Port 106 belongs to the well-known range (0 through 1023), the ports that IANA assigns and that most operating systems reserve for privileged processes. These are supposed to be the orderly ones. Port 106 is not orderly.
The Official Tenant
IANA assigned port 106 to 3COM-TSMUX, a Terminal Server Multiplexor protocol registered by Jeremy Siegel of 3Com1. The assignment dates to the late 1980s, when 3Com was integrating terminal server products it inherited from its 1987 merger with Bridge Communications2. Bridge had been building terminal servers since 1983, devices that multiplexed connections from dumb terminals over Ethernet to reach host computers and modem banks.
The CS/1 and CS/200 communication servers were real products that solved a real problem. But the protocol that ran on port 106 never became widely adopted. 3Com moved on. The networking world moved on. The IANA entry remained, a name on a mailbox with no one home.
The Actual Occupant
What actually lives on port 106, on thousands of servers to this day, is poppassd: a small daemon that lets email users change their passwords remotely3.
The problem it solved was simple and frustrating. In the early days of POP3 email, if you wanted to change your password on the mail server, you needed a shell account. You had to Telnet in and run passwd. Most email users, especially at universities, did not have shell access. They had an email client (usually Eudora or NUPOP) and nothing else.
poppassd gave them a way. The protocol is almost comically simple: four commands. USER, PASS, NEWPASS, QUIT. Connect, authenticate, change password, disconnect. The server responds with 200 for success and 500 for failure. The entire conversation takes less than a second.
The program was written by John Norstad (Northwestern University), Roy Smith (NYU), and Daniel L. Leavitt (MITRE)4. Norstad is better known for creating Disinfectant, the free antivirus software that protected Macintosh computers for nearly a decade5. He was described as "one of the great unsung heroes of personal computing," a systems engineer who kept giving his work away for free6. poppassd was another gift: a small, practical tool for a real problem, released to anyone who needed it.
The Usurpation
Here is the genuinely strange part: poppassd was never assigned port 106. It simply started using it. Eudora's "Change Password" feature connected to port 106, and poppassd listened there, and that was that.
The IANA registry acknowledges this with a dry note: "Known Unauthorized Use on 106"1.
In 2001, Randall Gellens of Qualcomm wrote an IETF Internet-Draft proposing a replacement protocol. His description of the situation is precise: poppassd "traditionally usurps port 106, which is actually assigned for a different purpose"7. The draft cataloged the problems: passwords transmitted in cleartext, too many round-trips, no extension mechanism, and the unauthorized port usage. He proposed a cleaner, encrypted replacement.
The draft expired in August 2001. It never became an RFC. poppassd kept running on port 106.
How It Works
To change a password on a server running poppassd, administrators configure it in /etc/services by commenting out the 3COM-TSMUX entry and adding poppassd 106/tcp. On modern Linux systems, systemd handles the socket directly3.
A typical session looks like this:
Authentication and password changes are handled through PAM (Pluggable Authentication Modules), so system-wide password policies still apply. The daemon never runs with elevated privileges itself.
Security
poppassd sends everything in cleartext. Username, old password, new password. All of it readable to anyone sniffing the network.
This is why modern deployments restrict poppassd to localhost connections only. Web-based password change interfaces (in hosting panels like Plesk or cPanel) connect to poppassd on the loopback address, keeping the cleartext conversation contained to the local machine4. Remote access to port 106 should be blocked by firewall rules.
If you see port 106 open on a public-facing server, that is a problem.
How to Check What Is Listening on Port 106
If something is listening and you did not configure poppassd or a password-change service, investigate immediately.
Why This Port Matters
Port 106 is not important because of the traffic it carries. It is important because of what it represents.
The Internet was not built entirely by committee. Standards bodies assigned port numbers and wrote RFCs, but the actual running Internet was shaped by people who had problems to solve and software to ship. John Norstad needed email users to change their passwords. Eudora needed a port to connect to. Port 106 was technically assigned to something else, but it was not being used. So they used it.
Twenty-five years later, the IANA registry still says 3COM-TSMUX. The servers still run poppassd. The Internet-Draft that would have fixed the situation expired without action. And the whole arrangement keeps working, held together not by specification but by convention.
This is how infrastructure actually grows: not always by the book, but always toward solving the problem in front of you.
Frequently Asked Questions
Was this page helpful?