the external domains to resolve the problems. These problems aren't covered by Azure support.

For Enterprise Dev/Test subscriptions, port 25 is blocked by default. It's possible to have this block removed. To request to have the block removed, go to the Cannot send email (SMTP-Port 25) section of the Diagnose and Solve section in the Azure Virtual Network resource in the Azure portal and run the diagnostic. This process exempts the qualified enterprise dev/test subscriptions automatically.

After the subscription is exempted from this block, the VMs must be stopped, deallocated, and then restarted to get the new network policy, all VMs in that subscription are exempted going forward. If the virtual network owned by the exempted subscription has a delegated subnet (to an App Service Environment for example), you must add and remove a new temporary subnet in the Virtual Network. The exemption applies only to the subscription requested and only to VM traffic that is routed directly to the internet.

All Other Subscription Types

The Azure platform blocks outbound SMTP connections on TCP port 25 for deployed VMs. This block is to ensure better security for Microsoft partners and customers, protect Microsoft's Azure platform, and conform to industry standards.

If you're using a subscription type that isn't an Enterprise Agreement or MCA-E, we encourage you to use an authenticated SMTP relay service, as outlined earlier in this article.

Changing subscription type

If you change your subscription type from Enterprise Agreement or MCA-E to another type of subscription, changes to your deployments might result in outbound SMTP being blocked.

Need help? Contact support

If you're using an Enterprise Agreement or MCA-E subscription and still need help, contact support to get your problem resolved quickly. Use this issue type: Technical > Virtual Network > Cannot send email (SMTP/Port 25).

If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

hth

Marcin
Luis Arias 8,606 Reputation points Moderator

2025-04-21T20:42:05.83+00:00

Hello Vahabudeen,

Welcome to Q&A, If your VMs (Sources VMs and Destination VMs SMTP Relay) are located in Vnets conected each other, You only need to add a NSG rule , here how you can do it: https://learn.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic?tabs=portal

As mention in the other responds there are many consideration if you have a more complex configuration.

If the information helped address your question, please Accept the answer.

Luis
Vahabudeen Pathiyampara 0 Reputation points

2025-04-22T07:01:23.57+00:00

Hi @Marcin Policht,

I followed the documentation and attempted to unblock port 25, but the output seemed inconclusive—it didn’t appear to detect anything, or perhaps that’s expected?

In any case, I stopped (deallocated) the instance and restarted it after running the diagnostics, but port 25 still appears to be blocked.

Is there any way we can raise a support case for a callback, so this can be addressed immediately?
Nikhil Duserla 6,960 Reputation points Microsoft External Staff Moderator

2025-04-22T13:14:00.8+00:00

Hi @Vahabudeen Pathiyampara,

Please follow below steps as shown in screenshots.

Let me know if you have any further issues. I am happy to assist you back.
Vahabudeen Pathiyampara 0 Reputation points

2025-04-22T14:17:36.1366667+00:00

Hi @Nikhil Duserla ,

Thanks for your response. I followed the steps you suggested, but I’m still seeing the same result.
Nikhil Duserla 6,960 Reputation points Microsoft External Staff Moderator

2025-04-22T14:56:05.59+00:00

Hi @Vahabudeen Pathiyampara,

Thank you for your response. Please check with your ISP has a policy of blocking outbound port 25 connections, except to their official outgoing SMTP servers and try with different network. also try-

Navigate to control panel>>system and security>>Windows defender firewall>>Advanced settings>> Inbound rules>>add new rule>> select port>>Enter a custom rule name, e.g. TCP "Port 25">>allow the connection>>(Domain+Private+Public).

Check whether SMTP port 25 is opened or not

Open up a command prompt.

Type “telnet <server_ip> 25” then hit enter.

Once you are determined the results. Type quit and hit enter

If you have any further queries, do let us know.
Vahabudeen Pathiyampara 0 Reputation points

2025-04-23T11:42:35.3533333+00:00

Hi @Nikhil Duserla

There’s no external ISP involved in this setup. The SMTP server is Office 365, and the SMTP agent is installed on a Linux VM within Azure.

So, the communication is happening from the Azure VNet to Office 365.

Please note, the SMTP communication over port 25 works perfectly fine from any of our on prem environments—this issue only occurs within Azure.

Hope this helps clarify the situation.
Oscar Bergenbrink 0 Reputation points

2025-04-23T13:06:55.8133333+00:00

Hi. I'm going to add some insights here, I'm from the same company as Vahabudeen.

The main goal here is to set up an outgoing email server from the VM in Azure that should be able to send email as any of the office 365 users without the users having to authenticate individually. We thought this would be possible with a connector with certificate authentication.

As far as we have been able to find in the documentation available this should be done with using the mx-record as the relay endpoint and over port 25. If this assumption is incorrect, then please help with solving the actual problem: Using the connector to send emails from an internal service but using office 365.

Setting up all users with oAuth is not going to be a manageble solution, and we can not have one mailbox with deligated rights to send as any user.

We are in a hurry to find a solution here, since we are migrating our entire ERP to a new solution in Azure and our current solution will be unavailable shortly due to the license agreement which will expire. So if a call is a better option to sort this out quickly, then please schedule it with Vahabudeen or me.

1 answer

Your answer

Luis Arias 8,606 Reputation points Moderator

2025-04-21T20:42:05.83+00:00

Hello Vahabudeen,

Welcome to Q&A, If your VMs (Sources VMs and Destination VMs SMTP Relay) are located in Vnets conected each other, You only need to add a NSG rule , here how you can do it: https://learn.microsoft.com/en-us/azure/virtual-network/tutorial-filter-network-traffic?tabs=portal

As mention in the other responds there are many consideration if you have a more complex configuration.

If the information helped address your question, please Accept the answer.

Luis
Vahabudeen Pathiyampara 0 Reputation points

2025-04-22T07:01:23.57+00:00

Hi @Marcin Policht,

I followed the documentation and attempted to unblock port 25, but the output seemed inconclusive—it didn’t appear to detect anything, or perhaps that’s expected?

In any case, I stopped (deallocated) the instance and restarted it after running the diagnostics, but port 25 still appears to be blocked.

Is there any way we can raise a support case for a callback, so this can be addressed immediately?
Nikhil Duserla 6,960 Reputation points Microsoft External Staff Moderator

2025-04-22T13:14:00.8+00:00

Hi @Vahabudeen Pathiyampara,

Please follow below steps as shown in screenshots.

Let me know if you have any further issues. I am happy to assist you back.
Vahabudeen Pathiyampara 0 Reputation points

2025-04-22T14:17:36.1366667+00:00

Hi @Nikhil Duserla ,

Thanks for your response. I followed the steps you suggested, but I’m still seeing the same result.
Nikhil Duserla 6,960 Reputation points Microsoft External Staff Moderator

2025-04-22T14:56:05.59+00:00

Hi @Vahabudeen Pathiyampara,

Thank you for your response. Please check with your ISP has a policy of blocking outbound port 25 connections, except to their official outgoing SMTP servers and try with different network. also try-

Navigate to control panel>>system and security>>Windows defender firewall>>Advanced settings>> Inbound rules>>add new rule>> select port>>Enter a custom rule name, e.g. TCP "Port 25">>allow the connection>>(Domain+Private+Public).

Check whether SMTP port 25 is opened or not

Open up a command prompt.

Type “telnet <server_ip> 25” then hit enter.

Once you are determined the results. Type quit and hit enter

If you have any further queries, do let us know.
Vahabudeen Pathiyampara 0 Reputation points

2025-04-23T11:42:35.3533333+00:00

Hi @Nikhil Duserla

There’s no external ISP involved in this setup. The SMTP server is Office 365, and the SMTP agent is installed on a Linux VM within Azure.

So, the communication is happening from the Azure VNet to Office 365.

Please note, the SMTP communication over port 25 works perfectly fine from any of our on prem environments—this issue only occurs within Azure.

Hope this helps clarify the situation.
Oscar Bergenbrink 0 Reputation points

2025-04-23T13:06:55.8133333+00:00

Hi. I'm going to add some insights here, I'm from the same company as Vahabudeen.

The main goal here is to set up an outgoing email server from the VM in Azure that should be able to send email as any of the office 365 users without the users having to authenticate individually. We thought this would be possible with a connector with certificate authentication.

As far as we have been able to find in the documentation available this should be done with using the mx-record as the relay endpoint and over port 25. If this assumption is incorrect, then please help with solving the actual problem: Using the connector to send emails from an internal service but using office 365.

Setting up all users with oAuth is not going to be a manageble solution, and we can not have one mailbox with deligated rights to send as any user.

We are in a hurry to find a solution here, since we are migrating our entire ERP to a new solution in Azure and our current solution will be unavailable shortly due to the license agreement which will expire. So if a call is a better option to sort this out quickly, then please schedule it with Vahabudeen or me.

Answer 1

Hello Vahabudeen Pathiyampara,

In Azure, outbound SMTP traffic on TCP port 25 is blocked by default for most subscription types, including from VMs.

This is confirmed in MS documentation-

"The Azure platform blocks outbound SMTP connections on TCP port 25 for deployed VMs. This block is to ensure better security for Microsoft partners and customers, protect Microsoft's Azure platform, and conform to industry standards."

Troubleshoot outbound SMTP connectivity in Azure Microsoft Learn

enter image description here

Even though Office 365 allows SMTP relay over port 25, Azure VMs cannot send unauthenticated email over port 25 unless certain conditions are met.

How to fix it?

Ans- You have two options-

Option 1: Instead of port 25, you should configure your application or SMTP agent to use SMTP submission over port 587 with authentication.

Microsoft officially recommends this method:

"We recommend you use authenticated SMTP relay services to send email from Azure VMs. Connections to authenticated SMTP relay services are typically on TCP port 587 which isn't blocked."

Troubleshoot outbound SMTP connectivity in Azure Microsoft Learn

enter image description here

For Office 365 SMTP submission setup, Microsoft states:

"Use SMTP AUTH client submission (Option 1) to send emails from devices or applications through Microsoft 365 or Office 365. SMTP AUTH uses TCP port 587."

Set up SMTP client submission in Microsoft 365 | Microsoft Learn

You can authenticate with an Office 365 licensed mailbox to relay emails securely.

Option 2: If your Azure subscription is an Enterprise Agreement (EA) or Microsoft Customer Agreement for Enterprise (MCA-E) subscription, you can request to have the port 25 block removed.

As per Microsoft document-

"For VMs deployed in standard Enterprise Agreement or MCA-E subscriptions, the outbound SMTP connections on TCP port 25 aren't blocked."

"To request to have the block removed, go to the Diagnose and Solve Problems section of the Virtual Network resource in the Azure portal and run the diagnostic."

Troubleshoot outbound SMTP connectivity in Azure Microsoft Learn

After the unblock request is approved, you must stop, deallocate, and restart the VM to apply the new network policies.

Hope this clarifies your query.

Share via

smtp port 25 is blocked - need to unblock

1 answer

Your answer