Port 587 (SMTP Submission): What It Is & Security Guide
What is Port 587 (SMTP Submission)?
In the vast and intricate world of network communication, ports serve as crucial endpoints for different services. Among these, Port 587 holds a significant role in the realm of email communication. Specifically designated for SMTP Submission, this TCP port is the standard for sending outgoing emails from a client to an email server. Unlike its older sibling, Port 25 (SMTP Relay), Port 587 was established to provide a more secure and authenticated method for email submission, primarily for end-users and applications.
Understanding Port 587 is vital for anyone managing email servers, developing applications that send email, or simply troubleshooting email delivery issues. From a security perspective, while Port 587 is inherently designed with security in mind (requiring authentication and often encryption), its exposure still presents potential risks if not properly configured and secured. This guide will delve into the technical specifics of Port 587, explore its security implications, detail common attack vectors, and provide actionable steps to ensure your email submission process remains robust and protected against cyber threats.
The shift to Port 587 for client-to-server email submission was a deliberate move to separate the roles of email relay (server-to-server, often Port 25) from email submission (client-to-server). This distinction helps in combating spam and ensuring that only legitimate, authenticated users can send emails through a given server, thereby enhancing the overall integrity and security of email systems worldwide.
Port 587 Technical Details
Port 587 is a dedicated port for the SMTP Submission service, operating exclusively over the Transmission Control Protocol (TCP). This means it establishes a reliable, connection-oriented communication channel, ensuring that email data is transmitted accurately and in order.
| Attribute | Detail |
|---|---|
| Port Number | 587 |
| Protocol | TCP |
| Service | SMTP Submission |
| Risk Level | Low (when properly configured) |
| Common Use | Client-to-server email sending |
| Standard | RFC 6409 (formerly RFC 2476) |
The primary distinguishing feature of Port 587 is its requirement for authentication and the widespread use of encryption. When an email client (like Outlook, Thunderbird, or a web application) connects to an SMTP server on Port 587, the communication typically begins in plain text. However, almost immediately, the client issues a STARTTLS command. This command upgrades the connection to an encrypted one using Transport Layer Security (TLS), protecting the subsequent transmission of credentials and email content from eavesdropping.
After the secure tunnel is established, the client must authenticate itself to the server, usually with a username and password. This authentication step is crucial for preventing unauthorized users from relaying spam or phishing emails through the server. Only after successful authentication can the client proceed to send email messages using standard SMTP commands like MAIL FROM, RCPT TO, and DATA.
This design makes Port 587 the preferred choice for legitimate email submission, as it helps email service providers enforce policies, track usage, and mitigate abuse. While the underlying SMTP protocol is the same as that used on Port 25, the context and security requirements for Port 587 are significantly different, emphasizing authenticated and encrypted communication for end-user email sending.
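The sequence described above (plain-text greeting, STARTTLS, then AUTH) can be verified from the server's EHLO replies before and after the TLS upgrade. The Python below is an added example, not code from the original page; the function names, finding identifiers and sample replies are constructed for illustration.

```python
import re

def parse_ehlo(reply):
    """Map each ESMTP keyword in an EHLO reply to its set of parameters."""
    features = {}
    for line in reply.strip().splitlines()[1:]:   # first line is the server greeting
        line = re.sub(r"^250[- ]", "", line.strip())
        if line.upper().startswith("AUTH="):      # legacy "AUTH=PLAIN LOGIN" form
            line = "AUTH " + line[5:]
        keyword, _, params = line.partition(" ")
        if keyword:
            features.setdefault(keyword.upper(), set()).update(params.upper().split())
    return features

def audit_submission(pre_tls_reply, post_tls_reply=None):
    """Return (id, message) findings for a port 587 listener.

    post_tls_reply is the EHLO reply seen after STARTTLS; pass None when
    the server never offered STARTTLS and no encrypted session exists.
    """
    pre = parse_ehlo(pre_tls_reply)
    findings = []
    if "STARTTLS" not in pre:
        findings.append(("no-starttls", "STARTTLS is not offered; the session stays in plain text"))
    if "AUTH" in pre:
        mechs = ", ".join(sorted(pre["AUTH"]))
        findings.append(("auth-before-tls", "AUTH offered before encryption: " + mechs))
    if post_tls_reply is not None and not parse_ehlo(post_tls_reply).get("AUTH"):
        findings.append(("no-auth", "no AUTH mechanism is offered after TLS"))
    return findings

# Constructed sample replies (not captured from a real server).
HARDENED_PRE = """250-mail.example.test
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250 8BITMIME"""
HARDENED_POST = """250-mail.example.test
250-PIPELINING
250-SIZE 10240000
250-AUTH PLAIN LOGIN
250 8BITMIME"""
WEAK_PRE = """250-mail.example.test
250-SIZE 10240000
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME"""

if __name__ == "__main__":
    print("hardened:", audit_submission(HARDENED_PRE, HARDENED_POST) or "no findings")
    print("weak:", audit_submission(WEAK_PRE))
```

Advertised capabilities show what the server offers, not what it enforces, so a clean result still needs a test confirming that mail submitted without AUTH is rejected.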
Security Risks of Open Port 587
While Port 587 is considered to have a 'Low' inherent security risk due to its design for authenticated and encrypted communication, an open port always presents an attack surface. The risks primarily stem from misconfigurations, weak security practices, or vulnerabilities in the underlying SMTP server software. If not properly secured, an open Port 587 can be exploited in several ways, leading to significant consequences for individuals and organizations.
Common Attacks on Port 587
Understanding the specific attack vectors targeting Port 587 is crucial for developing effective defense strategies. While the port itself isn't inherently 'dangerous,' the service it hosts can be abused in various ways if not properly secured.
How to Check if Port 587 is Open
Before you can secure Port 587, you need to know if it's open and accessible. There are several methods to check the status of this port, ranging from command-line tools to online scanners. It's important to check from both inside your network and from an external perspective to understand its true exposure.
Using Command-Line Tools (Linux/macOS)
The nmap utility is a powerful network scanner that can quickly determine the status of ports on a target host. Replace target.com with the IP address or domain name of your email server.
nmap -p 587 target.com
Example Output (Open):
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:30 EDT
Nmap scan report for target.com (192.168.1.100)
Host is up (0.0020s latency).

PORT STATE SERVICE
587/tcp open submission

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
Example Output (Closed/Filtered):
Starting Nmap 7.80 ( https://nmap.org ) at 2023-10-27 10:30 EDT
Nmap scan report for target.com (192.168.1.100)
Host is up (0.0020s latency).

PORT STATE SERVICE
587/tcp filtered submission

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
A 'filtered' state usually means a firewall is blocking access, while 'closed' means no service is listening on that port.
You can also use telnet or netcat for a basic check:
telnet target.com 587
If successful, you'll see a banner like 220 mail.target.com ESMTP Postfix. If it hangs or gives a connection refused error, the port is likely closed or blocked.
nc -vz target.com 587
Using Online Port Scanners
For an external perspective, online port scanners are invaluable. They check your public IP address from various locations on the internet. You can scan port 587 with the Secably Port Scanner: enter your public IP address or domain name, specify port 587, and start the scan. This provides a quick way to see whether your firewall or router is exposing the port to the internet.
Checking on Windows
On Windows, you can use PowerShell's Test-NetConnection command:
Test-NetConnection -ComputerName target.com -Port 587
Look for TcpTestSucceeded : True to confirm the port is open.
How to Secure Port 587
Securing Port 587 is paramount for maintaining the integrity and reputation of your email services. While the port itself is not inherently high-risk, the SMTP service running on it demands robust security measures. Implementing the following steps will significantly reduce your exposure to common attacks and vulnerabilities.
When Should Port 587 Be Open?
Port 587 is designed for a very specific and legitimate purpose: email submission from clients to a mail server. Therefore, it should be open whenever you need to send outgoing emails through your own mail server or an email service provider.
- Email Clients: If you use desktop email clients (like Microsoft Outlook, Mozilla Thunderbird, Apple Mail) or mobile email apps to send emails, these clients will typically connect to your mail server on Port 587.
- Web Applications: Many web applications (e.g., e-commerce platforms, content management systems, custom web apps) need to send transactional emails like order confirmations, password resets, or notifications. These applications are configured to use Port 587 to submit emails to a local or remote SMTP server.
- Internal Servers/Services: Servers within your network that need to send system alerts, reports, or other automated emails will often use Port 587 to connect to an internal or external mail relay.
- Email Service Providers (ESPs): When you configure an application or device to send email through a third-party ESP (like SendGrid, Mailgun, Amazon SES, Google Workspace, Microsoft 365), you will almost always use Port 587 with authentication and TLS encryption.
In essence, Port 587 should be open whenever a legitimate client or application needs to send an email through an authenticated and encrypted channel. It should not be open for general, unauthenticated email relay from arbitrary internet hosts, which is the role (and common abuse) of Port 25.
The key is to ensure that while Port 587 is open for its intended purpose, it is always protected by the hardening measures discussed, especially mandatory authentication and encryption, to prevent abuse.
Is port 587 dangerous?
Port 587 itself is not inherently dangerous. It is the standard, secure port for email submission, designed to require authentication and encryption (STARTTLS). The danger arises from misconfigurations of the SMTP server running on it (e.g., allowing unauthenticated relay, using weak passwords, or running outdated software with known vulnerabilities). When properly secured, Port 587 is a safe and essential component of modern email communication.
Should I close port 587?
You should only close Port 587 if you do not host an SMTP server that needs to receive outgoing email submissions from clients or applications. If you run your own mail server and users/applications need to send emails through it, Port 587 must remain open. However, it should always be protected by strong authentication, encryption, and firewall rules to limit access to legitimate sources and prevent abuse.
How do I block port 587?
Blocking Port 587 is typically done using firewall rules. Here are examples for common Linux firewalls:
Using UFW (Uncomplicated Firewall) on Ubuntu/Debian:
To block all incoming connections to Port 587:
sudo ufw deny 587/tcp
To allow specific IP addresses or networks to connect to Port 587 (e.g., your office IP 192.168.1.100):
sudo ufw allow from 192.168.1.100 to any port 587 proto tcp
Remember to enable UFW after making changes:
sudo ufw enable
Using iptables on CentOS/RHEL/Other Linux:
To block all incoming connections to Port 587:
sudo iptables -A INPUT -p tcp --dport 587 -j DROP
To allow specific IP addresses or networks to connect to Port 587:
sudo iptables -A INPUT -p tcp -s 192.168.1.100 --dport 587 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 587 -j DROP
After making iptables changes, you'll need to save them so they persist across reboots (commands vary by distribution, e.g., sudo service iptables save or sudo netfilter-persistent save).
For hardware firewalls or cloud security groups, you'll configure similar rules through their respective management interfaces.
What runs on port 587 by default?
By default, the SMTP Submission service runs on Port 587. This service is part of an email server (Mail Transfer Agent or MTA) like Postfix, Exim, Sendmail, or Microsoft Exchange Server. It is specifically configured to handle outgoing email from email clients and applications, requiring authentication and typically using STARTTLS for encryption. It's distinct from the SMTP Relay service that traditionally runs on Port 25, which is primarily for server-to-server email transfer.
What is the difference between Port 25 and Port 587?
The main difference lies in their intended purpose and security requirements. Port 25 (SMTP Relay) is primarily used for server-to-server email communication, where one mail server sends an email to another. It historically did not require authentication, making it a common target for spam. While it can use STARTTLS, it's often less strictly enforced. Port 587 (SMTP Submission), on the other hand, is dedicated to client-to-server email submission. It mandates authentication and strongly encourages (and often enforces) STARTTLS encryption, making it the secure and preferred port for end-users and applications to send emails.