
Port 993 carries IMAPS traffic: the Internet Message Access Protocol wrapped in TLS encryption from the moment the connection begins. Every email client that synchronizes your inbox across devices, every webmail service that shows the same messages on your phone and your laptop, speaks through this port.

When you open your email and see that the message you read on your phone is already marked as read on your computer, that synchronization happened through IMAP. When your email lives on the server rather than being downloaded and deleted, that is IMAP. Port 993 is IMAP with encryption mandatory from the first packet.

How IMAPS Works

The moment a client connects to port 993, a TLS handshake begins.[1] There is no "hello, would you like to encrypt?" negotiation. There is no window of vulnerability where credentials could fly in plaintext. The encryption is implicit: if you cannot speak TLS, you cannot speak at all.

Once the encrypted tunnel is established, the IMAP protocol takes over. The client sends commands. The server responds. Every command is tagged with an identifier so responses can be matched to requests even when multiple commands are in flight:

A001 LOGIN user@example.com password
A001 OK LOGIN completed
A002 SELECT INBOX
* 47 EXISTS
* 2 RECENT
* OK [UIDVALIDITY 1234567890] UIDs valid
A002 OK [READ-WRITE] SELECT completed
A003 FETCH 1:* (FLAGS)
...

The key insight of IMAP is that the server holds the truth. The client is just a view. When you mark a message as read, you are not changing a local file. You are telling the server to set the \Seen flag on that message. When another client connects, it sees that flag. This is why your email can follow you across every device you own.
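The tag matching described above, as an added example that is not part of the original page: a small Python parser that pairs tagged completions with the commands a client sent and collects the untagged (`*`) data that arrived before each one. The function names and the sample lines are constructed for illustration, and attributing untagged data to the next completion is a simplification.

```python
import re

# Constructed server output, modelled on the session shown above.
SERVER_LINES = [
    "A001 OK LOGIN completed",
    "* 47 EXISTS",
    "* 2 RECENT",
    "* OK [UIDVALIDITY 1234567890] UIDs valid",
    "A002 OK [READ-WRITE] SELECT completed",
]

# tag, status, optional [response code], free text
TAGGED = re.compile(
    r"^(?P<tag>[A-Za-z0-9]+) (?P<status>OK|NO|BAD)"
    r"(?: \[(?P<code>[^\]]+)\])? ?(?P<text>.*)$"
)

def match_responses(lines, sent_tags):
    """Map each sent tag to its completion plus the untagged data before it."""
    results, untagged = {}, []
    for line in lines:
        if line.startswith("* "):          # untagged data: belongs to no tag
            untagged.append(line[2:])
            continue
        m = TAGGED.match(line)
        # A completion for a tag we never sent means the stream is out of sync.
        if not m or m["tag"] not in sent_tags:
            raise ValueError(f"unexpected line: {line!r}")
        results[m["tag"]] = {"status": m["status"], "code": m["code"],
                             "text": m["text"], "untagged": untagged}
        untagged = []
    return results

def mailbox_state(untagged):
    """Extract the counters a SELECT reports from its untagged responses."""
    state = {}
    for item in untagged:
        m = re.match(r"^(\d+) (EXISTS|RECENT)$", item)
        if m:
            state[m[2]] = int(m[1])
        m = re.match(r"^OK \[UIDVALIDITY (\d+)\]", item)
        if m:
            state["UIDVALIDITY"] = int(m[1])
    return state

if __name__ == "__main__":
    done = match_responses(SERVER_LINES, {"A001", "A002"})
    print(done["A002"]["status"], mailbox_state(done["A002"]["untagged"]))
```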

The Story of IMAP

Mark Crispin created IMAP at Stanford University in 1986.[2] He was working as the Systems Programmer for the Computer Science Department, running TOPS-20 systems, and he had become fascinated by electronic mail.

The problem was simple: people were starting to use more than one computer. POP, the Post Office Protocol, had arrived in 1984, and it worked fine if you only ever read email from one machine. But POP was designed for download-and-delete. Your mail lived on the server until you retrieved it, then it was yours, on your local disk, gone from the server. If you read your mail on your office computer, it was not on your home computer. If you tried to leave copies on the server, you downloaded the same messages over and over on every machine.

Crispin asked a different question: what if the server was not a holding pen, but a permanent home? What if clients synchronized with the server instead of emptying it?

The original IMAP, called the Interim Mail Access Protocol, was implemented on a Xerox Lisp Machine talking to a TOPS-20 server. No copies survive. The interim protocol was quickly replaced by IMAP2 in 1990, documented in RFC 1176. IMAP2 introduced command tagging, the mechanism that lets clients send multiple commands without waiting for each response. IMAP3 appeared briefly in 1991 and was rejected by the market. The IETF working group went back to IMAP2 and evolved it into IMAP4, adding MIME support and mailbox management.

RFC 3501, published in March 2003, defined IMAP4rev1.[3] Mark Crispin was the author. He had spent seventeen years refining the protocol he created, first at Stanford, then at the University of Washington where he also co-created Pine, the email client that introduced millions of people to Unix email.

Crispin maintained UW IMAP, one of the reference implementations, until 2008. He forked it into Panda IMAP that year and continued working on email protocols until his death in December 2012.[4]

Why Port 993 Exists

IMAP originally ran on port 143, unencrypted. When SSL emerged from Netscape in the mid-1990s, the Internet community faced a choice: upgrade existing ports with optional encryption (STARTTLS), or create new ports where encryption was mandatory from the start.

Both approaches were tried. Port 143 gained STARTTLS support, where a client connects in plaintext, issues a STARTTLS command, and upgrades to encryption. Port 993 took the other path: implicit TLS, where the connection is encrypted from byte one.

For years, the community debated which approach was better. STARTTLS had the advantage of backward compatibility. Implicit TLS had the advantage of simplicity and security: no negotiation, no downgrade attacks, no window where a man-in-the-middle could strip the STARTTLS command from the conversation.

In January 2018, RFC 8314 settled the debate.[5] The title says it all: "Cleartext Considered Obsolete." The RFC recommends implicit TLS on dedicated ports, including port 993 for IMAP, as the preferred approach. STARTTLS on port 143 remains supported for transition, but implicit TLS is the future.

IANA updated the port 993 registration to reflect this recommendation. The official service name is "imaps" and the description reads "IMAP over TLS protocol."

Security Considerations

Port 993 provides encryption, not invulnerability.

Brute force attacks remain possible. Encryption protects the contents of the conversation, not the existence of the conversation. Attackers can still attempt to guess passwords. Email servers exposed to the Internet see continuous brute force activity against port 993.

Certificate validation matters. The security of TLS depends on the client verifying the server's certificate. If users click through certificate warnings, or if clients do not validate certificates properly, man-in-the-middle attacks become possible even with encryption.
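What that validation looks like in a client, as an added example that is not from the original page: a Python TLS context that verifies the chain and hostname, the lax variant that is the code equivalent of clicking through a warning, and a check that tells them apart. The function names are hypothetical, and the host passed to open_mailbox is whatever server you operate.

```python
import imaplib
import ssl

def strict_context():
    """Verified chain, hostname check, TLS 1.2 or newer."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname, system CAs
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def lax_context():
    """Anti-pattern shown for contrast: encrypts, but to anyone who answers."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit_context(ctx):
    """Return the reasons a context would accept an impostor server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are allowed")
    return findings

def open_mailbox(host, ctx=None):
    """Connect to port 993, refusing any context that fails the audit."""
    ctx = ctx or strict_context()
    problems = audit_context(ctx)
    if problems:
        raise ValueError("refusing to connect: " + "; ".join(problems))
    # The handshake raises ssl.SSLCertVerificationError on a bad certificate.
    return imaplib.IMAP4_SSL(host, 993, ssl_context=ctx)

if __name__ == "__main__":
    print("strict:", audit_context(strict_context()))
    print("lax:   ", audit_context(lax_context()))
```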

IMAP lacks native support for multi-factor authentication. This has made IMAP services a target for password spraying attacks. Microsoft Office 365 has been particularly affected, with attackers using third-party email clients to bypass MFA by targeting IMAP directly.[6]

STARTTLS downgrade vulnerabilities have affected IMAP. CVE-2022-23008 documented a vulnerability where attackers could intercept plaintext credentials by manipulating the STARTTLS negotiation.[7] Port 993 is immune to this specific attack because it never negotiates encryption; encryption is required from the start.

The defense is defense in depth: strong passwords, rate limiting, MFA where possible, and monitoring for suspicious access patterns.
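One way to monitor for the two patterns named above, as an added example that is not part of the original page: a Python pass over authentication logs that separates password spraying (one source, many accounts) from brute force (one source, many tries on the same account). The log format, the thresholds and the sample lines are constructed assumptions, not any real mail server's output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Made-up log format for this example: timestamp, result, user, remote IP.
LINE = re.compile(r"^(?P<ts>\S+) imap-login: (?P<result>failed|ok) "
                  r"user=<(?P<user>[^>]*)> rip=(?P<ip>\S+)$")

def sample_log():
    """Constructed lines using documentation-only IP ranges."""
    fmt = "2024-05-01T10:{:02d}:{:02d} imap-login: {} user=<{}> rip={}"
    lines = [fmt.format(i, 0, "failed", f"user{i}@example.com", "203.0.113.7")
             for i in range(6)]                      # 6 accounts, 1 try each
    lines += [fmt.format(20, i * 5, "failed", "admin@example.com", "198.51.100.9")
              for i in range(12)]                    # 1 account, 12 tries
    lines += [fmt.format(30, 0, "failed", "bob@example.com", "192.0.2.44"),
              fmt.format(30, 9, "ok", "bob@example.com", "192.0.2.44")]  # typo
    return lines

def classify_sources(lines, window=timedelta(minutes=10), min_users=5, min_tries=10):
    """Return {ip: 'spray' | 'brute-force'} from failures inside a sliding window."""
    failures = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m and m["result"] == "failed":
            failures[m["ip"]].append((datetime.fromisoformat(m["ts"]), m["user"]))
    verdicts = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                           # drop events older than window
            in_window = events[start:end + 1]
            if len({user for _, user in in_window}) >= min_users:
                verdicts[ip] = "spray"               # breadth across accounts
                break
            if len(in_window) >= min_tries:
                verdicts[ip] = "brute-force"         # depth on few accounts
    return verdicts

if __name__ == "__main__":
    for ip, verdict in classify_sources(sample_log()).items():
        print(ip, verdict)
```

Spraying often stays under per-account lockout thresholds, which is why the check counts distinct accounts per source rather than failures per account.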

Port 993 is part of the email port family:

Port  Protocol  Purpose
25    SMTP      Server-to-server mail transfer
110   POP3      Mail retrieval (unencrypted)
143   IMAP      Mail access (unencrypted or STARTTLS)
465   SMTPS     Mail submission (implicit TLS)
587   SMTP      Mail submission (STARTTLS)
993   IMAPS     Mail access (implicit TLS)
995   POP3S     Mail retrieval (implicit TLS)

Port 143 is IMAP's unencrypted sibling. Port 995 is POP3's encrypted variant. The pattern is consistent: the original unencrypted port, then a separate port for implicit TLS.
