Skip to content
PortsDB

Port reference

Port 465 (TCP) – SMTPS

SMTPS — authenticated mail submission wrapped in implicit TLS from connect.

tcpWell-known

Default state

Open on mail servers offering implicit-TLS submission. Usually exposed to the internet for authenticated clients to send mail.

Common attacks

  • Credential brute force and password spraying against SMTP AUTH
  • Open-relay abuse when authentication or relay rules are misconfigured
  • Weak/deprecated TLS exploitation
  • Spam and phishing relay through compromised accounts

Hardening

  • Require SMTP AUTH over TLS for all submission; never relay unauthenticated
  • Enforce TLS 1.2/1.3 and disable weak ciphers and old protocols
  • Rate-limit, lock out brute force, and alert on credential abuse
  • Verify the server is not an open relay and enforce SPF/DKIM/DMARC
  • Use strong, unique account passwords and consider MFA on webmail

nmap snippet

nmap -p465 --script smtp-commands,smtp-open-relay,ssl-enum-ciphers,ssl-cert <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 465?

Port 465 is SMTPS — SMTP message submission wrapped in implicit TLS. Unlike STARTTLS, the connection is encrypted from the moment it opens, with no cleartext phase. Mail clients use it to submit outgoing mail to their provider's server over an authenticated, encrypted channel. RFC 8314 endorses 465 as a preferred submission port alongside 587.

Why it matters for security

Submission ports hand outbound mail to a server, so they must always require authentication and TLS. If they don't, the server becomes an open relay that spammers and phishers use to send mail in your name, ruining your domain's reputation. Because credentials guard the ability to send, compromised accounts on 465 are quickly weaponised for bulk spam and phishing.

How it's attacked

The main threats are credential brute force and password spraying against SMTP AUTH, and open-relay abuse when relay rules or authentication are misconfigured. Attackers also probe for weak or deprecated TLS to read or downgrade the connection, and use compromised accounts to relay spam and phishing while bypassing reputation checks.

Hardening checklist

Require SMTP AUTH over TLS for every submission and never relay unauthenticated mail. Enforce TLS 1.2/1.3 and disable weak ciphers and old protocols. Rate-limit and lock out brute force, and alert on unusual send volumes. Confirm the server is not an open relay, publish and enforce SPF/DKIM/DMARC, and use strong, unique passwords with MFA on associated webmail. The nmap snippet checks supported SMTP commands, relay status, and TLS on systems you are authorized to test.

Related ports

Port 587Port 25Port 993Port 995

Frequently asked questions

What is the difference between port 465 and 587?
Port 465 uses implicit TLS — the session is encrypted from connect. Port 587 starts in cleartext and upgrades via STARTTLS. Both require authentication and should enforce TLS.
Is port 465 still recommended?
Yes. RFC 8314 reinstated 465 as the preferred port for implicit-TLS message submission. Use it (or 587 with mandatory STARTTLS) and require authentication.