SMTP Port 25 Encryption: Default Plaintext vs STARTTLS Implementation for MTA Security

Port 25 remains the standard TCP port for SMTP communication between Mail Transfer Agents (MTAs). By default, this port operates in plaintext mode, meaning email contents and authentication credentials are transmitted without encryption. This design stems from SMTP's original RFC 821 specification (1982) when security wasn't a primary concern.

Modern implementations support opportunistic TLS through the STARTTLS extension (RFC 3207). This creates an encryption layer after the initial plaintext handshake:

# Example SMTP session with STARTTLS
S: 220 mail.example.com ESMTP
C: EHLO client.example.org
S: 250-mail.example.com
S: 250-STARTTLS
S: 250 SIZE 10485760
C: STARTTLS
S: 220 Ready to start TLS
# TLS negotiation occurs here
# Subsequent communication encrypted

When programming email clients or servers, consider these security aspects:

  • Port 25 connections begin unencrypted by default
  • STARTTLS provides encryption but is vulnerable to MITM attacks during initial handshake
  • Many modern MTAs (Postfix, Exim) implement strict TLS policies via MTA-STS (RFC 8461)

For Postfix servers, ensure proper TLS configuration:

# /etc/postfix/main.cf
smtpd_tls_security_level = may
smtpd_tls_cert_file = /etc/ssl/certs/mailserver.pem
smtpd_tls_key_file = /etc/ssl/private/mailserver.key
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes

Developers can verify TLS support using OpenSSL:

openssl s_client -starttls smtp -connect mail.example.com:25 -crlf
# Check for "250-STARTTLS" in server response

While port 25 supports STARTTLS, consider these alternatives for specific use cases:

  • Port 465 (SMTPS): Implicit TLS (deprecated but still used)
  • Port 587 (Submission): Mandates STARTTLS for client submissions

Modern applications should implement DANE (RFC 6698) or MTA-STS to prevent downgrade attacks and enforce TLS policies.


Port 25 is the traditional port for SMTP (Simple Mail Transfer Protocol) communication between Mail Transfer Agents (MTAs). By default, SMTP communications on port 25 begin as plaintext, following the original RFC specifications.

C: telnet mail.example.com 25
S: 220 mail.example.com ESMTP
C: EHLO client.example.org
S: 250-mail.example.com
S: 250-STARTTLS
S: 250 SIZE 10485760

While the initial connection is unencrypted, modern MTAs implement Opportunistic TLS through the STARTTLS extension (RFC 3207). This allows encryption to be negotiated during the SMTP session:

C: STARTTLS
S: 220 Ready to start TLS
[SSL/TLS negotiation occurs]
[All subsequent communication is encrypted]

Several important points about port 25 security:

  • The STARTTLS command must be explicitly requested by the client
  • Both client and server must support STARTTLS for encryption to work
  • There's no guarantee the other MTA will support encryption
  • Some networks may block port 25 entirely due to spam concerns

For guaranteed encryption, many organizations now use:

  • Port 465 (SMTPS): Implicit TLS from connection start
  • Port 587 (Submission): Often mandated to use STARTTLS

You can verify a server's STARTTLS support using OpenSSL:

openssl s_client -connect mail.example.com:25 -starttls smtp

Here's how to implement STARTTLS in Python using smtplib:

import smtplib

smtp = None  # defined before try so the finally block cannot hit a NameError
try:
    smtp = smtplib.SMTP('mail.example.com', 25)
    smtp.ehlo()
    if smtp.has_extn('STARTTLS'):
        smtp.starttls()
        smtp.ehlo()  # Re-identify after TLS; the capability list may change
    # Continue with mail sending...
except (smtplib.SMTPException, OSError) as e:
    # OSError covers connection refused and timeouts, which are not SMTPExceptions
    print(f"Error: {e}")
finally:
    if smtp is not None:
        smtp.quit()
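As an added example that belongs to neither answer above: it parses the multi-line EHLO reply shown in the sessions into a capability map, applies a fail-closed STARTTLS policy (the downgrade case both answers mention), and wires that policy into smtplib with certificate verification, which `starttls()` does not do on its own. The host name `mail.example.com` and the sample reply are constructed.

```python
import smtplib
import ssl

# Constructed EHLO reply in the shape of the sessions quoted above.
SAMPLE_EHLO_REPLY = (
    b"250-mail.example.com\r\n"
    b"250-STARTTLS\r\n"
    b"250 SIZE 10485760\r\n"
)

def parse_ehlo(reply: bytes) -> dict:
    """Return {keyword: params} from a multi-line 250 reply (RFC 5321 4.1.1.1).

    Keys are lowercased to match smtplib's esmtp_features. The first line is
    the greeting domain, not a capability; '250-' continues, '250 ' ends.
    """
    caps = {}
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        if not line.startswith("250"):
            raise ValueError(f"unexpected reply line: {line!r}")
        keyword, _, params = line[4:].strip().partition(" ")
        caps[keyword.lower()] = params
    return caps

def tls_policy_allows(caps: dict, enforce: bool) -> bool:
    """enforce=False is opportunistic TLS (Postfix 'may'): proceed either way.
    enforce=True fails closed, so a reply with '250-STARTTLS' stripped out
    cannot downgrade the client to plaintext.
    """
    return "starttls" in caps or not enforce

def open_enforced_session(host: str, port: int = 25) -> smtplib.SMTP:
    """Connect, require STARTTLS and verify the server certificate.
    smtplib's starttls() without a context does not validate the peer
    certificate; ssl.create_default_context() adds CA and hostname checks.
    """
    smtp = smtplib.SMTP(host, port, timeout=30)
    try:
        smtp.ehlo()
        if not tls_policy_allows(smtp.esmtp_features, enforce=True):
            raise smtplib.SMTPException("no STARTTLS offered; refusing plaintext")
        smtp.starttls(context=ssl.create_default_context())
        smtp.ehlo()  # capabilities can differ once encrypted; re-read them
        return smtp
    except Exception:
        smtp.close()
        raise
```

`open_enforced_session` needs a reachable MTA; the two parsing and policy functions run offline against the constructed reply.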