About this article
Email Signature Server uses port 25 to communicate with Exchange Online, so this port must be open for the traffic to pass through. In this article we will look at the prerequisites and implications of this, as well as how to set it up.
Sections in this article:
- How to check if port 25 is open
- Terraform Port 25 Check
- What steps to take if port 25 is not open
Starting on November 15, 2017, outbound email messages that are sent directly to external domains (such as outlook.com and gmail.com) from a virtual machine (VM) are made available only to certain subscription types in Microsoft Azure. Outbound SMTP connections that use TCP port 25 were blocked. Email Signature Server does not communicate with any external domain; it only communicates with the customer's own Exchange Online server.
How to check if port 25 is open
The most accurate way to check this is to create a new virtual machine in your subscription, then log in and run the following command in a command prompt:
curl mail.port25.com:25
The command works for both Windows and Linux virtual machines.
- If port 25 is open, you will get a result back starting with 220:
- If port 25 is closed, the message will be:
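The curl check above, written as a small Python script. This is an added example, not part of the original article or of Email Signature Server. It connects to a host on port 25, reads the SMTP greeting, and separates a 220 reply from a timeout or a refusal. The function names and result labels are assumptions made for this example; pass the host you need to reach, such as your <tenantname>.mail.protection.outlook.com endpoint.

```python
import socket
import sys


def classify_banner(banner: str) -> str:
    """A reply starting with 220 (including "220-") means the port is open."""
    return "open" if banner[:3] == "220" else "unexpected-reply"


def check_port25(host: str, port: int = 25, timeout: float = 10.0):
    """Try an outbound SMTP connection and return (status, detail).

    status: open, unexpected-reply, timeout, refused or error.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            data = b""
            # Read until the first reply line is complete (or the peer closes).
            while b"\n" not in data and len(data) < 1024:
                chunk = sock.recv(512)
                if not chunk:
                    break
                data += chunk
    except socket.timeout:
        # Silently dropped outbound packets show up as a timeout.
        return "timeout", "no answer within %g s" % timeout
    except ConnectionRefusedError:
        return "refused", "connection refused"
    except OSError as exc:
        # DNS failure, unreachable network, reset connection, ...
        return "error", str(exc)
    banner = data.split(b"\n", 1)[0].decode("ascii", "replace").strip()
    return classify_banner(banner), banner


if __name__ == "__main__":
    if len(sys.argv) != 2:
        # Hypothetical script name; the host is the endpoint you need to reach.
        sys.exit("usage: check_port25.py <host>")
    status, detail = check_port25(sys.argv[1])
    print(f"{sys.argv[1]}:25 -> {status} ({detail})")
    sys.exit(0 if status == "open" else 1)
```

The script exits with code 0 only when a 220 greeting was received, so it can be used in a provisioning or health-check step.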
Terraform Port 25 Check
A Terraform script is also provided to automate the creation of a Linux-based VM that checks outgoing port 25 connectivity and returns the results at a URL.
What steps to take if port 25 is not open
In this case a request needs to be made to Microsoft to open port 25.
- Navigate to portal.azure.com and choose Help + support -> New support request. Choose the options shown in the screenshot below:
- Press Next: Solutions, there is no action needed on this tab.
- On the Details tab add the following:
- Copy-paste the following text to the description section:
ATTN: Azure Virtual Networking Support
From November 15, 2017 onward port 25 is now closed by default on all new virtual machines/networks created in a subscription.
We require port 25 to be opened by default on all new virtual machines/networks created in our subscription.
We are integrating a service that will intercept and apply email signatures to emails sent from Office 365. Our service relies on Office 365 forwarding us the emails via an outbound connector. Then we apply the signature to the emails and send them back again through an Office 365 inbound connector. We are sending them back to Office 365 by using this domain <tenantname>.mail.protection.outlook.com. Our service does not communicate with any external domain; it only communicates with the customer's own Exchange Online server.
- Update <tenantname>.mail.protection.outlook.com to match your tenant
- For severity choose B - Moderate impact