Ports

Port 995: POP3S

POP3 over implicit TLS. Secure mailbox download, still simpler than IMAP.

Where you will see it: in scans, firewall rules, vulnerability reports, and service configs. Treat open ports as exposure points and verify the service is expected, hardened, and restricted.

What it is

TCP port 995 is used by POP3S, meaning POP3 with implicit TLS. A port is a transport-layer number used together with an IP address and a protocol such as TCP or UDP to direct traffic to the correct service on a host. A server process binds a socket to a port and listens, while a client typically chooses an ephemeral source port for outbound connections.

The combination of source and destination IP addresses, source and destination ports, and the transport protocol uniquely identifies a flow so the operating system can keep many conversations separate. Firewalls, NAT, and scanners talk about ports because the destination port is the stable rendezvous point that exposes a service to the network.

A server listens on 995 and the client establishes a TCP session, then a TLS session, before authenticating. After that, the client lists and retrieves messages, typically downloading them to local storage rather than keeping server-side state synchronized as IMAP does.

That model is why POP is still used for simple setups and legacy clients, but it also means retention and incident response depend on where mail is stored and backed up. Security-wise, POP3S removes cleartext credentials on the wire, but weak passwords, lack of MFA, and exposed services still make port 995 a common target for credential attacks.

How it works in broad strokes

  1. Client connects and negotiates TLS immediately.
  2. Client authenticates, lists messages, retrieves them, and may delete them from the server.
  3. Client stores messages locally and ends the session.

Concrete example

An old mail client supports only POP3S. It connects to 995, authenticates, downloads new mail, and archives it locally, which is why server retention may not reflect what the user still has.

Why it matters

POP3S matters because some devices and older clients still rely on POP. From a defender's perspective, secure transport helps, but you still need to protect accounts from brute force and to consider retention and backup implications.

Security angle

  • Prefer IMAPS when you need multi-device sync, or provider APIs for apps.
  • Enforce strong passwords and MFA and monitor failed logins.
  • Disable legacy plaintext POP3 on 110.
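
One way to implement the failed-login monitoring recommended above (an added example, not part of the original page). The key=value log format, thresholds and addresses are constructed for illustration; adapt the regex to your mail server's actual authentication log.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a made-up key=value format (not a real server's log format).
SAMPLE_LOG = """\
2024-05-01T09:00:00Z svc=pop3s port=995 event=auth_fail user=erin src=192.0.2.44
2024-05-01T10:00:01Z svc=pop3s port=995 event=auth_fail user=alice src=203.0.113.7
2024-05-01T10:00:09Z svc=pop3s port=995 event=auth_fail user=alice src=203.0.113.7
2024-05-01T10:00:17Z svc=pop3s port=995 event=auth_fail user=alice src=203.0.113.7
2024-05-01T10:00:25Z svc=pop3s port=995 event=auth_fail user=alice src=203.0.113.7
2024-05-01T10:00:33Z svc=pop3s port=995 event=auth_fail user=alice src=203.0.113.7
2024-05-01T10:00:41Z svc=pop3s port=995 event=auth_ok user=alice src=203.0.113.7
2024-05-01T10:01:00Z svc=pop3s port=995 event=auth_fail user=bob src=198.51.100.9
2024-05-01T10:01:05Z svc=pop3s port=995 event=auth_fail user=carol src=198.51.100.9
2024-05-01T10:01:10Z svc=pop3s port=995 event=auth_fail user=dave src=198.51.100.9
2024-05-01T10:02:00Z svc=pop3s port=995 event=auth_ok user=erin src=192.0.2.44
"""
LINE_RE = re.compile(
    r"^(\S+) svc=pop3s port=995 event=(auth_fail|auth_ok) user=(\S+) src=(\S+)$")

def parse(log):
    """Yield (timestamp, event, user, src) for each POP3S auth line; skip the rest."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def detect(log, window=timedelta(minutes=5), max_fails=5, max_users=3):
    """Return {src: [tags]} for sources whose failures in the window cross a threshold."""
    fails = defaultdict(list)   # src -> [(ts, user)] failures still inside the window
    alerts = defaultdict(set)
    for ts, event, user, src in sorted(parse(log)):
        recent = [(t, u) for t, u in fails[src] if ts - t <= window]
        if event == "auth_ok":
            if len(recent) >= max_fails:  # a login that follows a burst of failures
                alerts[src].add("success-after-failures")
            fails[src] = recent
            continue
        recent.append((ts, user))
        fails[src] = recent
        if len({u for _, u in recent}) >= max_users:  # many accounts, one source
            alerts[src].add("password-spray")
        if max(Counter(u for _, u in recent).values()) >= max_fails:  # one account hammered
            alerts[src].add("brute-force")
    return {src: sorted(tags) for src, tags in alerts.items()}

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

A "success-after-failures" tag is the one to triage first, since it may indicate a guessed password rather than just noise against the exposed port.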

Common pitfalls

  • Using POP for multi-device scenarios and then losing mail state consistency.
  • Weak account security leading to mailbox compromise.
  • Assuming TLS solves everything. Server-side policy and monitoring are still required.