diff --git a/ChangeLog b/ChangeLog
index 0c526dc1f5..78f1666bdd 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -21,6 +21,8 @@ Changes in version 0.1.2.5-xxxx - 200?-??-??
 - Add internal descriptions for a bunch of configuration options: accessible via controller interface and in comments in saved options files.
+ - Reject *:563 (NTTPS) in the default exit policy. We already reject
+ NNTP by default, so this seems like a sensible addition.
 o Security bugfixes: - Stop sending the HttpProxyAuthenticator string to directory
diff --git a/doc/tor.1.in b/doc/tor.1.in
index 6c99c0c086..acdf008e60 100644
--- a/doc/tor.1.in
+++ b/doc/tor.1.in
@@ -542,6 +542,7 @@ either a reject *:* or an accept *:*. Otherwise, you're _augmenting_
 .IP "reject *:135-139"
 .IP "reject *:445"
 .IP "reject *:465"
+.IP "reject *:563"
 .IP "reject *:587"
 .IP "reject *:1214"
 .IP "reject *:4661-4666"
diff --git a/src/or/policies.c b/src/or/policies.c
index d318b5c9b8..29e3dd002c 100644
--- a/src/or/policies.c
+++ b/src/or/policies.c
@@ -589,7 +589,8 @@ exit_policy_remove_redundancies(addr_policy_t **dest)
 #define DEFAULT_EXIT_POLICY \
 "reject *:25,reject *:119,reject *:135-139,reject *:445," \
- "reject *:465,reject *:587,reject *:1214,reject *:4661-4666," \
+ "reject *:465,reject *:563,reject *:587," \
+ "reject *:1214,reject *:4661-4666," \
 "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"
 /** Parse the exit policy cfg into the linked list *dest. If
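Review bot: The `DEFAULT_EXIT_POLICY` macro in src/or/policies.c still has no comment saying which service each rejected port stands for, and with `*:563` added the same list is maintained by hand in doc/tor.1.in, so the two can drift apart. I would add a comment above the macro along the lines of `/* Default exit policy: 25/465/587 mail, 119/563 NNTP and NNTPS, 135-139/445 Windows RPC and file sharing, remaining ranges peer-to-peer file sharing. Keep in sync with doc/tor.1.in. */`. Judging by the man-page context visible in this diff, the default list only augments an operator's ExitPolicy when that policy does not already end in a catch-all, so relays configured with a trailing `accept *:*` presumably will not pick up the new rejection; the ChangeLog entry could say so. That entry also spells the protocol "NTTPS" where NNTPS appears to be meant.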