Among the many uses of a VPS, besides serving a website, people often set up their own mail server for site notifications, for branded email on their own domain, and so on. A self-hosted mail server relies on SMTP, which means it needs to be able to use port 25. Most cloud providers, however, block outbound and/or inbound port 25 by default to prevent spam abuse.

Most cloud server providers in China block it outright; overseas providers such as Colocrossing Cloud block it by default but will open it if you file a ticket.

Symptoms when SMTP is blocked

Setting up your own mail server is not really hard; maddy or the BT Panel (宝塔) mail server plugin will usually do the job. But if the provider hosting your VPS blocks SMTP, then sending a test mail after the setup will produce a message like this:

  • BT Panel (宝塔) Mail Server

    Some cloud vendors (e.g. Alibaba Cloud, Tencent Cloud) close port 25 by default; you need to contact the vendor to open port 25 before the mail service will work normally

  • aapanel Mail Server

    Some cloud vendors (such as Google, Amazon) close port 25 by default, and you need to contact the vendor to open port 25 before you can use the post office service normally

Some people suggest using ports 465 or 587 instead, but those are client submission ports; server-to-server delivery to remote MX hosts still happens on port 25, and that is not something a self-hosted mail service can change.

Confirming the problem

Even though the BT Panel mail server shows that hint, you cannot immediately conclude that the provider is the cause; it could just as well be a mail service failure, a configuration error, the system firewall, and so on. These have to be ruled out step by step. For the port 25 question specifically, we need a few tests to confirm where the problem lies:

  1. Confirm the firewall is not blocking

    Basic principle: get your own house in order first. Start by allowing port 25 in the firewall, or simply disable the system firewall. In BT Panel or aapanel you can add a security rule for the port; some providers also require you to allow it in the platform-level firewall policy, so do that wherever it applies. If you are not managing it from a panel, the in-system firewall is usually handled with ufw:

    ufw disable ## disable the firewall
    ufw status ## show the current rule status
    ufw allow smtp ## allow the service by name
    ufw allow 25 ## allow the port
  2. Make sure the service port is up

    To test port 25 we first start the mail service and make sure port 25 is in the LISTEN state:

    root@mail:~# netstat -npltu |grep 25
    tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 1422/master
    tcp6 0 0 :::25 :::* LISTEN 1422/master
  3. Test port connectivity

    Connectivity has an inbound and an outbound direction: some providers block only outbound, others block both. Tools such as telnet, curl, or tcping can do the test; we use the telnet command as the example.

    • Basic usage: telnet IP/DOMAIN PORT
    • End the telnet session: CTRL + ]
    • Exit telnet: quit

    With the basics covered, we can test connectivity. As noted above, there are two directions. Inbound can be checked with an online port-check tool; outbound can be tested with the following commands:

    ## Port 25 to the Gmail server: unreachable
    root@mail:~# telnet smtp.gmail.com 25
    Trying 142.250.141.109...
    Connection failed: Connection timed out
    root@mail:~# telnet 142.251.2.108 25
    Trying 142.251.2.108...
    ^C
    ## Port 25 to the QQ Mail server: unreachable
    root@mail:~# telnet mx1.qq.com 25
    Trying 162.62.116.184...
    ^C
    ## Port 993 to the Gmail server: confirms the network path works
    root@mail:~# telnet smtp.gmail.com 993
    Trying 142.250.141.109...
    Connected to smtp.gmail.com.
    Escape character is '^]'.

    To be more thorough, we can test additional ports as corroboration:

    root@mail:~# telnet smtp.gmail.com 995
    Trying 142.250.141.108...
    Connected to smtp.gmail.com.
    Escape character is '^]'.
    ^]
    telnet> quit
    Connection closed.
    root@mail:~# telnet smtp.gmail.com 587
    Trying 142.250.141.109...
    Connected to smtp.gmail.com.
    Escape character is '^]'.
    220 smtp.gmail.com ESMTP d2e1a72fcca58-74237705548sm2407484b3a.25 - gsmtp
    ^]
    telnet> quit
    Connection closed.
    root@mail:~# telnet smtp.gmail.com 465
    Trying 142.250.141.109...
    Connected to smtp.gmail.com.
    Escape character is '^]'.
    ^]

From this series of tests we can conclude: the VPS network is fine, and access to ports on other servers works for everything except port 25. So the server provider is blocking outbound SMTP on port 25.

From the mail system's point of view, blocked outbound and blocked inbound show different symptoms:

  • Outbound blocked: mail can be received but not sent
  • Inbound blocked: mail cannot be received
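The telnet checks above can be scripted so that one run covers all the ports and applies the post's reasoning automatically. The following is an added example and is not code from the original post or from any mail server project. It assumes only the Python standard library; the hosts and ports in the `__main__` block are the ones the post tests, while `fake_smtp_listener` and `unused_local_port` are constructed helpers so the probe can be exercised offline against 127.0.0.1.

```python
import socket
import threading

PROBE_TIMEOUT = 5  # seconds; a filtered port shows up as a timeout


def probe(host, port, timeout=PROBE_TIMEOUT):
    """Attempt one TCP connection and classify the outcome.

    Returns (state, banner): state is 'open', 'refused', 'timeout' or
    'error'; banner is the first line the peer sent (SMTP servers greet
    with a 220 line, as in the telnet output above) or '' if nothing
    arrived within two seconds.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(2)
            try:
                banner = s.recv(256).decode("ascii", "replace").strip()
            except socket.timeout:
                banner = ""
            return "open", banner
    except socket.timeout:
        return "timeout", ""
    except ConnectionRefusedError:
        return "refused", ""
    except OSError as exc:
        return "error", str(exc)


def diagnose(results):
    """Map {port: state} to a verdict, following the reasoning of the post:
    port 25 timing out while other ports on the same host connect is the
    signature of an upstream (provider) filter, not a local fault."""
    state25 = results.get(25, "untested")
    others_open = any(st == "open" for p, st in results.items() if p != 25)
    if state25 == "open":
        return "port 25 reachable: no upstream block"
    if not others_open:
        return "nothing reachable: check local firewall and network first"
    if state25 == "timeout":
        return "port 25 filtered upstream (other ports reachable)"
    return "port 25 %s while other ports open: inspect local config" % state25


# --- constructed offline helpers (not real mail hosts) ---

def fake_smtp_listener(greeting=b"220 mail.example.test ESMTP constructed\r\n"):
    """Start a one-shot listener on 127.0.0.1 that sends an SMTP-style
    greeting, so probe() can be exercised without network access."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(greeting)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_local_port():
    """Pick a port nobody is listening on, to demonstrate the 'refused' state."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Same host and ports the post checks with telnet.
    host = "smtp.gmail.com"
    results = {}
    for port in (25, 465, 587, 993):
        state, banner = probe(host, port)
        results[port] = state
        print("%s:%d -> %s %s" % (host, port, state, banner))
    print(diagnose(results))
```

Run it from the VPS itself, because the outbound direction is what the provider filters; checking the inbound direction still needs a vantage point outside the provider's network, as the post notes. A `refused` result on port 25 while the other ports connect means the remote host answered, so the fault is not an upstream filter; only a `timeout` on 25 alone matches the symptom described above.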

Requesting SMTP to be opened

If your provider blocks port 25, you need to file a ticket requesting port 25 access. Below is a sample ticket in English:

Bro, I am writing to formally request assistance with the following configurations for my server hosted on your platform:

1. Enable Outbound Port 25 ## request 1
I want to send transactional emails (e.g., order confirmations, password resets) through a self-hosted mail server, but it does not work.

We have implemented SPF, DKIM, and DMARC records to ensure compliance with anti-spam policies. Please enable outbound SMTP port 25 for my VM: x.x.x.x.

2. Configure PTR (Reverse DNS) Record ## request 2: providers that require a ticket usually have no self-service PTR binding
To improve email deliverability, we need to bind a PTR record for my server IP.

IP Address: x.x.x.x
PTR Value: mail.x.x
We confirm that the forward DNS (A record) for mail.x.x already points to x.x.x.x.
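The second request in the ticket hinges on the PTR record and the forward A record agreeing (forward-confirmed reverse DNS), which is worth checking both before filing the ticket and after the provider sets the PTR. The following is an added example, not part of the original post. It uses only the Python standard library resolver; the `FAKE_PTR` / `FAKE_A` tables and the `fake_ptr` / `fake_forward` functions are constructed sample data on TEST-NET-3 addresses so the check can run offline, and `mail.example.test` stands in for the `mail.x.x` placeholder of the ticket.

```python
import socket


def resolve_ptr(ip):
    """PTR lookup through the system resolver; None when no PTR exists."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:  # socket.herror / socket.gaierror are OSError subclasses
        return None


def resolve_forward(hostname):
    """A/AAAA lookup through the system resolver; empty set on failure."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except OSError:
        return set()
    return {info[4][0] for info in infos}


def fcrdns_check(ip, expected_host, ptr=resolve_ptr, forward=resolve_forward):
    """Verify PTR(ip) == expected_host and that ip is among the forward
    records of expected_host. Returns (ok, detail). The resolver functions
    are parameters so the check can run against constructed data offline."""
    host = ptr(ip)
    if host is None:
        return False, "no PTR record for %s" % ip
    host = host.rstrip(".").lower()
    want = expected_host.rstrip(".").lower()
    if host != want:
        return False, "PTR of %s is %s, expected %s" % (ip, host, want)
    if ip not in forward(host):
        return False, "forward record of %s does not point back to %s" % (host, ip)
    return True, "forward-confirmed: %s <-> %s" % (ip, host)


# Constructed sample zone (TEST-NET-3 addresses, not real hosts):
# .10 is correctly set up; .11 still carries the provider's generic PTR;
# .12 has the right PTR but its A record no longer points back.
FAKE_PTR = {
    "203.0.113.10": "mail.example.test",
    "203.0.113.11": "vps-11.provider.example",
    "203.0.113.12": "mail.example.test",
}
FAKE_A = {
    "mail.example.test": {"203.0.113.10"},
    "vps-11.provider.example": {"203.0.113.11"},
}


def fake_ptr(ip):
    return FAKE_PTR.get(ip)


def fake_forward(hostname):
    return FAKE_A.get(hostname, set())


if __name__ == "__main__":
    for ip in sorted(FAKE_PTR):
        print(ip, fcrdns_check(ip, "mail.example.test", fake_ptr, fake_forward))
```

With the default resolver arguments, `fcrdns_check("x.x.x.x", "mail.x.x")` run from the VPS tells you whether the provider has actually applied the PTR you asked for; receiving mail servers treat a PTR that does not resolve back to the sending IP as a spam signal, so a mismatch here undoes the deliverability benefit the ticket is asking for.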

State plainly in the ticket what you need and what you have already configured. Support will usually first ask about your intentions and require certain assurances:

Hello,

Thank you for reaching out regarding the SMTP access on virtual servers. By default, we filter SMTP ports. Could you please provide more details on the following points:

Specific Purposes for SMTP Access:
Could you specify the primary purposes for which you require SMTP access on your virtual servers? Are you using it for outgoing email services, backups, notifications, or other applications?
Email Volume:
Approximately how many emails do you anticipate sending per hour and per day through SMTP?
Current SMTP Security Measures:
How do you currently secure your SMTP services? Are there specific security protocols or configurations in place to protect against unauthorized access or misuse?
Additional Security Measures:
Are there any additional security measures or configurations that you can implement to further mitigate risks associated with SMTP usage?
Compliance and Policies:
Have you reviewed our Terms of Service (TOS) regarding SMTP access?

Your responses to these questions will help us evaluate the feasibility and implications of enabling SMTP access on your virtual servers effectively. Please feel free to provide any additional information or concerns you may have.

We just want to run our own little mail server, what harm could we possibly do? Naturally we give our word:

Dear Michael,

Thank you for your prompt response. Below are the requested details regarding our SMTP access requirements:

1. Specific Purpose for SMTP Access
We require SMTP access exclusively for transactional notifications, including:
System alerts (e.g., server downtime warnings)
User account operations (e.g., password reset confirmations)
Service status updates (e.g., order completion notices).
This will NOT be used for marketing emails or bulk mailing.

2. Estimated Email Volume
Daily Average: Less than 10 emails (primarily triggered by user actions)
Peak Scenarios: Infrequent bulk notifications (e.g., planned system maintenance alerts to all users) may temporarily reach 100-150 emails/hour, occurring fewer than 3 times monthly.
Monthly Total: Typically under 500 emails.

3. Current SMTP Security Measures
To prevent abuse, we have implemented:
Mandatory Authentication: SMTP service requires username/password + TLS encryption.

Anti-Spam Compliance:
Valid SPF/DKIM/DMARC records configured for my domain.

4. Compliance Confirmation
We confirm:
Full acceptance of your TOS.
Immediate suspension of SMTP access if policy violations are detected.

Barring surprises, after this exchange an overseas VPS provider will open SMTP for you and you can get on with it. Of course, just as you promised, sending spam will get the access revoked, or even get your server deleted, so behave!