Enable SMTPS Port 465 in Postfix SMTP Server For Email Submission

In previous articles, we discussed how you can quickly set up your own mail server by using iRedMail or Modoboa, and also how to set up mail server from scratch on Ubuntu. This tutorial will be showing you how to enable SMTPS port 465 in Postfix SMTP server, so Microsoft Outlook users can send emails. SMTPS stands for Simple Mail Transfer Protocol Secure.

Why Enable SMTPS

Usually mail clients like Thunderbird submit outgoing emails to SMTP server over port 587, encrypted with STARTTLS. However, some mail clients (particularly Microsoft Outlook) can only submit outgoing emails over port 465, the SMTPS port. By default, both iRedMail and Modoboa only enables submission over port 587.

Enable SMTPS Port 465 in Postfix SMTP Server

SMTPS used as submission protocol is confusing, isn’t it? Let me explain. Originally in 1997, IANA (Internet Assigned Numbers Authority) assigned port 465 for SMTPS, which was intended to be used to encrypt communication between one SMTP server to another SMTP server, like mail.google.com and mail.yahoo.com. Later, STARTTLS came along, which allows SMTP servers to talk to each other securely over the existing SMTP port 25, so there’s no need to dedicate port 465 for secure SMTP any more. The SMTPS port was revoked. However, some mail clients like Microsoft Outlook erroneously interpreted smtps as submissions and used port 465 for email submission and it’s still the case to this day.

Another reason to enable port 465 submission is that it’s now encouraged by IETF (Internet Engineering Task Force). There are two approaches to secure email communications:

  • Use STARTTLS on existing port (like STARTTLS on port 587)
  • Implicit TLS on another dedicated port (For example, IMAP on port 143, IMAPS on port 993)

Now IETF  believes that the STARTTLS approach isn’t perfect and started promoting the use of implicit TLS. It published RFC 8314 in January 2018 to encourage the use of port 465 for email submission, and RFC 8461 in September 2018 to encourage the use of MTA-STS for secure SMTP. Port 465 is likely to be renamed as the submissions port.

Note: Almost all mail clients can also submit outgoing emails on port 25, but most residential ISPs block port 25.

How to Enable SMTPS Port 465 in Postfix SMTP Server

Edit the Postfix master.cf file.

sudo nano /etc/postfix/master.cf

If you are using iRedMail, add the following lines at the end of this file.

smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o content_filter=smtp-amavis:[127.0.0.1]:10026

If you are using Modoboa, add the following lines at the end of this file.

smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_proxy_filter=inet:[127.0.0.1]:10026

If you followed my setting up mail server from scratch tutorial, add the following lines instead.

smtps     inet  n       -       y       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth

Save and close the file. Restart Postfix for the change to take effect.

sudo systemctl restart postfix

Open TCP Port 465 in Firewall

If you are using UFW on Debian/Ubuntu, then run the following command to open TCP port 465.

sudo ufw allow 465/tcp

If you use firewalld on CentOS, then run the following commands to open TCP port 465.

sudo firwall-cmd --permanent --add-service=smtps
sudo systemctl reload firewalld

If you are using iptables, then run the following command.

sudo iptables -A INPUT -p tcp --dport 465 -j ACCEPT

Configure Mail Clients to Use Port 465 for Submission

Microsoft Outlook supports submission on port 465 only, so you don’t need to do special configuration. Mozilla Thunderbird defaults to port 587 for submission. It also supports port 465 with SSL/TLS encryption.

SMTPS port 465 postfix

Conclusion

I hope this tutorial helped you enable SMTPS port 465 in Postfix SMTP server. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care 🙂

Rate this tutorial
[Total: 3 Average: 5]

17 Responses to “Enable SMTPS Port 465 in Postfix SMTP Server For Email Submission

  • frapulle
    1 year ago

    I haven’t the lines in Iredmail, what should i do?

  • frapulle
    1 year ago

    I followed this tutorial: https://www.linuxbabe.com/mail-server/ubuntu-18-04-iredmail-email-server

    I added those lines at the end of master.cf file.

    smtps     inet  n       -       y       -       -       smtpd
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
      -o content_filter=smtp-amavis:[127.0.0.1]:10026

    But if I connect my SMTP with Sendblaster on port 465, it doesn’t work. Do you know what the problem is?

    • How to enable port 465 if we using Mail in a Box in our vps? The default is startssl 587 it didn’t give any info about using port 465. Thanks!

  • i have the same problem.

  • There is a typo in your text regarding RFC, it’s RFC 8314 instead of RFC 8134.

  • breanne clark
    4 months ago

    hi i followed your tutorial on How to Quickly Set up a Mail Server on Ubuntu 18.04 with Modoboa.
    My question now is, haven’t done all the installation, how do i get the smtp details of the server to send emails on applications like turbo mailer?

    • If you follow my tutorial, then the SMTP hostname will be like mail.example.com. You can use port 587 with STARTTLS encryption, or use port 465 with SSL/TLS encryption to submit outgoing emails.

  • breanne clark
    4 months ago

    ok i tried and it worked but if i want to connect still on gammadyne mailer using port 465 it fails. do i need to still enable port 465 just like the tutorial hers suggests? because have not done that yet. and when i test my email reputation i scored 10/10 but it still hits spam in gmail,aol and outlook but hits inbox in yahoomail.

  • In your server from scratch tutorial, under “submission inet”, there’s
    -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
    but in this one here, you don’t have it listed there. Why’s that?

    Also, I followed the instructions (trying both ways), and I couldn’t get it. Firefox keeps picking up port 587 / STARTTLS / “Normal password”, but I’m trying to get it to be 465 / SSL/TLS / “Encrypted password”.

    Is there anything else that may be causing this to fail?

    • Nevermind, I finally figured it out. Took me days of trying different configurations… 🙁

      • Hi Steve, could you post your solution?
        I am currently hitting the same problem. Outbound Port 587 is working, but not 465.
        My master.cf config:

        smtps inet n – y – – smtpd
        -o syslog_name=postfix/smtps
        -o smtpd_tls_wrappermode=yes
        -o smtpd_sasl_auth_enable=yes
        -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
        -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
        -o smtpd_sasl_type=dovecot
        -o smtpd_sasl_path=private/auth

      • I think i got the real error now, but i have no solution. I made a telnet on localhost via port 465 and the log says the following:

        Result:
        Jul 15 11:34:01 mail postfix/smtps/smtpd[2414]: initializing the server-side TLS engine
        Jul 15 11:34:01 mail postfix/smtps/smtpd[2414]: connect from localhost[127.0.0.1]
        Jul 15 11:34:01 mail postfix/smtps/smtpd[2414]: setting up TLS connection from localhost[127.0.0.1]
        Jul 15 11:34:01 mail postfix/smtps/smtpd[2414]: localhost[127.0.0.1]: TLS cipher list “aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH”
        Jul 15 11:34:01 mail postfix/smtps/smtpd[2414]: SSL_accept:before SSL initialization
        Jul 15 11:34:01 mail postfix/smtps/smtpd[2414]: read from 55BB69523500 [55BB69528AE3] (5 bytes => 0 (0x0))
        Jul 15 11:34:15 mail postfix/smtps/smtpd[2414]: read from 55BB69523500 [55BB69528AE3] (5 bytes => 5 (0x5))
        Jul 15 11:34:15 mail postfix/smtps/smtpd[2414]: 0000 65 68 6c 6f ehlo
        Jul 15 11:34:15 mail postfix/smtps/smtpd[2414]: 0004 –
        Jul 15 11:34:15 mail postfix/smtps/smtpd[2414]: SSL_accept:error in error
        Jul 15 11:34:15 mail postfix/smtps/smtpd[2414]: SSL_accept error from localhost[127.0.0.1]: -1
        Jul 15 11:34:15 mail postfix/smtps/smtpd[2414]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:

        Anyone spotted this error before? I used the howto´s https://www.linuxbabe.com/mail-server/setup-basic-postfix-mail-sever-ubuntu and https://www.linuxbabe.com/mail-server/secure-email-server-ubuntu-postfix-dovecot with the nginx option. The letsencrypt set up was successfull too.

        • Steve
          2 weeks ago

          Hey Alex, I didn’t post my solution right away, because I’m still breaking and fixing it as I’m working on hardening it, so I didn’t want to end up posting something that other people would find via a google search and then copy & paste, only to break their servers, too. I’ll definitely come back and post it when I’m done.

          Keep in mind that “my solution” may not match “your solution” or “the solution”, though. I’m running Plesk, instead of cPanel or Webmin, and Plesk ends up taking over some of the functions (which is why I keep on breaking and fixing). After being up for a couple days, I just spent the whole day sleeping.

          Don’t forget to enable fail2ban and cut off access when you’re not working on it, “ufw deny 465 && ufw deny 587 && ufw deny 993”. My logs have shown failed connection attempts using dictionary attack usernames ([email protected], [email protected], [email protected], [email protected]…) and when you go to work on it again, turn everything back on with “ufw allow 465 && ufw allow 587 && ufw allow 993”.

          Again, when I figure out my solution, I’ll come back and post it.

    • In Thunderbird, when you select TLS with Normal Password, then the password will be encrypted with TLS on the wire.

Leave a Comment

  • Comments with links are moderated by admin before published.
  • Your email address will not be published.
  • Use <pre> ... </pre> HTML tag to quote the output from your terminal/console.
  • Please use the community (https://community.linuxbabe.com) for questions unrelated to this article.
  • I don't have time to answer every question. Making a donation would incentivize me to spend more time answering questions.


The maximum upload file size: 2 MB.
You can upload: image.