I am hosting an email server (Postfix) on my Azure cloud in a Virtualmin VM. I have set up the Azure Network Security Group settings to allow inbound/outbound traffic on port 25, but the email server returns either “Network is unreachable” or “Connection timed out”. Telnet on port 25 also fails. I have purchased a domain, and am now setting up a mail server on a subdomain. Please assist.
You’re encountering a common issue with port 25 on cloud providers like Azure—even though you’ve opened port 25 in your Network Security Group (NSG), Azure by default blocks outbound traffic on port 25 for spam prevention and security reasons.
Summary of the Issue
- Inbound on port 25: Azure allows this if NSG permits it.
- Outbound on port 25: Blocked by Azure by default on most subscriptions (including Pay-as-you-Go, MSDN, etc.).
Error Messages Explained
- “Network is unreachable” / “Connection timed out” during SMTP (port 25) testing via Telnet.
- These errors mean your server can’t establish outgoing SMTP connections to other mail servers (e.g., Gmail, Yahoo).
Solution Options
Option 1: Use an SMTP Relay (Recommended for Azure)
Use a trusted SMTP relay (a.k.a. “smart host”) to send mail. Popular choices:
- SendGrid (official Azure partner)
- Mailgun
- Amazon SES
- Postmark
- SMTP2GO
Postfix Relay Setup Example (e.g., SendGrid): Edit /etc/postfix/main.cf:
relayhost = [smtp.sendgrid.net]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
# Require TLS so the SASL credentials are never sent in cleartext
smtp_tls_security_level = encrypt
Then create /etc/postfix/sasl_passwd:
[smtp.sendgrid.net]:587 apikey:SG.xxxxxxxx
Run:
postmap /etc/postfix/sasl_passwd
chmod 600 /etc/postfix/sasl_passwd*
systemctl restart postfix
Option 2: Request port 25 unblocking from Azure (Enterprise Only)
- Azure only allows port 25 unblocking for Enterprise or paid support plan customers.
- You must submit a support request via the Azure Portal under “Networking” → “Can’t send email on port 25”.
Note: If you’re on a free or standard Pay-as-you-Go plan, this request will likely be denied.
Option 3: Use alternative ports (587 or 465) for sending
These ports are used for authenticated SMTP, but receiving mail on port 25 is still required if you want to run your own mail server (MTA).
So this only helps with sending, not receiving.
Additional Setup Tips
- Ensure DNS is properly configured:
  - A record for mail.example.com
  - MX record pointing to mail.example.com
  - SPF, DKIM, DMARC records set up for mail delivery
- Open required ports in NSG:
  - TCP 25 (for receiving mail)
  - TCP 587 (for sending mail via submission)
  - TCP 993/143 (IMAP)
  - TCP 465/110 (SMTP/POP3, optional)
Recommendation
Unless you’re on Azure’s Enterprise plan, it’s best to relay mail via a third-party SMTP provider. This avoids Azure’s port 25 restrictions and improves your email deliverability.
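Added example, not part of the original answer: a small probe to run on the VM that separates the two errors from the question ("Network is unreachable", "Connection timed out") from a refused connection, and compares outbound port 25 with port 587. The function names, the script layout and the MX host passed on the command line are assumptions; smtp.sendgrid.net is the relay host from the answer.

```python
import errno
import socket
import sys

def probe(host, port, timeout=5.0):
    """Attempt one outbound TCP connection and classify the outcome."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except (socket.timeout, TimeoutError):
        return "timeout"          # SYNs dropped on the path: "Connection timed out"
    except ConnectionRefusedError:
        return "refused"          # host reached, but nothing listens on that port
    except socket.gaierror:
        return "dns-failure"      # name did not resolve; not a port problem
    except OSError as exc:
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"  # no route: "Network is unreachable"
        return "error"

def diagnose(p25, p587):
    """Interpret the status of port 25 (remote MX) and port 587 (relay)."""
    filtered = ("timeout", "unreachable")
    if p25 == "open":
        return "outbound 25 works: direct delivery is possible"
    if p25 in filtered and p587 == "open":
        return "outbound 25 filtered, 587 open: relay through a smart host"
    if p25 in filtered and p587 in filtered:
        return "no outbound SMTP: check NSG outbound rules, routes, local firewall"
    return "inconclusive: check DNS and the remote host"

if __name__ == "__main__":
    # Usage (assumed): python3 smtp_probe.py <mx-host-of-a-recipient-domain>
    mx_host = sys.argv[1]
    relay_host = "smtp.sendgrid.net"   # relay host used in the answer above
    p25 = probe(mx_host, 25)
    p587 = probe(relay_host, 587)
    print(f"{mx_host}:25 -> {p25}")
    print(f"{relay_host}:587 -> {p587}")
    print(diagnose(p25, p587))
```

A "refused" result on port 25 means the packet left Azure and reached the remote host, so the cause is at the remote end rather than the platform block.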