Email Tutorials - Herong's Tutorial Examples - v1.04, by Herong Yang
What Is POP3S
This section provides a quick introduction to POP3S (Post Office Protocol 3 Secure) for message retrieval. A sample POP3S session that retrieves an email message using the 'openssl s_client' command is included.
What Is POP3S? - POP3S (Post Office Protocol 3 Secure) is a method to secure a POP3 communication by wrapping it in an SSL (Secure Sockets Layer) or TLS (Transport Layer Security) connection.
Running a POP3S communication requires the email message agents on both sides of the communication to meet server authentication requirements defined by the PKI (Public Key Infrastructure) standard:
By default, a POP3S server listens on port 995 for POP3S connection requests. Here is a sample session of retrieving an email message with POP3S using "openssl s_client" as the MUA. The POP3S server is a Dovecot server.
herong$ openssl s_client -connect 127.0.0.1:995
CONNECTED(00000003)
depth=0 OU = IMAP server, CN = mail.herongyang.com, emailAddress = post...
verify error:num=18:self signed certificate
verify return:1
Server certificate
-----BEGIN CERTIFICATE-----
MIIEUzCCArugAwIBAgIUemnAqnnY7dfjsdPa2HVHDkVKu20wDQYJKoZIhvcNAQEL
..
-----END CERTIFICATE-----
---
No client certificate CA names sent
Server Temp Key: ECDH, secp521r1, 521 bits
---
SSL handshake has read 2013 bytes and written 447 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 3072 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 862F03C3D9B1F36ED97DDC0E2622482EA723885B647695E1A119...
Session-ID-ctx:
Master-Key: 54024E6377B6A77683F58EEAD28278EEE72ED04F916C659F7B84...
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 7200 (seconds)
...
Start Time: 1605851257
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
---
+OK Dovecot ready.
user herong
+OK
pass TopSecret
+OK Logged in.
list
+OK 15 messages:
1 692
2 302
3 296
...
.
retr 3
+OK 296 octets
Return-Path: <herong@herongyang.com>
X-Original-To: herong
Delivered-To: herong@herongyang.com
Received: from localhost (localhost [IPv6:::1])
by mail.herongyang.com (Postfix) with ESMTPS id CCEF0266002F
for <herong>; 15 Nov 2023 03:23:36 -0500 (EST)
Hello encrypted world!
.
quit
+OK Logging out.
closed
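Note that "openssl s_client" actually failed to validate the server certificate. It returned the "verify error:num=18:self signed certificate" and "verify return:1" messages, and ended the handshake summary with "Verify return code: 18 (self signed certificate)", because I did not tell "openssl" to trust the self-signed server certificate. By default "openssl s_client" continues the session after such a failure, so the login above went to a server whose certificate was not validated.
The POP3S method can also support client authentication to ensure that only authorized clients can connect to the server.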
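The same user / pass / list / retr / quit session with certificate verification enforced, written with Python's poplib; this is an added example, not code from the original tutorial. It assumes the server certificate was exported to a PEM file (the name dovecot-cert.pem is made up here) and that the server is reached under the name in its certificate.

```python
import poplib
import ssl


def build_context(cafile=None):
    """TLS client context that rejects servers it cannot verify.

    cafile: PEM file with the server's self-signed certificate (or its CA);
    None uses the system trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True             # name must match the certificate
    ctx.verify_mode = ssl.CERT_REQUIRED   # no "continue anyway" as in s_client
    return ctx


def parse_listing(lines):
    """Turn LIST response lines such as b'3 296' into {3: 296}."""
    sizes = {}
    for line in lines:
        number, octets = line.split()[:2]
        sizes[int(number)] = int(octets)
    return sizes


def retrieve(host, user, password, number, cafile=None, port=995):
    """Run user / pass / list / retr / quit over a verified TLS connection."""
    # The handshake happens in the constructor: a certificate or host name
    # failure raises ssl.SSLCertVerificationError before any credentials
    # are written to the socket.
    conn = poplib.POP3_SSL(host, port, timeout=10, context=build_context(cafile))
    try:
        conn.user(user)
        conn.pass_(password)
        sizes = parse_listing(conn.list()[1])
        if number not in sizes:
            raise LookupError(f"no message {number} in mailbox")
        message = b"\r\n".join(conn.retr(number)[1])
        conn.quit()
        return message
    finally:
        conn.close()  # safe after quit(); also runs when a step fails


if __name__ == "__main__":
    # Assumed file name; host and credentials are those of the session above.
    print(retrieve("mail.herongyang.com", "herong", "TopSecret", 3,
                   cafile="dovecot-cert.pem").decode(errors="replace"))
```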