How does the open-source implementation prioritize different detection methods, and why is IMAP preferred over IMAP over SSL?

The implementation first attempts the URL method, then IMAP (port 143), and finally IMAP over SSL (port 993). IMAP is preferred over SSL because SSL requires resolving the IP to a hostname via reverse DNS, which may fail in some environments (e.g., `[Errno 11004] host not found`). IMAP works without hostname resolution and still provides accurate version info. For full code, refer to the GitHub repository linked in the article Penetration Basics - Zimbra Version Detection.