Email ports and SSL/TLS

23 March 2021

Servers use ports to listen for specific types of connections. This article looks at the most common email ports for POP3, IMAP and SMTP. I’ll also briefly cover the odd history of port 465 and introduce some common SSL/TLS errors.

POP3 and IMAP ports

The POP3 protocol is the oldest protocol for receiving email still in use today. The original POP3 protocol uses port 110 and doesn’t support SSL/TLS. That’s a problem, as it means that your username and password are sent to the server in plain text.

The POP3S protocol uses port 995 and encrypts the connection between the email client and mail server. Email clients usually don’t use the name POP3S, but if you use port 995 then your login credentials are transmitted securely.

Similarly, IMAP uses port 143 and doesn’t support SSL/TLS. The IMAPS protocol uses port 995 and does securely connect to mail server.

SMTP ports

There are even more SMTP ports. The oldest is 25. Like ports 110 for POP3 and 143 for IMAP, user logins are send in plain text. Port 25 is widely used to relay emails between mail servers, but you should not use it when sending emails. In fact, chances are your ISP blocks port 25.

There are two SMTP ports that can be used to securely send emails: 587 and 465. Port 587 uses the STARTTLS command to upgrade a plain text connection to an encrypted one. The client and server first negotiate a secure connection, and only once the communication channel is secured are the logins sent to the server.

The login fails if no secure channel can be set up. On cPanel servers clients are required to either connect with SSL or issue the STARTTLS command before they authenticate. In other words, the server doesn’t allow clear text logins. This setting can be changed in WHM via Service Configuration » Exim Configuration Manager, but doing so is strongly discouraged.

The port that didn’t exist

Port 465 uses implicit TLS. This means that the client immediately negotiates a TLS connection – it doesn’t first send the STARTTLS command. The port is a bit of an oddity. It was registered with IANA in 1997 but deprecated in favour of STARTTLS the following year. The port was then assigned to a completely unrelated protocol (URL Rendezvous Directory for SSM). However, email providers continued to use port 465 for SMTP. In 2018, IANA added the port to its list again. As a result, port 465 is used for two completely different protocols.

All our servers listen for SMTP connections on port 465. However, because the port was considered dead and buried for many years you may find that third party email services don’t. If you use a third party service to relay emails from your website then you may need to use port 587 instead.

TLS issues

As said, mail servers are nowadays configured to only accept secure SMTP connections. You need to either use implicit or explicit SSL/TLS the connect to an SMTP server. If you can receive but not send emails then it’s very likely that you need to enable SSL/TLS in your email client.

The server may still refuse a connection if the client doesn’t have support for current TLS standards. The ancient SSL protocol and TLS versions 1.0 and 1.1 have been deprecated. They have known security vulnerabilities and are no longer secure. That means that email clients on operating systems that are no longer maintained may not be able to send emails. You can find a list with operating systems and email clients that have support for TLS 1.2 on our Email FAQs page.