Nodemailer TLS Handshake Failed in Windsurf App

Your Windsurf-generated app fails to send emails through Nodemailer with TLS handshake errors. Email functionality that worked in development breaks when deployed, or stops working suddenly after the email provider updates their security settings.

TLS (Transport Layer Security) handshake failures mean your app cannot establish a secure connection to the SMTP server. This blocks all email sending — password resets, notifications, verification emails, and any other transactional emails your app depends on.

The error may be intermittent, working sometimes and failing others, or it may fail consistently after a deployment or SMTP provider change. Common scenarios include moving from development to production, switching email providers, or the provider deprecating old TLS versions.

Error Messages You Might See

  • Error: self-signed certificate
  • Error: unable to verify the first certificate
  • Error: ESOCKET - TLS handshake failed
  • Error: Connection timeout on port 465
  • Error: SSL routines:ssl3_get_record:wrong version number

Common Causes

  • Wrong port and security combination — Cascade configured port 465 with STARTTLS (should use implicit TLS) or port 587 with direct TLS (should use STARTTLS)
  • Self-signed or expired certificate — The SMTP server's SSL certificate is self-signed, expired, or not trusted by Node.js
  • TLS version mismatch — The SMTP server requires TLS 1.2+ but the Node.js configuration allows old versions, or vice versa
  • rejectUnauthorized set incorrectly — Cascade set rejectUnauthorized: false during development to bypass cert errors, but this is insecure for production
  • Firewall blocking SMTP ports — The hosting platform (Vercel, Railway, etc.) blocks outbound SMTP connections on ports 25, 465, or 587

How to Fix It

  1. Match port to security protocol — Use port 587 with secure: false (STARTTLS upgrades automatically), or port 465 with secure: true (implicit TLS). Never use port 25 for authenticated email
  2. Verify SMTP credentials — Double-check host, port, username, and password. Many providers require app-specific passwords when 2FA is enabled
  3. Set proper TLS options — Add tls: { minVersion: 'TLSv1.2', rejectUnauthorized: true } to your Nodemailer transport configuration
  4. Test SMTP connection independently — Use the nodemailer verify() method to test the connection before sending: transporter.verify().then(console.log).catch(console.error)
  5. Use an email API instead — If your host blocks SMTP ports, switch from Nodemailer SMTP to an HTTP-based email API (SendGrid, Resend, Postmark) that uses port 443
  6. Check your hosting platform — Vercel, Netlify, and some serverless platforms block SMTP. Check their docs for email sending limitations
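
The port pairing from step 1, the TLS options from step 3 and the verify() call from step 4, combined into one added example that is not part of the original page. The function names and the smtp.example.test host are hypothetical; requireTLS is a Nodemailer option the page does not mention, set here so that mail is not sent if STARTTLS cannot be negotiated.

```javascript
// Added example (not from the original page): build and lint Nodemailer SMTP options.
const TLS_VERSIONS = ['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'];

// Derive the port/secure pairing from step 1 and the TLS options from step 3.
function buildSmtpOptions({ host, port, user, pass }) {
  const secure = port === 465;            // 465 = implicit TLS, 587 = STARTTLS
  return {
    host, port, secure,
    requireTLS: !secure,                  // refuse to send if STARTTLS cannot be negotiated
    auth: { user, pass },
    tls: { minVersion: 'TLSv1.2', rejectUnauthorized: true },
  };
}

// Return one finding per misconfiguration from the "Common Causes" list.
function lintSmtpOptions(opts) {
  const findings = [];
  const tls = opts.tls || {};
  if (opts.port === 465 && opts.secure !== true)
    findings.push('port 465 needs secure: true (implicit TLS)');
  if (opts.port === 587 && opts.secure === true)
    findings.push('port 587 needs secure: false (STARTTLS)');
  if (opts.port !== 465 && opts.secure !== true && opts.requireTLS !== true)
    findings.push('STARTTLS is optional without requireTLS: true');
  if (opts.port === 25 && opts.auth)
    findings.push('port 25 must not carry authenticated mail');
  if (tls.rejectUnauthorized === false)
    findings.push('rejectUnauthorized: false disables certificate validation');
  if (tls.minVersion && TLS_VERSIONS.indexOf(tls.minVersion) < TLS_VERSIONS.indexOf('TLSv1.2'))
    findings.push('tls.minVersion is below TLSv1.2');
  return findings;
}

// Refuse to create a transport from a config that fails the lint, then run step 4.
async function verifyTransport(opts) {
  const findings = lintSmtpOptions(opts);
  if (findings.length) throw new Error('unsafe SMTP config: ' + findings.join('; '));
  const { default: nodemailer } = await import('nodemailer'); // loaded only when called
  return nodemailer.createTransport(opts).verify();
}

// Constructed sample values; smtp.example.test is a placeholder host.
const good = buildSmtpOptions({ host: 'smtp.example.test', port: 587, user: 'app', pass: 'secret' });
const bad = { host: 'smtp.example.test', port: 465, secure: false,
              tls: { rejectUnauthorized: false, minVersion: 'TLSv1' } };
console.log(lintSmtpOptions(good)); // []
console.log(lintSmtpOptions(bad));  // three findings
```

Running the lint at startup or in CI catches a rejectUnauthorized: false left over from development before it reaches production; verifyTransport() needs the nodemailer package installed and a reachable SMTP server.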

Frequently Asked Questions

Should I use port 465 or 587 for sending email?

Use port 587 with STARTTLS for most modern SMTP providers. Port 587 starts unencrypted and upgrades to TLS. Port 465 uses implicit TLS and is the legacy standard. Set secure: false for port 587 (Nodemailer handles STARTTLS automatically) and secure: true for port 465.

Is it safe to set rejectUnauthorized: false?

No. Setting rejectUnauthorized: false disables certificate validation, making your connection vulnerable to man-in-the-middle attacks. Only use it for local development. In production, fix the certificate issue instead.
