NIP-4: Nym exit policy update - opening port 587
| ID | title | created | status | kind | author(s) | champions |
|---|---|---|---|---|---|---|
| NIP-4 | Nym exit policy update - opening port 587 | 2025-12-04 | proposed | standard | serinko, Nym network technical lead & devrel serinko@nymtech.net , Jaya, Chief of strategy jaya@nymtech.net | Harry Halpin, CEO , Sudo, Head of community simon.toth@nymtech.net |
NIP-4 proposes to update Nym exit policy by opening an access via port 587 to allow NymVPN users to secure SMTP to send email from NymVPN.
Motivation
SMTP, or Simple Mail Transfer Protocol, uses specific ports for sending emails. The most common ports are 25, 465, and 587, with port 587 being recommended for secure email submission. Port 587 is currently not allowed by Nym exit policy. This causes usability problems for people using NymVPN, making it very difficult to securely send emails via the Nym network.
This proposed change to the exit policy will happen via operator governance, in the same manner as previous changes to the exit policy:
Since Nym Improvement Proposal number 1 (NIP-1), the governance is done via governator.nym.com.
Proposal to enable port 587 for NymVPN users
We propose to open up these ports for Mixnet and Wireguard exit policies:
*:587
Voting options
Voting takes place at Nym Governator. These are the options to choose from:
- YES - I agree to enable SMTP port
587for Nym exit policy - NO - I don’t want to open SMTP port
587for Nym exit policy
Process
If the vote meets needed quorum and majority of votes will be for the opening, a pull request will be issued to change the exit policy, which will take an immediate effect.
Secondly Network tunnel manager (NTM) will be updated so operators can use the tool to open the port on their nodes for WireGuard exit policy to match the Mixnet one.
Background
In an initial technical setup, Network Requesters acted as proxies, and only made requests that match an allow list. This was an IP-based list of domains allowed by default. It was stored at Nym page in a centralized fashion and possibly re-defined by any Network Requester operator.
To decentralize and enable privacy for a broader range of services, Nym transitioned from an allow list to a deny list, thus creating a Nym exit policy.
This was done in an effort to protect Nym node operators, as Nym nodes in Exit Gateway mode act both as SOCKS5 Network Requesters and exit nodes for IP traffic from the Nym Anonymous (mixnet) mode and VPN clients (with both wrapped in the same app).
This policy remains the same for all the nodes, without any option to modify it by Nym node operators individually, to secure stable and reliable service for end users.