Connection Issue with Exchange Online Protection via Port 25 from Azure VM

Square

Recently I set up a new Exchange 2016 environment in my home lab and installed an Exchange Edge server to receive and send mail. Due to router limitations (unitymedia removed the configuration option in my router to forward incoming traffic on port 25 to a specific private IP), I decided to provision the Exchange Edge VM in Azure. Because of connection issues (target host cannot be reached) to Exchange Online Protection, which I use as SMTP relay service via port 25, I had to do some research into why no connection could be established, and found an interesting Microsoft blog post:
https://blogs.msdn.microsoft.com/mast/2017/11/15/enhanced-azure-security-for-sending-emails-november-2017-update/

Since public IP addresses offered in Azure had been placed on blacklists by more and more blacklist providers due to increasing mail spam sent from Azure services/VMs, Microsoft decided to restrict outgoing mail on port 25 for certain subscription models. This led to less spam, and Microsoft Azure public IPs were removed from the blacklists again.

If you would like to set up an email service in Azure that sends outgoing mail via port 25, there are now two ways to send mail from an Azure VM to a mail service provider:

1. You use an authenticated SMTP relay service; “authenticated” means an eligible SMTP relay provider such as SendGrid, to which mail can be sent from any Azure service (e.g. VM or App Service). This service can also be provisioned via the Azure Marketplace. Note the free plan, which you can use to send outbound mail at no cost; see the picture below.

2. You own an Enterprise Agreement (EA) subscription, which is not affected by Microsoft’s security measure. If you are using a Pay-As-You-Go (PAYG) subscription, you can raise a support ticket (issue type “Technical” –> “Virtual Network” –> “Connectivity” –> “Cannot send e-mail (SMTP/Port 25)”) to enable all public IPs within your subscription to send outgoing mail.
If you are a customer of a Cloud Service Provider (CSP), contact your CSP to have your subscription unblocked.

If you have any other subscription model, e.g. Azure Pass or an MSDN subscription, Microsoft will not unblock your subscription.

If you would like to receive mail with your SMTP service, there is no restriction: incoming connections on port 25 are allowed and not controlled by Microsoft.
If you can use SMTP with TLS to encrypt your mail exchange on port 587, that also works. Keep in mind that only outgoing mail via port 25 is blocked for the subscription models mentioned above. If you want to use Exchange Online Protection as your mail relay, bear in mind that EOP does not accept incoming connections on port 587.
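To tell the subscription-level port 25 block described above apart from an ordinary outage, it helps to probe ports 25 and 587 from the VM and check whether the relay answers and offers STARTTLS. The following Python script is an added example, not part of this post; the host names, the `fake_smtp_server` stand-in and `probe.example` are constructed so it runs offline, and for a real check you point `probe_smtp` at your own relay host.

```python
import socket
import threading

def probe_smtp(host, port, timeout=5.0):
    """TCP connect, read the banner, send EHLO, note STARTTLS; errors are recorded, not raised."""
    result = {"port": port, "reachable": False, "banner": "", "starttls": False}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["reachable"] = True
            result["banner"] = s.recv(1024).decode(errors="replace").strip()
            s.sendall(b"EHLO probe.example\r\n")
            result["starttls"] = "STARTTLS" in s.recv(4096).decode(errors="replace").upper()
            s.sendall(b"QUIT\r\n")
    except OSError as exc:  # timeout (egress filtered) or refused (nothing listening)
        result["error"] = type(exc).__name__
    return result

def diagnose(p25, p587):
    """Read the two probes in the light of the Azure outbound port 25 rules."""
    if p25["reachable"]:
        return "port 25 reachable: this subscription is not subject to the block"
    if p587["reachable"]:
        return "port 25 blocked, 587 open: use submission/STARTTLS or raise the support ticket"
    return "neither port reachable: check NSG, host firewall and DNS before blaming the block"

def fake_smtp_server(advertise_starttls=True):
    """Constructed stand-in for a relay so the probe runs offline; serves one connection."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"220 fake.example ESMTP\r\n")
            conn.recv(1024)  # the client's EHLO
            ext = b"250-STARTTLS\r\n" if advertise_starttls else b""
            conn.sendall(b"250-fake.example\r\n" + ext + b"250 SIZE 10485760\r\n")
            conn.recv(1024)  # the client's QUIT
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def unused_local_port():
    """A port nobody listens on, standing in for a blocked or dead relay."""
    with socket.socket() as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]

if __name__ == "__main__":  # offline demo; for a real check use your relay's hostname with ports 25 and 587
    print(diagnose(probe_smtp("127.0.0.1", unused_local_port(), 3), probe_smtp("127.0.0.1", fake_smtp_server(), 3)))
```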


SendGrid Plans:
