Port 563: NNTPS — The deprecated gateway to secure Usenet

What Runs on Port 563

Port 563 is officially assigned to NNTPS (Network News Transfer Protocol Secure)—NNTP wrapped in SSL/TLS encryption.¹ Unlike standard NNTP on port 119, which transmits newsgroup articles and commands in plaintext, NNTPS begins TLS negotiation immediately upon connection and then continues with the NNTP session inside that encrypted tunnel.²

NNTPS exists to protect Usenet traffic—the posts, the authentication credentials, the reading lists—from eavesdropping as data travels between news servers and newsreaders.

The Protocol Nobody Should Use Anymore

Here's the strange thing about port 563: it's explicitly discouraged by the very RFC that defines how to secure NNTP.

RFC 4642, published in October 2006, introduced the STARTTLS command to NNTP.³ STARTTLS lets a client connect to port 119 normally, then upgrade the connection to TLS mid-session. This approach—using one port for both plain and secure connections—became the Internet's preferred method.

RFC 4642 states directly that the dedicated TLS port approach (port 563) is discouraged in favor of STARTTLS.⁴ The separate-port method, sometimes called "wrapper mode," was how early protocols added encryption: HTTPS on 443 instead of 80, SMTPS on 465 instead of 25, NNTPS on 563 instead of 119. But this required doubling the port assignments and created operational complexity.

So port 563 exists in an odd state: officially assigned by IANA, documented in RFCs, but recommended against for nearly two decades.

Some news servers still support it. Some only support it. But the Internet moved on.

What Is Usenet, Anyway?

To understand why port 563 exists, you need to know what it was protecting.

Usenet was created in 1979 as a distributed discussion system—imagine Reddit, but decentralized, with no company in control, running on independent servers that synchronized with each other.⁵ By the mid-1980s, thousands of newsgroups covered everything from computer science to politics to weird hobbies.

NNTP, created in 1986, became the protocol that moved these discussions between servers and to newsreaders.⁶ Every article, every post, every thread traveled through NNTP.

By the time the Internet cared about encrypting this traffic, Usenet had already been eclipsed by web forums and mailing lists. Port 563 arrived late to a fading party.

How NNTPS Works (When It's Used)

When a newsreader connects to port 563:

1. TCP connection established — The three-way handshake completes
2. TLS negotiation begins immediately — No plaintext is ever sent; the client and server negotiate encryption before any NNTP commands are exchanged
3. NNTP session starts inside the encrypted tunnel — The server sends its greeting, the client authenticates if required, and articles are requested or posted
4. Everything is encrypted — Commands, article content, authentication credentials

This is conceptually simpler than STARTTLS (the connection is secure from the first byte), but it requires a separate port and separate configuration. STARTTLS on port 119 handles both secure and insecure clients with one port and one configuration.

Security Considerations

If you run a news server:

• Support STARTTLS on port 119 instead of—or in addition to—port 563
• If you must support legacy clients that only understand port 563, ensure your TLS configuration is modern (TLS 1.2 minimum, strong cipher suites)

If you're a Usenet user:

• Prefer newsreaders that support STARTTLS
• If your provider only offers port 563, it works—but it suggests older infrastructure

Port 563 itself isn't insecure—it's just the old way of doing things. The security depends on the TLS implementation, not the port number.

Checking What's Listening on Port 563

To see if anything is using port 563 on your system:

# On Linux or macOS
sudo lsof -i :563

# On Windows
netstat -ano | findstr :563

You probably won't find anything unless you run a Usenet news server or client.

To test if a remote news server has port 563 open:

openssl s_client -connect news.example.com:563

If the connection succeeds, you'll see TLS negotiation followed by an NNTP greeting like 200 news.example.com NNRP Service Ready.

Related Ports

• Port 119 — Standard NNTP (plaintext); also supports STARTTLS for encryption
• Port 433 — NNSP (Network News Synchronization Protocol), a different Usenet protocol
• Port 80/443 — Where Usenet's spiritual successors live now (web forums, Reddit, etc.)

Why This Port Matters

Port 563 is a fossil in the Internet's sediment—evidence of how we used to think about encryption.

The Internet tried the separate-port approach: one port for plain, another for secure. It made sense at first. But it didn't scale. Every protocol would need two ports, two configurations, two sets of firewall rules.

STARTTLS said: use the same port, start unencrypted if you must, upgrade to encryption if you can. Opportunistic security. One port, one configuration.

Port 563 remains assigned because IANA doesn't casually revoke assignments, and because some infrastructure still depends on it. But it's a monument to a design decision the Internet reconsidered.

Somewhere, a news server still listens on port 563, faithfully encrypting articles about obscure technical topics that three people read. The port works. It's just nobody's building new things around it.