Last updated: July 2026
In short: Hetzner blocks outbound ports 25 and 465 across all cloud servers by default to prevent spam. Unblocking requires at least one month of tenure and a paid first invoice. Alternatively, port 587 is completely unblocked immediately without requiring any request.
When setting up a self-hosted mail server on Hetzner Cloud, your initial attempts to deliver outgoing email directly to remote recipients will time out. This happens because Hetzner enforces strict network-level port blocking on cloud instances to protect IP reputation across its infrastructure.
Why Hetzner blocks ports 25 and 465
To stop bad actors from spinning up cloud instances for immediate spam blasts, Hetzner blocks the primary ports used for direct SMTP delivery.
According to Hetzner’s official cloud documentation:
That's why we block ports 25 and 465 by default on all cloud servers. This is a very common practice in the cloud hosting industry because it prevents abuse.
Importantly, this restriction is tied to your account hierarchy rather than individual virtual instances. Hetzner explains:
Port blocking is enforced per account. If a server is transferred to a project that is owned by another account, the port-blocking rules of the new owner will apply.
The limit request unblock process
If your architecture requires direct outbound SMTP delivery (connecting directly from your cloud server’s IP address to recipient MX records over port 25), you must submit a formal unblock request. However, Hetzner enforces strict eligibility criteria:
According to the provider’s official FAQ:
Once you have been with us for a month and paid your first invoice, you can create a limit request to unblock these ports for a valid use case. In your request, you can tell us details about your use case. We make decisions on a case-by-case basis.
In practice, this requires:
- Tenure and payment: You must wait until your account has been active for at least one full month and your first billing invoice is paid.
- Detailed justification: You must submit a limit request via the Hetzner Cloud Console detailing a valid operational use case, such as hosting an authenticated corporate mail system.
- Manual review: Support evaluates requests individually on a
case-by-case basis.
IP reputation reality check
Even after successfully unblocking port 25, self-hosting direct mail from cloud servers carries inherent deliverability challenges. Because cloud server IP addresses are dynamically assigned and recycled across thousands of tenants, entire IP subnets hosted by major cloud providers frequently suffer from pre-existing listings on strict blocklists (DNSBLs) such as Spamhaus or UCEPROTECT.
If you deliver email directly from a Hetzner Cloud IP, you must ensure your reverse DNS (PTR record) is properly configured and continuously monitor your IP deliverability across major receiving providers.
Smarthost relaying via port 587
If you cannot wait a full month or wish to bypass the reputation risks associated with cloud IP ranges, Hetzner explicitly recommends relaying outbound mail through an external delivery service over port 587.
According to Hetzner:
As an alternative, you can also use port 587 to send emails via external mail delivery services. Port 587 is not blocked and can be used without sending a limit request.
A standard Postfix configuration (/etc/postfix/main.cf) using an authenticated external smarthost over port 587 is written as:
relayhost = [smtp.provider.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
Or send reliably via Dispatch. If you want to avoid tenure waiting periods, limit requests, and ongoing IP reputation monitoring altogether, you can route your outbound mail quickly and reliably via Dispatch.
Verifying your configuration
Once your outgoing delivery pipeline is active, test your email authentication headers (SPF, DKIM, DMARC) and overall domain health using the free MXAudit scanner.
Further reading
- Hetzner Cloud — FAQ (Port 25 & 465) (retrieved: July 17, 2026)