Port 143 – IMAP (Internet Message Access Protocol)

Service: imap
Protocol: TCP
Port: 143
Used for: Remote mailbox access over IMAP (usually upgraded to TLS via STARTTLS)

Why It’s Open

Port 143 is the default for IMAP — the protocol mail clients use to read and manage mailboxes on a server (unlike POP3, which downloads and deletes). Modern servers prefer IMAPS on port 993 with implicit TLS, but 143 is still commonly left open for clients that use STARTTLS to upgrade the connection. Dovecot and Cyrus are the two implementations you’ll see most often in the wild.

Common Risks

  • Cleartext auth without STARTTLS. If the server allows LOGIN before the TLS handshake, credentials are sniffable.
  • Brute-force and password spraying. IMAP is a prime target because mail accounts often reuse SSO credentials and there’s rarely rate limiting by default.
  • Banner information disclosure. Banners routinely leak the software name, version, and sometimes OS — directly feeding CVE lookups.
  • Authentication mechanism downgrade. Servers that still advertise AUTH=PLAIN over a cleartext session enable passive credential capture.
  • Mailbox exfiltration post-auth. Once credentials are obtained, an attacker can silently read and exfiltrate the entire mailbox via standard IMAP commands.


Enumeration & Testing

Nmap fingerprinting

nmap -sV -p 143 --script=imap-capabilities,imap-ntlm-info,banner <target>

Raw banner and capability probe

nc -nv <target> 143
# once connected:
a1 CAPABILITY
a2 LOGOUT

STARTTLS upgrade test

openssl s_client -connect <target>:143 -starttls imap -crlf
# then:
a1 CAPABILITY
a2 LOGIN user@example.com password
a3 LIST "" "*"
a4 LOGOUT

Brute-force with Hydra

hydra -L users.txt -P passwords.txt imap://<target> -t 4 -f
# IMAPS
hydra -L users.txt -P passwords.txt imaps://<target> -t 4 -f

Brute-force with Ncrack

ncrack -p 143 -U users.txt -P /usr/share/wordlists/rockyou.txt <target>

Metasploit modules

msfconsole -q
use auxiliary/scanner/imap/imap_version
set RHOSTS <target>
run
use auxiliary/scanner/imap/imap_enum
set RHOSTS <target>
set USERNAME <user>
set PASSWORD <pass>
run

Authenticated mailbox enumeration

# After obtaining credentials, enumerate folders and download messages
curl --url "imap://<target>:143/INBOX" --user '<user>:<pass>' --ssl --request "LIST \"\" \"*\""
curl --url "imaps://<target>/INBOX;UID=1" --user '<user>:<pass>'

What to Look For

| Checkpoint | What it means |
|---|---|
| LOGINDISABLED absent from pre-TLS capabilities | Cleartext login allowed, high severity |
| AUTH=PLAIN or AUTH=LOGIN without TLS | Passive credential capture possible |
| Banner reveals version (Dovecot, Cyrus, UW IMAP) | Check for version-specific CVEs |
| Successful brute-force | No rate limiting, account takeover |
| No STARTTLS support | Upgrade forced to IMAPS on 993 or plaintext only |
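The checkpoints in the table can be applied mechanically to the greeting or `CAPABILITY` response captured with the `nc` probe above. The following Python audit is an added example, not code from the original page or from any IMAP implementation; the three sample responses are constructed, and the finding names (`NO_STARTTLS`, `CLEARTEXT_LOGIN_ALLOWED`, and so on) are this example's own labels.

```python
"""Audit a pre-TLS IMAP greeting / CAPABILITY response against the checkpoints above."""
import re

# Constructed sample responses (not captured from any real server).
WEAK_CAPS = (
    "* OK [CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN] Dovecot ready.\r\n"
)
HARDENED_CAPS = "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready.\r\n"
NO_STARTTLS_CAPS = "* CAPABILITY IMAP4rev1 AUTH=PLAIN\r\n"

# Software names that, when present in the greeting, count as version/vendor disclosure.
SOFTWARE_RE = re.compile(r"\b(Dovecot|Cyrus|UW IMAP|IMAP4rev1 \d)", re.IGNORECASE)


def parse_capabilities(response):
    """Return the capability tokens (upper-cased) from either form the server may use:
    a [CAPABILITY ...] code inside the greeting, or an untagged '* CAPABILITY ...' line."""
    m = re.search(r"\[CAPABILITY ([^\]]+)\]", response)
    if m is None:
        m = re.search(r"^\* CAPABILITY (.+?)\r?$", response, re.MULTILINE)
    if m is None:
        return set()
    return set(m.group(1).upper().split())


def audit_pre_tls(response):
    """Evaluate a response seen BEFORE any TLS upgrade and return the findings, in a fixed order.

    An empty list means every checkpoint passed: STARTTLS offered, LOGIN refused before TLS,
    no plaintext SASL mechanisms advertised, and no software name leaked in the banner."""
    caps = parse_capabilities(response)
    findings = []
    if "STARTTLS" not in caps:
        findings.append("NO_STARTTLS")
    if "LOGINDISABLED" not in caps:
        # Without LOGINDISABLED the server accepts the LOGIN command over cleartext.
        findings.append("CLEARTEXT_LOGIN_ALLOWED")
    if caps & {"AUTH=PLAIN", "AUTH=LOGIN"}:
        # Plaintext SASL mechanisms offered pre-TLS can be captured passively.
        findings.append("PLAINTEXT_AUTH_ADVERTISED")
    if SOFTWARE_RE.search(response):
        findings.append("SOFTWARE_DISCLOSED")
    return findings


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_CAPS), ("hardened", HARDENED_CAPS), ("no-starttls", NO_STARTTLS_CAPS)):
        print(f"{label:12s} {audit_pre_tls(resp) or 'OK'}")
```

Feed it the first line returned by the `nc` probe (or the untagged reply to `a1 CAPABILITY`) and it reports which of the table's high-severity conditions hold; run it against your own mail servers after a configuration change to confirm that `LOGINDISABLED` appears and the plaintext mechanisms disappear before TLS.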

Known CVEs

  • CVE-2019-19722 — Cyrus IMAP allowall misconfiguration enables anonymous access.
  • CVE-2018-19518 — Net::IMAP::Simple Perl module argument injection leading to command execution.
  • CVE-2017-14461 — Dovecot out-of-bounds read triggered by crafted messages.
  • CVE-2021-29157 — Dovecot open redirection via crafted authentication data.
  • CVE-2024-23184 — Dovecot header parsing resource exhaustion, denial of service.

Mitigation

  • Require STARTTLS before authentication. In Dovecot: disable_plaintext_auth = yes and ssl = required.
  • Prefer IMAPS on 993 and retire plaintext 143 where client compatibility permits.
  • Enforce MFA at the mail gateway. Most modern platforms support app passwords or OAuth2 instead of legacy IMAP credentials.
  • Rate-limit authentication attempts per source IP. Dovecot supports this via auth_penalty and auth_failure_delay.
  • Monitor for geographic anomalies in successful IMAP logins — a compromise usually reveals itself via new login locations within hours.
  • Restrict banner verbosity to avoid version disclosure.
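Rate limiting and login monitoring only help if someone is actually looking at the authentication log. The detector below is an added Python example, not code from the page or from the Dovecot project; it assumes the `imap-login` line format Dovecot writes by default (`auth failed`, `user=<...>`, `rip=...`, a `TLS` token on encrypted sessions), and the log lines it runs on are constructed. It separates the two patterns the page describes: brute force (many failures against one account from one source) and password spraying (one source touching many accounts), and additionally flags failures that arrived without TLS, which should not happen once `disable_plaintext_auth = yes` is in place.

```python
"""Flag IMAP brute-force, password-spraying and cleartext login attempts in Dovecot logs."""
import re
from collections import defaultdict

# Constructed sample lines in Dovecot's imap-login format (not from a real system).
SAMPLE_LOG = """\
Mar 10 09:00:01 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.1, TLS, session=<a1>
Mar 10 09:00:03 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.1, TLS, session=<a2>
Mar 10 09:00:05 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.1, TLS, session=<a3>
Mar 10 09:00:07 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.1, TLS, session=<a4>
Mar 10 09:00:09 mail dovecot: imap-login: Aborted login (auth failed, 1 attempts in 2 secs): user=<alice>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.1, TLS, session=<a5>
Mar 10 09:01:00 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob>, method=PLAIN, rip=203.0.113.9, lip=10.0.0.1, TLS, session=<b1>
Mar 10 09:01:02 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<carol>, method=PLAIN, rip=203.0.113.9, lip=10.0.0.1, TLS, session=<b2>
Mar 10 09:01:04 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave>, method=PLAIN, rip=203.0.113.9, lip=10.0.0.1, TLS, session=<b3>
Mar 10 09:01:06 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<erin>, method=PLAIN, rip=203.0.113.9, lip=10.0.0.1, TLS, session=<b4>
Mar 10 09:02:00 mail dovecot: imap-login: Login: user=<carol>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.1, mpid=4321, TLS
Mar 10 09:02:10 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<frank>, method=PLAIN, rip=203.0.113.8, lip=10.0.0.1, session=<c1>
"""

# Matches the failed-login variants Dovecot emits and captures the account and remote IP.
FAIL_RE = re.compile(
    r"imap-login: (?:Disconnected|Aborted login) \(auth failed.*?"
    r"user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[0-9a-fA-F.:]+)"
)
TLS_RE = re.compile(r"\bTLS\b")


def parse_failures(log_text):
    """Return one dict per failed login: account tried, source IP, and whether TLS was used."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            events.append({"user": m.group("user"), "rip": m.group("rip"),
                           "tls": bool(TLS_RE.search(line))})
    return events


def detect(log_text, brute_threshold=5, spray_threshold=3):
    """Return (kind, source_ip, distinct_users, failures) tuples.

    brute_force:            one source IP, >= brute_threshold failures against a single account
    password_spray:         one source IP, failures against >= spray_threshold distinct accounts
    cleartext_auth_attempt: a failure logged without the TLS marker (plaintext auth still reachable)
    """
    failures_by_ip = defaultdict(lambda: defaultdict(int))
    cleartext_ips = set()
    for ev in parse_failures(log_text):
        failures_by_ip[ev["rip"]][ev["user"]] += 1
        if not ev["tls"]:
            cleartext_ips.add(ev["rip"])

    alerts = []
    for rip, per_user in sorted(failures_by_ip.items()):
        total = sum(per_user.values())
        if len(per_user) >= spray_threshold:
            alerts.append(("password_spray", rip, len(per_user), total))
        elif max(per_user.values()) >= brute_threshold:
            alerts.append(("brute_force", rip, len(per_user), total))
    for rip in sorted(cleartext_ips):
        per_user = failures_by_ip[rip]
        alerts.append(("cleartext_auth_attempt", rip, len(per_user), sum(per_user.values())))
    return alerts


if __name__ == "__main__":
    for kind, rip, users, fails in detect(SAMPLE_LOG):
        print(f"{kind:24s} src={rip:15s} accounts={users} failures={fails}")
```

The thresholds are deliberately low so the constructed sample triggers every branch; on a real server tune them to the volume of legitimate typos you see, and treat `cleartext_auth_attempt` as a configuration finding rather than an attack indicator, since it means the server still accepted an authentication attempt before TLS.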

Real-World Example

Microsoft and Google have both restricted or retired legacy IMAP credential auth for their consumer mail services specifically because brute-force and password spraying against IMAP was the dominant initial access vector for account takeover campaigns. For self-hosted mail infrastructure (Dovecot, Cyrus, Zimbra), IMAP brute-force remains one of the most common initial access methods observed in incident response engagements.

TL;DR

  • Service: IMAP (mailbox access)
  • Default port: 143/TCP (use 993 for IMAPS)
  • Biggest risk: credential brute-force + cleartext LOGIN without STARTTLS
  • Mitigation: require STARTTLS before auth, prefer IMAPS, enforce MFA, rate-limit