Port reference

Port 110 (TCP) – POP3

Mail retrieval protocol that downloads messages from a server to a client, in cleartext by default.

tcp · Well-known · Commonly attacked

Default state

Open on mail servers offering POP3 access; sometimes exposed to the internet alongside POP3S on 995.

Common attacks

  • Cleartext credential and message capture via sniffing
  • Credential brute force and password spraying
  • STARTTLS stripping / downgrade to cleartext
  • Reuse of harvested credentials against other services

Hardening

  • Use POP3S on port 995 (implicit TLS), or enforce STARTTLS on 110
  • Disable plaintext logins; require TLS before authentication
  • Add rate limiting / lockout and enforce strong passwords or MFA
  • Restrict access by source IP or VPN where possible

nmap snippet

nmap -p110 --script pop3-capabilities,pop3-ntlm-info,banner <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 110?

Port 110 is the default port for POP3 (Post Office Protocol version 3), a protocol that downloads email from a mail server to a client, typically removing it from the server afterward. It is one of the two classic mailbox-access protocols alongside IMAP (port 143). By default the connection on port 110 is unencrypted; the TLS-secured equivalent is POP3S on port 995.

Why it matters for security

Plain POP3 authenticates with a cleartext username and password, and the downloaded messages also cross the network unencrypted. Anyone able to observe the traffic can capture both the credentials and the mail. Because people reuse passwords, a POP3 credential captured or guessed here is often valid elsewhere. STARTTLS on port 110 is opportunistic, so an active attacker may strip it and keep the session in cleartext.

How it's attacked

The core attacks are passive sniffing of the cleartext login and messages, and brute force / password spraying against the mailbox login. STARTTLS stripping downgrades a would-be encrypted session back to plaintext so credentials can be read. Harvested credentials are then replayed against other services (webmail, VPN, SSO) in credential-stuffing attacks.

Hardening checklist

Use POP3S on port 995 (implicit TLS) or, on port 110, enforce STARTTLS and disable plaintext logins so authentication never happens in the clear. Add rate limiting / lockout to blunt brute force, enforce strong passwords or MFA, and restrict access by source IP or VPN where feasible. Keep the mail server patched. The nmap snippet above enumerates advertised capabilities and the banner so you can spot cleartext-login support on systems you are authorized to test.
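
As an added example (not part of the original page or of nmap), the Python code below triages a raw POP3 CAPA response taken before TLS on port 110 and flags the cleartext-login signals the checklist describes. It assumes the capability names from RFC 2449 and RFC 2595, where POP3's STARTTLS command is spelled STLS; the sample responses and the finding labels are constructed for illustration.

```python
# Added example: triage a POP3 CAPA response seen BEFORE any TLS upgrade.
# Capability names per RFC 2449 (CAPA, USER, SASL) and RFC 2595 (STLS).
CLEARTEXT_SASL = {"PLAIN", "LOGIN"}  # mechanisms that transmit the password itself


def parse_capa(raw):
    """Parse a wire-format CAPA response into {CAPABILITY: [ARGS, ...]}."""
    lines = raw.replace("\r\n", "\n").split("\n")
    if not lines[0].startswith("+OK"):
        raise ValueError("server did not answer CAPA with +OK")
    caps = {}
    for line in lines[1:]:
        if line == ".":  # a lone dot terminates the multi-line response
            break
        if line.strip():
            name, *args = line.split()
            caps[name.upper()] = [a.upper() for a in args]
    return caps


def audit_pre_tls(caps):
    """Return finding labels (hypothetical names) for a pre-TLS capability list."""
    findings = []
    if "STLS" not in caps:
        # Not offered by the server, or removed in transit by a downgrade.
        findings.append("no-stls")
    if "USER" in caps:
        findings.append("cleartext-user-pass")
    weak = sorted(CLEARTEXT_SASL & set(caps.get("SASL", [])))
    if weak:
        findings.append("cleartext-sasl:" + ",".join(weak))
    return findings


# Constructed sample responses, not captured from any real server.
SAMPLES = {
    "opportunistic": "+OK Capability list follows\r\nTOP\r\nUSER\r\nSASL PLAIN LOGIN\r\nSTLS\r\n.\r\n",
    "no_tls": "+OK\r\nTOP\r\nUIDL\r\nUSER\r\n.\r\n",
    "tls_required": "+OK\r\nTOP\r\nUIDL\r\nSTLS\r\n.\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, audit_pre_tls(parse_capa(raw)) or "no cleartext login advertised")
```

An advertised capability is only what the server claims; confirming that a plaintext login is actually refused before TLS still requires a test account on a system you administer.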

Frequently asked questions

Is POP3 on port 110 secure?

Not by default. Plain POP3 on port 110 sends the username, password, and messages in cleartext. Use POP3S on port 995 or enforce STARTTLS so the session is encrypted.

What is the difference between port 110 and 995?

Port 110 is plain POP3 (cleartext unless STARTTLS is negotiated). Port 995 is POP3S, which wraps the session in TLS from the start, encrypting credentials and mail.