
24.5.2 POP3 Console 2

An encrypted TCP connection to a POP3 server can be set up reliably with the SSL client 'openssl', for example. Use port 995 as the port number for POP3 via SSL.

24.5.2.1 Example

[1] hans@linux:~$ openssl s_client -quiet -connect mx.freenet.de:995
[2] depth=2 C = DE, O = Deutsche Telekom AG, OU = T-TeleSec Trust Center, CN = Deutsche Telekom Root CA 2
[3] verify error:num=19:self signed certificate in certificate chain verify return:0
[4] +OK <500.1448880155@mx.freenet.de>
[5] USER POP3USERNAME
[6] +OK user ok
[7] PASS POP3PASSWORT
[8] +OK 2 messages (5377 octets).
[9] LIST
[10] +OK
[11] 1 2572
[12] 2 2805
[13] .
[14] RETR 1
[15] +OK 2572 octets
[16] [ HEADER LINES ]
[17]
[18] This is a MIME multipart/mixed message.
[19]
[20] --|1B031C1B1A9321EF01|
[21] Content-Type: text/plain;charset=UTF-8
[22] Content-Disposition: inline
[23] Content-Transfer-Encoding: quoted-printable
[24] Content-Length: 72
[25]
[26] Hallo!
[27] =
[28]
[29] Im Anhang liegt die Datei acht.png
[30] =
[31]
[32] Mit freundlichem Gru=C3=9F
[33] =
[34]
[35] Hans
[36]
[37] --|1B031C1B1A9321EF01|
[38] Content-Type: image/png; name="acht.png"
[39] Content-Disposition: attachment
[40] Content-Transfer-Encoding: base64
[41] Content-Length: 116
[42]
[43] iVBORw0KGgoAAAANSUhEUgAAAAgAAAAICAYAAADED76LAAAAO0lEQVQYlX2PyQ0AMAjDnKr7
[44] r5x+egvIEyxwZDBFOoASxJoAEWUB0J6Zhedi5QFSh/0lkDnAd/pWK2sORyMOEhaL7BAAAAAA
[45] SUVORK5CYII=
[46]
[47] --|1B031C1B1A9321EF01|--
[48]
[49] .
[50] NOOP
[51] +OK
[52] QUIT
[53] +OK
[54] hans@linux:~$

Comment:

The attachment can be decoded quickly on the console:

echo iVBORw0KGgoAAAANSUhEUgAAAAgAAAAICAYAAADED76LAAAAO0lEQVQYlX2PyQ0AMAjDnKr7r5x+egvIEyxwZDBFOoASxJoAE\
WUB0J6Zhedi5QFSh/0lkDnAd/pWK2sORyMOEhaL7BAAAAAASUVORK5CYII= | base64 --decode > acht.png

(The backslash must directly follow the last base64 character: a space in front of it would end up inside the data and make base64 reject the input.)

You will then see the image in your home directory:

Figure 24.5.2.1.1: Tiny 8×8 pixel image
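Instead of copying the base64 lines by hand, the whole RETR output can be handed to a MIME parser. The following Python script is an added example and not part of the original page: it embeds a constructed copy of the message fetched above (the transcript elides the header block, so the From/To/Subject/MIME-Version/Content-Type lines and the example.invalid addresses are assumptions; the boundary and both MIME parts are copied from the transcript), extracts the attachment, and checks the decoded bytes against the PNG signature and chunk layout before anything is written to disk.

```python
import email
import os
import struct
from email import policy

# Constructed copy of the message fetched with RETR 1 above. The transcript
# elides the header block, so the From/To/Subject/MIME-Version/Content-Type
# lines are assumptions (example.invalid is a reserved test domain); the
# boundary and both MIME parts are taken verbatim from the transcript.
RETR_MESSAGE = """\
From: hans@example.invalid
To: hans@example.invalid
Subject: acht.png
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="|1B031C1B1A9321EF01|"

This is a MIME multipart/mixed message.

--|1B031C1B1A9321EF01|
Content-Type: text/plain;charset=UTF-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Content-Length: 72

Hallo!
=

Im Anhang liegt die Datei acht.png
=

Mit freundlichem Gru=C3=9F
=

Hans

--|1B031C1B1A9321EF01|
Content-Type: image/png; name="acht.png"
Content-Disposition: attachment
Content-Transfer-Encoding: base64
Content-Length: 116

iVBORw0KGgoAAAANSUhEUgAAAAgAAAAICAYAAADED76LAAAAO0lEQVQYlX2PyQ0AMAjDnKr7
r5x+egvIEyxwZDBFOoASxJoAEWUB0J6Zhedi5QFSh/0lkDnAd/pWK2sORyMOEhaL7BAAAAAA
SUVORK5CYII=

--|1B031C1B1A9321EF01|--
"""

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def extract_parts(raw_message: str):
    """Return (attachment name, decoded attachment bytes, decoded text body)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, payload, text = None, None, ""
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment":
            name = part.get_filename()               # here from Content-Type name=
            payload = part.get_payload(decode=True)  # base64 undone, bytes
        elif part.get_content_type() == "text/plain":
            text = part.get_content()                # quoted-printable undone, str
    if payload is None:
        raise ValueError("message carries no attachment part")
    return name, payload, text


def inspect_png(data: bytes) -> dict:
    """Structural check: signature, then the chunk list must run IHDR ... IEND
    and account for every byte. Returns size, chunk names and the IHDR fields.
    (Chunk CRCs and the zlib IDAT stream are not verified here.)"""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: signature missing")
    pos, chunks, ihdr = len(PNG_SIGNATURE), [], None
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if pos + 12 + length > len(data):
            raise ValueError(f"truncated {ctype!r} chunk")
        body = data[pos + 8:pos + 8 + length]
        chunks.append(ctype.decode("latin-1"))
        if ctype == b"IHDR" and length == 13:
            width, height, depth, colour = struct.unpack(">IIBB", body[:10])
            ihdr = {"width": width, "height": height,
                    "bit_depth": depth, "color_type": colour}
        pos += 12 + length  # length field + type + data + CRC
        if ctype == b"IEND":
            break
    if ihdr is None or chunks[0] != "IHDR" or chunks[-1] != "IEND" or pos != len(data):
        raise ValueError("chunk sequence is not a well-formed IHDR ... IEND run")
    return {"size": len(data), "chunks": chunks, **ihdr}


if __name__ == "__main__":
    name, data, text = extract_parts(RETR_MESSAGE)
    info = inspect_png(data)
    print(text)
    print(f"{name}: {info['size']} bytes, {info['width']}x{info['height']} px, "
          f"chunks {info['chunks']}")
    # Never use the sender-supplied name as a path as it is; keep only the basename.
    with open(os.path.basename(name), "wb") as fh:
        fh.write(data)
```

Running the script writes acht.png into the current directory and reports 116 bytes, 8x8 px and the chunk run IHDR, IDAT, IEND, which agrees with the Content-Length in the transcript and the figure caption. Two cheap safeguards are built in for attachments from untrusted mail: the sender-supplied file name is reduced to its basename before it is used as a path, and a payload that does not start with the PNG signature or whose chunks do not run from IHDR to IEND is rejected before it is saved.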

24.5.2.2 Authentication via APOP

If a POP3 server offers authentication via the Authenticated Post Office Protocol (APOP), the POP3 user name is still sent in plain text inside the SSL tunnel, but the POP3 password itself is never transmitted: only a hash derived from it is sent, and that is what matters from a security point of view when authenticating to the POP3 server.

Authentication via APOP is based on the challenge-response method, which the article at https://de.wikipedia.org/wiki/Challenge-Response-Authentifizierung describes as “a secure authentication method for a participant based on knowledge”.

[1] hans@linux:~$ openssl s_client -quiet -connect mx.freenet.de:995
[2] depth=2 C = DE, O = Deutsche Telekom AG, OU = T-TeleSec Trust Center, CN = Deutsche Telekom Root CA 2
[3] verify error:num=19:self signed certificate in certificate chain
[4] verify return:0
[5] +OK <31534.1448457450@mx.freenet.de>
[6] APOP User-Name Hash-Value
[7] +OK 3 messages (1147469 octets).
[8] LIST
[9] +OK
[10] 1 382310
[11] 2 382307
[12] 3 382852
[13] .
[14] QUIT
[15] +OK
[16] hans@linux:~$

Notes:

If a POP3 server responds with a welcome message (line 5) after the connection is established that follows the syntax '+OK <process-id.timestamp@hostname>', then you can be sure that the POP3 server also allows authentication via APOP.

In this APOP welcome message the POP3 server transmits the challenge <31534.1448457450@mx.freenet.de> after the +OK and a space. From this server challenge, together with the POP3 user's password, the client must calculate a hash value as part of the response. Later, the response is sent - without the password itself being transmitted in it!

The hash value for the response is calculated, for example, in a (further) console with this instruction:

hans@linux:~$ echo -n "<31534.1448457450@mx.freenet.de>POP3-PASSWORD" | openssl md5

Subsequently, the complete response of the form 'User-Name<space>Hash-Value' can be sent to the POP3 server after the APOP command (line 6):

APOP User-Name Hash-Value

If the authentication was successful, then the POP3 server (line 7) sends the number of emails in the mailbox and their total size in bytes after the +OK.

If the authentication fails, then you receive this reply from the POP3 server:

-ERR premission denied
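The challenge-response described in these notes, worked through on both sides in Python. This is an added example and not code from the original page: the challenge is the one from line 5 of the transcript, the user name and password are constructed placeholders, and the server side is a minimal stand-in that stores the password and recomputes the digest. The known-answer values from RFC 1939, section 7, are included to confirm that the digest computation matches the standard and therefore the openssl md5 command above.

```python
import hashlib
import hmac
import re
from typing import Optional

# Challenge copied from line 5 of the transcript above; user name and password
# are constructed placeholders, not real credentials.
PAGE_CHALLENGE = "<31534.1448457450@mx.freenet.de>"
DEMO_USER = "hans"
DEMO_PASSWORD = "POP3-PASSWORD"

# Known-answer vector from RFC 1939, section 7 (APOP).
RFC1939_BANNER = "+OK POP3 server ready <1896.697170952@dbc.mtview.ca.us>"
RFC1939_SECRET = "tanstaaf"
RFC1939_DIGEST = "c4c9334bac560ecc979e58001b3e22fb"

# The greeting must carry <pid.timestamp@host> for APOP to be available.
BANNER_RE = re.compile(r"^\+OK\b.*?(<[^<>\s]+@[^<>\s]+>)")


def apop_challenge(banner: str) -> Optional[str]:
    """Return the challenge from the POP3 greeting, angle brackets included,
    or None when the greeting carries none (then the server does not offer APOP)."""
    match = BANNER_RE.match(banner.strip())
    return match.group(1) if match else None


def apop_digest(challenge: str, password: str) -> str:
    """MD5 over the challenge (brackets included) immediately followed by the
    password, as 32 lowercase hex digits: the same bytes that
    echo -n "<challenge>PASSWORD" | openssl md5 hashes on the console."""
    return hashlib.md5((challenge + password).encode("utf-8")).hexdigest()


def apop_command(user: str, challenge: str, password: str) -> str:
    """Client side: the line sent instead of USER/PASS; the password itself
    never appears in it."""
    return f"APOP {user} {apop_digest(challenge, password)}"


class MiniApopServer:
    """Server-side stand-in: issues one challenge per connection and checks the
    APOP line against the stored password. APOP forces the server to keep the
    password itself (RFC 1939 calls it the shared secret); a password hash
    alone would not let it recompute the digest."""

    def __init__(self, secrets: dict, host: str = "pop.example.invalid"):
        self._secrets = secrets
        self._host = host
        self._counter = 0
        self.issued = None

    def greeting(self) -> str:
        # Real servers use <pid.timestamp@host>; a counter stands in for both
        # here so that every greeting within this process is unique.
        self._counter += 1
        self.issued = f"<{self._counter}.{1448457450 + self._counter}@{self._host}>"
        return f"+OK {self.issued}"

    def handle_apop(self, line: str) -> str:
        if self.issued is None:
            return "-ERR no challenge issued"
        parts = line.split(" ")
        if len(parts) != 3 or parts[0] != "APOP":
            return "-ERR syntax error"
        user, digest = parts[1], parts[2].lower()
        # Always compute a digest so unknown users take the same time as known ones.
        expected = apop_digest(self.issued, self._secrets.get(user, ""))
        if user in self._secrets and hmac.compare_digest(expected, digest):
            return "+OK maildrop locked and ready"
        return "-ERR permission denied"


def scripted_exchange() -> list:
    """Play client and server against each other and return the transcript."""
    server = MiniApopServer({DEMO_USER: DEMO_PASSWORD})
    lines = []
    banner = server.greeting()
    lines.append("S: " + banner)
    cmd = apop_command(DEMO_USER, apop_challenge(banner), DEMO_PASSWORD)
    lines.append("C: " + cmd)
    lines.append("S: " + server.handle_apop(cmd))
    # Second connection: the server issues a fresh challenge, so the digest
    # computed for the first greeting is no longer accepted.
    lines.append("S: " + server.greeting())
    lines.append("C: " + cmd)
    lines.append("S: " + server.handle_apop(cmd))
    return lines


if __name__ == "__main__":
    print("response for the page's challenge:",
          apop_command(DEMO_USER, PAGE_CHALLENGE, DEMO_PASSWORD))
    for line in scripted_exchange():
        print(line)
```

Because the digest is a pure function of the challenge and the password, a server must never issue the same challenge twice; scripted_exchange shows the digest computed for one greeting being rejected once a fresh greeting has been sent. The server class also makes visible what APOP demands of the server: to recompute the digest it has to keep the password in recoverable form, not merely a hash of it.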