diff --git a/default.nix b/default.nix index 2e2be2e..d3de212 100644 --- a/default.nix +++ b/default.nix @@ -877,9 +877,11 @@ in enableSubmission = mkOption { type = types.bool; - default = true; + default = false; description = '' Whether to enable SMTP with STARTTLS on port 587. + + The use of this port is discouraged per RFC 8314 3.3, see also Appendix A. ''; }; diff --git a/docs/release-notes.rst b/docs/release-notes.rst index cc6fc6b..744d2bc 100644 --- a/docs/release-notes.rst +++ b/docs/release-notes.rst @@ -11,15 +11,19 @@ NixOS 25.11 recommended in `RFC 8301 3.2`_. We recommend rotating existing keys, as the RFC advises that signatures from 1024 bit keys should not be considered valid any longer. -- DMARC reports are now sent with the ``noreply-dmarc`` localpart from the - system domain. -- IMAP access over port ``143/tcp`` is now default disabled in line with - `RFC 8314 4.1`_. Use IMAP over implicit TLS on port ``993/tcp`` instead. - If you still require this feature you can reenable it using +- IMAP access over port ``143/tcp`` is now default disabled in line + with `RFC 8314 4.1`_. Use IMAP over implicit TLS on port ``993/tcp`` + instead. If you still require this feature you can reenable it using ``mailserver.enableImap``, but it is scheduled for removal after the 25.11 release. +- SMTP access over STARTTLS on port ``587/tcp`` is now default disabled in line + with `RFC 8314 3.3`_. If you still require this feature you can renable it using + ``mailserver.enableSubmission``. +- DMARC reports are now sent with the ``noreply-dmarc`` localpart from the + system domain. .. _RFC 8301 3.2: https://www.rfc-editor.org/rfc/rfc8301#section-3.2 +.. _RFC 8314 3.3: https://www.rfc-editor.org/rfc/rfc8314#section-3.3 .. _RFC 8314 4.1: https://www.rfc-editor.org/rfc/rfc8314#section-4.1 NixOS 25.05 diff --git a/tests/lib/config.nix b/tests/lib/config.nix index 199e1b8..7a8a0b0 100644 --- a/tests/lib/config.nix +++ b/tests/lib/config.nix 
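Review bot: The description added next to `default = false` says the port is discouraged but never names the replacement, so an operator whose clients submit on 587/tcp with STARTTLS gets no pointer to implicit TLS on 465/tcp, which is what RFC 8314 3.3 recommends. I would also state when the default flipped, since this is a behaviour change on an existing option rather than a new option; something like `Whether to enable SMTP submission with STARTTLS on port 587/tcp. Disabled by default since 25.11: RFC 8314 3.3 (see also Appendix A) discourages STARTTLS on this port in favour of implicit TLS on port 465/tcp.` The release-notes hunk in this commit marks `enableImap` for removal after 25.11 but says nothing about `enableSubmission`; if the same plan applies, the description should say so, and that hunk also spells `renable`. The enclosing option set starts and ends outside the hunk.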
@@ -7,6 +7,9 @@ # Testing eval failures that result from stateVersion assertion is out of scope mailserver.stateVersion = 999; + # Keep testing submission with explicit TLS + mailserver.enableSubmission = true; + # Enable second CPU core virtualisation.cores = lib.mkDefault 2;
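Review bot: Setting `mailserver.enableSubmission = true` in the shared test config means every test runs with the old behaviour, so nothing in the suite appears to exercise the new default where 587/tcp is closed; unless a test elsewhere covers it, add one that leaves the option at its default and asserts the submission port is not listening. The comment could also say why the override exists, e.g. `# Keep testing submission with explicit TLS; the option now defaults to false (RFC 8314 3.3)`, so the override is not mistaken for the upstream default. The enclosing attribute set starts and ends outside the hunk.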