How do I remove the restriction on port 25 from my Amazon EC2 instance or Lambda function?


I can't send email over port 25 from my Amazon Elastic Compute Cloud (Amazon EC2) instance or AWS Lambda function.

Short description

As a spam-prevention measure, AWS blocks outbound traffic on TCP port 25 (SMTP) by default from all EC2 instances and Lambda functions, on any elastic network interface owned by an account that isn't allowlisted. Only port 25 is restricted; the submission ports 587 and 465 that mail clients and relays such as Amazon SES use are not. AWS blocks port 25 to protect the reputation of its IP address ranges and to keep legitimate mail sent from AWS from being marked as spam. For more information, see Restriction on email sent using port 25.

To send outbound traffic on port 25, complete the following steps:

  1. Request that AWS remove the restriction.
  2. After you receive a response from AWS, follow the steps provided to you by AWS Support.
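Before you file the request, confirm that what you see is the port 25 restriction and not a security group, network ACL or routing problem. The following Python script is an added example (it is not part of the AWS article) that probes a mail host on port 25 and, as a control, on port 587: the AWS restriction silently drops the SYN, so the signature is a timeout on 25 while 587 on the same host still answers. The target hostname is an assumption; pass any host that runs an MTA on both ports.

```python
"""Probe outbound SMTP reachability from an EC2 instance or VPC-attached
Lambda.  Added example, not AWS code.  The default target is an assumption."""
import socket
import sys
from typing import Literal

ProbeResult = Literal["open", "refused", "timeout", "unreachable"]


def probe_tcp(host: str, port: int, timeout: float = 5.0) -> ProbeResult:
    """Attempt one TCP connect and classify what happened.

    - "open":        handshake completed, the path is clear
    - "refused":     the SYN got through and the peer answered with RST,
                     so nothing in between filters the port
    - "timeout":     no SYN-ACK and no RST; this is what the AWS port 25
                     restriction looks like, because the SYN is dropped
                     (a security group or NACL that denies the egress looks
                     the same, so rule those out too)
    - "unreachable": any other socket error (no route, DNS failure, ...)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:          # alias of TimeoutError on Python 3.10+
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"


def diagnose(host: str, timeout: float = 5.0) -> dict[int, ProbeResult]:
    """Probe port 25 (MX-to-MX relay) and 587 (submission) side by side.
    AWS restricts only port 25, so 587 acts as a control for the path."""
    return {port: probe_tcp(host, port, timeout) for port in (25, 587)}


def looks_like_port25_block(results: dict[int, ProbeResult]) -> bool:
    """True when 25 times out while 587 on the same host answers: the
    signature of the AWS restriction rather than of a dead host."""
    return results.get(25) == "timeout" and results.get(587) in ("open", "refused")


if __name__ == "__main__":
    # Hypothetical target; any host that runs an MTA on 25 and 587 will do.
    target = sys.argv[1] if len(sys.argv) > 1 else "mx.example.net"
    outcome = diagnose(target)
    for port, state in outcome.items():
        print(f"{target}:{port} -> {state}")
    if looks_like_port25_block(outcome):
        print("port 25 appears to be filtered; submit the AWS request form")
```

Run it from the instance (or from a Lambda attached to the VPC) rather than from your laptop, because the restriction is applied to the AWS network interface, not to the destination.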

Resolution

Submit a request to AWS to remove the restriction

For a Lambda function, the restriction can be lifted only when the function sends through your own VPC. First attach the function to an Amazon Virtual Private Cloud (Amazon VPC). Then route its outbound traffic through a NAT gateway, so that the function egresses from a fixed, account-owned Elastic IP address that AWS can allowlist. You can't remove the port 25 restriction for functions that aren't attached to a VPC.

After you complete this task, request AWS to remove the port 25 restriction on either your EC2 instance or your NAT gateway:

  1. Sign in to your AWS account, and then open the Request to remove email sending limitations form.
  2. Enter your email address so that you can receive updates about your request.
  3. Include the following required information in the Use case description field:
    • A clear, detailed use case for sending email messages from your EC2 instance or NAT gateway.
    • A statement that outlines how you will make sure that your account doesn't send unwanted email.
    • The AWS Region of your EC2 instance or NAT gateway.
  4. (Optional) Provide the AWS-owned Elastic IP addresses that you use to send outbound email, and the reverse DNS (rDNS) names that you want AWS to associate with those Elastic IP addresses. Receiving mail servers check that the rDNS (PTR) name of the sending address resolves back to that same address (forward-confirmed reverse DNS), so mail from an Elastic IP without a matching rDNS record is more likely to be flagged as spam. Before you submit the request, create a DNS A record for the rDNS name that points to the Elastic IP address. For example, if mail.example.com is the rDNS name that you request, create an A record for mail.example.com that resolves to the Elastic IP address.
  5. Choose Submit.

Note: If you have instances in more than one Region, then submit a separate request for each Region. If your instances are in a single Region, then submit only one request for that Region.
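The rDNS requirement in step 4 is easy to get half right: the A record exists but the PTR still carries the AWS default name, or the PTR is set but the forward name resolves to a different address. The following Python script is an added example (not part of the AWS article) that performs the forward-confirmed reverse DNS check a receiving MTA applies, using the system resolver for live lookups. The sample zone data and the addresses and names in it are constructed so that the checks can run offline.

```python
"""Forward-confirmed reverse DNS (FCrDNS) check for an Elastic IP.
Added example, not AWS code.  The sample names and addresses are constructed."""
import socket
from typing import Callable

PtrLookup = Callable[[str], list[str]]   # ip   -> PTR names
ALookup = Callable[[str], list[str]]     # name -> IPv4 addresses

# Constructed sample zone data so the checks run offline; swap in the
# live_* lookups below to test a real Elastic IP.
SAMPLE_PTR = {
    "203.0.113.10": ["mail.example.com."],
    "203.0.113.11": ["ec2-203-0-113-11.compute-1.amazonaws.com."],
}
SAMPLE_A = {
    "mail.example.com": ["203.0.113.10"],
    "mail2.example.com": ["203.0.113.99"],
}


def _norm(name: str) -> str:
    """Compare DNS names case-insensitively and without the trailing dot."""
    return name.rstrip(".").lower()


def sample_ptr_lookup(ip: str) -> list[str]:
    return [_norm(n) for n in SAMPLE_PTR.get(ip, [])]


def sample_a_lookup(name: str) -> list[str]:
    return list(SAMPLE_A.get(_norm(name), []))


def live_ptr_lookup(ip: str) -> list[str]:
    """PTR lookup through the system resolver."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except (socket.herror, socket.gaierror):
        return []
    return [_norm(n) for n in (name, *aliases)]


def live_a_lookup(name: str) -> list[str]:
    """A lookup through the system resolver."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_fcrdns(ip: str, expected_name: str,
                 ptr_lookup: PtrLookup = live_ptr_lookup,
                 a_lookup: ALookup = live_a_lookup) -> list[str]:
    """Return the list of problems; an empty list means the address passes.

    Receiving MTAs require that PTR(ip) -> name and A(name) -> ip agree.
    An Elastic IP that still carries the AWS default
    ec2-a-b-c-d.<region>.compute.amazonaws.com name has not had its rDNS
    set and is treated as a generic cloud host by many spam filters.
    """
    expected = _norm(expected_name)
    problems: list[str] = []

    ptrs = ptr_lookup(ip)
    if not ptrs:
        problems.append(f"no PTR record for {ip}")
    else:
        if expected not in ptrs:
            problems.append(f"PTR for {ip} is {ptrs}, expected {expected}")
        if any(p.endswith(".amazonaws.com") for p in ptrs):
            problems.append(f"{ip} still has the AWS default rDNS name; ask AWS to set {expected}")

    addrs = a_lookup(expected)
    if not addrs:
        problems.append(f"no A record for {expected}")
    elif ip not in addrs:
        problems.append(f"A record for {expected} is {addrs}, does not include {ip}")
    return problems


if __name__ == "__main__":
    for ip, name in (("203.0.113.10", "mail.example.com"),
                     ("203.0.113.11", "mail2.example.com")):
        issues = check_fcrdns(ip, name, sample_ptr_lookup, sample_a_lookup)
        print(f"{ip} / {name}: {'OK' if not issues else '; '.join(issues)}")
```

To check a real Elastic IP, call check_fcrdns(eip, "mail.example.com") with the default live lookups from a host whose resolver can reach the internet; run it once before you submit the form (the A record should already be in place) and again after AWS confirms that the rDNS record is set.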

What happens next

After you submit the request form, you receive an email with the Request ID. It might take up to 48 hours to process your request. If your request is approved, then you receive an email notification that confirms that the default limits on the amount of email that can be sent from your EC2 account have been removed. If you don't receive an update within 48 hours after you submit the request, then reply to the initial email that you received.

Note:

  • It's a best practice to use Amazon Simple Email Service (Amazon SES) to send email. When you send email directly from your own resources, receiving providers can block or deprioritize cloud IP ranges, which delays or drops delivery.
  • You can't use the request form from an AWS GovCloud (US) account. However, you can submit the request from your standard account. In the Use case description, include the GovCloud Region, the account ID, and the EC2 instance ID or Elastic IP address.

AWS might deny your request for the following reasons:

  • There's no valid use case description for sending mail from EC2.
  • There's no statement that indicates how you plan to make sure that this account isn't implicated in the sending of unwanted mail.

Related information

Connecting to an Amazon SES SMTP endpoint

How do I remove the restriction on port 25 from my Lightsail instance?

Fully automated deployment of an open source mail server on AWS

AWS OFFICIAL
Updated 20 days ago
17 Comments

It is really funny that AWS is scared of port 25! While you promote the best security and the best cloud engineers, I tried your best practice to secure my mail server on EC2, but finally my request to remove port 25 got an email back saying it's not allowed! Oh man! Or are you trying to lock us into using AWS SES? My company bought your EC2 server to host a mail server, but it's useless! It ended up not being allowed.

The big cloud provider and cloud engineers of the earth, scared of port 25 :D

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied a year ago

We bought EC2 to host a mail server, but you block port 25. You instruct us to submit a form for removal, then we follow all your instructions to get the port 25 block removed, but we are still like customers begging for your cloud service.

We use your service, then we pay for it; we don't burn your house down, but we end up with just port 25 not allowed. AWS had better tell the world to stop using port 25 and remove it from the standard internet if you're scared.

Just kindly read your team respond to customer yourself.

https://pasteboard.co/FKFyyClG4goG.png

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied a year ago

Can you please post the AWS documentation or User Guide calling out the outbound port 25 block?

AWS
replied 10 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied 10 months ago

I send it to you and you always refuse to open port 25, and you reply with "we confirmed our original finding and cannot grant your request" and with no reason why you cannot grant the request.

replied 10 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied 10 months ago

I've just been denied opening port 25 unblocking after spending days setting up a mail server on an EC2 instance following a great AWS tutorial: https://aws.amazon.com/blogs/opensource/fully-automated-deployment-of-an-open-source-mail-server-on-aws/

Gutted.

I've been using cPanel with Dataflame (now Tsohost) for 15 years and hundreds of clients and had this functionality out-of-the-box. Looking to move to AWS and blocked by such a simple request. Not looking for email marketing, just a more professional email for business cards and the like using a domain purchased with Route 53.

Is there any way to push this to another team or am I just stuck going back to the old host, tail between my legs?

replied 7 months ago

Let me share that I haven't received any notification email after I submitted the request form.

Luca V (AWS)
replied 6 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied 6 months ago

It's not clear from this article whether this restriction applies only to internet-bound destinations (EC2 --> internet SMTP), or whether this also applies to EC2s reaching down a DX to on-prem SMTP relays (completely outside of AWS, privately routed down our dedicated DirectConnect).

replied 6 months ago

My hands are tied as I cannot get port 25 unblocked despite raising the request multiple times. I do not get any confirmation upon raising a request and also there's no way if anyone is working on the request or not. I simply do not know how to get this working. And please do not respond stating that the Knowledge Center will be reviewed and updated, that's not what I need.

replied 6 months ago

I just got a poor form letter to my request stating one or more of

"This account, or those linked to it, have been identified as having at least one of the following: * A history of violations of the AWS Acceptable Use Policy * A history of being not consistently in good standing with billing * Not provided a valid/clear use case to warrant sending mail from EC2"

This makes no sense. I've no personal history with AWS. This account is only a few weeks old. So the first two don't apply. My use case was put clearly:

"Use Case: Having recently switched ISPs, despite having fixed IPs for a business account, I haven't been able to get them to provide appropriate rDNS. A work around is to move our mail server from on-premise to an EC2 instance currently working as one of our authoritative DNS. As a sysadmin running mail servers since 1995, I can lock it down against any attempt to subvert it for spam."

What part of this is invalid or unclear? It gets more complex, because my full plan is to have a primary MX at AWS, switch my current primary MX here to be the backup MX. This is for a handful of domains and users. It's too complex a setup for Amazon's SES. Nor do I want to pay extra for that.

I'm also a consultant for a much larger firm with massive AWS deployment, for whom I also administer Postfix servers on AWS. They're in very good standing. That's the only other context in which AWS knows me.

Whit
replied 6 months ago

Does this apply for the inbound SMTP traffic? Seems like port 25 is blocked on Network Load Balancer for the inbound traffic.

replied 4 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied 4 months ago

Blocking port 25? Seriously? It's like offering a car without wheels – technically there, but utterly pointless. Cloud computing without smooth email integration is like having a smartphone with no signal. Let's rethink this, shall we.

replied 2 months ago