Port 487: SAFT — The File Transfer That Waited

Port 487 sits in the well-known ports range (0-1023), officially assigned by IANA to a protocol called SAFT: Simple Asynchronous File Transfer.¹

SAFT was created in 1995 to solve a problem that feels quaint now but was real then: how do you send someone a file when they're not logged in?²

The Problem SAFT Solved

FTP was the standard for file transfer. But FTP is synchronous—both sender and receiver need to be there, logged in, coordinating. You couldn't just send a file to someone and walk away. If they weren't online, nothing happened.³

SAFT changed that. Any user could send a file to any other user without the recipient doing anything. The SAFT server received the file and either delivered it locally or stored it in a spool area where the recipient could retrieve it later.⁴

It was asynchronous handoff. Leave it at the door. They'll get it when they get it.

How SAFT Works

SAFT uses TCP on port 487. The protocol is built on a limited set of ASCII-based commands—simple enough to debug by hand.⁵

The architecture is classic client-server:

• SAFT client sends files to the SAFT server
• Server receives and routes to local recipient or spool
• Recipient retrieves files using a receive client when ready

Files could be sent compressed, PGP-encrypted, or PGP-signed. SAFT even supported sending messages—single lines of text written directly to the recipient's terminal session.⁶

There's an extension called O-SAFT that allows authenticated clients to retrieve files from remote servers, turning the flow bidirectional.⁷

The Reference Implementation

The sendfile software was created as the reference implementation for UNIX platforms. It's still available in some package repositories, a fossil from an earlier Internet.⁸

SAFT was planned to be submitted as an RFC, but there's no published RFC number in the official repository. It exists in IANA's registry, in old man pages, in the occasional firewall signature database. Documented but not standardized.⁹

Why Port 487 Matters Today

Port 487 is barely used now. Email attachments, cloud storage, file-sharing services—these all solved asynchronous file transfer in ways that scaled better and integrated with the systems people actually use.

But SAFT represents a specific moment in Internet history: the gap between FTP's synchronous demands and the always-on, always-available infrastructure we have now. There was a time when "send this file to someone who isn't here" was a hard problem that needed its own protocol and its own port.

Port 487 was the answer. It worked. Then the Internet moved on.

Security Considerations

Port 487 traffic is rare enough that any activity on it should be investigated. Some security databases flag it because trojans and malware have historically used uncommon well-known ports to hide in plain sight.¹⁰

If you see unexpected traffic on port 487, check what's listening:

# Linux/macOS
sudo lsof -i :487
sudo netstat -tulpn | grep :487

# Windows
netstat -ano | findstr :487

Most systems will show nothing. Port 487 is a door that almost nobody knocks on anymore.

Related Ports

• Port 21 — FTP control, the synchronous file transfer SAFT was designed to complement
• Port 22 — SSH/SCP, which eventually replaced both FTP and protocols like SAFT
• Port 69 — TFTP, another simple file transfer protocol for different use cases