Ports

Port 143: IMAP

Mailbox sync protocol. Plaintext by default unless upgraded with TLS or StartTLS.

Where you will see it: In scans, firewall rules, vulnerability reports, and service configs. Treat open ports as exposure points and verify the service is expected, hardened, and restricted.

What it is

TCP port 143 is used by IMAP, an email synchronization protocol. A port is a transport layer number used together with an IP address and a protocol such as TCP or UDP to direct traffic to the correct service on a host.

A server process binds a socket to a port and listens, while a client typically chooses an ephemeral source port for outbound connections. The combination of source and destination IP addresses, source and destination ports, and the transport protocol uniquely identifies a flow so the operating system can keep many conversations separate.

Firewalls, NAT, and scanners talk about ports because the destination port is the stable rendezvous point that exposes a service to the network. An IMAP server listens on 143 and clients connect from ephemeral source ports.

After the TCP handshake, the client can upgrade the session to TLS using STARTTLS, then authenticate and synchronize folders and message state such as read flags and deletions. Unlike POP3, IMAP keeps the mailbox on the server and is designed for multiple devices, so clients often fetch headers and only download full bodies when needed.

The practical security detail is that port 143 can start in cleartext unless TLS is enforced, which creates risk if clients send credentials before upgrading. That is why many environments prefer IMAPS on port 993 where encryption is established immediately, and why monitoring for brute force on IMAP ports is common.
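An added example (not part of the original page) of auditing what a server on port 143 offers before TLS: it parses the capability list and reports whether password-bearing authentication is possible without STARTTLS. STARTTLS and LOGINDISABLED are capability names from the IMAP specification; the sample lines are constructed, and the verdict labels and function names are hypothetical.

```python
import re

# Constructed sample responses, as a server on port 143 might send before TLS.
SAMPLES = {
    "enforced": "* OK [CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED] ready",
    "optional": "* CAPABILITY IMAP4rev1 STARTTLS AUTH=PLAIN AUTH=LOGIN",
    "cleartext_only": "* CAPABILITY IMAP4rev1 AUTH=PLAIN",
}

# SASL mechanisms that transmit the password itself (only base64-encoded).
PLAINTEXT_SASL = {"AUTH=PLAIN", "AUTH=LOGIN"}


def parse_capabilities(line):
    """Return upper-cased capability atoms from a greeting or CAPABILITY line."""
    line = line.strip()
    m = (re.search(r"\[CAPABILITY ([^\]]*)\]", line, re.I)
         or re.match(r"\*\s+CAPABILITY\s+(.*)$", line, re.I))
    return {atom.upper() for atom in m.group(1).split()} if m else set()


def cleartext_auth_paths(caps):
    """List the ways a client could send a password on this unencrypted session."""
    paths = sorted(caps & PLAINTEXT_SASL)
    if "LOGINDISABLED" not in caps:
        paths.append("LOGIN")  # the LOGIN command is allowed unless disabled
    return paths


def classify(line):
    """Hypothetical verdict labels for the pre-TLS capability set."""
    caps = parse_capabilities(line)
    if not caps:
        return "unknown"
    paths = cleartext_auth_paths(caps)
    if "STARTTLS" not in caps:
        return "cleartext-only" if paths else "no-starttls"
    # STARTTLS offered: enforced only if no password path exists before upgrade.
    return "starttls-optional" if paths else "starttls-enforced"


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        caps = parse_capabilities(line)
        print(f"{name}: {classify(line)} {cleartext_auth_paths(caps)}")
```

A "starttls-optional" result is the case described above: the upgrade is available, but nothing stops a client from sending credentials first.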

How it works in broad strokes

  1. Client connects and authenticates, then lists folders and message metadata.
  2. Client fetches message bodies on demand and updates flags such as read or deleted.
  3. If STARTTLS is supported and required, the connection upgrades to TLS before the credentials in step 1 are sent.

Concrete example

A mobile mail app uses IMAP to keep inbox state consistent. Each time you mark a message as read, the client sends an IMAP command and the server updates the flag for all devices.

Why it matters

IMAP is common in enterprises and on legacy deployments. From a security perspective, plaintext IMAP is risky, and misconfigured IMAP can be a target for brute force and credential stuffing.

Security angle

  • Prefer IMAPS on 993 or enforce STARTTLS with strong cipher suites.
  • Enable rate limiting and monitor for auth anomalies.
  • Consider modern OAuth-based auth where supported by your provider.

Common pitfalls

  • Allowing plaintext auth without enforcing STARTTLS.
  • Assuming IMAP means all mail is safe on the server. Retention still depends on backup and policy.
  • Leaving old clients that do not support modern auth methods.