Over three million POP3 and IMAP mail servers without TLS encryption are currently vulnerable on the internet. These servers, which handle email access for users, expose usernames and passwords in clear text when transmitted over the internet, making them susceptible to network sniffing attacks.
TLS (Transport Layer Security) encryption is used to secure user information while exchanging emails over the internet. However, many hosting companies configure POP3 or IMAP services by default without TLS enabled, leaving users’ messages and credentials exposed to eavesdropping attacks.
According to a report from Shadowserver, around 3.3 million hosts are running POP3/IMAP services with no TLS encryption, putting users at risk of password interception and guessing attacks. The Internet Engineering Task Force (IETF) approved the next major version of the TLS protocol, TLS 1.3, in March 2018, but many systems still use outdated versions.
Major companies like Microsoft, Google, Apple, and Mozilla have announced plans to retire insecure TLS protocols by the end of 2020. The US National Security Agency (NSA) has also provided guidance on replacing outdated TLS configurations with modern alternatives.
To protect users’ information, mail server operators are advised to enable TLS support for IMAP services immediately and consider moving these servers behind a VPN (Virtual Private Network).
Source: https://www.bleepingcomputer.com/news/security/over-3-million-mail-servers-without-encryption-exposed-to-sniffing-attacks