Google Compute Engine does not allow outbound connections on ports 25, 465, and 587 but you can still set up your instance to send mail using partner services like SendGrid, Mailgun, or using Google Apps.
For example, SendGrid and Mailgun supports sending email through port 2525 for Compute Engine customers, while Google Apps customers can send email through ports 587 or 465 using their Google Apps domain. Lastly, you can also set up your own email server on any of the ports not blocked by Compute Engine.
This document compares some of the options you have for sending mail and provides general recommendations. While sending email from blocked ports is not allowed, your instances can still receive email.
Why are standard email ports blocked?
By default, standard outbound SMTP ports are blocked because of the large amount of abuse these ports are susceptible to. In addition, having a trusted third-party provider such as SendGrid or Mailgun relieves Compute Engine and you from maintaining IP reputation with your receivers.
Deciding which email service to use
SendGrid and Mailgun are Compute Engine's third-party partners that offer a free tier for Compute Engine customers to set up and send email through their servers. If you don't have a Google Apps account, use these third-party partner to take advantage of features like click tracking, analytics, APIs, and other features to meet your email needs.
Alternatively, if you are familiar with Google Apps and are already paying for a Google Apps account that supports email, you can set up a relay service to send email through Google Apps. Note that Gmail and Google Apps enforce limits for email activity. For details, see Google Apps email sending limits.
If you don't have a Google Apps account or don't want to use Google Apps or SendGrid, you can set up your own email server on an instance using a non-standard port. You can choose any ephemeral port that isn't blocked by Compute Engine.
Set up email services from an instance
- To use SendGrid or Mailgun: Follow the instructions for Sending Email using SendGrid or Sending Email using Mailgun.
- To use a Google Apps domain: Follow the instructions for SMTP relay service settings on the Google Apps documentation. Note that SMTP relaying through Google Apps is only allowed through ports 465 or 587. Port 25 is not supported through Google Apps.
If you want to use your own email server on a custom port, use the documentation specific to your email service to configure a custom email port.
Sending mail through corporate mail servers
In some cases, you might have a corporate mail server that is already running an email service for you. If you need to send mail through a corporate mail server but are blocked by the port restrictions described at the top of this page, you can use a VPN to bypass these restrictions. This requires running a VPN client on your Compute Engine cluster, and a VPN server on your corporate network router. This would allow your instance to appear "inside" your corporate firewall, and allow unrestricted access to your corporate mail server.
There are security implications for this configuration, and you should ensure that your Compute Engine instance only has access to the services it requires, and nothing more.