Ports

Port 465: SMTPS submissions

Implicit TLS email submission. Common with clients that require encryption from the first byte.

Where you will see it: You will see this in scans, firewall rules, vulnerability reports, and service configs. Treat open ports as exposure points and verify the service is expected, hardened, and restricted.

What it is

TCP port 465 is commonly used for SMTP message submission with implicit TLS. A port is a transport layer number used together with an IP address and a protocol such as TCP or UDP to direct traffic to the correct service on a host. A server process binds a socket to a port and listens, while a client typically chooses an ephemeral source port for outbound connections.

The combination of source and destination IP addresses, source and destination ports, and the transport protocol uniquely identifies a flow so the operating system can keep many conversations separate. Firewalls, NAT, and scanners talk about ports because the destination port is the stable rendezvous point that exposes a service to the network.

A submission server listens on 465 and expects encryption immediately. The client connects from an ephemeral source port, completes the TCP handshake, and then starts the TLS handshake before sending any SMTP commands.

After the TLS channel is established, the client authenticates and submits messages for delivery. The key practical difference from STARTTLS based submission is that encryption starts from the first byte, which reduces downgrade risk if clients and servers are configured correctly.

From a security perspective, 465 should not behave like open internet relay on port 25. It is usually an authenticated service for users and apps, so abuse prevention, rate limits, and credential hygiene matter as much as TLS.

How it works in broad strokes

  1. Client connects and immediately negotiates TLS before sending any SMTP commands.
  2. Client authenticates, then submits a message using SMTP commands inside the encrypted session.
  3. Server applies submission policies such as rate limits and sender identity checks.

Concrete example

A mail app uses port 465 because it expects TLS immediately. After the TLS handshake completes, the app authenticates and submits outgoing mail to the provider.

Why it matters

You will see 465 in mail client configurations and some hosted providers. For security, implicit TLS can reduce downgrade risk if clients and servers are configured correctly. Operationally, it is still submission, not server to server relay, so it pairs with authentication and policy controls.

Security angle

  • Treat 465 as submission: require authentication and enforce sending policies.
  • Harden TLS, prefer modern versions, and monitor for auth abuse.
  • Block it from the public internet unless you intentionally provide mail submission for users.

Common pitfalls

  • Confusing 465 with port 25 relay rules and exposing it as a relay service.
  • Allowing weak authentication just because the transport is encrypted.
  • Misconfigured TLS that allows old versions or weak ciphers.