Port 990: The Definitive UK Guide to IMAP over SSL

Port 990 is a topic that sits at the crossroads of network security, email reliability, and system administration. While the majority of mail systems today rely on port 993 for IMAP over TLS, there are scenarios where port 990 remains in active use. This article explains what Port 990 is, how it differs from other secure IMAP ports, and how to configure, test, and troubleshoot it effectively. Whether you are a seasoned IT professional, a system administrator, or an IT student seeking clarity, this guide will help you understand the purpose and practicalities of Port 990 in a way that is both informative and approachable.
What is Port 990 and why does it matter?
Port 990 is traditionally associated with IMAP over SSL, specifically the implicit TLS variant of the IMAP protocol. In this model, the SSL/TLS handshake occurs before any plaintext exchange, and the connection is encrypted from the moment the session is established. The port serves as a dedicated channel for clients that require encrypted IMAP traffic without starting with a plain text handshake. While Port 993 has become the widely adopted standard for IMAP over TLS in contemporary deployments, Port 990 remains relevant in legacy environments or within specific hosting setups.
Understanding Port 990 is important for several reasons. First, it affects firewall rules and access control lists. If your organisation permits IMAP traffic, but only on Port 993, enabling Port 990 without careful planning can leave services unexpectedly exposed or cause misrouting. Second, Port 990 can be part of a migration strategy. If a server or hosting provider still advertises Port 990 in documentation or legacy configurations, knowing how to handle it reduces downtime and confusion. Finally, proper handling of Port 990 reinforces best practices around encryption, certificates, and client compatibility, ensuring users can connect securely whether they are using modern mail clients or legacy software.
Port 990 vs Port 993: Understanding the landscape
Two ports are commonly discussed when dealing with IMAP over TLS: Port 993 and Port 990. The primary distinction is the method by which TLS is applied, and this has practical implications for client compatibility and security posture.
- Port 993 – The de facto standard for IMAP over TLS with implicit TLS. The TLS handshake is completed before any IMAP commands, and the client begins encrypted communication immediately upon connection. This approach aligns with modern security expectations and is widely supported by current mail clients and servers.
- Port 990 – Historically associated with IMAP over SSL (IMAP-SSL) and sometimes used for legacy deployments that expect implicit TLS on this port. Some servers still listen on Port 990, especially in older data centres or custom hosting environments. It is less commonly used today, but not obsolete in every context.
When configuring or auditing an environment, it is important to verify which port is in use and ensure that firewalls, load balancers, and NAT devices are aligned with the chosen port. If you are planning a new deployment, Port 993 is generally the safer and more widely supported choice. If you are maintaining an existing system that already relies on Port 990, you can continue with careful management, provided you enforce up-to-date TLS configurations and solid certificate handling.
How IMAP over SSL works on Port 990
To understand Port 990, it helps to step back and look at the IMAP over SSL model. In the implicit TLS model that Port 990 represents, the client connects to the server and immediately begins an encrypted session. There is no plaintext exchange prior to the TLS handshake. This contrasts with the STARTTLS approach, which starts with unencrypted communication on a standard port (such as 143) and upgrades to encryption during the session. The implicit TLS approach used by Port 990 provides a straightforward, encryption-first connection path, which can simplify certain security policies and client configurations.
From a server perspective, enabling Port 990 requires binding an IMAP service to that port and ensuring the service presents a valid certificate that clients can trust. The certificate should cover the hostname clients use to connect, and the private key must be safeguarded to prevent compromise. On the client side, mail applications must be set to use SSL/TLS and connect to the correct port. When both sides are aligned, Port 990 delivers secure IMAP access with minimal negotiation overhead.
Setting up Port 990 on common mail servers
Below are practical guidelines for enabling Port 990 on two widely used IMAP server implementations. The goal is to provide a clear path for IT teams to verify configuration, security, and interoperability. While many administrators converge on Port 993 today, these notes are valuable for environments with existing Port 990 configurations or specific compliance requirements.
Dovecot: Enabling Port 990 for IMAP over SSL
Dovecot is a popular open-source IMAP/POP3 server known for its performance and simplicity. To enable Port 990 with implicit TLS in Dovecot, you typically adjust the service configuration to bind an SSL-enabled IMAP listener on the desired port and verify that the TLS certificate chain is valid. A streamlined example is shown below (settings may vary by distribution and Dovecot version):
    # Dovecot 2.x: network listeners belong to the imap-login service
    service imap-login {
      inet_listener imap {
        port = 143
      }
      inet_listener imaps {
        port = 990
        ssl = yes
      }
    }
    ssl = required
    ssl_cert =
In this configuration, the regular IMAP service remains on port 143 for non-encrypted or STARTTLS usage, while Port 990 is dedicated to IMAP traffic that is encrypted with SSL/TLS from the start of the connection. Ensure the certificate matches the server's hostname and that the private key has appropriate permissions. After saving the configuration, restart Dovecot and test connectivity with a client configured for SSL/TLS on port 990.
Cyrus IMAP: Port 990 with implicit TLS
The Cyrus IMAP server also supports implicit TLS on a dedicated port. The exact configuration varies by version, but the principle remains consistent: bind a secure IMAP listener on port 990 and provide a valid certificate. A minimal example might involve entries like these in your Cyrus configuration:
    # cyrus.conf: "imapd -s" runs the listener with implicit TLS
    SERVICES {
      imap   cmd="imapd"    listen="143"  prefork=0
      imaps  cmd="imapd -s" listen="990"  prefork=0
    }
As with Dovecot, ensure the certificate chain is complete and that clients are configured to connect securely to port 990. Regular audits of cipher suites and TLS versions are recommended to maintain strong security when Port 990 is active.
Microsoft Exchange and other servers
Microsoft Exchange typically emphasises port 993 for IMAPS in modern deployments. However, some legacy setups or specific edge configurations may expose IMAP over SSL on Port 990. If you encounter Port 990 on an Exchange-based environment, you will generally manage the configuration within the Exchange Transport Stack and the Mailbox Server role bindings. In practice, many administrators migrate from Port 990 to Port 993 to align with mainstream client expectations and security best practices. If you need to preserve Port 990 for compatibility, coordinate with your PKI and client support processes to ensure consistent certificate validation and client configuration.
Security considerations for Port 990
Security is paramount whenever you expose IMAP services to the internet or even to an internal network. When Port 990 is in use, pay particular attention to TLS configurations, certificate management, and access control policies. Here are the key areas to address:
- Certificate management – Use a trusted certificate issued by a recognised Certificate Authority (CA). Ensure the subject and SANs (Subject Alternative Names) cover all hostnames clients might use to connect. Regularly renew certificates before expiry, and implement automated renewal where possible.
- TLS version and cipher suites – Configure servers to support modern, secure TLS versions (at minimum TLS 1.2, with TLS 1.3 preferred if available). Disable legacy, insecure ciphers and avoid SSL 3.0 or lower. Conduct periodic reviews of enabled ciphers in line with current security guidelines.
- Hardened server configuration – Restrict access to Port 990 to legitimate clients and internal networks where feasible. Use strong authentication mechanisms, such as OAuth or certificate-based client authentication where supported, and consider rate limiting to mitigate abuse.
- Certificate pinning and hostname validation – Encourage or enforce strict hostname checks on the client side to prevent man-in-the-middle scenarios and ensure the client trusts only intended servers.
- Auditing and monitoring – Enable logging for IMAP authentication attempts and TLS handshakes. Monitor for unusual patterns that could indicate brute force attempts or misconfigured clients.
In addition to these measures, ensure your incident response and change management processes cover TLS-related updates. Changing certificates, updating server software, or altering ports should go through a controlled change window with testing in a staging environment before production deployment.
Testing and troubleshooting Port 990
Testing Port 990 involves verifying that the IMAP service is listening on the intended port, that TLS is properly configured, and that clients can connect and authenticate securely. Here are practical steps you can take:
- Port listening check – Use netstat or ss to confirm that the IMAP service is listening on port 990 (and optionally on IPv4 and IPv6):

    sudo ss -tlnp | grep :990

- TLS certificate validation – Connect to Port 990 with a TLS-capable client or with OpenSSL to inspect the certificate chain. The following command initiates a TLS handshake and shows certificate details:

    openssl s_client -connect mail.example.com:990 -servername mail.example.com

- IMAP connectivity test – With a mail client configured for SSL/TLS on Port 990, test login and basic IMAP commands (SELECT INBOX, LIST, FETCH). If you prefer command-line testing, you can use an IMAP client that supports SSL/TLS or a specialised tool like 'openssl' in combination with an IMAP client wrapper.
- Cipher and protocol checks – Review the negotiated TLS version and cipher suite in the output of the OpenSSL test. Ensure the server supports at least TLS 1.2 and ideally TLS 1.3 for modern security standards.
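
The certificate, protocol and IMAP checks from the list above can be combined in one script. This is an added example, not part of the original guide; the function names and the `MIN_DAYS_LEFT` threshold are assumptions of this example, and `mail.example.com` is the placeholder host used above.

```python
import socket
import ssl
import time

MIN_DAYS_LEFT = 14  # assumed renewal threshold for this example


def probe(host, port=990, timeout=10):
    """Open an implicit-TLS connection and collect what the server presents."""
    ctx = ssl.create_default_context()            # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # handshake fails below TLS 1.2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "tls_version": tls.version(),
                "cipher": tls.cipher()[0],
                "not_after": ssl.cert_time_to_seconds(cert["notAfter"]),
                "greeting": tls.recv(512).decode("ascii", "replace").strip(),
            }


def assess(report, now=None):
    """Return a list of findings; an empty list means nothing to follow up."""
    now = time.time() if now is None else now
    findings = []
    if report["tls_version"] != "TLSv1.3":
        findings.append("negotiated %s, TLS 1.3 preferred" % report["tls_version"])
    days_left = (report["not_after"] - now) / 86400
    if days_left < MIN_DAYS_LEFT:
        findings.append("certificate expires in %d days" % days_left)
    # An IMAP server speaks first with an untagged OK, PREAUTH or BYE response.
    if not report["greeting"].startswith(("* OK", "* PREAUTH", "* BYE")):
        findings.append("no IMAP greeting: " + report["greeting"][:40])
    return findings


if __name__ == "__main__":
    # Placeholder host from the guide; replace with the server under test.
    try:
        for line in assess(probe("mail.example.com")) or ["no findings"]:
            print(line)
    except (ssl.SSLError, OSError) as exc:  # bad chain, hostname mismatch, timeout
        print("connection or TLS validation failed:", exc)
```

A greeting that is not an IMAP response means the listener on the port is some other service, which is worth ruling out before debugging certificates or client settings.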
If you encounter issues, a structured troubleshooting approach helps:
- Verify DNS resolution and that the hostname used by clients matches the certificate.
- Confirm that the IMAP service is configured to listen on Port 990 and that there is no port conflict with other services.
- Check firewall rules to ensure Port 990 is not blocked by ISP, datacentre, or local network policies.
- Review server logs for authentication failures, TLS handshake errors, or certificate problems.
- Test with multiple clients to determine whether the issue is client-specific or server-side.
Common issues and solutions
Even well-configured Port 990 deployments can encounter predictable issues. Here are some frequent scenarios and practical remedies:
- Certificate mismatches – A common cause of TLS errors is a certificate that does not match the host used to connect. Ensure the common name (CN) or SANs align with the server hostname. Renewal and replacement should occur before expiry to avoid sudden outages.
- Outdated TLS versions – If the server only supports older TLS versions, modern clients may reject the connection. Update TLS libraries and enable TLS 1.2/1.3 as a priority.
- Blocked ports – Firewalls, NAT, or cloud security groups can block Port 990. Review ingress rules and confirm that any external access is allowed on this port where appropriate.
- Certificate chain issues – Ensure the server presents the full certificate chain, including intermediate certificates. Misconfigured chains can cause trust failures on the client side.
- Client configuration drift – Clients configured to use Port 993 may not automatically switch to Port 990. Align client profiles and update documentation to reduce confusion.
Performance considerations for Port 990
Performance on Port 990 is influenced by the same factors that affect any IMAP service. Encryption overhead, CPU load from TLS processing, and the efficiency of the IMAP server implementation all play a role in response times and concurrency. If you are supporting a high volume of connections on Port 990, consider these best practices:
- Use hardware with adequate CPU resources to handle TLS handshakes, especially during peak usage times.
- Enable connection-based or IP-based throttling to prevent abuse while keeping legitimate users responsive.
- Regularly monitor latency, queue depths, and authentication failure rates to identify bottlenecks early.
- Keep server software up to date to benefit from performance and security improvements related to TLS handling and IMAP processing.
Migration tips: moving from Port 990 to Port 993 (or vice versa)
Many organisations choose to standardise on Port 993 for IMAP over TLS, but there are legitimate scenarios where Port 990 remains part of the infrastructure. If you are planning a migration, here are practical considerations to make the transition smooth and risk-free:
- Assess compatibility: Ensure all client applications and devices support the target port and TLS configuration. Some legacy clients may only support older TLS versions, which could complicate a move.
- Coordinate with PKI and certificates: Ensure certificates are valid for both hostnames used in the old and new configurations if you intend to maintain dual-port access temporarily.
- Phase the change: Start with pilot users, monitor performance and error rates, then progressively roll out to the broader user base.
- Update documentation and support materials: Ensure users know which port to use, how to configure SSL/TLS, and what to do if they encounter trust or connection errors.
- Plan decommissioning carefully: If Port 990 is to be retired, provide a clear timeline, backup access pathways, and a rollback plan in case of unexpected issues.
Best practices for Port 990 in modern environments
Even though Port 990 is less common today, there are sensible best practices to apply if you maintain services listening on this port:
- Combine Port 990 with strict TLS configurations and up-to-date certificates to maintain a strong security posture.
- Document the rationale for using Port 990 and ensure that this rationale is reviewed periodically as part of security governance.
- Prefer implicit TLS on 990 only if there is a clear operational or compatibility reason; otherwise, align with Port 993 for uniformity.
- Ensure consistent client guidance across devices and platforms to avoid misconfigured connections that lead to support tickets.
Migration paths and planning
When a project involves planning a transition for IMAP ports, a structured approach yields the best outcomes. Consider the following planning steps:
- Inventory: Catalogue all servers, services, and clients that rely on Port 990. Include internal and external access points to gauge exposure levels.
- Risk assessment: Identify security, compatibility, and performance risks associated with the proposed migration path.
- Stakeholder alignment: Involve security teams, network operations, and helpdesk to ensure cross-functional support.
- Testing strategy: Create a staging environment that mirrors production to validate the new configuration under realistic workloads.
- Gradual rollout: Phase the migration, monitor impact, and be prepared to pause or rollback if required.
- Documentation: Update runbooks, incident response procedures, and user guidance to reflect the new port strategy.
Compliance and governance considerations
Security and governance standards increasingly influence how organisations manage mail services. When working with Port 990, consider governance requirements around encryption, access control, and auditability. Align your approach with industry best practices and regulatory expectations relevant to your sector. This includes maintaining robust certificate management processes, monitoring and logging access, and ensuring that data in transit remains protected in accordance with organisational policies.
Conclusion: Port 990 in a modern UK context
Port 990 represents a variant of IMAP over SSL that continues to serve a niche within certain legacy and specialised environments. While Port 993 dominates contemporary deployments due to its mainstream support and simplified client configuration, Port 990 remains a legitimate choice in particular scenarios. The key to success with Port 990 is disciplined configuration, continued adherence to TLS best practices, meticulous certificate management, and a well-documented migration plan should a transition be necessary. By understanding the role of Port 990, organisations can ensure secure, reliable access to email for users while maintaining flexibility to adapt to evolving security standards and client needs.