Enable SMTPS Port 465 in Postfix SMTP Server For Email Submission

In previous articles, we discussed how you can quickly set up your own mail server by using iRedMail or Modoboa, and also how to set up a mail server from scratch on Ubuntu. This tutorial shows you how to enable SMTPS port 465 in the Postfix SMTP server, so Microsoft Outlook users can send emails. SMTPS stands for Simple Mail Transfer Protocol Secure.

Why Enable SMTPS

Usually mail clients like Thunderbird submit outgoing emails to the SMTP server over port 587, encrypted with STARTTLS. However, some mail clients (particularly Microsoft Outlook) can only submit outgoing emails over port 465, the SMTPS port. By default, both iRedMail and Modoboa only enable submission over port 587.

Enable SMTPS Port 465 in Postfix SMTP Server

SMTPS used as a submission protocol is confusing, isn’t it? Let me explain. Originally in 1997, IANA (Internet Assigned Numbers Authority) assigned port 465 for SMTPS, which was intended to encrypt communication between one SMTP server and another, like mail.google.com and mail.yahoo.com. Later, STARTTLS came along, which allows SMTP servers to talk to each other securely over the existing SMTP port 25, so there’s no need to dedicate port 465 to secure SMTP any more. The SMTPS port was revoked. However, some mail clients like Microsoft Outlook erroneously interpreted smtps as submissions and used port 465 for email submission, and it’s still the case to this day.

Another reason to enable port 465 submission is that it’s now encouraged by IETF (Internet Engineering Task Force). There are two approaches to secure email communications:

  • Use STARTTLS on existing port (like STARTTLS on port 587)
  • Implicit TLS on another dedicated port (For example, IMAP on port 143, IMAPS on port 993)

The IETF now believes that the STARTTLS approach isn’t perfect and has started promoting the use of implicit TLS. It published RFC 8314 in January 2018 to encourage the use of port 465 for email submission, and RFC 8461 in September 2018 to encourage the use of MTA-STS for secure SMTP. Port 465 is likely to be renamed as the submissions port.

Note: Almost all mail clients can also submit outgoing emails on port 25, but most residential ISPs block port 25.

How to Enable SMTPS Port 465 in Postfix SMTP Server

Edit the Postfix master.cf file.

sudo nano /etc/postfix/master.cf

If you are using iRedMail, add the following lines at the end of this file.

smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o content_filter=smtp-amavis:[127.0.0.1]:10026

If you are using Modoboa, add the following lines at the end of this file.

smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_proxy_filter=inet:[127.0.0.1]:10026

If you followed my setting up mail server from scratch tutorial, add the following lines instead.

smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth

Save and close the file. Restart Postfix for the change to take effect.

sudo systemctl restart postfix
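
The three entries above share one shape: an eight-field service line followed by indented -o overrides. As an added example (not code from the original tutorial or from Postfix), this Python script parses master.cf text and flags mistakes that break the port 465 entry: a missing smtpd_tls_wrappermode=yes, spaces around the equals sign, typographic dashes left by copy and paste, or a restriction list that does not end in reject. The function names and the pass criteria are assumptions modelled on the entries above, and the braces form of -o is not handled.

```python
REQUIRED = {"smtpd_tls_wrappermode": "yes", "smtpd_sasl_auth_enable": "yes"}
RESTRICTIONS = ("smtpd_relay_restrictions", "smtpd_recipient_restrictions")

def parse_master_cf(text):
    """Map (service, type) -> (fields, {override: value}) per logical line."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                              # blank line or comment
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()      # leading whitespace continues an entry
        else:
            logical.append(raw.strip())
    entries = {}
    for line in logical:
        tokens = line.split()
        fields, args, opts = tokens[:8], tokens[8:], {}
        for flag, arg in zip(args, args[1:]):
            if flag == "-o":                      # plain "-o name=value" form only
                name, _, value = arg.partition("=")
                opts[name] = value
        entries[tuple(fields[:2])] = (fields, opts)
    return entries

def check_smtps(text):
    """Return findings for the smtps/inet entry; an empty list means it passed."""
    if any(dash in text for dash in "\u2013\u2014"):
        return ["typographic dash in file: retype each '-' by hand"]
    fields, opts = parse_master_cf(text).get(("smtps", "inet"), ([], {}))
    if len(fields) < 8 or fields[7] != "smtpd":
        return ["no complete 'smtps inet ... smtpd' entry"]
    findings = [f"{k} must be {v}" for k, v in REQUIRED.items() if opts.get(k) != v]
    if not any(r in opts for r in RESTRICTIONS):
        findings.append("no restriction override: main.cf policy applies on 465")
    for name in (r for r in RESTRICTIONS if r in opts):
        rules = opts[name].split(",")
        if "permit_sasl_authenticated" not in rules or rules[-1] != "reject":
            findings.append(f"{name} should permit SASL users and end in reject")
    return findings

# Constructed sample, modelled on the "from scratch" entry above.
SAMPLE = """\
smtps     inet  n       -       y       -       -       smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
"""

if __name__ == "__main__":
    print(check_smtps(SAMPLE) or "smtps entry OK")
```

Pass the contents of /etc/postfix/master.cf to check_smtps to run it against the live file. Port 465 expects a TLS handshake as soon as the connection opens, so check the listener with a TLS-capable client such as openssl s_client -connect mail.example.com:465 rather than plain telnet.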

Open TCP Port 465 in Firewall

If you are using UFW on Debian/Ubuntu, then run the following command to open TCP port 465.

sudo ufw allow 465/tcp

If you use firewalld on CentOS, then run the following commands to open TCP port 465.

sudo firewall-cmd --permanent --add-service=smtps
sudo systemctl reload firewalld

If you are using iptables, then run the following command.

sudo iptables -A INPUT -p tcp --dport 465 -j ACCEPT

Configure Mail Clients to Use Port 465 for Submission

Microsoft Outlook supports submission on port 465 only, so you don’t need to do any special configuration. Mozilla Thunderbird defaults to port 587 for submission. It also supports port 465 with SSL/TLS encryption.


Conclusion

I hope this tutorial helped you enable SMTPS port 465 in Postfix SMTP server. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care 🙂


32 Responses to “Enable SMTPS Port 465 in Postfix SMTP Server For Email Submission”

  • frapulle
    2 years ago

    I haven’t the lines in iRedMail, what should I do?

  • frapulle
    2 years ago

    I followed this tutorial: https://www.linuxbabe.com/mail-server/ubuntu-18-04-iredmail-email-server

    I added those lines at the end of master.cf file.

    smtps     inet  n       -       y       -       -       smtpd
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
      -o content_filter=smtp-amavis:[127.0.0.1]:10026

    But if I connect my SMTP with Sendblaster on port 465, it doesn’t work. Do you know what the problem is?

    • How to enable port 465 if we are using Mail in a Box on our VPS? The default is startssl 587; it didn’t give any info about using port 465. Thanks!

  • peter
    2 years ago

    I have the same problem.

  • There is a typo in your text regarding RFC, it’s RFC 8314 instead of RFC 8134.

  • breanne clark
    1 year ago

    Hi, I followed your tutorial on How to Quickly Set up a Mail Server on Ubuntu 18.04 with Modoboa.
    My question now is, haven’t done all the installation, how do I get the SMTP details of the server to send emails on applications like turbo mailer?

    • If you follow my tutorial, then the SMTP hostname will be like mail.example.com. You can use port 587 with STARTTLS encryption, or use port 465 with SSL/TLS encryption to submit outgoing emails.

  • breanne clark
    1 year ago

    OK, I tried and it worked, but if I want to connect still on gammadyne mailer using port 465 it fails. Do I need to still enable port 465 just like the tutorial here suggests? Because have not done that yet. And when I test my email reputation I scored 10/10, but it still hits spam in Gmail, AOL and Outlook but hits inbox in Yahoo Mail.

  • Steve
    1 year ago

    In your server from scratch tutorial, under “submission inet”, there’s
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    but in this one here, you don’t have it listed there. Why’s that?

    Also, I followed the instructions (trying both ways), and I couldn’t get it. Firefox keeps picking up port 587 / STARTTLS / “Normal password”, but I’m trying to get it to be 465 / SSL/TLS / “Encrypted password”.

    Is there anything else that may be causing this to fail?

    • Steve
      1 year ago

      Never mind, I finally figured it out. Took me days of trying different configurations… 🙁

      • Alex
        1 year ago

        Hi Steve, could you post your solution?
        I am currently hitting the same problem. Outbound Port 587 is working, but not 465.
        My master.cf config:

        smtps     inet  n       -       y       -       -       smtpd
          -o syslog_name=postfix/smtps
          -o smtpd_tls_wrappermode=yes
          -o smtpd_sasl_auth_enable=yes
          -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
          -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
          -o smtpd_sasl_type=dovecot
          -o smtpd_sasl_path=private/auth

      • Alex
        1 year ago

        I think I got the real error now, but I have no solution. I made a telnet on localhost via port 465 and the log says the following:

        Result:
        Jul 15 11:34:01 mail postfix/smtps/smtpd[2414]: initializing the server-side TLS engine
        Jul 15 11:34:01 mail postfix/smtps/smtpd[2414]: connect from localhost[127.0.0.1]
        Jul 15 11:34:01 mail postfix/smtps/smtpd[2414]: setting up TLS connection from localhost[127.0.0.1]
        Jul 15 11:34:01 mail postfix/smtps/smtpd[2414]: localhost[127.0.0.1]: TLS cipher list "aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH"
        Jul 15 11:34:01 mail postfix/smtps/smtpd[2414]: SSL_accept:before SSL initialization
        Jul 15 11:34:01 mail postfix/smtps/smtpd[2414]: read from 55BB69523500 [55BB69528AE3] (5 bytes => 0 (0x0))
        Jul 15 11:34:15 mail postfix/smtps/smtpd[2414]: read from 55BB69523500 [55BB69528AE3] (5 bytes => 5 (0x5))
        Jul 15 11:34:15 mail postfix/smtps/smtpd[2414]: 0000 65 68 6c 6f ehlo
        Jul 15 11:34:15 mail postfix/smtps/smtpd[2414]: 0004 -
        Jul 15 11:34:15 mail postfix/smtps/smtpd[2414]: SSL_accept:error in error
        Jul 15 11:34:15 mail postfix/smtps/smtpd[2414]: SSL_accept error from localhost[127.0.0.1]: -1
        Jul 15 11:34:15 mail postfix/smtps/smtpd[2414]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:

        Anyone spotted this error before? I used the how-tos https://www.linuxbabe.com/mail-server/setup-basic-postfix-mail-sever-ubuntu and https://www.linuxbabe.com/mail-server/secure-email-server-ubuntu-postfix-dovecot with the nginx option. The letsencrypt setup was successful too.

        • Steve
          1 year ago

          Hey Alex, I didn’t post my solution right away, because I’m still breaking and fixing it as I’m working on hardening it, so I didn’t want to end up posting something that other people would find via a google search and then copy & paste, only to break their servers, too. I’ll definitely come back and post it when I’m done.

          Keep in mind that “my solution” may not match “your solution” or “the solution”, though. I’m running Plesk, instead of cPanel or Webmin, and Plesk ends up taking over some of the functions (which is why I keep on breaking and fixing). After being up for a couple days, I just spent the whole day sleeping.

          Don’t forget to enable fail2ban and cut off access when you’re not working on it, “ufw deny 465 && ufw deny 587 && ufw deny 993”. My logs have shown failed connection attempts using dictionary attack usernames ([email protected], [email protected], [email protected], [email protected]…) and when you go to work on it again, turn everything back on with “ufw allow 465 && ufw allow 587 && ufw allow 993”.

          Again, when I figure out my solution, I’ll come back and post it.

    • In Thunderbird, when you select TLS with Normal Password, then the password will be encrypted with TLS on the wire.

  • zeeshan mustafa
    12 months ago

    I am using Modoboa but receiving lots of spams, what should I do?

      • Nepa Luzinka
        4 months ago

        The best by far means of blocking spam is by forcing the use of encryption / STARTTLS by adding the following override to:
        -o smtpd_tls_security_level=encrypt

        • Encryption doesn’t prevent email spam.

        • Nepa Luzinka
          4 months ago

          PS: Cannot reply to response, but I understand that encryption does not prevent spam on its own, however, the number of spammers’ email servers that cannot handle a TLS connection is unbelievable. Try it! I have used this technique in conjunction with (and to a lesser extent) SpamAssassin/amavis to totally rid inboxes of spam.

  • Hello Xiao Guoan,
    I would just like to say a massive thank you for the time you have spent building these tutorials. They have been a breeze to follow.

    Would you consider a series of tutorials on Hardenize .com how to button up all the additional checks?

    Again thank you so much.

  • Psiu Cose
    6 months ago

    “Submission” requires port 25 unlocked?

    • It’s almost always that you should use port 587 or 465 to submit emails from an email client to your SMTP server. So you don’t need port 25 open on the email client’s network.

      Port 25 should be open on the SMTP server. It’s not a requirement on the email client (Mozilla Thunderbird, Microsoft Outlook, etc).

  • Dan Graves
    3 months ago

    I followed this tutorial, my server is running fine on port 587 but port 465 is not working. I tried a few solutions but they did not work and I had to restore the settings as per this tutorial. Any advice?

  • Have you checked to see if the port is opened -canyouseeme . org-

  • Adelard K.
    1 month ago

    Hello all,

    It works for me. After editing the Postfix master.cf file with this at the end of the file:

    smtps     inet  n       -       y       -       -       smtpd
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
      -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
      -o smtpd_sasl_type=dovecot
      -o smtpd_sasl_path=private/auth
      -o content_filter=smtp-amavis:[127.0.0.1]:10026

    You should configure the outlook mail client with the parameters described on the image attached.

  • Sonic
    3 weeks ago

    sudo firwall-cmd --permanent --add-service=smtps
    should be:
    sudo firewall-cmd --permanent --add-service=smtps

  • Rodrigo Vieira
    2 weeks ago
    Jul 20 01:37:34 mail postfix/postqueue[2104]: fatal: /etc/postfix/main.cf, line 367: missing '=' after attribute name: "smtps     inet  n       -       y       -       -       smtpd  -o syslog_name=postfix/smtps  -o smtpd_tls_wrappermode=yes  -o smtpd_sasl_auth_enable=yes  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject  -o content_filter=smtp-amavis:[127.0.0.1]:10026"
    

    How to fix? Remove the spaces in “smtps inet n - ” …?

    • It already tells you that in the /etc/postfix/main.cf file on line 367, an equal sign is missing, so you should probably check the main.cf file.

      In the following code, there should not be any spaces around the equal sign.

      smtps     inet  n       -       y       -       -       smtpd
        -o syslog_name=postfix/smtps
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
        -o content_filter=smtp-amavis:[127.0.0.1]:10026
      
