Google Cloud Compute blocks ports 25, 465, 587 for outgoing mail

Hi guys,
i havent yet worked out how to ensure that i have subscribed to my own threads and so am not sure if i have already posted stuff along these lines…however, this new title im sure will help someone else as i have titled it correctly now i understand why my outgoing mail refuses to work.

i know this port 25 issue has been spoken about before, however, i need clarification.

Google Cloud documentation says…

Google Compute Engine does not allow outbound connections on ports 25, 465, and 587. By default, these outbound SMTP ports are blocked because of the large amount of abuse these ports are susceptible to.

it then goes on to say…

While sending email from blocked ports is not allowed, your instances can still receive email.

In addition to the above, it now gets confusing…

Although standard email ports are blocked, you can choose a non-standard port to send email through.

If you don’t have a G Suite account or don’t want to use G Suite or a third-party mail provider, you can set up your own email server on an instance using a non-standard port. You can choose any ephemeral port that isn’t blocked by Compute Engine

So my question is this…

If Google Cloud Compute can recieve mail on port 25,465, and 587, and we can configure for example Postfix to send outgoing mail on say port 2525 (as recommended by google)

  1. Cant i just send mail on port 2525 from my virtualmin google cloud compute instance postfix server?

  2. Why do i need a relay service?

  1. I guess that’s what they are suggesting you do, so you can.

  2. Because the ‘port you are sending on’ really means ‘the port the other end is listening on’ in this case. Almost no other mail server listens on non-standard ports. You would need to set up a mail server (or subscribe to one) outside of Google that listens on the non-standard port you choose, and then relays the email on to the destination servers on standard ports.

You can’t send to arbitrary servers on non-standard ports. As noisemarine notes, you’ll need someone outside of GCE to relay mail for you. I’d started working on a video for that, but got distracted by fixing other issues when installing into a GCE instance (which are now all fixed, I think). But, basically, you need to sign up for one of the SMTP services out there…Sendgrid, Mailjet, whatever. Many have a free tier that’ll get you started without spending more money.

But, this is one of the reasons I recommend against GCE for a general purpose server. It’s a good cloud offering, but you have to outsource a lot of stuff that could ordinarily be handled in the box.

You guys are so very right. I am finding that because of some of its inherent restrictions, Google Cloud Compute does not work out at cheap as i thought when compared against Amazon, Azure, or Digital Ocean.
I am now considering changing everything over to a Digital Ocean Droplet (the biggest problem with such a change is the digital ocean datacenter locations…none of them are in my country (australia). At least with Google Cloud, i have a datacenter here on our East Coast.

I am signing up for a Sendgrid account.

Joe, could i ask…Sendgrid offers two alternatives for configuration

  1. Use their own Web API (this is the recommended option)

  2. SMTP Relay

For Virtualmin, is there any benefit using one of the above options over the other?

If i am wanting to host client websites on this server, how does this work? (ie, is there a sendgrid account for each virtualmin virtual server, or is it one account for the whole Google Cloud Instance?). My assumption is that if there is a web api, then one could have clients install this on each of their own virtualmin virtual servers?

If this is a yes vote from you, is there any likelihood of a script for this built into virtualmin so that i can automate this from whmcs when a client purchases hosting services?

I have followed the google cloud sendgrid tutorial…

i have messed something up as it doesnt work.
When i read up on how this is setup when using ISPConfig, apparently that cpanel requires almost no configuration other than to add sendgrid username and password to make it work.
What do we need to do in virtualmin to get sendgrid working?

Here is the sendgrid explaination for the error i am getting when trying to send outgoing email…

If you’re getting an “Unauthenticated Senders Not Allowed” error, the problem usually lies in authenticating with our SMTP server. This error gets triggered when there was an attempt to hand over an email message through before authenticating the connection with your SendGrid username and password.

To fix this issue, you’ll want to make sure that you’ve configured your setup to connect to using authentication, and that the credentials you’re using are the same credentials you use to login to the SendGrid.

If you’re using cPanel/Exim, you’ll want to make sure it’s configured to authenticate every time it connects to

So how do i fix this in virtualmin?

On your question about API vs SMTP relay, for general purpose mail you can only use SMTP relay. The API is their HTTP API that requires you to write your application to speak directly to it. If you want to be able to send mail from applications that don’t support that API (most of them), then you need an SMTP relay.

It looked like you had already configured smtp authentication over in the other thread you started, so I won’t address that here, but do follow up over on the new thread if you’re still getting an authentication problem.

Help to get Google to open their outgoing email ports by voting for the unblocking here:

thanks for the heads up and link gregarious,
1 vote from me. for sure this is a good idea.