Enable and troubleshoot port 25 on multiple VPS IPs

Learn how to enable SMTP on all assigned IPs, fix routing and firewall issues, and bind your mail server correctly.

Written by Andy Wallace
Updated over a week ago

If your VPS has port 25 open but some IPs send email and others do not, the issue is almost always inside the VPS itself. Typical causes include missing IP bindings, strict reverse-path filtering, firewall rules, or the mail server not using the correct source IP. This guide helps you enable outbound SMTP on every assigned address.


Requirements

Make sure you have:

  • A VPS with multiple public IPs assigned.

  • SSH access as root or a sudo-enabled user.

  • Postfix or Exim installed if you plan to send mail directly.

  • DNS access to manage PTR, SPF, DKIM, and DMARC.


Step 1 — Bring up all IPs on your network interface

Your VPS must have every assigned IP configured on the active interface.
Check your interface and routing table first:

ip addr show
ip route


If an IP is missing, add it using the configuration method for your distribution (Netplan, ifupdown, network-scripts, or NetworkManager). After updating your config, apply the changes:

netplan apply
# or
systemctl restart networking
# or
systemctl restart network
# or
nmcli con up "System ETH0"

Choose the command appropriate for your OS.


Step 2 — Set reverse path filtering to loose (rp_filter=2)

Strict reverse-path filtering (rp_filter=1) can silently drop packets for connections made from “secondary” IPs.
Use loose mode (2) to prevent these drops.

sysctl -w net.ipv4.conf.all.rp_filter=2
sysctl -w net.ipv4.conf.default.rp_filter=2
sysctl -w net.ipv4.conf.ETH0.rp_filter=2

Persist these values in /etc/sysctl.conf and apply:

sysctl -p

Replace ETH0 with your actual interface name.
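
The kernel validates each interface against the larger of the "all" value and the per-interface value, so the effective mode is not always the one you last set. The audit below is an added example, not part of the original guide; CONF_ROOT and the function names are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: report the rp_filter mode the kernel enforces per interface.
# For source validation the kernel uses max(conf/all, conf/<iface>).

# CONF_ROOT is an assumption of this example (lets you audit a copied tree);
# on a live system the values live under /proc/sys/net/ipv4/conf.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# effective_rp_filter IFACE -> prints the larger of the "all" and IFACE values
effective_rp_filter() {
    local all_val if_val
    all_val=$(cat "$CONF_ROOT/all/rp_filter" 2>/dev/null) || return 2
    if_val=$(cat "$CONF_ROOT/$1/rp_filter" 2>/dev/null) || return 2
    if [ "$all_val" -gt "$if_val" ]; then echo "$all_val"; else echo "$if_val"; fi
}

# audit_rp_filter -> one line per interface: "<iface> <mode> <meaning>"
# Returns 1 if any interface is still in strict mode.
audit_rp_filter() {
    local dir iface eff status=0
    for dir in "$CONF_ROOT"/*/; do
        iface=$(basename "$dir")
        case "$iface" in all|default|lo) continue ;; esac
        eff=$(effective_rp_filter "$iface") || continue
        case "$eff" in
            0) echo "$iface 0 off" ;;
            1) echo "$iface 1 strict"; status=1 ;;
            2) echo "$iface 2 loose" ;;
        esac
    done
    return "$status"
}

# Run the audit only when asked, e.g.: bash rp_audit.sh --audit
if [ "${1:-}" = "--audit" ]; then audit_rp_filter; fi
```
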


Step 3 — Test outbound port 25 from each IP

Install testing tools if needed:

apt-get update && \
apt-get install -y netcat-openbsd telnet swaks
# or
yum install -y nc telnet swaks

Test SMTP connectivity while forcing the source IP:

nc -zv -s YOUR_IP_2 smtp.gmail.com 25
nc -zv -s YOUR_IP_3 smtp.gmail.com 25

You can also use swaks for deeper testing:

swaks --to test@example.com --server smtp.gmail.com --port 25 \
--interface YOUR_IP_2 --quit-after DATA

If one IP succeeds and others fail, verify Step 1 and Step 2 again and make sure no local firewall rule blocks outbound traffic.


Step 4 — Check your OS firewall

Only your VPS firewall applies here. The LumaDock provider-side firewall is off by default unless you enable it.


UFW on Ubuntu

ufw status
ufw allow 25/tcp

firewalld on RHEL-based systems

firewall-cmd --permanent --add-service=smtp
firewall-cmd --reload

If you use iptables or nftables directly, confirm no DROP rules or SNAT/MASQUERADE rules interfere with your chosen source IP.


Step 5 — Bind your mail server to specific IPs

Mail servers normally send from the primary IP unless instructed otherwise.
Binding ensures each IP can send mail on port 25.


Postfix: simple global bind

# /etc/postfix/main.cf
smtp_bind_address = YOUR_IP_2
# smtp_bind_address6 = YOUR_IPV6_2 (if needed)

systemctl restart postfix


Postfix: bind different domains to different IPs

# /etc/postfix/master.cf
# Continuation lines must start with whitespace.
smtp-ip2 unix - - n - - smtp
  -o smtp_bind_address=YOUR_IP_2

smtp-ip3 unix - - n - - smtp
  -o smtp_bind_address=YOUR_IP_3

# /etc/postfix/transport (entries are matched against the recipient domain)
example.com smtp-ip2:
anotherdomain.com smtp-ip3:

postmap /etc/postfix/transport
postconf -e 'transport_maps = hash:/etc/postfix/transport'
systemctl reload postfix


Exim: bind to a specific interface

# /etc/exim/exim.conf
remote_smtp:
  driver = smtp
  interface = YOUR_IP_2

Restart Exim after editing.


Step 6 — (Optional) Receive mail on port 25

If you also want to receive mail on multiple IPs:

  • Set inet_interfaces = all in Postfix.

  • Allow port 25/tcp in your firewall.

  • Create MX records for hostnames pointing to your receiving IPs.

  • Verify with:

ss -lntp | grep :25


Step 7 — Configure rDNS, SPF, DKIM, and DMARC

Most large mail providers require correct DNS configuration before accepting mail:

  • PTR must match the hostname tied to each sending IP.

  • SPF should include all sending IPs.

  • DKIM must be enabled and keys published.

  • DMARC should start with p=none before enforcing stricter policies.

Even with open port 25, missing DNS records often leads to rejected mail.
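
To check the SPF point above, the added example below (not part of the original guide) lists which sending IPs are not covered by any ip4: mechanism in a record, including CIDR ranges. It goes slightly beyond the text by handling prefixes; the function names and the sample record are constructed, and include:, a and mx mechanisms are not resolved.

```bash
#!/usr/bin/env bash
# Added example: find sending IPs that an SPF record's ip4: terms do not cover.

# ip4_to_int A.B.C.D -> prints the address as a 32-bit integer
ip4_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# ip4_in_net IP NET[/PREFIX] -> status 0 if IP lies inside the network
ip4_in_net() {
    local ip net prefix=32 mask
    case "$2" in */*) prefix="${2#*/}" ;; esac
    ip=$(ip4_to_int "$1")
    net=$(ip4_to_int "${2%/*}")
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# spf_uncovered_ips "RECORD" IP... -> prints each IP no ip4: term covers.
# Returns 1 if at least one IP is missing from the record.
spf_uncovered_ips() {
    local record="$1" ip term covered missing=0
    shift
    for ip in "$@"; do
        covered=no
        for term in $record; do
            case "$term" in
                ip4:*|+ip4:*)   # only passing mechanisms count as coverage
                    if ip4_in_net "$ip" "${term#*ip4:}"; then covered=yes; break; fi ;;
            esac
        done
        if [ "$covered" = no ]; then echo "$ip"; missing=1; fi
    done
    return "$missing"
}

# Constructed sample using documentation address ranges, not real senders.
# On a live domain, paste the TXT record returned by: dig +short TXT yourdomain
SPF='v=spf1 ip4:203.0.113.10 ip4:198.51.100.0/29 -all'
spf_uncovered_ips "$SPF" 203.0.113.10 198.51.100.5 203.0.113.11 \
    || echo "^ not covered by the SPF record"
```
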


Troubleshooting

  • If only the main IP sends mail, check your bind settings in Postfix or Exim.

  • If nc -s IP2 works but actual email goes out over IP1, configure per-domain or per-sender transport rules.

  • If inbound connections are refused, confirm the MTA is listening on port 25 and not blocked by the firewall.

  • If one IP fails while others work, restart networking, reapply rp_filter settings, and verify routes.

  • On RHEL-based systems, temporarily set SELinux to permissive (setenforce 0) to rule out policy issues.

  • For IPv6, bind with smtp_bind_address6 or the equivalent Exim setting and configure AAAA + reverse DNS.


Verification checklist

  • All assigned IPs appear in ip addr.

  • rp_filter is set to loose mode.

  • Port 25 tests succeed when binding each source IP.

  • Postfix or Exim is bound to the correct IPs.

  • PTR, SPF, DKIM, and DMARC records are in place.

If you do not need to send mail directly over port 25, consider using a relay on ports 587 or 465. Relays avoid many of the filtering policies applied by large inbox providers.