Ensure that the subscription level lock for outbound connections through port 25 is removed by Microsoft Support
Email Signature Server uses port 25 to communicate with Exchange Online, so this port must be open for the traffic to pass through. Starting on November 15, 2017, outbound email messages that are sent directly to external domains (such as outlook.com and gmail.com) from a virtual machine (VM) are made available only to certain subscription types in Microsoft Azure. Outbound SMTP connections that use TCP port 25 were blocked. Email Signature Server does not communicate with any external domain; it only communicates with the customer's own Exchange Online server.
How to check if port 25 is open
The most accurate way to check this is to create a new virtual machine in your subscription, then log in and run the following command in a command prompt:
curl mail.port25.com:25
The command works for both Windows and Linux virtual machines.
- If port 25 is open, you will get a result back starting with 220:
- If port 25 is closed, the message will be:
Terraform Port 25 Check
A Terraform script is also provided to automate the creation of a Linux-based VM that will check outgoing port 25 connectivity and return the results at a URL.
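The 220 banner test from the curl check can also be scripted. The following Python sketch is an added example, not the provided Terraform script or vendor code; the function names and status labels are assumptions made here, and the loopback listener is constructed so the block runs offline.

```python
import socket
import sys
import threading

def check_smtp_egress(host, port=25, timeout=10.0):
    """Connect to host:port and classify the result as (status, detail).

    'open' means the server greeted with a 220 banner, as in the curl check.
    The status labels are this example's own, not Azure or vendor terms.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            # The SMTP server speaks first; read its greeting line.
            banner = sock.recv(512).decode("ascii", errors="replace").strip()
    except socket.gaierror as exc:
        return "dns_error", str(exc)   # name did not resolve; says nothing about port 25
    except OSError as exc:
        return "closed", str(exc)      # timed out, refused or unreachable
    if banner.startswith("220"):
        return "open", banner
    return "unexpected", banner        # something answered, but not an SMTP greeting

def start_fake_smtp(banner=b"220 constructed.example ESMTP ready\r\n"):
    """Constructed loopback listener that sends one greeting, for offline runs."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real check, e.g. against <tenantname>.mail.protection.outlook.com
        print(check_smtp_egress(sys.argv[1]))
    else:
        # No argument: demonstrate against the constructed local listener.
        print(check_smtp_egress("127.0.0.1", start_fake_smtp(), timeout=2))
```

Run it on the VM with the host to test as the only argument; a DNS failure is reported separately so that it is not mistaken for a blocked port.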
What steps to take if port 25 is not open
In this case a request needs to be made to Microsoft to open port 25.
- Navigate to portal.azure.com and choose Help + support -> New support request. Choose the options shown in the screenshot below:
- Press Next: Solutions, there is no action needed on this tab.
- On the Details tab add the following:
- Copy-paste the following text to the description section:
ATTN: Azure Virtual Networking Support
From November 15, 2017 onward port 25 is now closed by default on all new virtual machines/networks created in a subscription.
We require port 25 to be opened by default on all new virtual machines/networks created in our subscription.
We are integrating a service that will intercept and apply email signatures to emails sent from Office 365. Our service relies on Office 365 forwarding us the emails via an outbound connector. Then we apply the signature to the emails and send them back again through an Office 365 inbound connector. We are sending them back to Office 365 by using this domain <tenantname>.mail.protection.outlook.com. Our service does not communicate with any external domain; it only communicates with the customer's own Exchange Online server.
- Update <tenantname>.mail.protection.outlook.com to match your tenant
- For severity choose B - Moderate impact
- Press Review + Create, review the details
- Press Create
Note: The related official Microsoft article can be found at the following URL.