25, 465, 587… What port should I use?
Written by Travis Swientek
Categories: Email DIY
4 minute read time
It’s a common question that we receive here at Mailgun. To ensure connectivity to our Simple Mail Transfer Protocol (SMTP) endpoint, Mailgun offers multiple port options, but which one should you use? Let’s first take a historical look at each port and then we’ll discuss today’s methodology for usage. If you’re not a history buff, go to “Todays Usage”.
In 1982, the University of Southern California submitted a proposal to the Internet Engineering Task Force (IETF). Request For Comments (RFC) 821 was published, establishing port 25 as the default transmission channel for internet email. 30 years later, we still use port 25 as the primary means of transmitting email between two mail servers. A few RFCs have obsoleted the initial SMTP RFC, however, the basis for SMTP remains the same or similar.
In December of 1998, R. Gellens and J. Klensin submitted RFC 2476 in support of adding a new specification for internet email communications. The RFC proposed a split of the traditional message submission and message relay concept. The RFC defined that message submission should occur over port 587 to ensure new policy and security requirements don’t interfere with the traditional relay traffic over message relay port 25.
What about port 465? Interestingly, port 465 was never published as an official SMTP transmission or submission channel by the IETF. Instead, the Internet Assigned Numbers Authority (IANA), who maintains much of the core internet infrastructure, registered port 465 for SMTPS. The purpose was to establish a port for SMTP to operate using Secure Sockets Layer (SSL). SSL is commonly used for encrypting communications over the internet.
The port was assigned for about one year when it was revoked in support of securing SMTP communications using Transport Layer Security (TLS). The nail in the coffin was a new protocol command “STARTTLS”, introduced in RFC 2487. This command allows SMTP servers to communicate over existing ports by advertising whether the destination server supports TLS encryption. If so, the sending server can upgrade the connection using the “STARTTLS” SMTP command.
Mailgun supports TLS connections, which you can verify by connecting and issuing a “ehlo” from a command line interface. The resultant “250 STARTTLS” confirms the endpoint accepts TLS connection requests.
> telnet smtp.mailgun.org 587 Trying 220.127.116.11... Connected to smtp.mailgun.org. Escape character is '^]'. 220 ak47 ESMTP ready > ehlo blog.mailgun.com 250-ak47 250-AUTH PLAIN LOGIN 250-SIZE 52428800 250-8BITMIME 250-ENHANCEDSTATUSCODES 250 STARTTLS
You can test using the same command sequence on any SMTP server. Try Gmail or Yahoo, “telnet gmail-smtp-in.l.google.com 25” or “telnet mta7.am0.yahoodns.net 25”.
What about today… How are these ports different?
This port continues to be used primarily for SMTP relaying. SMTP relaying is the transmittal of email from email server to email server.
In most cases, modern SMTP clients (Outlook, Mail, Thunderbird, etc) shouldn’t use this port. It is traditionally blocked, by residential ISPs and Cloud Hosting Providers, to curb the amount of spam that is relayed from compromised computers or servers. Unless you’re specifically managing a mail server, you should have no traffic traversing this port on your computer or server.
IANA has reassigned a new service to this port, and it should no longer be used for SMTP communications.
However, because it was once recognized by IANA as valid, there may be legacy systems that are only capable of using this connection method. As a result, Mailgun supports SSL connections via port 465. Typically, you will use this port only if your application demands it. A quick Google search, and you’ll find many consumer ISP articles that suggest port 465 as the recommended setup. Hopefully this ends soon! It is not RFC compliant.
This is the default mail submission port. When a mail client or server is submitting an email to be routed by a proper mail server, it should always use this port.
All Mailgun customers should consider using this port as default, unless you’re explicitly blocked by your upstream network or hosting provider. This port, coupled with TLS encryption, will ensure that email is submitted securely and following the guidelines set out by the IETF.
This port is not endorsed by the IETF nor IANA. Instead, Mailgun provides it as an alternate port, which mirrors port 587, in the event the above ports are blocked. Because 2525 is a non-traditional high port number, it is typically allowed on consumer ISPs and Cloud Hosting providers, like Google Compute Engine. If you’ve tried the above ports, but experience connectivity issues, try port 2525. This port also supports TLS encryption.
To SMTP or not to SMTP
SMTP has been around for years, and many folks ask us whether they should use SMTP or Mailgun’s API endpoint. We certainly recognize there is some level of vendor lock-in associated with building around an API. However, SMTP is extremely “chatty” and may lead to less performant mail submission to Mailgun.
For example, consider the typical TLS mail conversation between my computer and Mailgun’s SMTP endpoint:
> openssl s_client -starttls smtp -crlf -connect smtp.mailgun.org:587 250 STARTTLS > ehlo blog.mailgun.com 250-ak47 250-AUTH PLAIN LOGIN 250-SIZE 52428800 250-8BITMIME 250-ENHANCEDSTATUSCODES > AUTH PLAIN AHBvc3RtYXN0ZXJAc2FtcGxlcy5tYWlsZ3VuLm9yZwAza2g5dW11am9yYTU= 235 2.0.0 OK > MAIL FROM:<firstname.lastname@example.org> 250 Sender address accepted > RCPT TO:<email@example.com> 250 Recipient address accepted > DATA 354 Continue > This is a test of SMTP over port 587. > . 250 Great success > QUIT 221 See you later. Yours truly, Mailgun
As you can see, the above communication is quite cumbersome with lots of back and forth between sender and receiver. We open a connection to the SMTP server, issue the EHLO command, authenticate, set the MAIL FROM, set the RCPT TO, DATA command, send the data, period to close, and finally receive confirmation the message was queued.
Compare this with an HTTPs payload:
> openssl s_client -connect api.mailgun.net:443 > POST /v2/samples.mailgun.org/messages HTTP/1.1 > Authorization: Basic YXBpOmtleS0zYXg2eG5qcDI5amQ2ZmRzNGdjMzczc2d2anh0ZW9sMA== > Content-Type: application/x-www-form-urlencoded > Content-Length: 126 > > from=test%40samples.mailgun.org&to=recipient%40samples.mailgun.org&subject=Testing& > text=This+is+a+test+of+HTTP+over+port+443! HTTP/1.1 200 OK
Here, we initiate a connection, pass the HTTP POST payload and receive a 200 OK from the API endpoint. We don’t have to issue a sequence of commands and wait for a response from the server after each command.
In summary, where performance is desired, Mailgun recommends utilizing our API endpoint. The amount of back and forth “chatting” is much less. And with our API SDKs, connecting up is pretty simple.
If you’re not interested in connecting via API, our SMTP endpoints are ready for your mail. Just don’t forget… port 587 is where the party is at!
See our Documentation for more information.
Published on: October 21, 2014 | Modified on: June 13, 2018