IMAP / POP3
aka Dovecot, Courier
Mail retrieval protocols on 110/143 (993/995 over TLS). Valid mailbox credentials let you read mail, and mailboxes routinely hold passwords, reset links and internal secrets, so a single reused password often cascades into other services.
Ports
| Port | Proto | Notes |
|---|---|---|
| 110 | tcp | POP3 (cleartext, STLS upgrade optional) |
| 143 | tcp | IMAP (cleartext, STARTTLS upgrade optional) |
| 993 | tcp | IMAPS (implicit TLS) |
| 995 | tcp | POP3S (implicit TLS) |
Fingerprint
- The greeting banner on connect usually names the server (Dovecot, Courier). IMAP servers typically embed the capability list in the greeting (`* OK [CAPABILITY ...]`); otherwise send `a1 CAPABILITY`. POP3 needs an explicit `CAPA`.
- nmap `--script imap-capabilities,pop3-capabilities` collects the same data; look for STARTTLS/STLS, LOGINDISABLED and the advertised AUTH= mechanisms
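Added example (not from the original page): parsing a captured IMAP greeting or POP3 CAPA reply and deciding whether a password sent on the cleartext port would be accepted. The sample greetings are constructed to match the shape Dovecot and Courier send; real capability sets differ per installation.

```python
"""Triage IMAP/POP3 capability advertisements for cleartext-login exposure.
Added example; the sample banners below are constructed, not captured."""
import re

# Constructed samples: Dovecot with ssl=required (LOGINDISABLED before TLS),
# Dovecot accepting plaintext auth, Courier, and a POP3 CAPA reply.
DOVECOT_TLS_REQUIRED = ("* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE "
                        "IDLE LITERAL+ STARTTLS LOGINDISABLED] Dovecot ready.")
DOVECOT_PLAINTEXT_OK = ("* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE "
                        "IDLE LITERAL+ STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.")
COURIER = "* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE STARTTLS] Courier-IMAP ready."
POP3_CAPA = ("+OK\r\nCAPA\r\nTOP\r\nUIDL\r\nRESP-CODES\r\nPIPELINING\r\n"
             "STLS\r\nUSER\r\nSASL PLAIN LOGIN\r\n.\r\n")


def server_name(banner: str):
    """Crude vendor fingerprint from the greeting text."""
    for name in ("Dovecot", "Courier"):
        if name.lower() in banner.lower():
            return name
    return None


def imap_capabilities(greeting: str) -> list:
    """Pull the CAPABILITY list out of the greeting's bracketed response code.
    Servers that do not embed it need an explicit `a1 CAPABILITY`."""
    m = re.search(r"\[CAPABILITY ([^\]]+)\]", greeting)
    return m.group(1).split() if m else []


def pop3_capabilities(capa_reply: str) -> list:
    """Parse a CAPA reply: '+OK' status, one capability per line, lone '.' ends it."""
    lines = capa_reply.split("\r\n")
    if not lines or not lines[0].startswith("+OK"):
        return []
    caps = []
    for ln in lines[1:]:
        if ln == ".":
            break
        caps.append(ln)
    return caps


def triage_imap(greeting: str) -> dict:
    caps = {c.upper() for c in imap_capabilities(greeting)}
    return {
        "server": server_name(greeting),
        "starttls": "STARTTLS" in caps,
        # LOGINDISABLED (RFC 2595) means LOGIN is refused until STARTTLS is done;
        # its absence on 143 means a cleartext password would be accepted.
        "cleartext_login": "LOGINDISABLED" not in caps,
        "sasl": sorted(c[len("AUTH="):] for c in caps if c.startswith("AUTH=")),
    }


def triage_pop3(capa_reply: str, banner: str = "") -> dict:
    caps = [c.upper() for c in pop3_capabilities(capa_reply)]
    sasl = [m for c in caps if c.startswith("SASL") for m in c.split()[1:]]
    return {
        "server": server_name(banner),
        "starttls": "STLS" in caps,
        # POP3 has no LOGINDISABLED: USER/PASS or SASL PLAIN/LOGIN advertised
        # before STLS means the password crosses the wire unencrypted.
        "cleartext_login": "USER" in caps or any(m in ("PLAIN", "LOGIN") for m in sasl),
        "sasl": sorted(sasl),
    }
```

Feed it the first line you get from `nc <TARGET> 143` (or the CAPA reply on 110); `cleartext_login: True` together with `starttls: True` is the case where you should still upgrade with `openssl s_client -starttls imap` before sending a real password, because the server will happily take it in the clear.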
Key files
| Path | Holds | Sensitive |
|---|---|---|
| /etc/dovecot/ (conf.d/10-auth.conf, 10-ssl.conf, dovecot-sql.conf.ext) | Dovecot config: auth backends, mail location, TLS policy | sensitive: passdb/SQL connect strings can hold database passwords |
| /var/mail/<user> or ~/Maildir | the actual mail, often full of credentials | sensitive |
Default / weak creds
user mailbox credentials, frequently reused from other services
Service users
dovecot, mail
Exploitation primitives
- Log in with found creds and read mail: password resets, onboarding emails and shared secrets live here
- Password brute force / spray against the login
- Use `openssl s_client -connect <TARGET>:993` / `:995` for the implicit-TLS ports; on 110/143 use `-starttls pop3` / `-starttls imap` to upgrade before sending credentials (servers without LOGINDISABLED will accept them in the clear)
Overview
POP3 and IMAP let clients fetch mail. They rarely have a flashy exploit; the value is that once you have (or guess) a mailbox password, the inbox itself is a credential store.
Enumeration
nc <TARGET> 110 # POP3 banner
openssl s_client -connect <TARGET>:993 -quiet # IMAPS
nmap -p110,143,993,995 --script imap-capabilities,pop3-capabilities <TARGET>
Reading mail
# POP3 (port 110). Replies start +OK or -ERR; multi-line replies end with a lone "."
USER bob
PASS <password>
LIST
RETR 1
QUIT
# IMAP (port 143). Every command carries a client-chosen tag (a1, a2, ...) that the
# server echoes in the completion line; use a fresh tag per command.
a1 LOGIN bob <password>
a2 LIST "" *
a3 SELECT INBOX
a4 FETCH 1 BODY[]
a5 LOGOUT
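The POP3 exchange above, driven from Python, plus the first exploitation primitive (grepping what comes back for reset links and credential lines). This is an added example, not code from the page; to run offline it talks to a constructed in-process POP3 server over a socketpair, and MAILBOX, PASSWORDS, the corp.example hosts and the two regexes are all made up. Point `Pop3Client` at a real `socket.create_connection((host, 110))` (or an `ssl`-wrapped socket for 995) and the client side is unchanged.

```python
"""POP3 login, LIST, RETR with correct multi-line and dot-stuffing handling,
plus a constructed server so the exchange runs offline. Added example."""
import re
import socket
import threading

# Constructed mailbox. Message 2 carries a reset link and a body line that
# starts with "." to exercise POP3 byte-stuffing (RFC 1939 section 3).
MAILBOX = {
    "bob": [
        b"From: it@corp.example\r\nSubject: welcome\r\n\r\nYour VPN login is bob / Winter2024!\r\n",
        b"From: noreply@corp.example\r\nSubject: reset\r\n\r\n"
        b"Reset here: https://sso.corp.example/reset?token=abc123\r\n"
        b".hidden line that starts with a dot\r\n",
    ]
}
PASSWORDS = {"bob": "hunter2"}  # constructed
RESET_RE = re.compile(rb"https?://\S*(?:reset|token|passw)\S*", re.I)
CRED_RE = re.compile(rb"^[^\r\n]*\b(?:password|passwd|login is)\b[^\r\n]*", re.I | re.M)


def fake_pop3_server(conn):
    """Constructed POP3 server: USER/PASS, STAT, LIST, RETR, QUIT; no STLS."""
    user, msgs = None, []
    with conn, conn.makefile("rwb") as f:
        f.write(b"+OK Dovecot ready.\r\n"); f.flush()
        while True:
            line = f.readline()
            if not line:
                break
            cmd, _, arg = line.rstrip(b"\r\n").decode().partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                user, reply = arg, b"+OK\r\n"
            elif cmd == "PASS":
                if PASSWORDS.get(user) == arg:
                    msgs, reply = MAILBOX[user], b"+OK Logged in.\r\n"
                else:
                    reply = b"-ERR [AUTH] Authentication failed.\r\n"
            elif cmd == "STAT":
                reply = b"+OK %d %d\r\n" % (len(msgs), sum(map(len, msgs)))
            elif cmd == "LIST":
                body = b"".join(b"%d %d\r\n" % (i, len(m)) for i, m in enumerate(msgs, 1))
                reply = b"+OK %d messages\r\n" % len(msgs) + body + b".\r\n"
            elif cmd == "RETR" and arg.isdigit() and 1 <= int(arg) <= len(msgs):
                # Byte-stuff: a line beginning with "." is sent with an extra "."
                lines = [b"." + ln if ln.startswith(b".") else ln
                         for ln in msgs[int(arg) - 1].splitlines()]
                reply = b"+OK\r\n" + b"".join(ln + b"\r\n" for ln in lines) + b".\r\n"
            elif cmd == "QUIT":
                f.write(b"+OK Bye\r\n"); f.flush()
                break
            else:
                reply = b"-ERR unknown or out of sequence\r\n"
            f.write(reply); f.flush()


class Pop3Client:
    """Client side: status-line checking and multi-line reply parsing."""
    def __init__(self, sock):
        self.f = sock.makefile("rwb")
        self.banner = self._status().decode().strip()

    def _status(self) -> bytes:
        line = self.f.readline()
        if not line.startswith(b"+OK"):
            raise RuntimeError(line.decode(errors="replace").strip() or "connection closed")
        return line

    def cmd(self, line: str) -> bytes:
        self.f.write(line.encode() + b"\r\n"); self.f.flush()
        return self._status()

    def multiline(self) -> list:
        """Read up to the lone '.' terminator, undoing dot-stuffing on the way."""
        out = []
        while True:
            ln = self.f.readline()
            if not ln:
                raise EOFError("server closed mid-reply")
            ln = ln.rstrip(b"\r\n")
            if ln == b".":
                return out
            out.append(ln[1:] if ln.startswith(b".") else ln)

    def login(self, user: str, password: str):
        self.cmd(f"USER {user}")
        self.cmd(f"PASS {password}")

    def list_messages(self) -> dict:
        self.cmd("LIST")
        return {int(n): int(size) for n, size in (ln.split() for ln in self.multiline())}

    def retr(self, n: int) -> bytes:
        self.cmd(f"RETR {n}")
        return b"".join(ln + b"\r\n" for ln in self.multiline())

    def close(self):
        self.f.close()


def harvest(user: str, password: str) -> dict:
    """Log in, pull every message and grep it for reset links / credential lines."""
    client_sock, server_sock = socket.socketpair()
    t = threading.Thread(target=fake_pop3_server, args=(server_sock,), daemon=True)
    t.start()
    client = Pop3Client(client_sock)
    try:
        client.login(user, password)
        messages = [client.retr(n) for n in sorted(client.list_messages())]
        client.cmd("QUIT")
    finally:
        client.close()
        client_sock.close()
        t.join(timeout=2)
    return {
        "banner": client.banner,
        "messages": messages,
        "reset_links": [m.decode() for raw in messages for m in RESET_RE.findall(raw)],
        "credential_lines": [m.decode() for raw in messages for m in CRED_RE.findall(raw)],
    }
```

The dot-unstuffing in `multiline` is the part people get wrong by hand: a message whose body line begins with "." arrives as "..", and a client that only looks for a bare "." as the terminator but does not strip the extra dot silently corrupts the mail.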
Hardening
Require TLS and refuse plaintext logins on 110/143 (so the server advertises LOGINDISABLED until STARTTLS), enforce strong, unique mailbox passwords with rate limiting or lockout against spraying, and keep credentials and reset links out of mailboxes.
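The Dovecot settings behind that sentence, as an added example (not from the page). File names are Dovecot's default `conf.d/` split; certificate paths are assumptions.

```conf
# Weak: what a default or "just make the client work" install often looks like.
# conf.d/10-auth.conf
disable_plaintext_auth = no        # LOGIN / AUTH=PLAIN accepted on 110 and 143 in the clear
auth_mechanisms = plain login
# conf.d/10-ssl.conf
ssl = yes                          # TLS offered, but optional

# Hardened
# conf.d/10-auth.conf
disable_plaintext_auth = yes       # plaintext mechanisms only after STARTTLS / on 993, 995
auth_mechanisms = plain login      # fine once TLS is mandatory
auth_failure_delay = 2 secs        # slows spraying; pair with fail2ban or similar for lockout
# conf.d/10-ssl.conf
ssl = required                     # STARTTLS mandatory on 110/143; IMAPS/POP3S on 993/995
ssl_min_protocol = TLSv1.2
ssl_cert = </etc/dovecot/private/dovecot.pem   # assumed paths
ssl_key = </etc/dovecot/private/dovecot.key
```

Caveat: Dovecot treats connections from localhost and from `login_trusted_networks` as secure and still allows plaintext auth there, so a test from the box itself will not show the LOGINDISABLED behaviour; check from a remote host.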