Skip to content
PortsDB

Port reference

Port 995 (TCP) – POP3S

POP3S — POP3 mail retrieval encrypted with implicit TLS from connect.

tcpWell-known

Default state

Open on mail servers offering secure POP3. Usually exposed to the internet so clients can download mail over TLS.

Common attacks

  • Credential brute force and password spraying against POP3 login
  • Weak/deprecated TLS exploitation and downgrade
  • Account takeover via leaked/reused credentials
  • Legacy/basic-auth abuse bypassing MFA

Hardening

  • Require TLS 1.2/1.3 and disable weak ciphers and old protocols
  • Use strong, unique passwords and enforce MFA / OAuth where possible
  • Rate-limit logins and lock out brute force; alert on anomalies
  • Disable legacy/basic auth and prefer IMAPS where suitable
  • Keep the POP3 server patched and use valid certificates

nmap snippet

nmap -p995 --script pop3-capabilities,ssl-enum-ciphers,ssl-cert <target>

Replace <target> with the host or range you're authorized to scan.

What runs on port 995?

Port 995 is POP3S — POP3 over implicit TLS. It is the secure version of POP3 (the protocol that downloads mail from a server to a client, typically removing it from the server), encrypted from the moment the connection opens. It is the TLS counterpart of plain POP3 on port 110, and clients use it to retrieve mail over an always-encrypted channel.

Why it matters for security

POP3S protects messages and credentials in transit, but as with all mail access the login is the target. A compromised POP3 account exposes downloaded mail and is mined for password resets and sensitive data. Because access depends on a single password, weak TLS or weak credentials on 995 lead directly to account takeover, and basic-auth POP3 is a frequent way to bypass MFA.

How it's attacked

The main attacks are credential brute force and password spraying against POP3 login and account takeover with leaked or reused passwords. Attackers exploit weak or deprecated TLS to read or downgrade the session, and abuse legacy/basic authentication that bypasses modern MFA controls, making POP3 a favoured channel for stealthy mailbox access.

Hardening checklist

Require TLS 1.2/1.3 with strong ciphers and a valid certificate. Enforce strong, unique passwords and MFA / OAuth, and disable legacy or basic auth that bypasses MFA. Rate-limit logins, lock out brute force, and alert on anomalies. Prefer IMAPS (993) for multi-device use, and keep the POP3 server patched. The nmap snippet enumerates POP3 capabilities and inspects TLS and the certificate on systems you are authorized to test.

Related ports

Port 110Port 993Port 465Port 587

Frequently asked questions

What is the difference between port 995 and 110?
Port 110 is plain POP3 (optionally upgraded with STARTTLS); port 995 is POP3S, encrypted with implicit TLS from connect. Use 995 to keep the session always encrypted.
Should I use POP3S (995) or IMAPS (993)?
POP3 downloads and often deletes mail from the server; IMAP keeps it synchronised across devices. For multi-device access prefer IMAPS (993); either way enforce TLS and MFA.