Testing a POP3 server via telnet or OpenSSL

Establishing a connection

To start with, the usual process is to telnet to a POP3 server port, usually on TCP port 110. This would be very simple:

telnet mail.example.com 110

Nowadays, though, most POP3 servers are secured via SSL, usually sitting on port 995. If you try to use telnet on an SSL-only POP3 server, you’ll either get an error “Command is not valid in this state”, such as:

Connected to mail.example.com.
+OK The Microsoft Exchange POP3 service is ready.
USER yiming
-ERR Command is not valid in this state.


Connected to mail2.example.com.
Escape character is '^]'.
USER yiming
Connection closed by foreign host.

When this is encountered, OpenSSL’s s_client should be used instead to perform the necessary SSL negotiations.

openssl s_client -connect mail.example.com:995


openssl s_client -crlf -connect mail.example.com:110 -starttls pop3

The second one is typically used for Microsoft Exchange servers. Note the -crlf option, which tells s_client to send \r\n line endings. If the wrong line ending is used for a server, the symptom is that the server will not respond to any commands. It will only sit there and wait for further input, while you are staring at a blank responses or blank lines in your telnet session.


Having established a connection, it is now necessary to authenticate as a POP3 user. In the simplest case, plain text authentication is used. In this case, the command USER [username] is used to establish the username, and PASS [password] is used to establish the password in plaintext. (Since the connection is under SSL encryption, presumably this plaintext won’t matter).

+OK Server ready
USER yiming
PASS foobar
+OK Logged in.
Server interactions

Several commands are useful here.

LIST – lists the messages available in the user’s account, returning a status message and list with each row containing a message number and the size of that message in bytes
STAT – returns a status message, the number of messages in the mailbox, and the size of the mailbox in bytes
RETR [message_num] – returns the message identified by the message number, which is the same as the message number shown in the LIST command output
TOP [message_num] [n] – returns the top n lines of the message denoted by message number.
When finished, the QUIT command will end the session.

Leave a Reply

Your email address will not be published. Required fields are marked *