Port reference
Port 143 (TCP) – IMAP
Mailbox-access protocol that keeps mail on the server and syncs folders to clients, cleartext by default.
Default state
Open on mail servers offering IMAP access; often exposed to the internet alongside IMAPS on 993.
Common attacks
- Cleartext credential and message capture via sniffing
- Credential brute force and password spraying
- STARTTLS stripping / downgrade to cleartext
- Credential stuffing and reuse against other services
Hardening
- Use IMAPS on port 993 (implicit TLS), or enforce STARTTLS on 143
- Disable plaintext logins; require TLS before authentication
- Add rate limiting / lockout and enforce strong passwords or MFA
- Restrict access by source IP or VPN where possible
nmap snippet
nmap -p143 --script imap-capabilities,imap-ntlm-info,banner <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 143?
Port 143 is the default port for IMAP (Internet Message Access Protocol), the mailbox-access protocol that keeps mail on the server and synchronizes folders, flags, and state across multiple clients. Unlike POP3, which downloads and removes messages, IMAP is built for always-connected, multi-device access. By default the connection on port 143 is unencrypted; the TLS-secured equivalent is IMAPS on port 993.
Why it matters for security
Plain IMAP authenticates with a cleartext username and password, and message contents also cross the network unencrypted. Anyone observing the traffic can capture credentials and read mail. Because IMAP keeps the whole mailbox on the server, a single compromised login exposes the user's entire mail history, not just newly downloaded messages. STARTTLS on port 143 is opportunistic, so an active attacker can strip it and keep the session in cleartext.
How it's attacked
The core attacks are passive sniffing of cleartext logins and message bodies, and brute force / password spraying against the mailbox. STARTTLS stripping downgrades sessions so credentials can be read. Captured or guessed credentials feed credential stuffing against webmail, VPN, and SSO, and legacy IMAP that bypasses MFA is a known vector for account takeover.
Hardening checklist
Use IMAPS on port 993 (implicit TLS) or, on port 143, enforce STARTTLS and disable plaintext logins so authentication never happens in the clear. Add rate limiting / lockout to slow brute force, enforce strong passwords or MFA, and disable legacy auth paths that bypass it. Restrict access by source IP or VPN where feasible and keep the server patched. The nmap snippet above enumerates advertised capabilities and the banner so you can spot cleartext-login support on systems you are authorized to test.
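As an added example (not part of the original page), the Python check below classifies an IMAP greeting or CAPABILITY line, collected on port 143 before any TLS negotiation, by whether authentication can still happen in the clear. The sample lines and the finding labels are constructed for illustration; STARTTLS, LOGINDISABLED, AUTH=PLAIN and AUTH=LOGIN are standard IMAP capability names.

```python
import re

# Constructed sample server lines (not captured from any real host).
SAMPLES = {
    "weak": "* OK [CAPABILITY IMAP4rev1 AUTH=PLAIN AUTH=LOGIN IDLE] ready",
    "starttls-optional": "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN IDLE",
    "hardened": "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED IDLE",
}

# Capabilities arrive either inside the greeting's response code
# ("* OK [CAPABILITY ...]") or as an untagged "* CAPABILITY ..." line.
_IN_GREETING = re.compile(r"\[CAPABILITY ([^\]]*)\]", re.I)
_UNTAGGED = re.compile(r"\*\s+CAPABILITY\s+(.*)", re.I)


def parse_capabilities(line):
    """Return the set of upper-cased capability atoms, or an empty set."""
    m = _IN_GREETING.search(line) or _UNTAGGED.match(line.strip())
    return set(m.group(1).upper().split()) if m else set()


def audit(line):
    """List hardening gaps visible in a pre-TLS capability line."""
    caps = parse_capabilities(line)
    if not caps:
        return ["no-capability-data"]
    findings = []
    if "STARTTLS" not in caps:
        # No upgrade path offered: the session can only stay cleartext.
        findings.append("no-starttls")
    if "LOGINDISABLED" not in caps:
        # The server will accept the LOGIN command without TLS.
        findings.append("cleartext-login-allowed")
    sasl = sorted(c for c in caps if c in ("AUTH=PLAIN", "AUTH=LOGIN"))
    if sasl:
        # Password-equivalent SASL mechanisms advertised before TLS.
        findings.append("plaintext-sasl-before-tls:" + ",".join(sasl))
    return findings


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(name, "->", audit(line) or "ok")
```

Feed it lines gathered from the server itself or a trusted network path: seen from an untrusted path, a missing STARTTLS may mean the capability was stripped in transit rather than never offered.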
Frequently asked questions
- Is IMAP on port 143 secure?
- Not by default. Plain IMAP on port 143 sends the username, password, and messages in cleartext. Use IMAPS on port 993 or enforce STARTTLS so the session is encrypted.
- What is the difference between port 143 and 993?
- Port 143 is plain IMAP (cleartext unless STARTTLS is negotiated). Port 993 is IMAPS, which wraps the entire session in TLS from the start, encrypting credentials and mail.