Last updated: July 2026
In short: netcup blocks incoming and outgoing SMTP connections by default using an integrated firewall rule (“netcup Mail block”). Unlike providers requiring manual support tickets or tenure waiting periods, netcup allows you to remove this restriction immediately via self-service in the Server Control Panel (SCP).
When deploying a root server or VPS on netcup to host a mail server, your outgoing and incoming mail connections on port 25 will initially fail. This restriction is caused by a pre-configured firewall policy applied automatically by the provider.
Why netcup enforces a default mail block
To protect its IP ranges from abuse and prevent compromised servers from blasting spam across the internet, netcup applies a default firewall rule to new instances.
According to netcup’s official server documentation:
Additionally, rules are set by default to prevent email spamming. However, you can view these rules and remove them if necessary.
This restriction applies broadly to mail delivery traffic. netcup explains:
To enable emails via SMTP, the default firewall policy must be removed, as it blocks incoming and outgoing SMTP connections by default.
How to remove the Mail block in SCP
Unlike hosting providers that require extensive support inquiries or monthly billing milestones, netcup empowers administrators to remove the restriction directly inside the Server Control Panel (SCP).
The official removal instructions from netcup are straightforward:
Select your server in the Server Control Panel (SCP). Go to the menu item Firewall. In the netcup Mail block policy, click the Delete button on the right.
Once the policy is deleted, network changes propagate within seconds, opening both outbound (ports 25, 465, 587) and inbound (port 25) mail traffic.
IP reputation reality check
Even though unblocking SMTP at netcup only takes a few clicks, self-hosting direct email delivery still requires managing your IP reputation. Because virtual server IP ranges are recycled across customers, hosting subnets are frequently monitored or listed by major blocklists (DNSBLs) such as Spamhaus or UCEPROTECT.
If you deliver email directly using your netcup server IP, you must configure a clean reverse DNS (PTR record) inside the SCP and actively monitor your IP reputation, as strict receivers like Gmail and Microsoft 365 penalize unaligned or poorly reputed server subnets.
Smarthost relaying via port 587
To bypass reputation bottlenecks associated with hosting provider subnets, you can route your outgoing messages through an external smarthost relay. The relay service accepts your authenticated messages over port 587 and delivers them across dedicated, highly reputed IP pools.
A standard Postfix configuration (/etc/postfix/main.cf) for relaying through an external smarthost is written as:
relayhost = [smtp.provider.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
Or send reliably via Dispatch. If you want to avoid firewall rule management, blocklist monitoring, and ongoing smarthost maintenance, you can route your outbound mail quickly and securely via Dispatch.
Verifying your configuration
Once your firewall policy is removed or your smarthost relay is active, check your email authentication headers (SPF, DKIM, DMARC) and overall domain health using the free MXAudit scanner.
Further reading
- netcup Helpcenter — Server Firewall (retrieved: July 17, 2026)