Skip to content

Ports 110, 143, 993, 995 IMAP POP3

mail server (sometimes also referred to as an email server) is a server that handles and delivers email over a network, usually over the Internet. When we download emails to our email application, it will connect to a POP3 or IMAP4 server on the Internet, which allows the user to save messages in a server mailbox and download them periodically.

  • By default, POP3 clients remove downloaded messages from the email server.
  • On the other hand, by default, IMAP4 clients do not remove downloaded messages from the email server.

IMAP allows online management of emails directly on the server and supports folder structures. Therefore, protocols such as IMAP must be used for additional functionalities such as hierarchical mailboxes directly at the mail server, access to multiple mailboxes during a session, and preselection of emails. IMAP is text-based and has extended functions, such as browsing emails directly on the server. It is also possible for several users to access the email server simultaneously. IMAP works unencrypted and transmits commands, emails, or usernames and passwords in plain text. Depending on the method and implementation used, the encrypted connection uses the standard port 143 or an alternative port such as 993.

POP3 only provides listing, retrieving, and deleting emails as functions at the email server. Depending on the method and implementation used, the encrypted connection uses the standard port 110 or an alternative port such as 995.

Footprinting IMAP / POP3

1
sudo nmap $ip -sV -p110,143,993,995 -sC
Port Service
TCP/25 SMTP Unencrypted
TCP/143 IMAP4 Unencrypted
TCP/110 POP3 Unencrypted
TCP/465 SMTP Encrypted
TCP/587 SMTP Encrypted/STARTTLS
TCP/993 IMAP4 Encrypted
TCP/995 POP3 Encrypted

We can use the Mail eXchanger (MX) DNS record to identify a mail server. The MX record specifies the mail server responsible for accepting email messages on behalf of a domain name. I

1
2
 host -t MX example.com
 host -t A mail.example.com

1
2
 dig mx example.do | grep "MX" | grep -v ";"
 dig mx example.com | grep "MX" | grep -v ";"

Connect to an IMAP /POP3 server

1
curl -k 'imaps://$ip' --user user:p4ssw0rd -v

To interact with the IMAP or POP3 server over SSL, we can use openssl, as well as ncat. The commands for this would look like this:

1
openssl s_client -connect $ip:pop3s

1
openssl s_client -connect $ip:imaps

1
2
# Connect to POP server with telnet
telnet @ip 110

Basic IMAP commands

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
# User's login
a LOGIN username password

# Lists all directories
a LIST "" *

# Creates a mailbox with a specified name
a CREATE "INBOX" 

# Deletes a mailbox
a DELETE "INBOX" 

# Renames a mailbox
a RENAME "ToRead" "Important"

# Returns a subset of names from the set of names that the User has declared as being active or subscribed
a LSUB "" *

# Selects a mailbox so that messages in the mailbox can be accessed
a SELECT INBOX

# Exits the selected mailbox
a UNSELECT INBOX

# Retrieves data (parts of the message) associated with a message in the mailbox
a FETCH <ID> all
# If you want to retrieve the body:
a FETCH <ID> BODY.PEEK[TEXT]

# Removes all messages with the `Deleted` flag set
a CLOSE

# Closes the connection with the IMAP server
a LOGOUT

Basic POP3 commands

1
2
# Connect to POP server with telnet
telnet @ip 110

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
# Identifies the user
USER username

# Authentication of the user using its password
PASS password

# Requests the number of saved emails from the server
STAT

# Requests from the server the number and size of all emails
LIST 

# Requests the server to deliver the requested email by ID
RETR id

# Requests the server to delete the requested email by ID
DELE id

# Requests the server to display the server capabilities
CAPA

# Requests the server to reset the transmitted information
RSET

# Closes the connection with the POP3 server
QUIT

Misconfigurations in an email server

Setting Description
auth_debug Enables all authentication debug logging.
auth_debug_passwords This setting adjusts log verbosity, the submitted passwords, and the scheme gets logged.
auth_verbose Logs unsuccessful authentication attempts and their reasons.
auth_verbose_passwords Passwords used for authentication are logged and can also be truncated.
auth_anonymous_username This specifies the username to be used when logging in with the ANONYMOUS SASL mechanism.

Installing a mail server: Evolution

1
sudo apt-get install evolution
Last update: 2024-11-03
Created: June 28, 2023 19:14:21