Most developers know that port 443 means “secure web” and port 587 means “secure email submission” โ€” but the layers underneath trip people up all the time. The terms SSL, TLS, STARTTLS, HTTPS, and implicit versus explicit encryption get mixed together in ways that cause misconfigured servers and weak security choices. This article sorts through those distinctions using authoritative sources and concrete port-by-port recommendations.

4 related posts

HTTPS Standard Port: 443 ยท SMTP TLS Submission Port: 587 ยท Legacy SMTP SSL Port: 465 ยท TLS Successor To: SSL ยท Common Alt HTTPS Port: 8443

Quick snapshot

1Confirmed facts
  • TLS replaced SSL as the secure standard (Comodo Blog)
  • Port 587 uses STARTTLS for opportunistic encryption (MailerSend)
  • Port 465 uses implicit TLS for immediate encryption (Cloudflare)
2What’s unclear
  • Regional ISP policies on port blocking vary widely with no single authoritative registry
  • Exact adoption rates for TLS 1.3 across enterprise versus consumer environments lack public consensus
3Timeline signal
  • SSL 2.0 reached public internet in 1995; TLS 1.3 finalized as RFC 8446 in 2018 (Comodo Blog)
  • SSL 3.0 formally deprecated in 2014 after POODLE vulnerability (Comodo Blog)
4What’s next
  • TLS 1.3 adoption accelerates across browsers and email services
  • Port 465 implicit TLS gaining preference over STARTTLS on 587 for new deployments
Four ports, two protocols, one encryption concept
Label Value
Primary Web Port 443 (TLS/HTTPS)
Email Secure Port 587 (STARTTLS)
Legacy Email Port 465 (SMTPS, deprecated)
Alt Secure Port 8443 (custom HTTPS)

Is 587 TLS or SSL?

Port 587 is a TLS port, not an SSL port. Email clients connecting to this port begin with a plain SMTP handshake and then upgrade the connection to TLS encryption using the STARTTLS command. This is called explicit TLS โ€” the upgrade is negotiated rather than assumed from the start of the connection.

Port 587 for SMTP Submission

Port 587 became the standard for authenticated email submission in the early 2000s. Unlike port 25, which is restricted to server-to-server relay across most networks, port 587 requires authentication from the sending client and supports TLS encryption. MailerSend’s analysis confirms that port 587 remains the recommended submission port for most email sending configurations today.

TLS Wrapper on Port 587

The STARTTLS command on port 587 tells the receiving server “I want to upgrade this connection to TLS.” If the server supports it, both sides agree on a cipher suite and the traffic is encrypted. If the server does not support STARTTLS, the connection falls back to plaintext โ€” which is why some environments prefer implicit TLS on port 465 instead. Cloudflare’s SMTP security guide notes that this opportunistic encryption model makes port 587 widely supported but not as robust against downgrade attacks as implicit TLS.

Bottom line: Port 587 uses TLS via STARTTLS, not SSL. Treat it as the standard for authenticated email submission where implicit TLS is not available.

What SMTP port should be used? Port 25, 587, or 465?

Choosing the right SMTP port depends on whether you are sending server-to-server, submitting mail on behalf of a user, or setting up a dedicated encrypted channel. Each port implies a different level of security, authentication, and ISP cooperation.

Port 25: Relay Basics

Port 25 handles raw SMTP relay between mail servers. It was the original SMTP port and remains the backbone of email transport across the internet. However, most residential ISPs and cloud providers block port 25 to reduce spam. The connection on port 25 is typically unencrypted by default unless both servers explicitly negotiate TLS. Mailtrap’s port breakdown confirms that port 25 is reserved for server-to-server relay and should not be used for client email submission.

Port 587: Secure Submission

Port 587 is the standard for email submission by end-user clients. It requires authentication credentials and supports STARTTLS encryption. The vast majority of email service providers and mail client applications default to port 587 for outgoing mail. Cloudflare confirms that port 587 is widely supported across email platforms and remains the baseline for secure submission.

Port 465: Legacy SMTPS

Port 465 was originally assigned for SMTPS โ€” implicit TLS from connection start. IETF deprecated this usage in 1998, then reconsidered and approved it again in recent years. Today port 465 is the preferred choice for new SMTPS deployments because it encrypts immediately without any plaintext handshake window. Cloudflare’s security team states that port 465 offers better protection against certain attack vectors compared to STARTTLS on port 587.

Why this matters

For application developers sending transactional email: use port 587 with STARTTLS for broad compatibility, or port 465 with implicit TLS for stronger security guarantees. Avoid port 25 for application-level sending.

Is 443 TLS or SSL?

Port 443 is exclusively a TLS port in any modern context. SSL 2.0 and earlier versions were never deployed on port 443 at scale, and SSL was formally deprecated for web traffic long before browsers started enforcing encrypted connections. When you visit a site over HTTPS, you are using TLS on port 443 โ€” almost certainly TLS 1.2 or TLS 1.3.

Port 443 for HTTPS

HTTPS means HTTP over TLS, and port 443 is the default assigned port for this combination. The encryption begins immediately upon TCP connection establishment โ€” there is no plaintext phase, no STARTTLS negotiation. Flarexes’ protocol history confirms that HTTPS uses TLS implicitly on port 443, meaning the encryption wrapper is built into the connection from the first packet.

Modern TLS Implementation

TLS 1.3 (RFC 8446) streamlined the handshake to just two round trips โ€” half the latency of TLS 1.2. Major browsers enabled TLS 1.3 by default starting in 2020, and it is now the dominant cipher suite for encrypted web traffic. AWS’s technical comparison confirms that TLS handshake performance is significantly faster than the older SSL process, which required multiple round trips and complex negotiation steps.

Bottom line: Port 443 is TLS-only in practice. If your server still negotiates SSL on this port, it is misconfigured and vulnerable.

Is SSL/TLS the same as HTTPS?

SSL and TLS are transport-layer encryption protocols. HTTPS is an application-layer protocol that uses TLS as its encryption layer. The distinction matters because SSL and TLS can encrypt many protocols beyond HTTP โ€” SMTP, IMAP, POP3, FTP, and others โ€” while HTTPS specifically refers to HTTP running over TLS.

HTTPS Layer on TLS

HTTPS = HTTP + TLS. The HTTP specification defines how browsers and servers exchange requests and responses. The TLS specification defines how those bytes are encrypted in transit, authenticated via certificates, and protected against tampering. Cloudflare notes that SMTPS follows the same pattern as HTTPS โ€” the application protocol (SMTP) runs over an encryption layer (TLS) rather than over a raw TCP socket.

Key Differences

The critical difference between SSL and TLS lies in their cryptographic foundations. SSL uses MACs (Message Authentication Codes) for integrity checking and sends alerts in plaintext. TLS uses HMACs, encrypts alerts, and supports a wider range of cipher suites including AES-256. AWS confirms that TLS’s encrypted alerts and HMAC-based integrity checks provide substantially stronger protection than SSL’s original design.

Two protocols, one goal โ€” but very different execution
Property SSL TLS
Integrity check MAC HMAC
Alert encryption Plaintext Encrypted
Handshake rounds Multiple (slower) Streamlined (faster)
AES-256 support No Yes
Current status Deprecated Standard
Bottom line: HTTPS is HTTP over TLS. SSL/TLS are the encryption protocols; HTTPS is the application that consumes them.

Why is SSL no longer used?

SSL is no longer used because it has structural vulnerabilities that cannot be patched. The protocol itself โ€” not just individual cipher suites โ€” is fundamentally weaker than TLS. Organizations still running SSL are leaving themselves open to known attacks that have been obsolete in TLS for over two decades.

SSL Vulnerabilities

SSL 2.0 was released in 1995 by Netscape and contained flaws that allowed man-in-the-middle attacks. SSL 3.0 followed in November 1996, addressing some of these issues, but the protocol remained vulnerable to cryptographic downgrade attacks. The POODLE attack (discovered in 2014) specifically exploited SSL 3.0’s block cipher padding, forcing browsers and servers to drop SSL 3.0 support entirely. Acunetix’s protocol timeline documents that SSL 3.0 was formally deprecated the same year POODLE was disclosed.

TLS as Secure Successor

TLS 1.0 arrived in 1999 as RFC 2246, essentially standardizing SSL 3.0 under IETF governance. Each subsequent TLS version โ€” 1.1, 1.2, and 1.3 โ€” closed specific vulnerabilities: explicit IVs, cipher suite preferences, and zero-round-trip resumption. TLS 1.3, published as RFC 8446 in 2018, eliminated obsolete features entirely and reduced handshake latency. Feisty Duck’s standards history notes that TLS 1.3 required a decade of development after TLS 1.2 to achieve its simplified design.

The upshot

For any system still configured to accept SSL: disable it immediately. Configure TLS 1.2 as a minimum floor, and enable TLS 1.3 where clients support it.

Upsides

  • TLS 1.3 reduces handshake latency to 1-2 round trips
  • Implicit TLS on dedicated ports eliminates downgrade attack window
  • TLS supports AES-256 and other modern ciphers SSL cannot use
  • Port 465 adoption growing for new SMTPS deployments
  • Certificate validation and server identity authentication built into TLS
  • HTTPS on port 443 enforced by all major browsers

Downsides

  • STARTTLS on port 587 has a plaintext window before upgrade โ€” vulnerable to downgrade
  • Port 25 relay remains unencrypted by default across many server configurations
  • Legacy systems still accepting SSL create attack surface in mixed environments
  • TLS 1.3 not yet supported by some enterprise email appliances and legacy clients
  • Certificate management and renewal adds operational overhead
  • Port 2525 ISP fallback is non-standard โ€” may behave inconsistently

Protocol and Port Reference

Three protocols, six ports, and two encryption models โ€” the full picture in one view.

Email and web encryption ports mapped to their protocols and encryption types
Port Protocol Encryption Model Primary Use
25 SMTP Opportunistic (server-to-server) Server relay only
587 SMTP Submission STARTTLS (explicit TLS) End-user email sending
465 SMTPS Implicit TLS Secure email submission
993 IMAP Implicit TLS Secure mailbox access
995 POP3 Implicit TLS Secure email retrieval
443 HTTPS Implicit TLS Encrypted web traffic

“The only difference between the two is that TLS evolved out of SSL technology and is a more secure version of SSL.”

โ€” Comodo Blog (SSL/TLS security analysis)

“Port 465 is today the recommended choice for SMTPS, as it uses Implicit TLS and offers better protection against certain attacks.”

โ€” Cloudflare (Cloud security provider)

“SSL 2.0 was the first version of SSL deployed on the public internet.”

โ€” Flarexes (Security protocol analysis)

For developers configuring email infrastructure today, the choice is clearer than it was five years ago: use port 465 with implicit TLS for new deployments, fall back to port 587 with STARTTLS for maximum compatibility, and disable SSL on every service that supports it. The TLS ecosystem has settled on strong defaults โ€” the remaining risk comes from configurations that have not been updated since the POODLE era. Staying current means auditing your cipher suites, enforcing TLS 1.2 minimum, and watching for TLS 1.3 adoption in your client base. Cloudflare and AWS both confirm that the TLS handshake improvements and cipher suite hardening in TLS 1.3 make the upgrade worthwhile for most environments.

Additional sources

emailsecurity.fortra.com, thesslstore.com, 1grid.co.za, sectigo.com

Secure configurations for SSL/TLS often hinge on grasping protocol differences and ports like 443, as outlined in detailed ports and HTTPS guide for HTTPS implementations.

Don't miss these

Frequently asked questions

What are the differences between HTTPS, SSL, and TLS?

HTTPS is HTTP running over TLS encryption on port 443. SSL is the original protocol family (deprecated), and TLS is its secure successor. SSL used MACs for integrity checks and plaintext alerts; TLS uses HMACs, encrypted alerts, and modern ciphers like AES-256. All three terms are related but describe different layers: TLS is the encryption, HTTPS is the application.

Why use port 8443 instead of 443?

Port 8443 is commonly used as an alternative HTTPS port when port 443 is unavailable or blocked โ€” for example, in development environments, certain cloud platforms, or internal networks that restrict port 443 outbound. It functions identically to port 443 but avoids conflicts with port restrictions. Production systems should default to 443.

Should I use TLS or HTTPS?

The question reflects a category mix-up: TLS is the encryption protocol; HTTPS is the application that uses it. You configure TLS in your server software, and the result of using TLS with HTTP is HTTPS. For web traffic: enable TLS and you get HTTPS automatically on port 443.

What is the SSL/TLS handshake?

The SSL/TLS handshake is the negotiation process where client and server agree on cipher suites, verify certificates, and establish encryption keys before transmitting application data. TLS 1.3 reduced this process to 1-2 round trips compared to older SSL handshakes that required multiple exchanges. The handshake determines which encryption algorithm and key length will protect the session.

What is a TLS/SSL certificate?

A TLS/SSL certificate is a digital document issued by a Certificate Authority (CA) that binds a public key to a server’s identity. Browsers and email clients verify the certificate against trusted root CAs to confirm they are connecting to the legitimate server, not an imposter. Certificates are essential for TLS authentication โ€” encryption without identity verification leaves connections vulnerable to man-in-the-middle attacks.

What are SSL protocols?

SSL protocols refer to the now-deprecated SSL 2.0 and SSL 3.0 versions released by Netscape in 1995 and 1996. These protocols contained design flaws that led to their deprecation. The current standard uses TLS versions 1.0 through 1.3. When people say “SSL protocols” in modern contexts, they almost always mean TLS โ€” the SSL brand persists colloquially even though the underlying technology has been replaced.

What is the relationship between TLS and AES 256 encryption?

AES-256 is the Advanced Encryption Standard with a 256-bit key length โ€” one of the strongest symmetric ciphers in common use. TLS supports AES-256 as a cipher suite option; SSL does not. When a TLS connection negotiates AES-256, all application data is encrypted using that algorithm with a 256-bit key, providing military-grade symmetric encryption strength for the session.

Related reading