Last updated: July 2026
In short: STRATO blocks outbound SMTP port 25 by default across specific server lines (notably documented for Windows Root Servers) for security reasons. Unblocking requires contacting customer support directly and ensuring proper reverse DNS configuration. Alternatively, port 587 remains open for smarthost relays.
When deploying a self-hosted mail server (such as Postfix or Microsoft Exchange) on a STRATO virtual or root server, direct outbound delivery to remote mail systems often fails by default. This occurs due to a network-level security restriction applied by STRATO to prevent outbound spam.
Per-product scope and official policy
STRATO specifically documents its network firewall restrictions within its product-level FAQ articles. Rather than claiming an undocumented global ban across all hosting packages, STRATO details the policy for affected server categories.
In its technical documentation for Windows Root Servers, STRATO states explicitly:
Aus Sicherheitsgründen ist der SMTP-Port 25 (ausgehend) gesperrt. Wenn Sie den SMTP-Port freischalten möchten, wenden Sie sich bitte an den Support.
(Note: STRATO’s primary server documentation is published in German. The official quote translates as: “For security reasons, SMTP port 25 (outbound) is blocked. If you want to unblock the SMTP port, please contact support.”)
Requesting an unblock from support
To deliver email directly from your STRATO server IP to recipient MX gateways over port 25, you must submit a request to customer support.
Before approving an unblock, STRATO support expects the server environment to be properly configured for legitimate mail processing. This includes publishing a clean hostname and configuring a matching reverse DNS (PTR) record in the STRATO customer portal so remote receivers do not reject traffic due to missing reverse lookups.
IP reputation reality check
Even after support successfully removes the port 25 block, self-hosting direct mail delivery on hosting center subnets poses deliverability challenges. Because data center IP pools are frequently targeted by spammers, major email providers (including Gmail, Outlook, and Yahoo) enforce rigorous reputation filtering across server subnets.
Even with valid SPF and DKIM signatures, messages sent directly from STRATO root or virtual server IPs risk landing in spam folders or facing blocklists (such as Spamhaus or UCEPROTECT).
Smarthost relaying via port 587
To bypass support tickets and avoid the deliverability pitfalls of hosting subnets, you can route your outbound mail via port 587 (Submission) through an authenticated smarthost relay. Port 587 is designed for client submission and is not subject to the outbound port 25 restriction.
A standard Postfix configuration (/etc/postfix/main.cf) for relaying through an external smarthost is structured as:
relayhost = [smtp.provider.com]:587
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_tls_security_level = encrypt
Or send reliably via Dispatch. If you want to avoid support tickets, reverse DNS management, IP blocklist monitoring, and smarthost maintenance entirely, you can route your outbound mail securely via Dispatch.
Verifying your configuration
Once your sending workflow is active, verify your email authentication setup (SPF, DKIM, DMARC) and reverse DNS alignment using the free MXAudit scanner.
Further reading
- STRATO FAQ — Wie stelle ich die Netzwerk-Firewall bei meinem Windows Root Server ein? (retrieved: July 17, 2026)
- STRATO FAQ — STRATO Server als Mailserver: Was kann ich tun, wenn meine E-Mails von anderen Providern abgelehnt werden? (retrieved: July 17, 2026)