You can scan IMAP email servers by using this tool.
Retrieves IMAP email server capabilities.
IMAP4rev1 capabilities are defined in RFC 3501. The CAPABILITY command allows a client to ask a server what commands it supports and possibly any site-specific policy.
For client requests, the default port for IMAP is port 143, but for IMAP over TLS, port 993 is specified; setting all clients and servers to use port 993 can help avoid plaintext connections. Connections on the unsecured port 143 can potentially be blocked by firewalls and other gateway systems.