Configuring secure SMTP ports can be confusing. Users and sometimes even system administrators aren't sure when to use port 25, 587, or 465. This article should help clarify things.
Unlike most network protocols, which only have a single port number commonly associated to them (e.g. FTP = 21, SFTP = 22, etc.), SMTP or Simple Mail Transfer Protocol has at least 3. They are port numbers 25, 587, and 465. Time to get acquainted with each one. Some mail service providers also offer port 2525 but it's not as common as the other 3, so we won't be discussing it here.
SMTP Port 25
Port 25 is the oldest of the four. It was the port number assigned to SMTP when the protocol was first introduced in the now obsolete RFC 821 back in 1982, about 33 years ago. In spite its age and the arrival of the other port numbers, port 25 is still very much widely used.
However, because this port was often exploited by malicious individuals in order to spread spam and malware, it's now blocked by several ISPs. If you're an end user setting up an email client and port 25 doesn't work, that's likely the reason. You'll then have to try the other port numbers.
But didn't we just say port 25 is still "widely used"? That's right. But not for submitting email messages from an email client to an email server. Rather, it's supposed to be used for relaying messages from one mail server to another mail server. This is of course just an idealisation because there are still people who don't adhere to this practice.
If you want to get a little more technical, port 25 is supposed to be used (again an idealisation) for relaying messages between MTAs (Mail Transfer Agents) or from MSAs (Mail Submission Agents) to MTAs.
SMTP Port 587
Whereas port 25 is the recommended port number for SMTP communications between mail servers (i.e., for relaying messages), port 587 is the one recommended for message submissions by mail clients to mail servers. To illustrate,
In fact, this is stipulated in RFC 2476, which says that "Port 587 is reserved for email message submission...". Thus, port 587 is also known as the message submission port, while port 25 is also known as the message relay port.
All submission servers or MSAs are mandated to implement SMTP authentication, a process wherein an SMTP client is required to log-in and authenticate with the (MSA) mail server it's connecting to before it can be granted access. Because port 587 is associated with these submission servers, then the use of port 587 typically implies the use of authentication.
It's this authentication mechanism that prevents the propagation of spam and malware, and is also the reason why port 587 is now preferred over port 25 in mail (client to server) submissions.
SMTP Port 465
This port was first introduced when users started looking for ways to secure email messages. The idea that emerged then was to encrypt messages using SSL (Secure Sockets Layer). But at that time, doing so meant using a separate port.
The use of two different ports, one for plaintext messages and another for encrypted messages, can also be found in other network protocols like:
- FTP - 21 for plaintext and 990 for encrypted (via Implicit SSL);
- IMAP - 143 for plaintext and 993 for encrypted;
- POP - 110 for plaintext and 995 for encrypted.
In SMTP, the port chosen for encrypted connections was 465.
Unfortunately, port 465 was never recognized by the IETF (Internet Engineering Task Force), the body charged to develop Internet standards, as an official port for SMTP. Instead, the IANA (Internet Assigned Numbers Authority) assigned it to SMTPS (Simple Mail Transfer Protocol), a now depracated method for securing SMTP.
Today, SMTP can be secured even when using the same port (e.g. 587). A plaintext SMTP connection can be upgraded to a secure connection encrypted by either TLS (Transport Layer Security) or SSL by simply executing the STARTTLS command, provided of course the server supports it.
To summarize, the recommendation is that:
- port 587 should only be used for submissions (i.e., mail client to mail server),
- port 25 should only be used for relaying (i.e., mail server to mail server communications), and
- port 465 should no longer be used at all.
Although not all email service providers adhere to these recommendations, these are idealisations that we should all be working to achieve in order to eliminate the confusion surrounding SMTP port configuration.
Are you a developer?
If you are and you use Java, Secure iNet Factory includes some easy to use Java-based components for developing applications that support SMTP, IMAP, POP3 and several other networking protocols. Download it now.
For those who use .NET, there's Email Factory for .NET as well.