Port reference
Port 587 (TCP) – SMTP Submission
SMTP submission — authenticated outbound mail, upgraded to TLS via STARTTLS.
Default state
Open on mail servers accepting client submission. Typically exposed to the internet for authenticated users to send mail.
Common attacks
- Credential brute force and password spraying against SMTP AUTH
- Open-relay abuse from missing/misconfigured authentication
- STARTTLS stripping / downgrade to cleartext
- Spam and phishing relay via compromised accounts
Hardening
- Require SMTP AUTH on 587 and reject unauthenticated relay
- Make STARTTLS mandatory and reject plaintext logins
- Enforce TLS 1.2/1.3 and disable weak ciphers
- Rate-limit, lock out brute force, and monitor send volumes
- Enforce SPF/DKIM/DMARC and use strong, unique credentials
nmap snippet
nmap -p587 --script smtp-commands,smtp-open-relay,smtp-enum-users,ssl-enum-ciphers <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 587?
Port 587 is the dedicated SMTP submission port defined for mail clients to hand outgoing mail to their provider. It begins as a plaintext SMTP session and upgrades to encryption with the STARTTLS command. It is distinct from port 25 (server-to-server relay): 587 is for authenticated end users sending mail, which is why most providers and ISPs route client submission here.
Why it matters for security
Like all submission ports, 587 must enforce authentication and TLS. Without mandatory STARTTLS, credentials can be sent — or sniffed — in cleartext, and without strict relay rules the server can become an open relay abused by spammers. Because a valid login lets an attacker send mail as your domain, account compromise on 587 directly damages deliverability and reputation.
How it's attacked
Attackers run credential brute force and password spraying against SMTP AUTH, and abuse open relays where authentication is missing. Because 587 starts in cleartext, STARTTLS stripping / downgrade attacks try to keep the session unencrypted to capture credentials. Compromised accounts are then used to relay spam and phishing past reputation filters.
Hardening checklist
Require SMTP AUTH and reject unauthenticated relay. Make STARTTLS mandatory, reject plaintext logins, enforce TLS 1.2/1.3, and disable weak ciphers. Rate-limit and lock out brute force and monitor for abnormal send volumes. Publish and enforce SPF/DKIM/DMARC, and use strong, unique passwords with MFA where possible. The nmap snippet enumerates SMTP commands, relay and user status, and TLS on systems you are authorized to test.
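An added example, not part of the original page: a Python check for the "make STARTTLS mandatory, reject plaintext logins" items that compares the EHLO capability lists before and after STARTTLS. The sample responses and the host name mail.example.test are constructed, and fetch_ehlo is a hypothetical helper meant for a server you administer.

```python
import smtplib
import ssl
from typing import Optional

def parse_ehlo(response: str) -> dict:
    """Map each EHLO keyword to its parameters; accepts wire or smtplib form."""
    features = {}
    for line in response.splitlines()[1:]:  # first line is the server greeting
        text = line[4:] if line[:3].isdigit() else line  # drop "250-" / "250 "
        if text.strip():
            keyword, *params = text.upper().split()
            features[keyword] = params
    return features

def audit_submission(pre_tls: str, post_tls: Optional[str]) -> list:
    """Return findings for a submission service's EHLO capability lists."""
    findings = []
    pre = parse_ehlo(pre_tls)
    if "STARTTLS" not in pre:
        findings.append("STARTTLS not offered: session stays in cleartext")
    if "AUTH" in pre:
        findings.append("AUTH offered before STARTTLS: logins can cross in cleartext")
    if post_tls is not None and "AUTH" not in parse_ehlo(post_tls):
        findings.append("AUTH not offered after STARTTLS: no client authentication")
    return findings

def fetch_ehlo(host: str, port: int = 587, timeout: float = 10.0):
    """Collect both EHLO responses from a server you administer."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        pre = smtp.ehlo()[1].decode("latin-1")
        if not smtp.has_extn("starttls"):
            return pre, None
        smtp.starttls(context=ssl.create_default_context())
        return pre, smtp.ehlo()[1].decode("latin-1")

# Constructed sample responses (not captured from any real server).
WEAK_PRE = "250-mail.example.test\n250-SIZE 52428800\n250-AUTH PLAIN LOGIN\n250 8BITMIME"
GOOD_PRE = "250-mail.example.test\n250-SIZE 52428800\n250-STARTTLS\n250 8BITMIME"
GOOD_POST = "250-mail.example.test\n250-SIZE 52428800\n250-AUTH PLAIN LOGIN\n250 8BITMIME"

if __name__ == "__main__":
    for name, pre, post in [("weak", WEAK_PRE, None), ("good", GOOD_PRE, GOOD_POST)]:
        print(name, audit_submission(pre, post) or "no findings")
```

A clean result here only shows what the server advertises; whether it actually refuses AUTH on an unencrypted session still has to be confirmed in the server configuration.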
Frequently asked questions
- What is the difference between port 587 and 465?
- Port 587 starts in cleartext and upgrades to encryption with STARTTLS; port 465 uses implicit TLS from connect. Both are submission ports that require authentication.
- Why use port 587 instead of port 25?
- Port 25 is for server-to-server relay and is widely blocked for client sending. Port 587 is the dedicated submission port for authenticated users, with mandatory STARTTLS.