Choosing the right SMTP port determines how encryption is negotiated between your client and the mail server. The four ports you will encounter — 25, 465, 587, and 2525 — each have a specific role and encryption behavior.
SMTP test port 587 — the modern submission standard
Port 587 is defined by RFC 6409 as the mail submission port. The connection starts in plain text, and the client upgrades it to TLS by sending the STARTTLS command after EHLO. Once the server responds 220 Ready to start TLS, both sides negotiate a TLS handshake and all subsequent data (including AUTH credentials) is encrypted.
Key facts:
- Supported by virtually every current provider and MTA.
- Requires the client to explicitly request encryption via STARTTLS.
- If STARTTLS fails or the server does not advertise it, the session remains unencrypted (unless the client enforces it — which SMTP Tester does when security is set to STARTTLS).
- This is the recommended default for apps, scripts, and mail clients.
SMTP test port 465 — implicit TLS (SMTPS)
Port 465 uses implicit TLS: the TLS handshake begins immediately when the TCP connection is established, before any SMTP commands are exchanged. The client connects, negotiates TLS, and only then sends EHLO.
Key facts:
- Originally assigned for SMTPS in 1997, revoked, then re-endorsed by RFC 8314 (2018).
- Functionally as secure as 587 — the difference is only when TLS negotiation occurs.
- Some older clients and libraries default to this port for "SSL mode."
- If you connect to 465 without initiating a TLS handshake, the connection will hang or fail because the server expects the TLS ClientHello immediately.
Test SMTP port 25 — server-to-server relay
Port 25 is the original SMTP port, now used primarily for server-to-server (MX) relay — one mail server delivering to another. It is not intended for authenticated submission from applications or end users.
Key facts:
- Most cloud providers (AWS, GCP, Azure, DigitalOcean) block outbound port 25 by default to prevent spam.
- Residential ISPs often block it too.
- Connections on port 25 are typically unauthenticated (the receiving server accepts mail for its own domains based on MX records).
- Some MTAs (Postfix, PowerMTA, KumoMTA) accept local injection on port 25 from trusted IPs without AUTH, but this should not be exposed to the internet without access controls.
Port 2525 — unofficial fallback
Port 2525 is not registered with IANA, but many transactional email providers (SendGrid, Mailgun, Brevo, Postmark, Mailjet) listen on it as a fallback when port 587 is blocked. It uses STARTTLS, exactly like 587 — the only difference is the port number.
Use 2525 when:
- Your network or firewall blocks outbound 587.
- Your hosting provider restricts non-standard outbound traffic but whitelists 2525.
- You want a quick test without requesting a firewall change.
Comparison table
| Port | Encryption | Use case | Blocked by default? |
|---|---|---|---|
| 587 | STARTTLS (upgrade after EHLO) | Authenticated submission from apps | Rarely |
| 465 | Implicit TLS (on connect) | Authenticated submission (legacy/RFC 8314) | Rarely |
| 25 | Optional STARTTLS (relay) | Server-to-server relay | Often (cloud/ISP) |
| 2525 | STARTTLS (same as 587) | Fallback when 587 blocked | Rarely |
How SMTP Tester handles ports
SMTP Tester auto-selects a security mode when you change the port:
- Port 465 → TLS (implicit)
- Port 25 → None
- Port 587, 2525, or any other → STARTTLS
You can override this manually. If the security mode does not match what the server expects, you will see either a connection timeout (wrong mode on 465) or a STARTTLS command used when not advertised error.
After a successful connection, the TLS diagnostics panel shows the negotiated protocol version (TLS 1.2, 1.3), cipher suite, certificate subject, issuer, and days until expiry — so you can confirm encryption actually occurred without needing openssl s_client.
What to do when a port is blocked
Symptoms of a blocked port:
- Connection timeout (no server greeting at all).
- "Connection refused" if the port is filtered at the server level.
- The transcript stops at "Connecting..." with no 220 response.
Steps to resolve:
- Try port 465 if 587 times out (or vice versa).
- Try port 2525 — widely supported by transactional providers.
- Check outbound firewall rules on your network or cloud instance.
- Ask your hosting provider if they block outbound SMTP ports.
- If you run your own MTA, verify the listener is bound to the public interface and the port is open in
iptables/ufw/security groups.
STARTTLS vs implicit TLS — which is more secure?
Both are equally secure once the TLS handshake completes. The security of the connection depends on the TLS version and cipher negotiated, not on whether encryption was initiated before or after EHLO.
The historical concern with STARTTLS was downgrade attacks: a network attacker could strip the STARTTLS advertisement from the EHLO response, causing the client to send credentials in the clear. Modern clients mitigate this by enforcing STARTTLS (refusing to proceed without it) — which is what SMTP Tester does when security is set to STARTTLS rather than "none."
Implicit TLS (465) avoids this concern entirely because encryption is non-optional — if TLS fails, the connection fails. This makes 465 slightly simpler from a security perspective, but in practice both are fine for authenticated submission with a modern client.
Quick decision guide
- Building an app or script: use 587 + STARTTLS (widest compatibility).
- Provider documentation says 465: use 465 + TLS (equally secure).
- Port 587 is blocked on your network: try 2525 first, then 465.
- Testing a relay MTA (Postfix, Exim): port 25, no auth, STARTTLS optional.
- Not sure: start with 587 and STARTTLS — you can always change later.