SMTP

SMTP error: connection to server failed

No TCP socket ever opened to your SMTP host. Verify the host and port, test with telnet or openssl, and match STARTTLS on 587 or implicit TLS on 465.

Updated Jul 1, 2026

The short answer

"SMTP error: connection to server failed" is a transport-level failure: your mail client could not open a TCP socket to the SMTP host, so no SMTP conversation ever began. It is not an RFC 5321 reply code. The usual causes are a wrong host/port, an ISP, firewall, or cloud security group blocking outbound SMTP, or a TLS mode mismatch. Fix it by verifying the host and port, testing connectivity with telnet/openssl, and matching STARTTLS (587) or implicit TLS (465).

This error appears in client libraries like PHPMailer ("SMTP connect() failed" / "Failed to connect to server"), Nodemailer (ECONNREFUSED, ETIMEDOUT), and Python smtplib. It means your application tried to open a TCP socket to the SMTP host and failed before any email protocol exchange happened — the server never returned the 220 greeting that RFC 5321 §3.1 requires to start a session. Because the failure is at the network/transport layer, the message is not a standard 3-digit SMTP reply code; treat it as a connectivity problem, not a mail-content or authentication rejection.

What causes "connection to server failed"?

  • Wrong host or port. The hostname doesn't resolve, or you're pointing at a port the server doesn't listen on. Valid submission ports are 587 (STARTTLS) and 465 (implicit TLS / SMTPS) — both are current and standardized (RFC 8314); 465 is not deprecated. Port 25 is for server-to-server relay and is widely blocked for client submission.
  • Outbound SMTP blocked. Residential ISPs, shared hosts (GoDaddy blocks 25/465/587 to external hosts), and cloud providers commonly block outbound SMTP. On AWS, EC2 throttles outbound port 25 by default — Amazon SES recommends using 587 or 465, or requesting the restriction be lifted.
  • Firewall / security group / network ACL. On a server or container, the outbound rule for the SMTP port is missing. For EC2 + SES, the security group and network ACL must allow outbound TCP to 25/587/465 and the ACL must allow inbound ephemeral ports 1024–65535.
  • TLS mode mismatch. Using implicit TLS settings on a STARTTLS port (or vice-versa) causes the handshake to fail. STARTTLS pairs with 587; implicit TLS (SMTPS) pairs with 465. In PHPMailer use ENCRYPTION_STARTTLS+587 or ENCRYPTION_SMTPS+465 — don't mix them.
  • Missing OpenSSL / DNS / IPv6 issues. The client's OpenSSL extension isn't enabled, DNS doesn't resolve the host, or the provider blocks SMTP over IPv6 while allowing IPv4 (seen on DigitalOcean) — forcing the IPv4 address resolves it.

How do I fix "connection to server failed"?

  1. Confirm the host and port against your provider's docs. Use a submission port: 587 (STARTTLS) or 465 (implicit TLS), not 25 for app submission.
  2. Test raw connectivity from the sending machine — this isolates a network block from a code bug:
# STARTTLS port
telnet smtp.example.com 587
# implicit TLS port — should print the 220 greeting and a cert
openssl s_client -connect smtp.example.com:465

If telnet/openssl hang or are refused, the problem is a firewall, ISP, security group, or host block — fix the network path, not your code.

  1. Open the outbound port. On a cloud host, allow outbound TCP to your SMTP port in the security group/firewall (and ephemeral inbound on a network ACL). On AWS EC2 with port 25, switch to 587/465 or request removal of the port-25 throttle.
  2. Match the TLS mode to the port (587→STARTTLS, 465→implicit TLS) and confirm the OpenSSL/TLS library is enabled in your runtime.
  3. Get a protocol transcript. Enable client debug — PHPMailer $mail->SMTPDebug = SMTP::DEBUG_SERVER;, Nodemailer { logger: true, debug: true } — to see exactly where the socket fails.
  4. Authenticate correctly afterward. A successful connection can still fail at login. For Gmail/Google Workspace, "Less Secure Apps" was removed in 2022 — use an App Password (with 2-Step Verification) or OAuth2, not your normal password.

If you're sending through Courier, you don't manage SMTP sockets directly — configure your email provider in the Courier dashboard and Courier handles the connection, retries, and TLS to the provider's API/SMTP endpoint.

FAQ

Common questions

No. It's a transport-level (TCP socket) failure raised by your mail client before any SMTP dialogue starts, so the server never sends the 220 greeting. It is not one of the 3-digit reply codes defined in RFC 5321 — treat it as a network/connectivity problem, not a mail rejection.

One API, every provider

Stop debugging raw provider errors

Courier connects to your email, SMS, and push providers, handles retries and failover, and surfaces delivery errors in plain language.

Reply-code definitions per RFC 5321 §3.1. Last reviewed Jul 1, 2026. Courier is not affiliated with third-party providers; error behavior may vary by implementation.