Port 26: The Unofficial Next Door — SMTP's Shadow

What Port 26 Does

Port 26 does nothing, officially. IANA has never assigned a service to it. No RFC defines it. No standards body governs it.

And yet, port 26 carries email.

Not because anyone designed it to, but because port 25 became a problem, and port 26 was right there. One door down. Unoccupied.

The Well-Known Range

Port 26 sits within the well-known port range (0 through 1023), the addresses reserved by the Internet Assigned Numbers Authority for established protocols and services.¹ Getting a port in this range is like getting a street address on Main Street. It is supposed to mean something.

Port 26 got the address but never got a tenant. It has been sitting empty in the directory since the port numbering system was formalized.

How Port 26 Became an Email Port

The story of port 26 is really the story of port 25.

Port 25 is SMTP, the Simple Mail Transfer Protocol, the backbone of email since 1982. Every email server on the Internet speaks SMTP on port 25. That's the standard. That's what the RFCs say.²

The problem is that spammers also love port 25. If you can reach port 25 on a mail server, you can try to relay messages through it. By the early 2000s, the spam problem had grown so severe that Internet Service Providers started doing something drastic: they blocked outbound connections on port 25 entirely.³ If you were on a residential or small business connection, your machine simply could not reach port 25 on any external server.

This stopped the spammers. It also stopped legitimate users from sending email through their own mail servers.

Hosting providers, particularly those running cPanel and WHM, needed a workaround. They needed a port that was close to 25 (easy to remember, easy to explain in support tickets), that wasn't blocked by ISPs, and that wasn't already in use.

Port 26 fit perfectly. It was unassigned, unblocked, and one digit away from the port it was substituting for.

The pattern became common enough that major hosting providers like Bluehost and many others documented it in their knowledge bases: "If you can't send email, change your SMTP port from 25 to 26."⁴

Proxmox Mail Gateway

Port 26 found its most formal unofficial adoption in Proxmox Mail Gateway, an open-source email security solution. Proxmox uses port 26 as its default internal port, the port where your internal mail server sends outgoing messages to the gateway for filtering and relay.⁵

The design is elegant in its simplicity: port 25 faces the outside world (receiving incoming email from the Internet), while port 26 faces inward (receiving outgoing email from your own servers). Two ports, one number apart, forming a clear boundary between inside and outside.

The Mirai Connection

In 2019, the SANS Internet Storm Center noticed something unusual: port 26 had climbed to the fifth most scanned port on the Internet.⁶ This was unexpected for an unassigned port.

Investigation revealed the source: Mirai botnet variants were scanning port 26 looking for IoT devices running Telnet or SSH on non-standard ports. The botnet's signature was unmistakable. Mirai uses a technique where the TCP Initial Sequence Number is set to the destination IP address, a fingerprint as distinctive as a calling card left at the scene.⁶

Device manufacturers had moved their management interfaces to port 26 thinking obscurity would provide security. The botnets followed them there.

The Right Way to Send Email Today

Port 26 was always a workaround, not a solution. The Internet Engineering Task Force defined the proper architecture years ago:

• Port 25: Server-to-server SMTP relay²
• Port 587: Authenticated email submission from clients⁷
• Port 465: Implicit TLS submission (reinstated by RFC 8314)⁸

Port 587 with STARTTLS is what your email client should be using. Port 26 is the duct tape that held things together while the industry sorted itself out.

Checking What's Listening on Port 26

To see if anything on your system is using port 26:

# macOS / Linux
sudo lsof -i :26

# Windows
netstat -an | findstr :26

# Using nmap to scan a remote host
nmap -p 26 target_host

If something is listening on port 26 and you didn't put it there, investigate. It could be a mail gateway, a legacy hosting configuration, or something that shouldn't be there at all.

Why Unassigned Ports Matter

There are 1,024 well-known ports. Not all of them have assignments. These gaps aren't wasted space. They're the Internet's reserve capacity, addresses available when the unexpected happens.

Port 26 proves the value of that reserve. When a critical service (email) ran into a real-world problem (ISP blocking), having an unassigned neighbor meant there was room to maneuver without breaking anything. No committee had to meet. No RFC had to be drafted. Sysadmins just moved one door down and kept the mail flowing.

That's the pragmatism of infrastructure. Standards matter. But so does having space to improvise when standards collide with reality.