How do I remove the restriction on port 25 from my Amazon EC2 instance or Lambda function?


I want to learn how to remove the port 25 restriction to send email from my Amazon EC2 instances or AWS Lambda functions. I want to follow the steps to request removal of the email sending limitation.

Short description

By default, Amazon Elastic Compute Cloud (Amazon EC2) throttles outbound traffic on Simple Mail Transfer Protocol (SMTP) port 25 from all instances to prevent spam from being sent out. AWS blocks outbound port 25 traffic from all EC2 instances, and from Lambda functions attached to elastic network interfaces, in accounts that aren't allow listed. For more information, see Restriction on email sent using port 25.

Note: For Amazon EC2 inbound SMTP traffic, the port 25 restriction is applied at the instance level and is specific to each Region. Inbound traffic on port 25 isn't blocked on a Network Load Balancer.
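Before filing a request it is worth confirming that what you see is the EC2 port 25 restriction and not a security group, NACL or route problem. The following is an added example (not part of the AWS article) that probes a relay or MX host on the three ports a mail server uses outbound. An instance that is still throttled typically shows port 25 hanging until the timeout while 587 and 465 connect normally; that "dropped, not refused" behaviour is an observation from practice rather than a statement the article makes. The hostname is supplied on the command line; no real host is assumed.

```python
import socket
import sys
from typing import Dict, Iterable

# Ports a mail server needs outbound: 25 (MTA-to-MTA), 587 (submission with
# STARTTLS) and 465 (submission over implicit TLS). Only 25 is throttled by EC2.
MAIL_PORTS = (25, 587, 465)


def probe_port(host: str, port: int, timeout: float = 5.0) -> str:
    """Attempt a TCP connect and classify the outcome.

    Returns one of 'open', 'refused', 'timeout' or 'error'. On a throttled
    instance the SYN to port 25 is typically dropped, so the result is
    'timeout' rather than 'refused' (assumption drawn from observed behaviour).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:          # no SYN-ACK and no RST: packet dropped
        return "timeout"
    except ConnectionRefusedError:  # host reachable, nothing listening
        return "refused"
    except OSError:                 # DNS failure, unreachable network, ...
        return "error"


def probe_mail_ports(host: str, ports: Iterable[int] = MAIL_PORTS,
                     timeout: float = 5.0) -> Dict[int, str]:
    """Probe each port in turn and return {port: state}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def looks_throttled(results: Dict[int, str]) -> bool:
    """Signature of the EC2 restriction: 25 times out while a submission port
    on the same host connects, which rules out a generic network fault."""
    return results.get(25) == "timeout" and any(
        results.get(p) == "open" for p in (587, 465))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit(f"usage: {sys.argv[0]} <relay-or-mx-hostname>")
    target = sys.argv[1]
    states = probe_mail_ports(target)
    for port, state in sorted(states.items()):
        print(f"{target}:{port} -> {state}")
    if looks_throttled(states):
        print("Outbound port 25 appears to be dropped while 587/465 work: "
              "submit the removal request or relay over a submission port.")
```

Run it from the instance itself (or, for Lambda, from an instance in the same subnet behind the same NAT gateway), because the restriction is tied to the source network interface, not to the destination.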

Resolution

Submit a request to AWS to remove the restriction

Before AWS can remove the port 25 restriction from a Lambda function, you must first attach the function to an Amazon Virtual Private Cloud (Amazon VPC). Then, route the function's outbound traffic through a Network Address Translation (NAT) gateway so that it has internet access and a fixed source address. The restriction can't be removed from functions that aren't attached to a VPC.

After you complete these two tasks, you can request that AWS remove the port 25 restriction on either your EC2 instance or your NAT gateway:

  1. Sign in to your AWS account, and then open the Request to remove email sending limitations form.
  2. To receive updates about your request, enter your email address.
  3. Enter the following required information into the Use case description field:
    A clear, detailed use case for the need to send email messages from an EC2 instance or NAT gateway.
    A statement that outlines your plan to make sure that your account doesn't send unwanted emails.
    The AWS Region for your EC2 instance or NAT gateway.
  4. (Optional) Provide the AWS owned Elastic IP addresses that you use to send outbound email messages, and the reverse DNS (rDNS) records that AWS needs to associate with them. AWS owns the address space, so AWS sets the PTR record for the Elastic IP on your behalf; you are responsible for the matching forward record. To prevent outbound email messages from being flagged as spam, set up the rDNS record and then create a DNS A record that links the same hostname back to your Elastic IP address. For example, if mail.example.com is the rDNS record that you request, then create an A record for mail.example.com that points to the Elastic IP address, so that forward and reverse lookups agree.
  5. Choose Submit.

Note: If you have instances in more than one Region, then you must submit a separate request for each Region. If your instances are in a single Region, then be sure to submit only one request for that Region.
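Receiving mail servers check that the PTR record for your Elastic IP and the A record for the name it points to agree (forward-confirmed reverse DNS). The following is an added example (not part of the AWS article) that runs that check, so you can see whether the rDNS request has been applied and whether the A record from step 4 is in place. The resolver calls are injectable so that the logic can be exercised offline; the IP address and hostname used in the main block are placeholders, and the test data below uses the 203.0.113.0/24 documentation range.

```python
import socket
from typing import Callable, Dict, List, Optional

# Lookup hooks: the system resolver by default, constructed answers in tests.
PtrLookup = Callable[[str], str]
ALookup = Callable[[str], List[str]]


def system_ptr(ip: str) -> str:
    """PTR lookup via the system resolver; raises OSError when absent."""
    return socket.gethostbyaddr(ip)[0]


def system_a(hostname: str) -> List[str]:
    """All A records for hostname via the system resolver."""
    return socket.gethostbyname_ex(hostname)[2]


def check_fcrdns(ip: str, expected_host: Optional[str] = None,
                 ptr_lookup: PtrLookup = system_ptr,
                 a_lookup: ALookup = system_a) -> Dict[str, object]:
    """Verify that PTR(ip) -> host and A(host) -> ip agree.

    Returns the observed PTR, the A records behind it, whether the forward
    lookup confirms the IP, whether the PTR equals expected_host (None when
    not supplied) and a list of human-readable problems.
    """
    problems: List[str] = []
    result: Dict[str, object] = {
        "ip": ip, "ptr": None, "a": [], "forward_confirmed": False,
        "matches_expected": None, "problems": problems,
    }

    try:
        ptr = ptr_lookup(ip).rstrip(".").lower()
    except OSError as exc:
        problems.append(f"no PTR record for {ip}: {exc}")
        return result
    result["ptr"] = ptr

    # Until AWS applies the requested rDNS, an Elastic IP resolves to the
    # AWS-generated name (ending in amazonaws.com), which receiving servers
    # treat as a generic cloud host.
    if ptr.endswith(".amazonaws.com"):
        problems.append(f"PTR {ptr} is still the AWS default name; "
                        "the rDNS request has not been applied yet")

    if expected_host is not None:
        expected = expected_host.rstrip(".").lower()
        result["matches_expected"] = ptr == expected
        if ptr != expected:
            problems.append(f"PTR {ptr} does not match requested name {expected}")

    try:
        addrs = a_lookup(ptr)
    except OSError as exc:
        problems.append(f"forward lookup of {ptr} failed: {exc}")
        return result
    result["a"] = addrs
    result["forward_confirmed"] = ip in addrs
    if ip not in addrs:
        problems.append(f"A record for {ptr} does not include {ip}; "
                        f"create an A record {ptr} -> {ip}")
    return result


if __name__ == "__main__":
    import sys
    if len(sys.argv) not in (2, 3):
        sys.exit(f"usage: {sys.argv[0]} <elastic-ip> [expected-hostname]")
    report = check_fcrdns(sys.argv[1], sys.argv[2] if len(sys.argv) == 3 else None)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it once before submitting the form (expect the AWS default name and a problem list) and again after the approval email arrives; an empty problems list with forward_confirmed true is what receiving servers will see.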

Receive an email notification

After you submit the request form, you receive an email with the request ID. Your request might take up to 48 hours to process. If your request is approved, then you receive an email notification that also states the default limits on the amount of email that your account's EC2 resources can send. If you don't receive an update within 48 hours after you submit the request, then reply to the email that you received.

Note:

  • You can use Amazon Simple Email Service (Amazon SES) to send emails instead. When you send emails directly from your own resources, email providers can block cloud IP ranges and delay email delivery; SES sends from reputation-managed addresses and doesn't depend on port 25 being open.
  • You can't use the rDNS request form in AWS GovCloud (US) Regions. However, you can submit a request from your standard account. In the Use case description field, include the AWS GovCloud (US) Region, account ID, and EC2 instance ID or Elastic IP address.
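If the request is declined, or while it is pending, the route that doesn't depend on port 25 is to submit through the Amazon SES SMTP interface on port 587 with STARTTLS. The following is an added example (not from the AWS article) showing that exchange from an instance or function. It assumes SES SMTP credentials (generated in the SES console; they are not plain IAM access keys) in the environment variables SES_SMTP_USER and SES_SMTP_PASSWORD, names chosen for this example, a sender identity already verified in SES, and that the instance can reach the endpoint on 587. The code refuses to send credentials unless the server offers STARTTLS.

```python
import os
import smtplib
import ssl
from email.message import EmailMessage
from typing import Dict, Sequence


def ses_smtp_endpoint(region: str) -> str:
    """SES SMTP interface hostname for a Region, for example
    email-smtp.us-east-1.amazonaws.com."""
    return f"email-smtp.{region}.amazonaws.com"


def build_message(sender: str, recipients: Sequence[str],
                  subject: str, body: str) -> EmailMessage:
    """Assemble a plain-text message; sender must be an identity verified in SES."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def send_via_ses(msg: EmailMessage, region: str, username: str, password: str,
                 port: int = 587, timeout: float = 30.0) -> Dict[str, tuple]:
    """Relay msg through SES over STARTTLS on the submission port.

    Returns smtplib's dict of refused recipients; an empty dict means every
    recipient was accepted. Raises before login if STARTTLS is not offered,
    so SMTP credentials never cross the network in clear text.
    """
    context = ssl.create_default_context()  # validates certificate chain and hostname
    with smtplib.SMTP(ses_smtp_endpoint(region), port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            raise RuntimeError("SES endpoint did not offer STARTTLS; "
                               "not sending credentials in clear")
        smtp.starttls(context=context)
        smtp.ehlo()  # re-identify after the TLS upgrade, as RFC 3207 requires
        smtp.login(username, password)
        return smtp.send_message(msg)


if __name__ == "__main__":
    # Environment variable names are this example's choice, not an AWS convention.
    user = os.environ["SES_SMTP_USER"]
    password = os.environ["SES_SMTP_PASSWORD"]
    region = os.environ.get("AWS_REGION", "us-east-1")
    message = build_message("noreply@example.com", ["ops@example.com"],
                            "Port 25 is not required",
                            "Sent through SES on 587 with STARTTLS.")
    refused = send_via_ses(message, region, user, password)
    print("all recipients accepted" if not refused else f"refused: {refused}")
```

Port 587 is not subject to the EC2 restriction, so this works from a throttled instance and from a Lambda function behind a NAT gateway without any removal request; what you give up is the ability to deliver MTA-to-MTA on 25 yourself.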

AWS might deny your request for the following reasons:

  • You didn't present a valid use case that explains why you want to send an email from an EC2 instance.
  • You didn't present a statement that outlines your plan to be sure that your account doesn't send unwanted emails.

Related information

Connecting to an Amazon SES SMTP endpoint

How do I remove the restriction on port 25 from my Lightsail instance?

Fully automated deployment of an open source mail server on AWS

AWS OFFICIAL, updated 4 months ago
26 Comments

It is really funny that AWS is scared of port 25! While you promote the best security and the best cloud engineers. I tried your best practices to secure my mail server on EC2, but when I finally requested to remove the port 25 block, your email back said it's not allowed! Oh man! Or are you trying to lock us into using AWS SES? My company bought your EC2 server to host a mail server, but it's useless! It ended up not being allowed.

The big cloud provider and cloud engineers on earth, scared of port 25 :D

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied a year ago

We bought EC2 to host a mail server, but you block port 25. You instruct us to submit a form for removal, then we follow all your instructions to get the port 25 block removed, but it's still like a customer begging for your cloud service.

We use your service, then we pay for it; we don't burn your house down, but we end up with just port 25 not allowed. Better that AWS tell the world to stop using port 25 and remove it from the standard internet if you're scared.

Just kindly read your team's response to the customer yourself.

https://pasteboard.co/FKFyyClG4goG.png

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied a year ago

Can you please post the AWS documentation or User Guide calling out the outbound port 25 block?

AWS
replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied a year ago

I send it to you and you always refuse to open port 25, and you reply with "we confirmed our original finding and cannot grant your request" and with no reason why you cannot grant the request.

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied a year ago

I've just been denied port 25 unblocking after spending days setting up a mail server on an EC2 instance following a great AWS tutorial: https://aws.amazon.com/blogs/opensource/fully-automated-deployment-of-an-open-source-mail-server-on-aws/

Gutted.

I've been using cPanel with Dataflame (now Tsohost) for 15 years and hundreds of clients and had this functionality out-of-the-box. Looking to move to AWS and blocked by such a simple request. Not looking for email marketing, just a more professional email for business cards and the like using a domain purchased with Route 53.

Is there any way to push this to another team or am I just stuck going back to the old host, tail between my legs?

replied a year ago

Let me share that I haven't received any notification email after I submitted the request form.

AWS
Luca V
replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied a year ago

It's not clear from this article whether this restriction applies only to internet-bound destinations (EC2 --> internet SMTP), or whether this also applies to EC2s reaching down a DX to on-prem SMTP relays (completely outside of AWS, privately routed down our dedicated DirectConnect).

replied a year ago

My hands are tied as I cannot get port 25 unblocked despite raising the request multiple times. I do not get any confirmation upon raising a request, and there's also no way to know if anyone is working on the request or not. I simply do not know how to get this working. And please do not respond stating that the Knowledge Center will be reviewed and updated, that's not what I need.

replied a year ago

I just got a poor form letter to my request stating one or more of

"This account, or those linked to it, have been identified as having at least one of the following: * A history of violations of the AWS Acceptable Use Policy * A history of being not consistently in good standing with billing * Not provided a valid/clear use case to warrant sending mail from EC2"

This makes no sense. I've no personal history with AWS. This account is only a few weeks old. So the first two don't apply. My use case was put clearly:

"Use Case: Having recently switched ISPs, despite having fixed IPs for a business account, I haven't been able to get them to provide appropriate rDNS. A work around is to move our mail server from on-premise to an EC2 instance currently working as one of our authoritative DNS. As a sysadmin running mail servers since 1995, I can lock it down against any attempt to subvert it for spam."

What part of this is invalid or unclear? It gets more complex, because my full plan is to have a primary MX at AWS, switch my current primary MX here to be the backup MX. This is for a handful of domains and users. It's too complex a setup for Amazon's SES. Nor do I want to pay extra for that.

I'm also a consultant for a much larger firm with massive AWS deployment, for whom I also administer Postfix servers on AWS. They're in very good standing. That's the only other context in which AWS knows me.

Whit
replied a year ago

Does this apply for the inbound SMTP traffic? Seems like port 25 is blocked on Network Load Balancer for the inbound traffic.

replied 10 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied 10 months ago

Blocking port 25? Seriously? It's like offering a car without wheels – technically there, but utterly pointless. Cloud computing without smooth email integration is like having a smartphone with no signal. Let's rethink this, shall we.

replied 9 months ago

After setting up the mail server and implementing all the necessary security parameters, including configuring an Elastic IP and setting up reverse DNS, I submitted a request to unblock the restriction on port 25. However, the response I received indicated a preference for promoting their SES services without any particular reasons. My account is completely new and without any problems. Please let me know how this issue can be resolved.

Hello,

Thank you for submitting your request to have the email sending limit removed from your account and/or for an rDNS update.

After a thorough review, we confirmed our original finding and cannot grant your request.

Please consider looking into the Simple Email Service (SES) https://aws.amazon.com/ses/.

We cannot assist you further with this issue and we may not respond to additional messages on this subject.

replied 5 months ago

It's a very complicated process without any easy guide to enable my AWS Lightsail WordPress instance to send emails. Is there any simple step-by-step guide to follow? If not, I am willing to pay for AWS staff to help me get my server set up for sending emails. I am specifically interested in enabling the PHP mail function on my CentOS server.

And if none of this is possible, can anyone point me towards a better solution?

Thanks.

Amir

Amir
replied 4 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied 4 months ago

It will never work. It still says I have "A history of violations of the AWS Acceptable Use Policy", "A history of being not consistently in good standing with billing" and "Not provided a valid/clear use case to warrant sending mail from EC2". It's all nonsense. I just need a personal email server without all of the automatic sending.

Auuu
replied 4 months ago

It says "we confirmed our original finding and cannot grant your request" and suggests their SES again. It's never possible to unblock your SMTP via https://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/ec2-email-limit-rdns-request . Maybe there is still hope if you are a company. But for an individual user, unblocking port 25 is impossible.

Auuu
replied 4 months ago

Forever "After a thorough review, we confirmed our original finding and cannot grant your request". I doubt there is anyone who has really unblocked port 25 via https://aws-portal.amazon.com/gp/aws/html-forms-controller/contactus/ec2-email-limit-rdns-request ?

Auuu
replied 4 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS MODERATOR
replied 4 months ago

It is indeed difficult to remove the restriction on port 25. The solution provided by AWS is very confusing and lengthy, and there is no guarantee that the problem can be solved. It may even require paid technical consultation to solve it. It is very unreasonable to simply ban port 25 without notice. If your company wants to ban port 25, it should remind customers to be cautious before purchasing the service, instead of letting subsequent users discover it themselves and recommending their own SES products after failing to remove it. Disappointing service.

replied 2 months ago

I've encountered this difficulty as well. Until now AWS has been very professional, but the support request was answered with the dreaded copy-and-paste of "A history of violations of the AWS Acceptable Use Policy", "A history of being not consistently in good standing with billing" and "Not provided a valid/clear use case to warrant sending mail from EC2". The account never had a violation, never had billing issues, and the use case was a simple personal mail server with heightened security.

Upon asking support which of these 3 issues I ran afoul of, I got another copy-and-paste snippet, "we confirmed our original finding and cannot grant your request", again without explanation.

I must say, I expected better. At least a personalised "here's what you need to do to comply" should have been included!

Flo
replied a month ago