SEPPmail VMs in Azure and AWS

In recent weeks, customers and partners have occasionally reported to us that they could not operate a SEPPmail VM in Azure. Outgoing email on port 25 could not be sent despite an Azure Enterprise subscription and a Microsoft support call having been opened, so parallel integration with an email system could not be configured.

Existing SEPPmail VMs should continue to work. Switching to a different subscription may result in restrictions or even a functional stop.

We would now like to proactively point out that Microsoft is evidently restricting, step by step, the scope in which SMTP-sending devices can be used. Here is the status from our point of view, without any claim to completeness.

Current policies from Azure

Enterprise and Microsoft customer contracts (EA and MCA-E):

For VMs in these subscriptions, outbound SMTP traffic over port 25 is not blocked by default.

However, port 25 is blocked by default for Enterprise Dev/Test subscriptions. To remove this block, you can use the “Diagnostics and Remediation” function in the Azure portal under the “Virtual Network” resource and request an exception. After approval, the affected VM must be restarted in order to apply the changes.

Other subscription types:

For subscriptions outside of EA and MCA-E, Azure will block outbound connections on port 25 by default. This policy is in place to improve security and comply with industry standards.

Strategies for VMs that absolutely require port 25

  1. Request an exception for port 25

If your subscription allows it, you can request an exception to unblock port 25. To do this, proceed as follows:

  • Navigate to the “Virtual network” resource in the Azure portal.
  • Use the “Diagnostics and troubleshooting” function to submit a request.
  • After approval, the affected VM must be restarted.

  2. Use alternative subscriptions

If your current subscription does not allow an exception for port 25, you should consider switching to an Enterprise subscription or another suitable category that does not block port 25.

  3. Strengthen security measures

Operating port 25 entails security risks such as spam distribution. You should therefore take additional measures such as:

  • Restrictions at IP or firewall level to allow only authorized traffic.
  • Mechanisms to detect and prevent abuse.
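
To confirm from the VM itself whether outbound port 25 works, for example after an exception has been approved and the VM restarted, the following added example (not SEPPmail or Microsoft code) probes one or more SMTP hosts and separates a silent drop from a refusal or a working greeting. The host names are placeholders, and reading "every probe timed out" as a likely block on the sending side is an assumption about how filtering shows up on the path.

```python
import socket
import sys

def probe_smtp(host, port=25, timeout=10.0):
    """Classify outbound SMTP reachability from this machine to host:port.

    "smtp_ok"     TCP connected and the server sent a 220 greeting
    "no_greeting" TCP connected, but no 220 greeting arrived in time
    "refused"     connection actively rejected (remote host or a firewall)
    "filtered"    connect timed out: packets dropped somewhere on the path
    "error"       DNS failure or another network error
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "error"
    with sock:
        try:
            greeting = sock.recv(512)
        except (socket.timeout, TimeoutError):
            return "no_greeting"
        except OSError:
            return "error"
    return "smtp_ok" if greeting.startswith(b"220") else "no_greeting"

def egress_verdict(results):
    """Summarise {host: status}; assumption: every probe timing out
    against independent hosts points to a block on the sending side."""
    statuses = set(results.values())
    if statuses & {"smtp_ok", "no_greeting"}:
        return "open"            # a TCP session on port 25 was established
    if statuses == {"filtered"}:
        return "likely_blocked"
    return "inconclusive"        # refusals, DNS errors or mixed results

if __name__ == "__main__":
    # Placeholder hosts; pass the real relay or recipient MX names as arguments.
    hosts = sys.argv[1:] or ["mx1.example.invalid", "mx2.example.invalid"]
    results = {h: probe_smtp(h) for h in hosts}
    for host, status in results.items():
        print(f"{host}: {status}")
    print("verdict:", egress_verdict(results))
```

Probing at least two unrelated destinations keeps a single remote firewall from being mistaken for a block on the subscription.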

Outlook for port 25 on Azure

Microsoft has not currently announced any plans to completely block port 25 for all subscriptions. However, it is possible that the guidelines could change in the future to further increase security standards. Therefore, check whether your subscription allows an exception for port 25 and request it in good time if necessary.

Follow the policy updates from Microsoft regularly to be prepared for changes.

If this is not possible in your subscription, find alternative hosting providers that offer this service or operate the SEPPmail appliance in your data center. Alternatively, switch to SEPPmail.cloud if your company policy and the setup of the appliance allow it.

We have found something similar for Amazon Web Services; however, we have so few customers on this platform that we have not done any further research here.