Postfix via Webmin/Virtualmin on Azure

I am hosting an email server (Postfix) on my Azure cloud in a Virtualmin VM. I have set up the Azure Network Security Group settings to allow inbound/outbound traffic on port 25, but the email server either returns “Network is unreachable” or “Connection timed out”. Telnet on port 25 also fails. I have purchased a domain and am now setting up a mail server on a subdomain. Please assist.

You’re encountering a common issue with port 25 on cloud providers like Azure—even though you’ve opened port 25 in your Network Security Group (NSG), Azure by default blocks outbound traffic on port 25 for spam prevention and security reasons.


Summary of the Issue

  • Inbound on port 25: Azure allows this if NSG permits it.
  • Outbound on port 25: Blocked by Azure by default on most subscriptions (including Pay-as-you-Go, MSDN, etc.).

Error Messages Explained

  • Network is unreachable / Connection timed out during SMTP (port 25) testing via Telnet.
  • These errors mean your server can’t establish outgoing SMTP connections to other mail servers (e.g., Gmail, Yahoo).

Solution Options

Option 1: Use an SMTP Relay (Recommended for Azure)

Use a trusted SMTP relay (a.k.a. “smart host”) to send mail. Popular choices:

  • SendGrid (official Azure partner)
  • Mailgun
  • Amazon SES
  • Postmark
  • SMTP2GO

Postfix Relay Setup Example (e.g., SendGrid): Edit /etc/postfix/main.cf:

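relayhost = [smtp.sendgrid.net]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
# Require TLS to the relay so the SASL credentials are never sent in cleartext
smtp_tls_security_level = encrypt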

Then create /etc/postfix/sasl_passwd:

[smtp.sendgrid.net]:587 apikey:SG.xxxxxxxx

Run:

postmap /etc/postfix/sasl_passwd
chmod 600 /etc/postfix/sasl_passwd*
systemctl restart postfix

Option 2: Request port 25 unblocking from Azure (Enterprise Only)

  • Azure only allows port 25 unblocking for Enterprise or paid support plan customers.
  • You must submit a support request via the Azure Portal under “Networking” → “Can’t send email on port 25”.

Note: If you’re on a free or standard Pay-as-you-Go plan, this request will likely be denied.


Option 3: Use alternative ports (587 or 465) for sending

These ports are used for authenticated SMTP, but receiving mail on port 25 is still required if you want to run your own mail server (MTA).

So this only helps with sending, not receiving.


Additional Setup Tips

  • Ensure DNS is properly configured:
    • A record for mail.example.com
    • MX record pointing to mail.example.com
    • SPF, DKIM, DMARC records set up for mail delivery
  • Open required ports in NSG:
    • TCP 25 (for receiving mail)
    • TCP 587 (for sending mail via submission)
    • TCP 993/143 (IMAP)
    • TCP 465/110 (SMTP/POP3, optional)

Recommendation

Unless you’re on Azure’s Enterprise plan, it’s best to relay mail via a third-party SMTP provider. This avoids Azure’s port 25 restrictions and improves your email deliverability.
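
A check for the relay setup described in Option 1, as an added example that is not part of the original answer: it flags a relay configuration that would send the SASL credentials without enforced TLS or leave the API key file readable by other users. The function names and the sample files are constructed for this example, and it reads the files directly rather than calling postconf.

```shell
#!/bin/sh
# Added example: audit a Postfix relay setup for credential-exposure risks.
# Reads the files directly, so it also works where postconf is not installed.

# Print the last value assigned to parameter $2 in main.cf-style file $1.
conf_get() {
    sed -n "s/^$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed 's/[[:space:]]*$//'
}

flag() { echo "FINDING: $1"; findings=$((findings + 1)); }

# audit_relay MAIN_CF SASL_PASSWD: prints findings, exit status = their count.
audit_relay() {
    findings=0
    [ -n "$(conf_get "$1" relayhost)" ] ||
        flag "relayhost is not set; mail is sent direct on port 25"
    [ "$(conf_get "$1" smtp_sasl_auth_enable)" = yes ] ||
        flag "smtp_sasl_auth_enable is not yes"
    # Anything weaker than 'encrypt' lets the SASL login go out in cleartext
    # when STARTTLS is missing or stripped in transit.
    case $(conf_get "$1" smtp_tls_security_level) in
        encrypt|dane-only|fingerprint|verify|secure) ;;
        *) flag "smtp_tls_security_level does not enforce TLS to the relay" ;;
    esac
    # The API key is stored in cleartext in the map source and its .db file.
    for f in "$2" "$2.db"; do
        [ -e "$f" ] || continue
        mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
        [ "$mode" = 600 ] || flag "$f has mode $mode, expected 600"
    done
    return "$findings"
}

# Constructed sample: a relay config with no TLS setting and a world-readable map.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'relayhost = [smtp.sendgrid.net]:587' \
        'smtp_sasl_auth_enable = yes' \
        'smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd' \
        'smtp_sasl_security_options = noanonymous' > "$d/main.cf"
    echo '[smtp.sendgrid.net]:587 apikey:SG.xxxxxxxx' > "$d/sasl_passwd"
    chmod 644 "$d/sasl_passwd"
    audit_relay "$d/main.cf" "$d/sasl_passwd"; rc=$?
    rm -rf "$d"
    return "$rc"
}
```

Run it against the live files with `audit_relay /etc/postfix/main.cf /etc/postfix/sasl_passwd`; a non-zero exit status is the number of findings.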