I was writing some monitoring scripting to keep a close eye on the Exchange Online mail servers, remembering that you will get a friendly name which will usually be something along the lines of:
<company>.mail.protection.outlook.com
If you can take this friendly name which will be published as an A record in DNS and look that up you will then get, in most cases for addresses that follow the IPv4 format - these will be your cluster of servers assigned by Microsoft.
What was the problem then?
Glad you asked, when I was testing the script in internally, I was able to communicate with exchange online on both ports TCP:25 and TCP:587 which are two of the most common ports for email.
However, when I repeat that test outside the company, I noticed the TCP:587 was not available publicly, and I just thought I’d write this post explaining why so if other people don’t understand why this occurs this post will explain it, if you already know this, there’s nothing to see here move along……
It is also finally worth mentioning that I was using a hybrid exchange setup (this means I have both local exchange and exchange online)
Internally (Inside Your Company Network):
Port 587 being open internally is totally fine and often necessary:
- Apps, printers, or scripts might use
smtp.office365.com:587to send mail via Exchange Online. - Users with Outlook or mail clients configured for SMTP Auth might also use it.
- Your on-prem Exchange (in hybrid) could use SMTP connections for certain mail flows or relays.
In this example yes — 587 can and should be accessible from inside your network (outbound to Microsoft).
Externally (Public Internet):
Port 587 should NOT be open inbound to your servers unless there's a specific, secured reason.
- If a server inside your company is listening on port 587 to the public internet, that's risky unless it’s locked down and explicitly required.
- Normally, Microsoft handles inbound mail for Exchange Online — you don’t need to accept public SMTP traffic on 587.