Many VPS providers block outbound port 25 (SMTP) by default to prevent spam abuse. Hetzner and OVH leave port 25 open. DigitalOcean and Vultr block it but accept unblock requests via support ticket. AWS and Google Cloud block it and make unblocking difficult or impossible. If you can't get port 25 unblocked, use an external SMTP relay (SendGrid, Mailgun, AWS SES) as a smarthost — your server handles everything except final delivery.
VPS Blocked Port 25: How to Fix or Work Around SMTP Restrictions
Port 25 Blocked: Diagnosis and Solutions
Port 25 is the standard port for server-to-server email delivery. When your VPS provider blocks it, your mail server can receive email but can't deliver outbound to other servers. You'll see connection timeouts in your Postfix logs and mail piling up in the queue.
Testing Port 25
From your VPS:
# Test outbound port 25
telnet gmail-smtp-in.l.google.com 25
# Expected if open:
# Trying 142.250.x.x...
# Connected to gmail-smtp-in.l.google.com.
# 220 mx.google.com ESMTP
# Expected if blocked:
# Trying 142.250.x.x...
# (hangs, then times out)
# Alternative test:
nc -zv gmail-smtp-in.l.google.com 25 -w 5
If the connection times out, port 25 is blocked.
Provider Policies
| Provider | Port 25 Default | Unblock Process | Success Rate |
|---|---|---|---|
| Hetzner | Open | N/A | N/A |
| OVH | Open | N/A | N/A |
| DigitalOcean | Blocked | Support ticket | High (1-3 days) |
| Vultr | Blocked | Support ticket | High (1-2 days) |
| Linode | Blocked (new accounts) | Support ticket | High |
| AWS EC2 | Blocked | Request form | Moderate |
| AWS Lightsail | Blocked | Same as EC2 | Moderate |
| Google Cloud | Blocked | Very difficult | Low |
| Azure | Blocked | Enterprise only | Low |
| Oracle Cloud | Blocked | Support ticket | Moderate |
Requesting Unblock
DigitalOcean
- Open a support ticket at cloud.digitalocean.com/support
- Subject: "Request to unblock SMTP port 25"
- Include:
- Your droplet ID
- The domain you'll be sending from
- Brief description of your mail server use case
- Confirmation you'll follow anti-spam best practices
- Wait 1-3 business days
Tips for approval:
- Use a paid account (not free trial)
- Have an established account history
- Be specific about your use case (not "I want to send email")
- Mention you'll implement SPF, DKIM, DMARC
Vultr
- Open a support ticket at my.vultr.com/support
- Request SMTP port 25 access
- Provide your instance ID and use case
- Typically approved within 1-2 business days
AWS
- Submit the AWS SMTP Request Form
- Provide your Elastic IP, use case, and expected volume
- Describe your bounce/complaint handling procedures
- Wait 1-5 business days
- AWS may ask follow-up questions or deny the request
AWS is more selective. New accounts with no history are sometimes denied. Consider using SES instead.
Google Cloud / Azure
Google Cloud effectively doesn't allow port 25 for most use cases. Azure restricts it to enterprise agreements. Don't plan on running a mail server on either platform.
Workaround: Smarthost Relay
If you can't get port 25 unblocked — or prefer not to manage outbound delivery — configure your server to relay through an external SMTP service.
Your mail server handles:
- Mailbox management (IMAP)
- Inbound delivery (port 25 inbound is usually open)
- DKIM signing
- Spam filtering
- User authentication
The relay handles:
- Outbound delivery to recipient servers
- Port 25 connectivity
- Delivery retries
Postfix Smarthost Configuration
# /etc/postfix/main.cf
relayhost = [smtp.mailgun.org]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
Create the credentials file:
# /etc/postfix/sasl_passwd
[smtp.mailgun.org]:587 [email protected]:your-api-key
# Secure and hash it
chmod 600 /etc/postfix/sasl_passwd
postmap /etc/postfix/sasl_passwd
systemctl restart postfix
Relay Service Options
| Service | Cost | Notes |
|---|---|---|
| Mailgun | $0.80/1K after free tier | Good for moderate volume |
| SendGrid | $0.50/1K+ | Familiar to most users |
| Amazon SES | $0.10/1K | Cheapest per-message |
| Postmark | $1.25/1K | Best transactional reputation |
| SMTP2GO | $0.80/1K+ | Relay-focused service |
Trade-offs of Smarthost Approach
Advantages:
- Works on any VPS, even with port 25 blocked
- Leverages relay service's delivery infrastructure
- Reduces your IP reputation management burden
Disadvantages:
- Per-message cost adds up at scale
- DKIM may need to be signed by the relay (dual-signing recommended)
- Adds dependency on a third-party service
- Slightly increased delivery latency
Practitioner note: I've set up smarthosts for clients on DigitalOcean who didn't want to wait for port 25 approval. Mailgun as a relay costs pennies for low-volume servers and eliminates the port 25 issue entirely. For clients under 50K emails/month, the convenience outweighs the cost.
The Best Approach: Choose the Right Provider
The simplest solution is to use a provider that doesn't block port 25:
- Hetzner — port 25 open, $4/month ARM instances
- OVH — port 25 open, multiple datacenter regions
If you're currently on a provider that blocks port 25 and you haven't deployed yet, migrating to Hetzner or OVH eliminates the problem entirely. If you're already deployed, the smarthost approach avoids migration.
Practitioner note: Every new self-hosted email project I start goes on Hetzner unless the client has a specific reason for another provider. The port 25 issue wastes 1-3 days on DigitalOcean and Vultr, and is sometimes a dead end on AWS. Life is too short to fight your hosting provider for basic SMTP access.
If you're stuck with a blocked port 25 and need help configuring a smarthost relay, schedule a consultation — I'll set up the relay and verify outbound delivery works correctly.
Sources
- DigitalOcean: SMTP Blocking Policy
- Vultr: Blocked Ports
- AWS: EC2 Email Sending
- Hetzner: Cloud Documentation
v1.0 · April 2026
Frequently Asked Questions
Why do VPS providers block port 25?
To prevent spam. Fresh VPS instances are frequently provisioned by spammers who blast email and abandon the server. Blocking port 25 by default eliminates this abuse vector. Legitimate mail server operators can request unblocking.
How do I check if port 25 is blocked?
From your VPS, run: 'telnet gmail-smtp-in.l.google.com 25'. If you get a connection and see a 220 response, port 25 is open. If it times out or shows 'Connection refused', port 25 is blocked by your provider.
Can I run a mail server without port 25?
You can receive email on port 25 (inbound is rarely blocked) and use ports 587/465 for client submission. But outbound server-to-server delivery requires port 25. Without it, you need a relay/smarthost for outbound delivery.
What's a smarthost workaround?
Configure your mail server to relay outbound email through an external SMTP service (SendGrid, Mailgun, SES) that has port 25 access. Your server handles everything — mailboxes, filtering, DKIM signing — except the final delivery hop.
Want this handled for you?
Free 30-minute strategy call. Walk away with a plan either way.