Ports

Port 110: POP3

Legacy style mailbox download. Plaintext by default unless upgraded to TLS.

Where you will see it: You will see this in scans, firewall rules, vulnerability reports, and service configs. Treat open ports as exposure points and verify the service is expected, hardened, and restricted.

What it is

TCP port 110 is used by POP3, a legacy protocol for retrieving email from a mailbox. A port is a transport layer number used together with an IP address and a protocol such as TCP or UDP to direct traffic to the correct service on a host. A server process binds a socket to a port and listens, while a client typically chooses an ephemeral source port for outbound connections.

The combination of source and destination IP addresses, source and destination ports, and the transport protocol uniquely identifies a flow so the operating system can keep many conversations separate. Firewalls, NAT, and scanners talk about ports because the destination port is the stable rendezvous point that exposes a service to the network.

A POP3 server listens on 110, and a mail client connects from an ephemeral source port, completes the TCP handshake, and then authenticates and issues commands to list and retrieve messages. The typical POP model is download and optionally delete, meaning the client often pulls mail onto one device rather than keeping state synchronized across devices as IMAP does.

Without encryption, POP3 sends credentials and message contents in cleartext, which is why secure variants use TLS via STARTTLS or the implicit TLS port 995. From a security angle, exposed POP3 services are frequent targets for password spraying and credential stuffing, since a successful login can directly expose mailbox content.

How it works in broad strokes

  1. Client connects to the server and authenticates with a username and password.
  2. Client lists messages, retrieves selected messages, and optionally deletes them.
  3. Session ends and the server commits deletions, while local mail storage becomes the source of truth.

Concrete example

A printer uses POP3 on 110 to fetch jobs from a mailbox. If the connection is not encrypted, anyone with network visibility can capture the mailbox credentials.

Why it matters

POP3 still exists in older mail setups and some devices. For security, plaintext POP3 is a red flag. In operations, POP style workflows can also hide server side retention issues because the mail quickly leaves the server.

Security angle

  • Prefer POP3S on 995 or IMAPS on 993, or use modern provider APIs.
  • Disable plaintext auth and enforce strong passwords and MFA where possible.
  • Monitor for brute force attempts and unusual login locations.

Common pitfalls

  • Using plaintext POP3 over untrusted networks.
  • Assuming POP3 behaves like IMAP. It is not designed for multi device sync.
  • Leaving old accounts enabled because POP clients often run for years without change.