Port 587/tcp is the standards-defined port for authenticated client mail submission (MUA→MSA). RFC 6409 (STD 72) reserves it specifically so that mail *submission* from end-user clients is separated from server-to-server *relay* on port 25, letting operators apply different authentication, filtering, and policy to each. A typical 587 session opens in cleartext, the client sends EHLO and then STARTTLS (RFC 3207) to upgrade the connection to TLS, and only then authenticates via SMTP AUTH (RFC 4954); a submission server is required to implement AUTH. The main security exposure is credential brute-forcing and password-spray against the submission endpoint — Microsoft's Exchange team identifies SMTP and IMAP as the two most-targeted protocols for password spray — and the brief pre-STARTTLS window is the subject of a documented command-injection/stripping class (e.g., CVE-2021-33515 in Dovecot's submission service), which is the reason RFC 8314 prefers implicit TLS on 465. Basic-auth submission is being retired by major providers in favor of OAuth; Microsoft has announced that Basic Auth for these protocols is being removed from Exchange Online (rollout into 2026–2027). For an analyst, an open 587/tcp indicates a submission agent expecting authenticated clients; verify that STARTTLS is advertised and required before AUTH, check for cleartext-AUTH exposure, and watch authentication logs for distributed login failures indicative of password spray.
submission — "Message Submission"; reference [RFC6409]; modified 2011-11-17 [IANA-assigned] — IANA Service Name and Transport Protocol Port Number Registry