5

I run my own mail server on Azure for my domain. After deploying a new VM that will replace my existing server, I stumbled upon the inability to run trivial email diagnostic tests like port25's DKIM tester. I found this Microsoft article showing that MS decided to shut down the ability for new deployments to use port 25 and that a support request should be made to unlock port 25 outbound.

The article says that the support request must be for a technical issue, however my subscription does not allow technical support requests unless I buy a paid MSDN subscription.

I run my own domain on a very low budget and more for fun than for profit, but I am trying to reduce the number of servers after shutting down my ecommerce hosting business. So I wouldn't like to pay for a subscription that is worth more than the two servers I currently run.

How can I request port 25 unlock and go through Microsoft's screening without the ability to issue technical requests?

usr-local-ΕΨΗΕΛΩΝ
  • Comment: I have been successfully running my own mail server for **years**, having only once had 4 spam emails sent from my server after my login was `pwned` (in fact it appears in haveibeenpwned.com exploited passwords), and I was able to identify the issue and fix it in less than 24 hours, before someone contacted me with a spam abuse report. – usr-local-ΕΨΗΕΛΩΝ Apr 02 '18 at 12:41
  • 1
    Comment: AWS have the same restrictions, though they remove them without the need for a support contract (you just have to wait a week or so...). My advice: move to a real hosting provider. I moved from AWS to a German hoster after they sent me an e-mail threatening me not to run `nmap` between my servers. Now I pay a total of 12EUR per month for two mail servers with 2 vCPUs/4GB memory/40GB SSD each, try getting that from Azure or AWS. – Daniel Apr 02 '18 at 13:33
  • Microsoft (and AWS) don't have these restrictions because they don't trust you personally, and your history with email is somewhat irrelevant. These restrictions are in place because they are a massive provider and a prime target for use for spam and other mail based attacks, these limitations are in place to stop the malicious users who are very much out there. – Sam Cogan Apr 02 '18 at 13:41
  • I don't disagree with the restriction; they are a needed act to respond to the increase of spam for little cost/time. You can get a spam farm in minutes with a stolen credit card and a PowerShell script. However, I don't agree with completely banning port 25 for everyone in the future, because adding intermediaries also introduces privacy issues (see GDPR) – usr-local-ΕΨΗΕΛΩΝ Apr 02 '18 at 13:50
  • 1
    It's a win-win for them (AWS, Azure) since both offer paid hosted mail service. We keep siloing and segregating the Internet under the banner of false security, while in fact we trust the entire system on 4 companies. Internet is not just HTTP. Try to use open and ethical hosting companies while they still exist. (and we are VERY off-topic) – Daniel Apr 02 '18 at 14:35
  • I'm voting to close this question as off-topic because I have solved the problem myself by contacting Microsoft directly – usr-local-ΕΨΗΕΛΩΝ Apr 03 '18 at 11:43
  • @usr-local-ΕΨΗΕΛΩΝ Why not include what worked for you as an answer? – ZX9 Aug 09 '20 at 20:24

1 Answer

2

The answer is in the article you linked: use an authenticated and encrypted mail submission agent.

However, this will limit your ability to connect to MTAs on port 25. Presumably, this is by design, as there are less attentive Azure customers contributing to the junk mail problem.

Recommended Method of Sending E-mail

Microsoft recommends that Azure customers employ authenticated SMTP relay services (typically connected via TCP port 587 or 443, but often support other ports too) to send e-mail from Azure VMs or from Azure App Services. These services specialize in sender reputation to minimize the possibility 3rd party e-mail providers will reject the message. Such SMTP relay services include but are not limited to Exchange Online Protection and SendGrid.

Use of these e-mail delivery services is in no way restricted in Azure regardless of subscription type.

John Mahowald
  • But they cost additional money. I want to give a try with Microsoft unblocking me, otherwise I will need to reconsider my cloud budget or reconsider my cloud provider (e.g. VPSVille does not have such restrictions but will kill you on the first spam report) – usr-local-ΕΨΗΕΛΩΝ Apr 02 '18 at 13:30
  • SendGrid offers 25.000 mails a month for free, so if you are under that then you can use that. If you still need the port unblocking then you will need to raise a support ticket. – Sam Cogan Apr 02 '18 at 13:39
  • Not everyone is happy with being forced to farm this out to a third party. There is a fundamental lack of control here. The issue for me is being blocked off from something that is necessary for development of publicly useful apps unless I take on additional, onerous setup steps or put everything in the hands of another company I never really wanted to use and who may not fully support my product vision. Microsoft claim with one mouth to be in favour of an open and free internet/software, and with the other say and do things that can only imply the opposite. – Peter David Carter Nov 22 '19 at 14:10
  • If your MTAs use auth over 587 you are not blocked. Extra validation for port 25 isn't about proprietary anything, it is to slow the ridiculous amount of junk email. For every experienced mail admin like yourself, there is another that appreciates the recommendation to make running an MTA someone else's problem. – John Mahowald Nov 22 '19 at 16:51
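
The authenticated, encrypted submission on port 587 that the answer and its comments describe, as an added example that is not part of the original posts: Python's `smtplib` does not itself require TLS before `login()`, so the wrapper refuses to authenticate unless the relay offers STARTTLS and the certificate verifies. The names `submit_via_relay`, `RelayPolicyError` and `smtp_factory` are hypothetical, and the relay host and credentials are whatever your relay provider issues.

```python
import smtplib
import ssl


class RelayPolicyError(Exception):
    """The relay did not offer what authenticated submission requires."""


def submit_via_relay(msg, host, user, password, port=587,
                     smtp_factory=smtplib.SMTP, tls_context=None):
    """Send msg (an email.message.EmailMessage) through an authenticated relay.

    Credentials are only sent after a verified STARTTLS handshake.
    Returns the dict of refused recipients (empty when all were accepted).
    smtp_factory is an assumption of this example: it lets a stub stand in
    for smtplib.SMTP so the policy can be exercised offline.
    """
    # create_default_context() verifies the certificate chain and hostname.
    ctx = tls_context or ssl.create_default_context()
    client = smtp_factory(host, port, timeout=15)
    try:
        client.ehlo()
        if not client.has_extn("starttls"):
            # Without this check, AUTH could go over the wire in cleartext.
            raise RelayPolicyError("relay does not advertise STARTTLS")
        client.starttls(context=ctx)
        # Extensions seen before TLS are untrusted; read them again.
        client.ehlo()
        if not client.has_extn("auth"):
            raise RelayPolicyError("relay does not advertise AUTH after STARTTLS")
        client.login(user, password)
        return client.send_message(msg)
    finally:
        try:
            client.quit()
        except smtplib.SMTPException:
            pass  # connection already gone; nothing left to clean up


# Usage with constructed placeholder values (not a real relay or account):
#   submit_via_relay(msg, "relay.example.net", "relay-user", "relay-secret")
```

An MTA on the VM would normally do the same thing through its own smarthost configuration; the script form is useful for checking the relay credentials and TLS setup before changing the MTA.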