SMTP assistance

I saw someone mentioning the term "submission ports", so I asked ChatGPT about it. I also let him know I was using Postmark.

Why Avoid Port 25?

  • Port 25 is the traditional port used for SMTP (Simple Mail Transfer Protocol), primarily for server-to-server email relay, not for client submissions.
  • Most ISPs block port 25 on residential or cloud connections to prevent spam.
  • Using it for sending emails directly from your app or server often results in delivery failures or blacklisting.

What Are Submission Ports?

Submission ports are alternatives to port 25, specifically meant for authenticated email submission from clients (like apps, scripts, or mail clients) to servers.

The common ones are:

| Port | Encryption | Purpose |
|------|------------|---------|
| 587 | STARTTLS | Recommended for email submission (modern standard) |
| 465 | SSL/TLS | Legacy secure submission (still supported by many providers) |

Why Use Port 587 (or 465) with Postmark?

  • Postmark expects you to authenticate and securely send emails.
  • Ports 587 and 465 are designed for authenticated, secure SMTP connections.
  • They avoid spam filtering and deliverability issues that plague port 25.

Summary

Use port 587 (preferred) or 465 to send emails through Postmark or any modern SMTP provider. Avoid port 25 unless you're operating a mail server relaying mail to another server, which is uncommon and often discouraged today.

Is it common for hosting providers to block submission ports?

It's less common, but some hosting providers do block submission ports (587 and 465)—especially on lower-tier plans or VPS setups—to prevent spam or abuse.

Here's the typical breakdown:

:white_check_mark: Usually Open on:

  • Dedicated servers
  • Reputable VPS providers (like DigitalOcean, Hetzner, Linode) – though some may block by default until you request unblocking
  • Managed application platforms (like Heroku, Vercel, etc.)

:no_entry_sign: Often Blocked or Restricted on:

  • Low-cost shared hosting
  • Cloud providers (like AWS, Google Cloud, Azure) – often block outbound mail ports (even 587/465) by default; you must request access
  • ISPs for home internet – mostly block port 25, but occasionally others too

What to Do If They’re Blocked:

  • Check your hosting provider’s documentation or support to confirm.
  • If blocked, ask them to open port 587 (or 465) for authenticated email submission.
  • As an alternative, some services (like Postmark) support sending via HTTP APIs, which bypass port issues altogether and are often more reliable.

Personally, I use port 2525 (if available), which is unlikely to be blocked.

It seems, according to this topic, DigitalOcean now blocks those common submission ports. What was the solution in the end?


After more discussion with ChatGPT, I believe it's harder for DigitalOcean to monitor SMTP connections, hence it's likely they now prefer people send e-mail over an HTTP API, which is easier to monitor. This is speculation though.

ChatGPT

SMTP traffic looks the same no matter where it’s going: to Postmark, Gmail, or a spam botnet.

So it's not possible to distinguish whether you're sending to a transactional email service or an actual e-mail inbox?

Exactly — that’s the core of the issue.

When a server (like your droplet on DigitalOcean) opens an SMTP connection, say on port 587 or 465, from the network provider’s point of view, it's just:

  • "Outbound connection to an IP on port 587/465"
  • With encrypted traffic inside (thanks to STARTTLS or SSL/TLS)

:hole: Why This Is a Problem:

  • The cloud provider can’t see inside the TLS tunnel (unless doing deep packet inspection, which they generally don't).

  • They can’t easily tell if you’re connecting to:

    • :green_circle: A legit transactional email provider (Postmark, SendGrid, etc.)
    • :red_circle: A consumer inbox SMTP server (like smtp.gmail.com)
    • :red_circle: A spam-friendly relay or botnet node
    • :yellow_circle: An internal corporate mail server

So to protect their IP ranges and reputation, they block SMTP traffic entirely unless you opt in or go through a review process.


:package: By Contrast: HTTP API Calls

  • Go to a specific domain, like api.postmarkapp.com
  • Use port 443, which is ubiquitous and trusted
  • Are easy to block or allow based on DNS/IP filtering
  • Typically use API tokens, which providers like Postmark monitor tightly

In Short:

You're absolutely right: there’s no reliable way for the provider to tell if SMTP traffic is going to a legit service or a spam target, so they err on the side of caution and block it.

I always think of using port 25 for email as similar to using http:// on a website. Insecure, unnecessary and outdated.
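
A connectivity check for the "confirm whether the ports are blocked" step discussed in this thread, added here as an example (it is not code from any poster, from ChatGPT, or from Postmark). The function names are hypothetical, and the target host is whatever SMTP endpoint you pass on the command line.

```python
import smtplib
import socket
import sys

# Ports named in the thread: 25 (relay), 587 and 465 (submission), 2525 (alternate).
PORTS = (25, 587, 465, 2525)


def probe(host, port, timeout=5.0):
    """Classify one outbound TCP attempt from this machine."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"    # path works, nothing is listening there
    except socket.timeout:
        return "filtered"   # silently dropped: typical of a provider-side block
    except OSError:
        return "error"      # DNS failure, no route, ...


def advertises_starttls(host, port, timeout=5.0):
    """True if the server offers STARTTLS after EHLO (ports 25/587/2525).

    Port 465 wraps the whole session in TLS from the first byte, so there is
    no plaintext EHLO to inspect and this check does not apply to it.
    """
    try:
        with smtplib.SMTP(host, port, local_hostname="localhost",
                          timeout=timeout) as smtp:
            smtp.ehlo()
            return smtp.has_extn("starttls")
    except (smtplib.SMTPException, OSError):
        return False


def report(host, ports=PORTS, timeout=5.0):
    """Map each port to its probe state, plus STARTTLS support where it applies."""
    result = {}
    for port in ports:
        state = probe(host, port, timeout)
        if state == "open" and port != 465:
            ok = advertises_starttls(host, port, timeout)
            state += "+starttls" if ok else "+plaintext-only"
        result[port] = state
    return result


if __name__ == "__main__":
    # The host comes from the command line, e.g. your provider's SMTP endpoint.
    for port, state in report(sys.argv[1]).items():
        print(f"{port:>5}  {state}")
```

A port that reports `filtered` from the server but `open` from another network points at a provider-side block rather than a problem at the mail service.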