How to Open Port 25 on a VPS: Complete Postfix SMTP Setup Guide

Running your own SMTP server is still the cheapest way to send high-volume transactional and marketing email — if your VPS has Port 25 open outbound. Most mainstream cloud providers (AWS, Google Cloud, DigitalOcean, Azure) block it by default because of spam abuse history, so step one is picking a VPS that allows it.

This guide walks through a full production-grade Postfix setup on a fresh Ubuntu 22.04 VPS with Port 25 open. By the end you'll be able to send mail from you@yourdomain.com that lands in Gmail's inbox — not the spam folder.

What you need before you start

• A VPS with outbound Port 25 open (VolkNode VPS plans ship with Port 25 unblocked by default).
• A domain you control with DNS access (Cloudflare, Route 53, Namecheap — anything).
• A clean IP. Check it at mxtoolbox.com/blacklists before you start.
• rDNS / PTR record pointing back to your hostname. Most VPS control panels expose a field for this; set it to something like mail.yourdomain.com.

Step 1 — Hostname and rDNS

Gmail, Microsoft, and Yahoo all reject mail from servers whose PTR doesn't resolve forward-and-back consistently. Set it up first:

sudo hostnamectl set-hostname mail.yourdomain.com
echo "127.0.1.1 mail.yourdomain.com mail" | sudo tee -a /etc/hosts

Then, in your VPS provider's control panel, set the PTR/reverse DNS for your IPv4 to mail.yourdomain.com. Verify with:

dig -x YOUR_IP +short

Step 2 — Install Postfix

sudo apt update
sudo apt install -y postfix mailutils opendkim opendkim-tools

When the installer asks, pick "Internet Site" and enter yourdomain.com as the mail name.

Open /etc/postfix/main.cf and make sure these are set:

myhostname = mail.yourdomain.com
mydomain = yourdomain.com
myorigin = $mydomain
inet_interfaces = all
inet_protocols = ipv4
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.yourdomain.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.yourdomain.com/privkey.pem
smtpd_use_tls = yes
smtp_tls_security_level = may
smtpd_tls_security_level = may

Restart Postfix: sudo systemctl restart postfix.

Step 3 — SPF

Publish a TXT record on yourdomain.com:

v=spf1 mx a ip4:YOUR_IP -all

The -all means "reject anything else". If you also send through Mailgun, Stripe, or Google Workspace, include them: v=spf1 include:_spf.google.com ip4:YOUR_IP -all.

Step 4 — DKIM with OpenDKIM

DKIM signs every outgoing message so receivers can verify it wasn't tampered with. Generate a key:

sudo mkdir -p /etc/opendkim/keys/yourdomain.com
cd /etc/opendkim/keys/yourdomain.com
sudo opendkim-genkey -s default -d yourdomain.com
sudo chown opendkim:opendkim default.private

Copy the contents of default.txt into a TXT record named default._domainkey.yourdomain.com.

Configure /etc/opendkim.conf:

Domain                  yourdomain.com
KeyFile                 /etc/opendkim/keys/yourdomain.com/default.private
Selector                default
Socket                  inet:8891@localhost

And point Postfix at it in /etc/postfix/main.cf:

milter_protocol = 6
milter_default_action = accept
smtpd_milters = inet:localhost:8891
non_smtpd_milters = inet:localhost:8891

sudo systemctl restart opendkim postfix.

Step 5 — DMARC

DMARC tells receivers what to do when SPF or DKIM fail. Start gentle so you don't nuke legitimate mail:

_dmarc.yourdomain.com  TXT  "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"

After two weeks of clean reports, tighten to p=quarantine and eventually p=reject.

Step 6 — Test

Send yourself mail:

echo "Test body" | mail -s "Test subject" you@gmail.com

Then check mail-tester.com — aim for 9/10 or higher. Anything less usually means a missing SPF, DKIM, or PTR record.

Common gotchas

• Port 25 blocked upstream. If telnet smtp.gmail.com 25 hangs, your provider is blocking outbound 25. Move to a host that doesn't — like VolkNode's VPS plans.
• Missing rDNS. Gmail rejects with "does not meet IPv6 sending guidelines" even on IPv4 if PTR is wrong.
• Fresh IP reputation. Brand-new IPs need to be warmed up — start with 50 emails/day and double every 2-3 days over 2 weeks.

Wrap-up

Port 25, Postfix, SPF, DKIM, DMARC, rDNS, TLS. That's the full stack. If any one of those six is misconfigured you'll end up in spam. Nail all of them and a $6/mo VPS will out-deliver most managed SaaS at 1/100th the price.