Ports 110, 143, 993, 995 IMAP POP3
A mail server (sometimes also referred to as an email server) is a server that handles and delivers email over a network, usually over the Internet. When we download emails to our email application, it will connect to a POP3 or IMAP4 server on the Internet, which allows the user to save messages in a server mailbox and download them periodically.
- By default,
POP3clients remove downloaded messages from the email server. - On the other hand, by default,
IMAP4clients do not remove downloaded messages from the email server.
IMAP allows online management of emails directly on the server and supports folder structures. Therefore, protocols such as IMAP must be used for additional functionalities such as hierarchical mailboxes directly at the mail server, access to multiple mailboxes during a session, and preselection of emails. IMAP is text-based and has extended functions, such as browsing emails directly on the server. It is also possible for several users to access the email server simultaneously. IMAP works unencrypted and transmits commands, emails, or usernames and passwords in plain text. Depending on the method and implementation used, the encrypted connection uses the standard port 143 or an alternative port such as 993.
POP3 only provides listing, retrieving, and deleting emails as functions at the email server. Depending on the method and implementation used, the encrypted connection uses the standard port 110 or an alternative port such as 995.
Footprinting IMAP / POP3
| Port | Service |
|---|---|
TCP/25 |
SMTP Unencrypted |
TCP/143 |
IMAP4 Unencrypted |
TCP/110 |
POP3 Unencrypted |
TCP/465 |
SMTP Encrypted |
TCP/587 |
SMTP Encrypted/STARTTLS |
TCP/993 |
IMAP4 Encrypted |
TCP/995 |
POP3 Encrypted |
We can use the Mail eXchanger (MX) DNS record to identify a mail server. The MX record specifies the mail server responsible for accepting email messages on behalf of a domain name. I
Connect to an IMAP /POP3 server
To interact with the IMAP or POP3 server over SSL, we can use openssl, as well as ncat. The commands for this would look like this:
Basic IMAP commands
# User's login
a LOGIN username password
# Lists all directories
a LIST "" *
# Creates a mailbox with a specified name
a CREATE "INBOX"
# Deletes a mailbox
a DELETE "INBOX"
# Renames a mailbox
a RENAME "ToRead" "Important"
# Returns a subset of names from the set of names that the User has declared as being active or subscribed
a LSUB "" *
# Selects a mailbox so that messages in the mailbox can be accessed
a SELECT INBOX
# Exits the selected mailbox
a UNSELECT INBOX
# Retrieves data (parts of the message) associated with a message in the mailbox
a FETCH <ID> all
# If you want to retrieve the body:
a FETCH <ID> BODY.PEEK[TEXT]
# Removes all messages with the `Deleted` flag set
a CLOSE
# Closes the connection with the IMAP server
a LOGOUT
Basic POP3 commands
# Identifies the user
USER username
# Authentication of the user using its password
PASS password
# Requests the number of saved emails from the server
STAT
# Requests from the server the number and size of all emails
LIST
# Requests the server to deliver the requested email by ID
RETR id
# Requests the server to delete the requested email by ID
DELE id
# Requests the server to display the server capabilities
CAPA
# Requests the server to reset the transmitted information
RSET
# Closes the connection with the POP3 server
QUIT
Misconfigurations in an email server
| Setting | Description |
|---|---|
auth_debug |
Enables all authentication debug logging. |
auth_debug_passwords |
This setting adjusts log verbosity, the submitted passwords, and the scheme gets logged. |
auth_verbose |
Logs unsuccessful authentication attempts and their reasons. |
auth_verbose_passwords |
Passwords used for authentication are logged and can also be truncated. |
auth_anonymous_username |
This specifies the username to be used when logging in with the ANONYMOUS SASL mechanism. |