Port 25/tcp is the original home of the Simple Mail Transfer Protocol and remains the channel for server-to-server mail relay (MTA→MTA) and final delivery across the internet. SMTP is a text-based "push" protocol — a client issues HELO/EHLO, MAIL FROM, RCPT TO, and DATA, and the server accepts or rejects the message — and on port 25 that exchange happens between mail servers reached via DNS MX records, not between an end user's client and their provider. Crucially, since RFC 6409 and RFC 8314, port 25 is *not* intended for authenticated client submission; that role belongs to 587 (STARTTLS) and 465 (implicit TLS). Encryption on 25 is opportunistic via STARTTLS (RFC 3207), optionally enforced with MTA-STS or DANE, and server-to-server trust rests on SPF/DKIM/DMARC rather than credentials. Historically port 25 was the internet's principal spam and malware vector: open-relay misconfigurations let anyone send mail through a server, and large spam botnets delivered directly to MX hosts on 25 — which is why residential ISPs almost universally block outbound 25 (the Spamhaus/M3AAWG "port 25 management" practice). For an analyst, an open 25/tcp usually indicates an inbound MTA or mail gateway; the high-value triage steps are banner-grabbing the server software, testing for an open relay, checking whether STARTTLS is offered, and confirming AUTH is not exposed in cleartext.
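The STARTTLS and cleartext-AUTH checks above, as an added Python example (not from the original page): it parses a captured pre-TLS greeting and EHLO reply and reports what the server advertises. The transcript, the host name `mx1.example.net` and the function names are constructed for illustration.

```python
import re

# Constructed sample: greeting and pre-TLS EHLO reply from a hypothetical MTA.
SAMPLE = """\
220 mx1.example.net ESMTP Postfix (Debian)
250-mx1.example.net
250-PIPELINING
250-SIZE 52428800
250-AUTH PLAIN LOGIN
250-8BITMIME
250 SMTPUTF8
"""

REPLY = re.compile(r"^(\d{3})(?:([ -])(.*))?$")

def parse_replies(text):
    """Group multiline SMTP replies (RFC 5321, 4.2.1) into (code, [lines])."""
    replies, current = [], None
    for raw in text.splitlines():
        m = REPLY.match(raw)
        if not m:
            continue  # skip anything that is not a reply line
        code, sep, rest = int(m.group(1)), m.group(2) or " ", m.group(3) or ""
        if current is None or current[0] != code:
            current = (code, [])
            replies.append(current)
        current[1].append(rest)
        if sep == " ":
            current = None  # a space after the code closes the reply
    return replies

def triage(text):
    """Return banner, advertised extensions and findings for a pre-TLS session."""
    replies = parse_replies(text)
    banner = next((lines[0] for code, lines in replies if code == 220), None)
    ehlo = next((lines for code, lines in replies if code == 250), [])
    ext = {}
    for line in ehlo[1:]:  # the first 250 line is the server's own domain
        parts = [p for p in re.split(r"[ =]+", line) if p]  # also legacy "AUTH=..."
        if parts:
            ext[parts[0].upper()] = [p.upper() for p in parts[1:]]
    findings = []
    if "STARTTLS" not in ext:
        findings.append("no STARTTLS offered: relay traffic stays in cleartext")
    if "AUTH" in ext:
        findings.append("AUTH advertised before TLS: " + " ".join(ext["AUTH"]))
    return {"banner": banner, "extensions": ext, "findings": findings}
```

A reply that lists STARTTLS and no AUTH line before the TLS upgrade yields an empty findings list.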
smtp — "Simple Mail Transfer"; reference [RFC-ietf-emailcore-rfc5321bis-43] (the in-progress RFC 5321bis revision the registry currently tracks); assignee IESG/IETF Chair; modified 2017-06-05. Governing published standard: RFC 5321 [IANA-assigned] — IANA Service Name and Transport Protocol Port Number Registry