Enable SMTPS Port 465 in Postfix SMTP Server For Email Submission
In previous articles, we discussed how you can quickly set up your own mail server by using iRedMail or Modoboa, and also how to set up mail server from scratch on Ubuntu. This tutorial will be showing you how to enable SMTPS port 465 in Postfix SMTP server, so Microsoft Outlook users can send emails. SMTPS stands for Simple Mail Transfer Protocol Secure.
Why Enable SMTPS
Usually mail clients like Thunderbird submit outgoing emails to SMTP server over port 587, encrypted with STARTTLS. However, some mail clients (particularly Microsoft Outlook) can only submit outgoing emails over port 465, the SMTPS port. By default, both iRedMail and Modoboa only enables submission over port 587.
SMTPS used as submission protocol is confusing, isn’t it? Let me explain. Originally in 1997, IANA (Internet Assigned Numbers Authority) assigned port 465 for SMTPS, which was intended to be used to encrypt communication between one SMTP server to another SMTP server, like mail.google.com and mail.yahoo.com. Later, STARTTLS came along, which allows SMTP servers to talk to each other securely over the existing SMTP port 25, so there’s no need to dedicate port 465 for secure SMTP any more. The SMTPS port was revoked. However, some mail clients like Microsoft Outlook erroneously interpreted smtps as submissions and used port 465 for email submission and it’s still the case to this day.
Another reason to enable port 465 submission is that it’s now encouraged by IETF (Internet Engineering Task Force). There are two approaches to secure email communications:
- Use STARTTLS on existing port (like STARTTLS on port 587)
- Implicit TLS on another dedicated port (For example, IMAP on port 143, IMAPS on port 993)
Now IETF believes that the STARTTLS approach isn’t perfect and started promoting the use of implicit TLS. It published RFC 8314 in January 2018 to encourage the use of port 465 for email submission, and RFC 8461 in September 2018 to encourage the use of MTA-STS for secure SMTP. Port 465 is likely to be renamed as the submissions port.
Note: Almost all mail clients can also submit outgoing emails on port 25, but most residential ISPs block port 25.
How to Enable SMTPS Port 465 in Postfix SMTP Server
Edit the Postfix master.cf file.
sudo nano /etc/postfix/master.cf
If you are using iRedMail, add the following lines at the end of this file.
smtps inet n - y - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject -o content_filter=smtp-amavis:[127.0.0.1]:10026
If you are using Modoboa, add the following lines at the end of this file.
smtps inet n - y - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject -o smtpd_proxy_filter=inet:[127.0.0.1]:10026
If you followed my setting up mail server from scratch tutorial, add the following lines instead.
smtps inet n - y - - smtpd -o syslog_name=postfix/smtps -o smtpd_tls_wrappermode=yes -o smtpd_sasl_auth_enable=yes -o smtpd_relay_restrictions=permit_sasl_authenticated,reject -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject -o smtpd_sasl_type=dovecot -o smtpd_sasl_path=private/auth
Save and close the file. Restart Postfix for the change to take effect.
sudo systemctl restart postfix
Open TCP Port 465 in Firewall
If you are using UFW on Debian/Ubuntu, then run the following command to open TCP port 465.
sudo ufw allow 465/tcp
If you use firewalld on CentOS, then run the following commands to open TCP port 465.
sudo firewall-cmd --permanent --add-service=smtps sudo systemctl reload firewalld
If you are using iptables, then run the following command.
sudo iptables -A INPUT -p tcp --dport 465 -j ACCEPT
Configure Mail Clients to Use Port 465 for Submission
Microsoft Outlook supports submission on port 465 only, so you don’t need to do special configuration. Mozilla Thunderbird defaults to port 587 for submission. It also supports port 465 with SSL/TLS encryption.
Conclusion
I hope this tutorial helped you enable SMTPS port 465 in Postfix SMTP server. As always, if you found this post useful, then subscribe to our free newsletter to get more tips and tricks. Take care 🙂
I haven’t the lines in Iredmail, what should i do?
Add those lines at the end of master.cf file.
I followed this tutorial: https://www.linuxbabe.com/mail-server/ubuntu-18-04-iredmail-email-server
I added those lines at the end of master.cf file.
But if I connect my SMTP with Sendblaster on port 465, it doesn’t work. Do you know what the problem is?
How to enable port 465 if we using Mail in a Box in our vps? The default is startssl 587 it didn’t give any info about using port 465. Thanks!
i have the same problem.
There is a typo in your text regarding RFC, it’s RFC 8314 instead of RFC 8134.
Thanks for pointing it out. The typo is now corrected.
hi i followed your tutorial on How to Quickly Set up a Mail Server on Ubuntu 18.04 with Modoboa.
My question now is, haven’t done all the installation, how do i get the smtp details of the server to send emails on applications like turbo mailer?
If you follow my tutorial, then the SMTP hostname will be like mail.example.com. You can use port 587 with STARTTLS encryption, or use port 465 with SSL/TLS encryption to submit outgoing emails.
ok i tried and it worked but if i want to connect still on gammadyne mailer using port 465 it fails. do i need to still enable port 465 just like the tutorial hers suggests? because have not done that yet. and when i test my email reputation i scored 10/10 but it still hits spam in gmail,aol and outlook but hits inbox in yahoomail.
If you can use port 587 to submit outgoing emails, then use this port. You have to enable port 465 if you or your users are going to use Microsoft Outlook mail client.
As to the spam issue, read this article: How to stop your emails being marked as spam
In your server from scratch tutorial, under “submission inet”, there’s
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
but in this one here, you don’t have it listed there. Why’s that?
Also, I followed the instructions (trying both ways), and I couldn’t get it. Firefox keeps picking up port 587 / STARTTLS / “Normal password”, but I’m trying to get it to be 465 / SSL/TLS / “Encrypted password”.
Is there anything else that may be causing this to fail?
Nevermind, I finally figured it out. Took me days of trying different configurations… 🙁
Hi Steve, could you post your solution?
I am currently hitting the same problem. Outbound Port 587 is working, but not 465.
My master.cf config:
smtps inet n – y – – smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
I think i got the real error now, but i have no solution. I made a telnet on localhost via port 465 and the log says the following:
Result:
Jul 15 11:34:01 mail postfix/smtps/smtpd[2414]: initializing the server-side TLS engine
Jul 15 11:34:01 mail postfix/smtps/smtpd[2414]: connect from localhost[127.0.0.1]
Jul 15 11:34:01 mail postfix/smtps/smtpd[2414]: setting up TLS connection from localhost[127.0.0.1]
Jul 15 11:34:01 mail postfix/smtps/smtpd[2414]: localhost[127.0.0.1]: TLS cipher list “aNULL:-aNULL:HIGH:MEDIUM:+RC4:@STRENGTH”
Jul 15 11:34:01 mail postfix/smtps/smtpd[2414]: SSL_accept:before SSL initialization
Jul 15 11:34:01 mail postfix/smtps/smtpd[2414]: read from 55BB69523500 [55BB69528AE3] (5 bytes => 0 (0x0))
Jul 15 11:34:15 mail postfix/smtps/smtpd[2414]: read from 55BB69523500 [55BB69528AE3] (5 bytes => 5 (0x5))
Jul 15 11:34:15 mail postfix/smtps/smtpd[2414]: 0000 65 68 6c 6f ehlo
Jul 15 11:34:15 mail postfix/smtps/smtpd[2414]: 0004 –
Jul 15 11:34:15 mail postfix/smtps/smtpd[2414]: SSL_accept:error in error
Jul 15 11:34:15 mail postfix/smtps/smtpd[2414]: SSL_accept error from localhost[127.0.0.1]: -1
Jul 15 11:34:15 mail postfix/smtps/smtpd[2414]: warning: TLS library problem: error:1408F10B:SSL routines:ssl3_get_record:wrong version number:../ssl/record/ssl3_record.c:332:
Anyone spotted this error before? I used the howto´s https://www.linuxbabe.com/mail-server/setup-basic-postfix-mail-sever-ubuntu and https://www.linuxbabe.com/mail-server/secure-email-server-ubuntu-postfix-dovecot with the nginx option. The letsencrypt set up was successfull too.
Hey Alex, I didn’t post my solution right away, because I’m still breaking and fixing it as I’m working on hardening it, so I didn’t want to end up posting something that other people would find via a google search and then copy & paste, only to break their servers, too. I’ll definitely come back and post it when I’m done.
Keep in mind that “my solution” may not match “your solution” or “the solution”, though. I’m running Plesk, instead of cPanel or Webmin, and Plesk ends up taking over some of the functions (which is why I keep on breaking and fixing). After being up for a couple days, I just spent the whole day sleeping.
Don’t forget to enable fail2ban and cut off access when you’re not working on it, “ufw deny 465 && ufw deny 587 && ufw deny 993”. My logs have shown failed connection attempts using dictionary attack usernames (joe@, joel@, johnson@, joseph@…) and when you go to work on it again, turn everything back on with “ufw allow 465 && ufw allow 587 && ufw allow 993”.
Again, when I figure out my solution, I’ll come back and post it.
In Thunderbird, when you select TLS with Normal Password, then the password will be encrypted with TLS on the wire.
i am using modoboa but receiving lots of spams what should i do ?
You can follow the tutorial below to block spam.
7 Effective Tips for Blocking Email Spam with Postfix SMTP Server
The best by far means of blocking spam is by forcing the use of encryption / STARTTLS by adding the following override to:
-o smtpd_tls_security_level=encrypt
Encryption doesn’t prevent email spam.
PS: Cannot reply to response, but I understand that encryption does not prevent spam on its own, however, the number of spammers’ email servers that cannot handle a tls connection is unbelievable. Try it! I have used this technic in conjunction with (and to a lesser extent) SpamAssassin /amavis to totally rid inboxes of spam.
Hello Xiao Guoan,
I would just like to say a massive thank you for the time you have spent building these tutorials. they have been a breeze to follow.
Would you consider a series of tutorials on Hardenize .com how to button up all the additional checks?
Again thank you so much.
“Submission” requires port 25 unlocked?
It’s almost always that you should use port 587 or 465 to submit emails from an email client to your SMTP server. So you don’t need port 25 open on the email client’s network.
Port 25 should be open on the SMTP server. It’s not a requirement on the email client (Mozilla Thunderbird, Microsoft Outlook, etc).
I followed this tutorial, my server is running fine on port 587 but port 465 is not working. I tired a few solutions but they did not work and i had to restore the settings as per this tutorial. Any advice?
Have you check to see if the port is opened -canyouseeme . org-
Hello all,
I works for me. After editing Postfix master.cf file with this at the end of the file :
smtps inet n – y – – smtpd
-o syslog_name=postfix/smtps
-o smtpd_tls_wrappermode=yes
-o smtpd_sasl_auth_enable=yes
-o smtpd_relay_restrictions=permit_sasl_authenticated,reject
-o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject
-o smtpd_sasl_type=dovecot
-o smtpd_sasl_path=private/auth
-o content_filter=smtp-amavis:[127.0.0.1]:10026
You should configure the outlook mail client with the parameters described on the image attached.
sudo firwall-cmd –permanent –add-service=smtps
should be:
sudo firewall-cmd –permanent –add-service=smtps
Thanks, typo is fixed.
How to fix? Remove the spaces in “smtps inet n – ” …?
It already tells that in the /etc/postfix/main.cf file on line 367, an equal sign is missing, so you should probably check the main.cf file.
In the following code, there should not be any spaces around the equal sign.