Last updated: July 2026
In short: Amazon Web Services (AWS) blocks outbound port 25 traffic from Amazon EC2 instances to all public IPv4 and IPv6 addresses by default. Removing the restriction requires submitting a manual, per-Region unblock request. As a primary alternative, AWS recommends using Amazon SES.
When deploying a self-hosted mail infrastructure on an Amazon Elastic Compute Cloud (Amazon EC2) instance, direct outbound SMTP connections to remote servers will time out. This network-level resource restriction is enforced across the AWS cloud infrastructure to prevent spam and protect global IP reputation.
Scope and default restriction rules
The port 25 restriction distinguishes strictly between internal virtual private cloud (VPC) communication and public internet routing. According to the official EC2 user guide:
By default, Amazon EC2 allows outbound traffic over port 25 only to private IPv4 addresses. Traffic over port 25 is blocked to public IPv4 addresses and IPv6 addresses. You can request that this restriction be removed.
This means internal mail forwarding between private IPv4 instances within your VPC works without intervention, whereas direct SMTP connections over port 25 to external internet MX gateways are blocked at the AWS network boundary.
Submitting per-Region unblock requests
If your application architecture requires direct outbound delivery over port 25, you must submit a formal unblock application. According to the AWS Knowledge Center:
To remove the restriction on port 25, you must submit a request to AWS.
A critical operational detail for multi-region deployments is that restriction removals do not propagate globally across your AWS account. As documented by AWS:
If you have instances in more than one AWS Region, then you must submit a separate request for each Region.
During the review process, AWS support evaluates your sending use case, expected daily volume, assigned Elastic IP addresses, and reverse DNS (PTR) setup before deciding whether to lift the regional restriction.
IP reputation reality check
Even if AWS approves your limit request and unblocks port 25 in your operating Region, self-hosting direct email delivery from EC2 instances carries massive deliverability hurdles. Because the global pool of Amazon EC2 IP addresses is dynamically recycled across millions of cloud customers, entire AWS IP blocks inherit pre-existing negative reputations.
Frequently, Elastic IPs are listed on major blocklists (DNSBLs) such as Spamhaus or UCEPROTECT. Receiving providers (including Gmail, Yahoo, and Microsoft 365) heavily scrutinize or outright reject direct email traffic originating from EC2 IP ranges, even when your domain publishes perfect SPF and DKIM records.
The official alternative: Amazon SES and port 587
To avoid per-Region unblock delays and bypass the negative reputation of EC2 IP pools, AWS officially guides users toward its managed email service:
use Amazon Simple Email Service (Amazon SES) to send email from your instances or Lambda functions.
Additionally, you can route outbound mail through any external smarthost relay over port 587 (Submission), as port 587 is not affected by the EC2 port restriction.
A standard Postfix configuration (/etc/postfix/main.cf) using an external smarthost over port 587 looks like this:
relayhost = [smtp.provider.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
Or send reliably via Dispatch. If you want to avoid regional unblock requests, Elastic IP reputation issues, blocklist troubleshooting, and configuring Amazon SES or smarthosts, you can route your outbound mail quickly and securely via Dispatch.
Verifying your configuration
Once your restriction is lifted or your smarthost relay is active, audit your email authentication headers (SPF, DKIM, DMARC) and domain health using the free MXAudit scanner.
Further reading
- Amazon EC2 User Guide — Resource limits (Port 25) (retrieved: July 16, 2026)
- AWS Knowledge Center — How do I remove the restriction on port 25 from my EC2 instance? (retrieved: July 16, 2026)