Why Most VPS Providers Block Port 25 — and How to Get It Open

You deploy a fresh VPS on AWS, DigitalOcean, or Google Cloud, install Postfix, and the first test mail just… hangs. No error, no bounce — just silence. If you've been here, you've run into the universal default: outbound TCP 25 is blocked.

This post explains why the big clouds block Port 25, what your unblock options look like in practice, and how to pick a VPS where you don't have to fight your own provider.

The short history

Port 25 is the original SMTP port — the one every mail server on the public internet listens on. Between 2002 and 2010, spammers rented the cheapest cloud boxes they could find, hammered Port 25 as hard as they could, and vanished. The networks those boxes lived on ended up on spam blacklists like Spamhaus SBL, which meant every other customer on that IP range also got rejected by Gmail and Outlook.

Cloud providers reacted the only way they could: block Port 25 outbound by default on the entire network, then decide case-by-case who gets to use it.

Who blocks Port 25 today

Provider	Default	Unblock available?
AWS EC2	Blocked	Yes — form; EC2 only, not Lambda/Lightsail
Google Cloud	Blocked	No — use a relay (SendGrid, Mailgun) only
Microsoft Azure	Blocked	Pay-as-you-go only, subscription review
DigitalOcean	Blocked	Yes — account age + payment history required
Linode (Akamai)	Blocked	Yes — support ticket, new accounts denied
Vultr	Blocked	Yes — ticket, case-by-case
Oracle Cloud	Blocked	No
Hetzner	Open	Default open on most plans
OVH	Open	Default open
VolkNode	Open	Default open on every plan

What "unblock" actually means

If your provider offers an unblock, it's rarely instant:

1. You submit a form describing your use case (transactional mail for a SaaS, newsletter, etc.).
2. They check your account age, payment method, and usage history.
3. They often deny new accounts — you need 30-90 days and real spend on the platform first.
4. Approval can take 3-10 business days.
5. The unblock is often per-region and per-instance, not account-wide. Start a new instance? Re-submit.

If you just want to send order confirmation emails for a side project, that's a lot of friction.

The alternatives

Option A: Use a relay. SendGrid, Mailgun, Amazon SES, and Postmark all expose HTTPS APIs and submission ports (587 or 465) that every cloud allows. This is the right answer for most SaaS. You pay per email (~$0.80–$1 per thousand), skip blocklists, and never touch Port 25.

Option B: Use a provider where Port 25 is open by default. Hetzner, OVH, and specialist hosts like VolkNode don't block it. This matters when:

• You're building a mail service itself (newsletter platform, email marketing tool) and need to initiate SMTP handshakes to remote MX records — a relay can't replace that.
• You need cold outreach where per-message API pricing doesn't fit.
• You're learning how SMTP works and need to see the raw protocol.
• You want your own deliverability — your sender reputation on your IP, not your relay's reputation.

How to validate before you commit

Before you rent a VPS for email, confirm Port 25 actually works:

# On a test VPS from the provider
telnet smtp.gmail.com 25
# Should get:  220 mx.google.com ESMTP ...
# If it hangs, Port 25 is blocked

Some providers advertise "Port 25 open" but still block to specific destinations (Microsoft 365 is a common one). Test against smtp.gmail.com, smtp-mail.outlook.com, and mx.yandex.ru to be sure.

What you should actually do

• Transactional email for a SaaS? Use SendGrid or SES as a relay. Keep it simple, pay per email.
• Cold outreach, newsletters, or running a mail platform? Rent a VPS where Port 25 is open by default and set up your own Postfix stack. Our Port 25 Open VPS line is purpose-built for this.
• Already on AWS/GCP and stuck? File the unblock form, use SES as a temporary relay, and plan the migration if you're denied.

Port 25 blocking is a network-layer decision, not something you can code around. The simplest fix is to host where it's already open.