# Port 995 (POP3S)
## Quick Info
| Field | Value |
|---|---|
| Port Number | 995 |
| Protocol | TCP |
| Service | POP3S |
| IANA Name | POP3S |
## Service Description
Port 995 (TCP) is the standard port for POP3S, which stands for Post Office Protocol version 3 over SSL/TLS. It provides a secure method for retrieving email from a mail server. Unlike the standard POP3 protocol (port 110), POP3S encrypts the entire session using SSL/TLS, protecting usernames, passwords, and email content from eavesdropping and man-in-the-middle attacks. This encryption is crucial for maintaining the confidentiality and integrity of email communications, especially when accessing email from untrusted networks.

The protocol itself is relatively simple. A client connects to the server, authenticates using a username and password, and then issues commands to list, retrieve, or delete email messages. The server responds with the requested data or error messages, all within the encrypted SSL/TLS tunnel. The connection is typically closed after all desired operations are completed.
At a technical level, the POP3S process begins with a TLS handshake. The client initiates a TLS connection with the server. The server presents its SSL/TLS certificate, which the client validates to ensure it is communicating with the legitimate mail server. The client and server negotiate encryption algorithms (cipher suites) and establish a secure, encrypted channel. After the TLS handshake is complete, the POP3 protocol begins within the secure tunnel. The client sends POP3 commands such as `USER`, `PASS`, `LIST`, `RETR`, and `DELE` to authenticate and manage emails. The server processes these commands and sends responses back to the client, all protected by the encryption provided by TLS. This ensures that the entire POP3 session, including authentication credentials and email content, is protected from interception.
## Firewall Recommendations
If you are running a POP3S server, it's crucial to only allow connections to port 995 from trusted networks or IP addresses. If POP3S is not required, the port should be blocked entirely. Implement strong SSL/TLS configurations, including the use of strong cipher suites and up-to-date certificates. Regularly update the POP3 server software to patch any known vulnerabilities. Consider implementing intrusion detection/prevention systems (IDS/IPS) to monitor for suspicious activity. Implement rate limiting to prevent brute-force attacks. Educate users about phishing attacks and the importance of verifying the server's SSL/TLS certificate. Use modern authentication methods where possible.
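One way to spot the brute-force pattern that rate limiting and IDS rules target, as an added example rather than code from this page: a sliding-window counter over failed POP3 logins per source address. The log lines are constructed and their format is an assumption; adapt `LINE_RE` to your server's real log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines (the format is an assumption, not a real server's output).
SAMPLE_LOG = """\
2024-05-01T03:14:01 pop3-login: auth failed: user=<alice>, rip=198.51.100.7
2024-05-01T03:14:09 pop3-login: auth failed: user=<alice>, rip=198.51.100.7
2024-05-01T03:14:15 pop3-login: Login: user=<carol>, rip=192.0.2.44
2024-05-01T03:14:20 pop3-login: auth failed: user=<bob>, rip=198.51.100.7
2024-05-01T03:14:31 pop3-login: auth failed: user=<bob>, rip=198.51.100.7
2024-05-01T03:14:40 pop3-login: auth failed: user=<admin>, rip=198.51.100.7
2024-05-01T08:02:10 pop3-login: auth failed: user=<dave>, rip=203.0.113.9
2024-05-01T08:45:00 pop3-login: auth failed: user=<dave>, rip=203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pop3-login: (?P<event>auth failed|Login): "
    r"user=<(?P<user>[^>]*)>, rip=(?P<ip>[0-9a-fA-F.:]+)")

def find_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: sorted usernames tried} for every source that
    produced at least `threshold` failed logins inside one sliding window."""
    recent = defaultdict(deque)  # ip -> (timestamp, user) failures still in window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["event"] != "auth failed":
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.fromisoformat(m["ts"])
        q = recent[m["ip"]]
        q.append((ts, m["user"]))
        while ts - q[0][0] > window:  # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            # Several usernames from one source suggests guessing across accounts.
            flagged.setdefault(m["ip"], set()).update(user for _, user in q)
    return {ip: sorted(users) for ip, users in flagged.items()}

if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG.splitlines()))
```

The flagged addresses can feed a firewall block list or an alert; the threshold and window are starting values to tune against normal client behaviour.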
## Security Information
While POP3S provides encryption, it's not immune to security risks. Weak SSL/TLS configurations can be exploited, such as the use of outdated or weak cipher suites. Implementation flaws in the POP3 server software can also introduce vulnerabilities. Phishing attacks can trick users into entering their POP3S credentials on fake websites, compromising their email accounts. Brute-force attacks, although somewhat mitigated by the encryption, can still be attempted against the authentication process. Man-in-the-middle attacks are less likely than with plain POP3, but can still occur if the client doesn't properly validate the server's SSL/TLS certificate or if the attacker can compromise the client's trust store. Because email accounts often contain sensitive information, POP3S servers are attractive targets for attackers seeking to gain access to personal or corporate data.
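The client-side certificate validation described here and in the handshake walkthrough above, as an added example (not code from this page or from any mail client): a Python probe that connects to port 995 with chain and hostname verification enforced, sends no credentials, and grades the negotiated TLS version and cipher. The host `mail.example.org` and the function names are assumptions.

```python
import poplib
import ssl

LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_MARKERS = ("RC4", "DES-CBC", "NULL", "EXP", "MD5")  # OpenSSL name fragments

def strict_context() -> ssl.SSLContext:
    """Client context: verify chain and hostname, refuse anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname are on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def grade_session(version: str, cipher: str) -> list[str]:
    """Findings for a negotiated (TLS version, OpenSSL cipher name) pair."""
    findings = []
    if version in LEGACY_VERSIONS:
        findings.append(f"legacy protocol {version}")
    hits = [m for m in WEAK_MARKERS if m in cipher]
    if hits:
        findings.append("weak cipher component: " + ", ".join(hits))
    # TLS 1.3 suites always use ephemeral key exchange; earlier ones must say so.
    if version != "TLSv1.3" and not cipher.startswith(("ECDHE", "DHE")):
        findings.append("no forward secrecy")
    return findings

def probe(host: str, port: int = 995, timeout: float = 10.0) -> dict:
    """Handshake, read the greeting, QUIT. No USER/PASS is sent.
    Raises ssl.SSLCertVerificationError if the certificate does not validate."""
    conn = poplib.POP3_SSL(host, port, timeout=timeout, context=strict_context())
    try:
        version = conn.sock.version()
        cipher = conn.sock.cipher()[0]
        return {"greeting": conn.getwelcome().decode(errors="replace"),
                "version": version, "cipher": cipher,
                "findings": grade_session(version, cipher)}
    finally:
        conn.quit()

if __name__ == "__main__":
    # mail.example.org is a placeholder host, not taken from the page.
    try:
        print(probe("mail.example.org"))
    except (ssl.SSLError, OSError) as exc:
        print("connection rejected:", exc)
```

With the strict context a server limited to legacy protocol versions fails the handshake outright; `grade_session` can also be applied to version and cipher pairs gathered by other tooling.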
## Known Vulnerabilities
| CVE | Name | Severity | Description |
|---|---|---|---|
| CVE-2016-9939 | Dovecot Authentication Bypass Vulnerability | High | Dovecot before 2.2.28, when auth_mechanisms contains plain, allows remote attackers to bypass authentication by using an empty password. |
| CVE-2017-14491 | Exim Buffer Overflow Vulnerability | Critical | Exim before 4.90.1 has a heap-based buffer overflow in the string_format function in string.c, which is reachable by crafting an SMTP command with a long argument, because expansion of $name is not properly handled. |
| CVE-2018-1000005 | Alpine Email Client Information Disclosure Vulnerability | Medium | Alpine versions prior to 2.21 had an information disclosure vulnerability which can potentially result in a user's password being leaked in plain text via a crafted email from a malicious server. |
| CVE-2019-1010007 | Courier-imap integer overflow | High | Courier-imap version prior to commit ID 2c581256243b74fd8a6e5c1f368098057f3c3f31 contains an Integer Overflow vulnerability in pop3d_fetchmessage() that can result in remote code execution. |
| CVE-2023-51765 | Thunderbird Remote Code Execution Vulnerability | High | A buffer overflow vulnerability in Thunderbird could potentially allow a remote attacker to execute arbitrary code on the target system. |
## Common Software
- Mozilla Thunderbird
- Microsoft Outlook
- Apple Mail
- Gmail (configured for POP3S)
- KMail
- Claws Mail
- Evolution
- SeaMonkey