Port reference
Port 993 (TCP) – IMAPS
IMAPS — IMAP mailbox access encrypted with implicit TLS from connect.
Default state
Open on mail servers offering secure IMAP. Usually exposed to the internet so clients can read mail over TLS.
Common attacks
- Credential brute force and password spraying against IMAP login
- Weak/deprecated TLS exploitation and downgrade
- Account takeover via leaked/reused credentials
- Legacy/basic-auth abuse bypassing MFA
Hardening
- Require TLS 1.2/1.3 and disable weak ciphers and old protocols
- Use strong, unique passwords and enforce MFA / OAuth where possible
- Rate-limit logins and lock out brute force; alert on impossible travel
- Disable legacy/basic auth that bypasses MFA
- Keep the IMAP server patched and use valid certificates
nmap snippet
nmap -p993 --script imap-capabilities,ssl-enum-ciphers,ssl-cert <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 993?
Port 993 is IMAPS — IMAP over implicit TLS. It is the secure version of IMAP (the protocol for reading and managing server-side mailboxes), encrypted from the moment the connection opens. It is the TLS counterpart of plain IMAP on port 143, and mail clients use it to fetch and synchronise mail over an always-encrypted channel.
Why it matters for security
IMAPS protects mailbox contents and credentials in transit, but the login itself is the prize: an IMAP account exposes a user's entire mail history, which attackers mine for password resets, financial data, and lateral access. Because access is gated by a single password, weak TLS or weak credentials on 993 directly translate to account takeover.
How it's attacked
The dominant attacks are credential brute force and password spraying against IMAP login, and account takeover using leaked or reused passwords. Attackers exploit weak or deprecated TLS to read or downgrade the connection, and abuse legacy/basic authentication that bypasses MFA — a common path to compromising even MFA-protected mailboxes.
Hardening checklist
Require TLS 1.2/1.3 with strong ciphers and a valid certificate. Enforce strong, unique passwords and MFA / OAuth, and disable legacy or basic auth that bypasses MFA. Rate-limit logins, lock out brute force, and alert on impossible-travel sign-ins. Keep the IMAP server patched. The nmap snippet enumerates IMAP capabilities and inspects TLS and the certificate on systems you are authorized to test.
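The brute-force and password-spraying patterns described above leave different footprints in failed-login logs, which is what rate limiting and lockout rules key on. The following is an added example, not part of the original page, that separates the two per source IP. It assumes log lines modelled on Dovecot's imap-login format, that the lines passed in cover one time window, and hypothetical names and thresholds (classify, spray_users, brute_attempts); all sample lines are constructed.

```python
import re
from collections import defaultdict

# Failed-login pattern for a Dovecot-style imap-login line (assumed format;
# adapt the regex to your own server's log layout).
FAIL = re.compile(r"imap-login: .*?\(auth failed, (\d+) attempts[^)]*\): "
                  r"user=<([^>]*)>.*?\brip=([^,\s]+)")

def _line(ip, user, attempts=1):
    """Build one constructed failed-login line for the sample data."""
    return (f"Jan 10 09:00:00 mx1 dovecot: imap-login: Disconnected "
            f"(auth failed, {attempts} attempts in 4 secs): user=<{user}>, "
            f"method=PLAIN, rip={ip}, lip=192.0.2.10, TLS")

# Constructed sample (documentation IP ranges), treated as one time window.
SAMPLE = (
    [_line("203.0.113.7", u) for u in ("alice", "bob", "carol", "dave")]
    + [_line("198.51.100.9", "erin", 3), _line("198.51.100.9", "erin", 4)]
    + [_line("192.0.2.55", "frank")]  # a single mistyped password
    + ["Jan 10 09:00:05 mx1 dovecot: imap-login: Login: user=<alice>, "
       "method=PLAIN, rip=192.0.2.77, lip=192.0.2.10, TLS"]  # success
)

def classify(lines, spray_users=3, brute_attempts=5):
    """Map source IP -> 'spray' or 'brute-force' for IPs over a threshold."""
    per_ip = defaultdict(lambda: defaultdict(int))  # ip -> user -> failures
    for line in lines:
        m = FAIL.search(line)
        if m:
            attempts, user, ip = int(m.group(1)), m.group(2).lower(), m.group(3)
            per_ip[ip][user] += attempts
    verdicts = {}
    for ip, users in per_ip.items():
        if len(users) >= spray_users:          # few guesses, many accounts
            verdicts[ip] = "spray"
        elif max(users.values()) >= brute_attempts:  # many guesses, one account
            verdicts[ip] = "brute-force"
    return verdicts

if __name__ == "__main__":
    for ip, kind in sorted(classify(SAMPLE).items()):
        print(f"{ip}\t{kind}")
```

Per-account lockout alone catches the brute-force source but not the spray source, which stays under any single account's failure limit; counting distinct usernames per source IP is what surfaces it.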
Frequently asked questions
- What is the difference between port 993 and 143?
  Port 143 is plain IMAP (optionally upgraded with STARTTLS); port 993 is IMAPS, encrypted with implicit TLS from connect. Use 993 to guarantee the session is always encrypted.
- Is port 993 secure?
  The TLS transport is secure when configured well, but the account itself can still be brute-forced or phished. Enforce strong TLS plus strong passwords and MFA.