Share via

How to open port 25 for inbound email (don't need outbound on acs) for mailcow server on azure vm

Andrew McDonald 20 Reputation points
2026-04-30T15:26:54.16+00:00

I am a Pay-As-You-Go customer running a legitimate mail server on an Azure VM (Sweden Central). I am being charged for this VM but cannot receive email on it because Azure blocks inbound port 25. This renders the VM unfit for its intended and legitimate purpose. I am already using Azure Communication Services as my outbound relay — I am an invested Azure customer using multiple paid services. I am not attempting to bypass spam controls — I need inbound port 25 open so external mail servers can deliver email to my domain. SPF, DKIM, DMARC, and PTR records are all correctly configured. This is a legitimate mail server, not a spam operation. I believe charging for infrastructure that cannot perform its core function without an arbitrary restriction is unreasonable. I am requesting inbound port 25 be unblocked on this VM, or alternatively guidance on how to achieve this without upgrading to an Enterprise Agreement.
What information is needed? or how do i get in touch with someone? my support requests for this and other items are repeatedly failing!

Azure Virtual Network
Azure Virtual Network

An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.

0 comments

Answer accepted by question author

  1. Q&A Assist
    2026-04-30T15:27:12.9133333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Inbound SMTP on TCP port 25 to Azure VMs is not blocked by the Azure platform. The platform-level restriction described in the documentation applies to outbound SMTP on port 25, and is subscription-type dependent.

    For Pay-As-You-Go subscriptions specifically:

    • Outbound port 25 is blocked from all resources and this restriction cannot be removed. An SMTP relay service (such as Azure Communication Services on port 587) must be used for outbound mail.
    • The documentation does not state any Azure platform block on inbound port 25. Inbound access is controlled by:
      • Network Security Group (NSG) rules on the VM NIC and subnet
      • Any Azure Firewall / NVA in front of the VM
      • The guest OS firewall on the VM

    To receive inbound email on port 25 to the mailcow server VM:

    1. Ensure DNS MX and A records for the mail domain point to the VM’s public IP (or to a load balancer that fronts it).
    2. In the Azure portal, on the VM’s NIC and subnet NSGs, create an inbound rule:
      • Port: 25
      • Protocol: TCP
      • Source: as required (typically Internet or restricted IP ranges)
      • Action: Allow
      • Priority: lower number than any deny rule that might block it.
    3. If using Azure Firewall or another NVA, add a DNAT rule to forward TCP 25 from the public IP to the VM’s private IP, and allow that traffic in the firewall rules.
    4. Inside the VM, open TCP 25 in the OS firewall and confirm the mailcow service is listening on port 25.

    Because Pay-As-You-Go subscriptions cannot have the outbound port 25 block removed, continue using Azure Communication Services (or another authenticated SMTP relay) for outbound mail on port 587 as recommended.

    For support contact:

    • For Pay-As-You-Go, the platform will not remove the outbound port 25 restriction. If there are issues beyond that (for example, subscription type behavior not matching the documented rules), open a Technical support request under Virtual Network or Virtual Machines, selecting the closest issue type (for SMTP issues, the documented path is under Virtual Network → “Cannot send email (SMTP/Port 25)” but exemptions are not granted for Pay-As-You-Go). Provide:
      • Subscription ID and region
      • VM name and resource group
      • Confirmation of NSG rules and firewall configuration
      • Packet captures or connection test results if inbound 25 still fails.

    There is no documented Azure mechanism to request unblocking outbound port 25 for Pay-As-You-Go subscriptions without moving to a subscription type that allows it. Inbound port 25, however, is achievable via NSG/firewall and DNS configuration as described.

    References:

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Vallepu Venkateswarlu 8,430 Reputation points Microsoft External Staff Moderator
    2026-04-30T17:08:16.5633333+00:00

    Hi @ Andrew McDonald,

    Welcome to Microsoft Q&A Platform.

    I am requesting inbound port 25 be unblocked on this VM, or alternatively guidance on how to achieve this without upgrading to an Enterprise Agreement.

    Azure restricts outbound SMTP traffic on port 25 from most services. This limitation is enforced across many subscription types to help protect the global IP reputation of Azure resources. The recommended way to send email from Azure VMs or Azure App Service is to use an authenticated SMTP relay service, which operates on TCP port 587.

    Follow the Recommended method of sending email from Azure VM

    Outbound SMTP traffic on port 25 is restricted by default and cannot be enabled without meeting specific subscription requirements, such as an Enterprise Agreement.

    However, for Azure VMs and Azure Firewall resources deployed under Enterprise Agreement or MCA-E subscriptions, outbound SMTP traffic on TCP port 25 is typically allowed.

    Ref: Enterprise and MCA-E

    Azure Communication Services – These services are used in part to maintain IP reputation that is critical for delivery reliability, Azure Communication Services provides an authenticated SMTP relay that you can use, and if you need higher throughput, you can request increased limits through a support case. Sending email over authenticated SMTP on port 587 is fully supported and not restricted in Azure for any subscription type.

    Ref: Azure Communication Services and authenticated SMTP relay service.

    I hope this information helps resolve your issue. Please feel free to ask if the provided solution does not help or if you have any additional questions.

    Please210246-screenshot-2021-12-10-121802.pngand “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

    0 comments
  2. TP 155.8K Reputation points Volunteer Moderator
    2026-04-30T15:37:55.4566667+00:00

    Hi Andrew,

    Inbound port 25 isn't normally blocked.

    Do you have inbound rule allowing TCP port 25 in your Network Security Group (NSG)?

    What operating system is the VM running? Do you have inbound OS firewall rule for TCP port 25?

    -TP

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.