port 25 help
PS C:\Windows\system32> Test-NetConnection -ComputerName smtp.gmail.com -Port 25
>> WARNING: TCP connect to (172.253.63.108 : 25) failed
ComputerName : smtp.gmail.com
RemoteAddress : 172.253.63.108
RemotePort : 25
InterfaceAlias : Ethernet
SourceAddress : 10.1.0.4
PingSucceeded : True
PingReplyDetails (RTT) : 7 ms
TcpTestSucceeded : False
-
Venkatesan S 9,305 Reputation points • Microsoft External Staff • Moderator
Hi Dalyn Rhoades,
We haven’t heard back from you regarding our last response and wanted to check if you had the opportunity to review our previous post.
Please “up-vote” if the information helped you. This will help us and others in the community as well.
3 answers
-
Praveen Bandaru 11,635 Reputation points • Microsoft External Staff • Moderator
Hello Dalyn Rhoades
Azure does not allow outbound SMTP traffic on port 25 from most of its services. This restriction is in place for many subscription types to help maintain the global IP reputation of Azure resources.
Check the steps below to find whether port 25 is enabled on your subscription. Go to the “Diagnose and solve problems” blade, select “Cannot send email (SMTP–Port 25),” and start the Port 25 diagnostic.
If your subscription is not an Enterprise Agreement or MCA-E, it is recommended to use an authenticated SMTP relay service, as previously mentioned.
https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-network/troubleshoot-outbound-smtp-connectivity#enterprise-and-mca-e
To send email from Azure VMs or Azure App Service, use an authenticated SMTP relay service on TCP port 587. Outbound SMTP connections on TCP port 25 are blocked to enhance security, protect the Azure platform, and follow industry best practices. Check the reference documents: https://learn.microsoft.com/en-us/azure/communication-services/overview
Check the reference thread below to find the answer: https://learn.microsoft.com/en-us/answers/questions/5625166/how-can-i-request-azure-to-unblock-outbound-smtp-p
I hope the above answer helps you! Please let us know if you have any further questions.
Please don't forget to "upvote" where the information provided will help you, this can be beneficial to other members of the community.
-
Venkatesan S 9,305 Reputation points • Microsoft External Staff • Moderator
Hi Dalyn Rhoades,
Thanks for reaching out in Microsoft Q&A forum,
Your Test-NetConnection failed on port 25 because Azure blocks outbound SMTP traffic on port 25 by default for nearly all subscription types. This is a platform-level restriction enforced by Azure to prevent spam and protect the global IP reputation of Azure resources, not a problem with your Windows Firewall, network configuration, or DNS.
The key evidence is that your ping succeeded (7 ms RTT) but the TCP connection failed. This confirms that the remote host is reachable, but Azure's fabric layer is silently dropping outbound port 25 traffic before it even leaves your
Gmail still listens on port 25, but Azure blocks outbound connections to it unless you have an Enterprise Agreement (EA) or MCA-E subscription. Even Enterprise Dev/Test subscriptions have port 25 blocked by default, though you can request an exemption through the Azure portal.
The simplest and most reliable fix is to use Gmail's authenticated SMTP on port 587 (or 465 if you prefer implicit TLS). These ports are not blocked by Azure and work with all subscription types. Test connectivity with:
Test-NetConnection -ComputerName smtp.gmail.com -Port 587
You should see TcpTestSucceeded : True. Then configure your email client or application to use:
- SMTP server: smtp.gmail.com
- Port: 587 (with STARTTLS) or 465 (with implicit SSL/TLS)
- Authentication: Your Gmail address and an App Password (requires 2FA enabled) or OAuth2
If you do have an Enterprise Agreement or Enterprise Dev/Test subscription and must use port 25, you can request an exemption:
- Open the Azure portal and navigate to your Virtual Network resource
- Click Diagnose and solve problems
- Select Cannot send email (SMTP–Port 25)
- Run the diagnostic to submit the unblock request
For non-EA subscriptions, port 25 cannot be unblocked. In that case, using port 587 with authenticated SMTP is Microsoft's recommended approach for sending email from Azure VMs or App Service.
Microsoft Document:
- Troubleshoot outbound SMTP connectivity in Azure: https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-network/troubleshoot-outbound-smtp-connectivity
- Azure Firewall known issues and limitations: https://learn.microsoft.com/en-us/troubleshoot/azure/firewall/firewall-known-issues
Kindly let us know if the above helps or you need further assistance on this issue.
Please do not forget to “up-vote” wherever the information provided helps you, this can be beneficial to other community members.
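Added example, not part of any answer in this thread: a PowerShell check that goes one step past Test-NetConnection by confirming that the relay on port 587 offers STARTTLS and presents a certificate valid for its host name before you configure a client. The function name Test-SmtpSubmission and its parameters are assumptions made for this sketch; it sends no credentials and no mail.

```powershell
# Added example, not from the thread. Test-SmtpSubmission is a hypothetical name.
function Test-SmtpSubmission {
    param(
        [string]$Server = 'smtp.gmail.com',   # host used in the thread
        [int]$Port = 587,
        [int]$TimeoutMs = 5000
    )
    $r = [ordered]@{
        Port = $Port; TcpConnected = $false; Banner = $null
        StartTlsOffered = $false; TlsProtocol = $null; CertSubject = $null; Error = $null
    }
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        # A silently dropped connection (the port 25 case) ends in a timeout here.
        if (-not $client.ConnectAsync($Server, $Port).Wait($TimeoutMs)) {
            $r.Error = 'TCP connect timed out'
            return [pscustomobject]$r
        }
        $r.TcpConnected = $true
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $ascii  = [System.Text.Encoding]::ASCII
        $reader = [System.IO.StreamReader]::new($stream, $ascii)
        $writer = [System.IO.StreamWriter]::new($stream, $ascii)
        $writer.NewLine = "`r`n"; $writer.AutoFlush = $true
        $r.Banner = $reader.ReadLine()                      # 220 greeting
        $writer.WriteLine("EHLO $([System.Net.Dns]::GetHostName())")
        do {                                                # "250-..." lines end with "250 ..."
            $line = $reader.ReadLine()
            if ($line -match '^250[- ]STARTTLS') { $r.StartTlsOffered = $true }
        } while ($line -match '^250-')
        if (-not $r.StartTlsOffered) { return [pscustomobject]$r }
        $writer.WriteLine('STARTTLS')
        if ($reader.ReadLine() -notmatch '^220') { return [pscustomobject]$r }
        # SslStream checks the certificate chain and host name by default and throws on failure.
        $tls = [System.Net.Security.SslStream]::new($stream, $false)
        $tls.AuthenticateAsClient($Server)
        $r.TlsProtocol = $tls.SslProtocol
        $r.CertSubject = $tls.RemoteCertificate.Subject
    }
    catch { $r.Error = $_.Exception.GetBaseException().Message }
    finally { $client.Dispose() }
    [pscustomobject]$r
}

# Compare the blocked port with the submission port.
25, 587 | ForEach-Object { Test-SmtpSubmission -Port $_ } |
    Format-List Port, TcpConnected, StartTlsOffered, TlsProtocol, CertSubject, Error
```

A row with TcpConnected False and a timeout error points at a network-level block; a row with TcpConnected True but an Error from AuthenticateAsClient points at TLS interception or a certificate problem on the path.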
-
Marcin Policht 92,630 Reputation points • MVP • Volunteer Moderator
That's expected. Refer to https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-network/troubleshoot-outbound-smtp-connectivity for details:
Outbound email messages that are sent directly to external domains (such as outlook.com and gmail.com) from a virtual machine (VM) are made available only to certain subscription types in Microsoft Azure. This article helps you resolve SMTP connectivity issues and configure reliable email delivery from your Azure VMs.
Recommended method of sending email
We recommend you use authenticated SMTP relay services to send email from Azure VMs or from Azure App Service. Connections to authenticated SMTP relay services are typically on TCP port 587 and aren't blocked. These services are used in part to maintain IP reputation that is critical for delivery reliability. Azure Communication Services offers an authenticated SMTP relay service. Ensure that the default rate limits are appropriate for your application and open a support case to raise them if needed.
Using these email delivery services on authenticated SMTP port 587 isn't restricted in Azure, regardless of the subscription type.
Enterprise and MCA-E
For VMs and Azure Firewall that are deployed in standard Enterprise Agreement or Microsoft Customer Agreement for enterprise (MCA-E) subscriptions, the outbound SMTP connections on TCP port 25 aren't blocked. However, there's no guarantee that external domains accept the incoming emails from the VMs and Azure Firewall. For emails rejected or filtered by the external domains, contact the email service providers of the external domains to resolve the problems. These problems aren't covered by Azure support.
For Enterprise Dev/Test subscriptions, port 25 is blocked by default. It's possible to have this block removed. To request to have the block removed, go to the Cannot send email (SMTP-Port 25) section of the Diagnose and Solve section in the Azure Virtual Network resource in the Azure portal and run the diagnostic. This process exempts the qualified enterprise dev/test subscriptions automatically.
After the subscription is exempted from this block, the VMs must be stopped, deallocated, and then restarted to get the new network policy; all VMs in that subscription are exempted going forward. If the virtual network owned by the exempted subscription has a delegated subnet (to an App Service Environment for example), you must add and remove a new temporary subnet in the Virtual Network. The exemption applies only to the subscription requested and only to VM traffic that is routed directly to the internet.
All other subscription types
The Azure platform blocks outbound SMTP connections on TCP port 25 for deployed VMs. This block is to ensure better security for Microsoft partners and customers, protect Microsoft's Azure platform, and conform to industry standards.
If you're using a subscription type that isn't an Enterprise Agreement or MCA-E, we encourage you to use an authenticated SMTP relay service, as outlined earlier in this article.
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
