If the server supports NTLM auth (Windows) you can obtain sensitive info (versions):
Manual
telnet example.com 143
* OK The Microsoft Exchange IMAP4 service is ready.
>> a1 AUTHENTICATE NTLM
+
>> TlRMTVNTUAABAAAAB4IIAAAAAAAAAAAAAAAAAAAAAAA=
+ TlRMTVNTUAACAAAACgAKADgAAAAFgooCBqqVKFrKPCMAAAAAAAAAAEgASABCAAAABgOAJQAAAA9JAEkAUwAwADEAAgAKAEkASQBTADAAMQABAAoASQBJAFMAMAAxAAQACgBJAEkAUwAwADEAAwAKAEkASQBTADAAMQAHAAgAHwMI0VPy1QEAAAAA
Automated
nmap --script imap-ntlm-info [target ip]
Navigation with CURL
Listing mailboxes (imap command LIST "" "*")
$ curl -k 'imaps://1.2.3.4/' --user user:pass
Listing messages in a mailbox (imap command SELECT INBOX and then SEARCH ALL)