Symptoms
When you try to send mail from your server, the mail is never sent. Outbound connections to other servers on port 25 fail.
Description
Many providers block outbound traffic on port 25 to prevent spam from being sent from their network. Because this port is essential for communicating with external mail services, the block also prevents legitimate users from sending mail.
Although cPanel offers the option to change the port Exim listens on, you cannot use alternate ports for sending mail, because other remote servers are not configured to accept mail on non-standard ports. This is why port 25 must be functional for mail to work correctly.
You can verify this block by using the cURL utility to attempt to connect to an external mail server. In this guide, I'll be using the PortQuiz service to verify connectivity over port 25.
On a working system, you'll see the following:
cptechs@cpanel [~] $ curl portquiz.net:25
Port 25 test successful!
On systems with this block, the error message varies slightly with the exact version of the cURL utility, but the utility will delay for around 300 seconds and then fail with an error similar to one of these:
cptechs@cpanel [~] $ curl portquiz.net:25
curl: (7) Failed to connect to portquiz.net port 25: Operation timed out
cptechs@cpanel [~] $ curl portquiz.net:25
curl: (52) Empty reply from server
You will also want to check iptables for any rules with "DROP". Any rules with "ACCEPT" are normal and expected. If you have any external or network firewalls, check those as well. To list the local rules that mention port 25:
root@server [~] # iptables -L -n | grep :25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25
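The `grep :25` filter above also matches ports such as 2525 and misses multiport and port-range rules. The following is an added example, not part of the original article: it parses `iptables -L -n` output and reports DROP rules (and REJECT rules, an assumption beyond the article's wording) whose destination port covers 25. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: report DROP/REJECT iptables rules whose destination port covers 25.
# Reads `iptables -L -n` output on stdin; prints "CHAIN TARGET PORTSPEC" per hit.
blocking_rules_for_25() {
    awk '
    function covers(spec,    n, parts, i, r) {
        n = split(spec, parts, ",")          # multiport lists are comma separated
        for (i = 1; i <= n; i++) {
            if (split(parts[i], r, ":") == 2) {   # low:high port range
                if (r[1] + 0 <= 25 && 25 <= r[2] + 0) return 1
            } else if (parts[i] + 0 == 25) return 1
        }
        return 0
    }
    $1 == "Chain" { chain = $2; next }       # remember which chain we are in
    $1 != "DROP" && $1 != "REJECT" { next }  # ACCEPT rules are expected
    {
        for (i = 1; i <= NF; i++) {
            spec = ""
            if ($i ~ /^dpts?:/) { spec = $i; sub(/^dpts?:/, "", spec) }
            else if ($i == "dports" && i < NF) spec = $(i + 1)
            if (spec != "" && covers(spec)) { print chain, $1, spec; break }
        }
    }'
}

# Constructed sample listing (not taken from a real server).
sample_iptables_output() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            state NEW tcp dpt:25

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            multiport dports 25,465,587 reject-with icmp-port-unreachable
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:2525
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:20:30
EOF
}

# On a real server: iptables -L -n | blocking_rules_for_25
sample_iptables_output | blocking_rules_for_25
```

Rules that drop traffic without naming a destination port are not reported by this filter and still need to be reviewed by hand.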
Workaround
Many providers have documentation on this particular issue. Checking your hosting provider or Internet service provider's documentation or contacting their support is typically required in these situations. If your provider is unable to remove these restrictions, you will need to use a relay service.
Note that almost all residential Internet service providers block port 25 with no option to have the restriction lifted. You will need to either upgrade to a business plan or use a relay service.
Some providers block port 25 automatically but are willing to remove the block if asked. In these cases, you may need to contact their support team or review their documentation to see what steps they require. Please be aware that the provider may block the port again if they receive reports of spam.
Here are links to some of these documents from various providers:
- Alibaba Cloud
- Amazon AWS
- DigitalOcean
- Choopa/Vultr
- GoDaddy and specifically Gen 4 VPS
- Google Cloud Platform (Compute Engine)
- Huawei Cloud
- IBM/Softlayer
- Linode
- Mammoth Cloud
- Microsoft Azure
- Scaleway
- UpCloud
If you are a hosting provider with specific documentation you'd like to add to this list, please reach out to your cPanel account manager.
If the provider is not willing to open access, they might offer their own SmartHost or relay that you can use. The provider would supply any necessary details for the SmartHost if it is not configured by default.
SmartHost relays can introduce delay to the mail-sending process. Once your server reports a message has been successfully sent, it is the responsibility of your external relay to deliver the message to the intended recipient. Issues occurring at the relay level may need to be addressed by your relay provider.