Last updated: July 2026

In short: Microsoft Azure blocks outbound SMTP traffic on TCP port 25 across deployed virtual machines by default. While Enterprise Agreement customers face no restriction, Enterprise Dev/Test tiers require manual unblocking via the portal. For all other subscription types, Azure recommends relaying mail over port 587.

When deploying a self-hosted email server on a Microsoft Azure Virtual Machine (VM), direct outbound delivery often fails. Whether your VM can route SMTP connections over TCP port 25 depends strictly on the Azure subscription type governing your deployment.

Platform security rationale and default block

Microsoft protects its cloud infrastructure and global IP reputation by filtering outbound mail traffic at the network edge. According to official Azure troubleshooting documentation: The Azure platform blocks outbound SMTP connections on TCP port 25 for deployed VMs. This block is to ensure better security for Microsoft partners and customers, protect Microsoft's Azure platform, and conform to industry standards.

Because this filter operates within the Azure fabric, modifying local operating system firewalls or Network Security Groups (NSGs) will not open outbound port 25.

Policy differences by subscription tier

Microsoft enforces distinct access rules across three primary subscription categories:

1. Enterprise Agreement and MCA-E (unrestricted)

For large organizational deployments operating under enterprise agreements, outbound port 25 is accessible by default: For VMs and Azure Firewall that are deployed in standard Enterprise Agreement or Microsoft Customer Agreement for enterprise (MCA-E) subscriptions, the outbound SMTP connections on TCP port 25 aren't blocked.

2. Enterprise Dev/Test (unblockable via portal)

For enterprise development and testing environments, the restriction is enabled initially but can be lifted through self-service portal diagnostics: For Enterprise Dev/Test subscriptions, port 25 is blocked by default. It's possible to have this block removed.

3. Pay-As-You-Go and standard tiers (permanently blocked)

For Pay-As-You-Go subscriptions, MSDN tiers, Cloud Solution Provider (CSP) accounts, and free trials, outbound TCP port 25 is permanently blocked. Support requests to lift the block on these consumer and standard commercial tiers are not supported.

IP reputation reality check

Even under an Enterprise Agreement where port 25 is fully unrestricted, self-hosting direct email delivery on Azure IP addresses carries significant deliverability hurdles. Because Azure public IP ranges are dynamically recycled across thousands of workloads worldwide, data center subnets inherit pre-existing reputation baggage.

Frequently, Azure VM IP blocks are listed on major blocklists (DNSBLs) such as Spamhaus and UCEPROTECT. Receiving providers (including Gmail, Yahoo, and Outlook.com) aggressively scrutinize or reject direct mail originating from Azure subnets, even when your domain publishes valid SPF and DKIM records.

The official alternative: smarthost relaying via port 587

To bypass subscription restrictions and avoid subnet deliverability traps, Microsoft explicitly recommends relaying outbound traffic through an external delivery service: We recommend you use authenticated SMTP relay services to send email from Azure VMs or from Azure App Service. Connections to authenticated SMTP relay services are typically on TCP port 587 and isn't blocked.

This submission path operates without restriction across every Azure pricing tier: Using these email delivery services on authenticated SMTP port 587 isn't restricted in Azure, regardless of the subscription type.

A standard Postfix configuration (/etc/postfix/main.cf) for relaying through an external smarthost over port 587 looks like this:

relayhost = [smtp.provider.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt

Or send reliably via Dispatch. If you want to avoid subscription tier upgrades, portal diagnostics, IP reputation monitoring, and smarthost maintenance, you can route your outbound mail quickly and securely via Dispatch.

Verifying your configuration

Once your sending infrastructure is operational, verify your email authentication setup (SPF, DKIM, DMARC) and overall domain health using the free MXAudit scanner.

Further reading