draft-ietf-appsawg-rrvs-header-field-02.txt   draft-ietf-appsawg-rrvs-header-field-03.txt 
Network Working Group W. Mills Network Working Group W. Mills
Internet-Draft Yahoo! Inc. Internet-Draft Yahoo! Inc.
Intended status: Standards Track M. Kucherawy Intended status: Standards Track M. Kucherawy
Expires: May 10, 2014 Facebook, Inc. Expires: May 17, 2014 Facebook, Inc.
November 6, 2013 November 13, 2013
The "Require Recipient Valid Since" SMTP Service Extension The Require-Recipient-Valid-Since Header Field and SMTP Service
draft-ietf-appsawg-rrvs-header-field-02 Extension
draft-ietf-appsawg-rrvs-header-field-03
Abstract Abstract
This document defines an extension for the Simple Mail Transfer This document defines an extension for the Simple Mail Transfer
Protocol, called RRVS (for "Require Recipient Valid Since"), to Protocol called RRVS, and a header field called Require-Recipient-
provide a method for senders to indicate to receivers the time when Valid-Since, to provide a method for senders to indicate to receivers
the sender last confirmed the ownership of the target mailbox. This the time when the sender last confirmed the ownership of the target
can be used to detect changes of mailbox ownership, and thus prevent mailbox. This can be used to detect changes of mailbox ownership,
mail from being delivered to the wrong party. and thus prevent mail from being delivered to the wrong party.
The intended use of this facility is on automatically generated The intended use of these facilities is on automatically generated
messages that might contain sensitive information, though it may also messages that might contain sensitive information, though it may also
be useful in other applications. be useful in other applications.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 10, 2014. This Internet-Draft will expire on May 17, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Description . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Description . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.1. The 'RRVS' SMTP Extension . . . . . . . . . . . . . . . . . 4 3.1. The 'RRVS' SMTP Extension . . . . . . . . . . . . . . . . 4
4. Handling By Receivers . . . . . . . . . . . . . . . . . . . . . 4 3.2. The 'Require-Recipient-Valid-Since' Header Field . . . . . 4
4.1. SMTP Extension Offered . . . . . . . . . . . . . . . . . . 4 4. Handling By Receivers . . . . . . . . . . . . . . . . . . . . 5
4.2. SMTP Extension Not Offered . . . . . . . . . . . . . . . . 5 4.1. SMTP Extension Used . . . . . . . . . . . . . . . . . . . 5
5. Role Accounts . . . . . . . . . . . . . . . . . . . . . . . . . 5 4.1.1. Relays . . . . . . . . . . . . . . . . . . . . . . . . 5
6. Use with Mailing Lists . . . . . . . . . . . . . . . . . . . . 5 4.2. Header Field Used . . . . . . . . . . . . . . . . . . . . 6
7. Continuous Ownership . . . . . . . . . . . . . . . . . . . . . 6 5. Role Accounts . . . . . . . . . . . . . . . . . . . . . . . . 7
8. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 6. Method Conversion . . . . . . . . . . . . . . . . . . . . . . 7
8.1. SMTP Extension Example . . . . . . . . . . . . . . . . . . 6 7. Use with Mailing Lists . . . . . . . . . . . . . . . . . . . . 8
9. Security Considerations . . . . . . . . . . . . . . . . . . . . 6 8. Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . 8
9.1. Abuse Countermeasures . . . . . . . . . . . . . . . . . . . 6 9. Continuous Ownership . . . . . . . . . . . . . . . . . . . . . 9
9.2. Suggested Use Restrictions . . . . . . . . . . . . . . . . 7 10. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
10. Privacy Considerations . . . . . . . . . . . . . . . . . . . . 7 10.1. SMTP Extension Example . . . . . . . . . . . . . . . . . . 9
10.1. Probing Attacks . . . . . . . . . . . . . . . . . . . . . . 7 10.2. Header Field Example . . . . . . . . . . . . . . . . . . . 10
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 8 11. Security Considerations . . . . . . . . . . . . . . . . . . . 10
11.1. SMTP Extension Registration . . . . . . . . . . . . . . . . 8 11.1. Abuse Countermeasures . . . . . . . . . . . . . . . . . . 10
11.2. Enhanced Status Code Registration . . . . . . . . . . . . . 8 11.2. Risks with Use of Header Field . . . . . . . . . . . . . . 11
12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 8 11.3. Suggested Use Restrictions . . . . . . . . . . . . . . . . 11
12.1. Normative References . . . . . . . . . . . . . . . . . . . 8 12. Privacy Considerations . . . . . . . . . . . . . . . . . . . . 11
12.2. Informative References . . . . . . . . . . . . . . . . . . 9 12.1. Probing Attacks . . . . . . . . . . . . . . . . . . . . . 11
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 9 12.2. Envelope Recipients . . . . . . . . . . . . . . . . . . . 12
13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
13.1. SMTP Extension Registration . . . . . . . . . . . . . . . 12
13.2. Header Field Registration . . . . . . . . . . . . . . . . 12
13.3. Enhanced Status Code Registration . . . . . . . . . . . . 13
14. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13
14.1. Normative References . . . . . . . . . . . . . . . . . . . 13
14.2. Informative References . . . . . . . . . . . . . . . . . . 14
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 14
1. Introduction 1. Introduction
Email addresses sometimes get reassigned to a different person. For Email addresses sometimes get reassigned to a different person. For
example, employment changes at a company can cause an address used example, employment changes at a company can cause an address used
for an ex-employee to be assigned to a new employee, or a mail for an ex-employee to be assigned to a new employee, or a mail
service provider (MSP) might expire an account and then let someone service provider (MSP) might expire an account and then let someone
else register for the local-part that was previously used. Those who else register for the local-part that was previously used. Those who
sent mail to the previous owner of an address might not know that it sent mail to the previous owner of an address might not know that it
has been reassigned. This can lead to the sending of email to the has been reassigned. This can lead to the sending of email to the
correct address, but the wrong recipient. correct address, but the wrong recipient.
What is needed is a way to indicate an attribute of the recipient What is needed is a way to indicate an attribute of the recipient
that will distinguish between the previous owner of an address and that will distinguish between the previous owner of an address and
its current owner, if they are different. Further, this needs to be its current owner, if they are different. Further, this needs to be
done in a way that respects privacy. done in a way that respects privacy.
The mechanism specified here allows the sender of the mail to The mechanisms specified here allow the sender of the mail to
indicate how "old" the address assignment is expected to be. In indicate how "old" the address assignment is expected to be. In
effect, the sender is saying, "The person to whom I am sending to had effect, the sender is saying, "The person to whom I am sending to had
this address assigned to as far back as this date-time." A receiving this address assigned to as far back as this date-time." A receiving
system can then compare this information against the date and time system can then compare this information against the date and time
the address was assigned to its current user. If the assignment was the address was assigned to its current user. If the assignment was
made later than the date-time indicated in the message, there is a made later than the date-time indicated in the message, there is a
good chance the current user of the address is not the intended good chance the current user of the address is not the correct
recipient. The receiving system can then choose to prevent delivery recipient. The receiving system can then choose to prevent delivery
and, possibly, to notify the original sender of the problem. and, possibly, to notify the original sender of the problem.
The primary application is automatically generated messages rather The primary application is automatically generated messages rather
than user-authored content, though it may be useful in other than user-authored content, though it may be useful in other
contexts. contexts.
2. Definitions 2. Definitions
For a description of the email architecture, consult [EMAIL-ARCH]. For a description of the email architecture, consult [EMAIL-ARCH].
skipping to change at page 3, line 51 skipping to change at page 3, line 51
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [KEYWORDS]. document are to be interpreted as described in [KEYWORDS].
3. Description 3. Description
To address the problem described above, a mail sending client needs To address the problem described above, a mail sending client needs
to indicate to the server to which it is connecting that there is an to indicate to the server to which it is connecting that there is an
expectation that the destination of the message has been under expectation that the destination of the message has been under
continuous ownership since some date-time, presumably the most recent continuous ownership since some date-time, presumably the most recent
time the message author had confirmed its understanding of who owned time the message author had confirmed its understanding of who owned
that mailbox. The mechanism defined here is an extension to the that mailbox. Two mechanisms are defined here: an extension to the
Simple Mail Transfer Protocol [SMTP] for use between a client and Simple Mail Transfer Protocol [SMTP], for use between a client and
server that both implement the extension. server that both implement the extension, and a header field that can
be used when passing a message to a server that appears not to
implement this extension.
The SMTP extenion is called "RRVS" (Require Recipient Valid Since), The SMTP extenion is called "RRVS" (Require Recipient Valid Since),
and adds a parameter to the SMTP "RCPT" command that indicates the and adds a parameter to the SMTP "RCPT" command that indicates the
most recent date and time when the message author believed the most recent date and time when the message author believed the
destination mailbox to be under the continuous ownership (see destination mailbox to be under the continuous ownership (see
Section 7) of a specific party. Presumably there has been some Section 9) of a specific party. Similarly, the Require-Recipient-
confirmation process applied to establish this ownership; however, Valid-Since header field includes an intended recipient coupled with
the method of making such determinations is a local matter and a timestamp indicating the same thing. Presumably there has been
outside the scope of this document. some confirmation process applied to establish this ownership;
however, the method of making such determinations is a local matter
and outside the scope of this document.
3.1. The 'RRVS' SMTP Extension 3.1. The 'RRVS' SMTP Extension
Extensions to SMTP are described in Section 2.2 of [SMTP]. Extensions to SMTP are described in Section 2.2 of [SMTP].
The name of the extension is "RRVS", an abbreviation of "Require The name of the extension is "RRVS", an abbreviation of "Require
Recipient Valid Since". Servers implementing the SMTP extension Recipient Valid Since". Servers implementing the SMTP extension
advertise an additional EHLO keyword of "RRVS", which has no advertise an additional EHLO keyword of "RRVS", which has no
associated parameters, introduces no new SMTP verbs, and does not associated parameters, introduces no new SMTP verbs, and does not
alter the MAIL verb. alter the MAIL verb.
skipping to change at page 4, line 35 skipping to change at page 4, line 39
An MTA implementing RRVS can transmit or accept a new parameter to An MTA implementing RRVS can transmit or accept a new parameter to
the RCPT command. The new parameter is "RRVS", which takes a value the RCPT command. The new parameter is "RRVS", which takes a value
that is a timestamp expressed as a "date-time" as defiend in that is a timestamp expressed as a "date-time" as defiend in
[DATETIME], with the added restriction that a "time-secfrac" MUST NOT [DATETIME], with the added restriction that a "time-secfrac" MUST NOT
be used. Accordingly, this extension increases the maximum command be used. Accordingly, this extension increases the maximum command
length for the RCPT verb by 31 characters. length for the RCPT verb by 31 characters.
The meaning of this extension, when used, is described in The meaning of this extension, when used, is described in
Section 4.1. Section 4.1.
3.2. The 'Require-Recipient-Valid-Since' Header Field
The general constraints on syntax and placement of header fields in a
message are defined in Internet Message Format [MAIL].
Using Augmented Backus-Naur Form [ABNF], the syntax for the field is:
rrvs = "Require-Recipient-Valid-Since:" addr-spec; date-time CRLF
"CFWS" is defined in Section 3.2.2, "date-time" is defined in Section
3.3, and "addr-spec" is defined in Section 3.4.1, of [MAIL].
4. Handling By Receivers 4. Handling By Receivers
If a receiver implements the RRVS SMTP extension, then there are two If a receiver implements the RRVS SMTP extension, then there are two
possible evaluation paths: possible evaluation paths:
1. The sending client implements the extension, and so there was an 1. The sending client implements the extension, and so there was an
RRVS parameter on a RCPT TO command in the SMTP session; or RRVS parameter on a RCPT TO command in the SMTP session; or
2. The sending client does not (or elected not to) implement the 2. The sending client does not (or elected not to) implement the
extension, so the RRVS parameter was not present on the RCPT TO extension, so the RRVS parameter was not present on the RCPT TO
commands in the SMTP session. commands in the SMTP session.
4.1. SMTP Extension Offered 4.1. SMTP Extension Used
A receiving system that implements the SMTP extension declared above A receiving system that implements the SMTP extension declared above
and observes an RRVS parameter on a RCPT TO command checks whether and observes an RRVS parameter on a RCPT TO command checks whether
the current owner of the destination mailbox has held it the current owner of the destination mailbox has held it
continuously, far enough back to inclue the given date-time, and continuously, far enough back to inclue the given date-time, and
delivers it unless that check returns in the negative. Expressed as delivers it unless that check returns in the negative. Expressed as
a sequence of steps: a sequence of steps:
1. Ignore the parameter if the named mailbox is a role account as 1. Ignore the parameter if the named mailbox is a role account as
listed in Mailbox Names For Common Services, Roles And Functions listed in Mailbox Names For Common Services, Roles And Functions
[ROLES]. (See Section 5.) [ROLES]. (See Section 5.)
2. Determine if the named address is serviced for local delivery. 2. Determine if the named address is serviced for local delivery.
If so, and if that address has not been under continuous If so, and if that address, has not been under continuous
ownership since the specified timestamp, return a 550 error to ownership since the specified timestamp, return a 550 error to
the RCPT command. If the server implements Enhanced Mail System the RCPT command. (See also Section 13.3.)
Status Codes [ESC], it SHOULD use the code defined in
Section 11.2.
3. Otherwise, continue with normal delivery. 3. RECOMMENDED: If any Require-Recipient-Valid-Since header fields
are present and refer to the named address, remove them prior to
delivery or relaying. (See Section 4.2 for discussion.)
To further obscure account details on the receiving system, the 4.1.1. Relays
receiver SHOULD ignore the SMTP extension if the address specified
has had one continuous owner since it was created, regardless of the
purported confirmation date of the address. This is further
discussed in Section 9.
4.2. SMTP Extension Not Offered An MTA that does not make mailbox ownership checks, such as an MTA
positioned to do SMTP ingress at an organizational boundary, SHOULD
relay the RRVS extension parameter to the next MTA so that it can be
processed there.
For a message being sent that includes content meant to be protected An MTA could replace the envelope as a result of simple alias
by this extension, the client MUST NOT continue to deliver a message expansion, mapping one mailbox to several other mailboxes. In this
to a server where the server does not advertise the RRVS SMTP case, each of the new SMTP recipients SHOULD NOT include RRVS RRVS
extension. parameter when relaying to the new addresses.
4.2. Header Field Used
A receiving system that implements this specification, upon receiving
a message bearing a Require-Recipient-Valid-Since header field when
no corresponding RRVS SMTP extension was used, checks whether the
destination mailbox owner has held it continuously, far enough back
to include the given date-time, and delivers it unless that check
returns in the negative. Expressed as a sequence of steps:
1. Extract the set of Require-Recipient-Valid-Since fields from the
message for which no corresponding RRVS SMTP extension was used.
2. Discard any such fields that are syntactically invalid.
3. Discard any such fields that name a role account as listed in
[ROLES] (see Section 5).
4. Discard any such fields for which the "addr-spec" portion does
not match a current recipient, as listed in the RCPT TO commands
in the SMTP session.
5. Discard any such fields for which the "addr-spec" portion does
not refer to a mailbox handled for local delivery by this MTA.
6. For each field remaining, determine if the named address has been
under continuous ownership since the corresponding timestamp. If
it has not, reject the message.
7. RECOMMENDED: If local delivery is being performed, remove all
instances of this field prior to delivery to a mailbox; if the
message is being forwarded, remove those instances of this header
field that were not discarded by steps 1-4 above.
Handling proceeds normally upon completion of the above steps if
rejection has not been performed.
The final step is not mandatory as not all mail handling agents are
capable of stripping away header fields, and there are sometimes
reasons to keep the field intact such as debugging or presence of
digital signatures that might be invalidated by such a change.
If a message is to be rejected within the SMTP protocol itself
(versus generating a rejection message separately), servers
implementing this protocol SHOULD also implement the SMTP extension
described in Enhanced Mail System Status Codes [ESC] and use the
enhanced status codes described in Section 13.3 as appropriate.
Implementation by this method is expected to be transparent to non-
participants, since they would typically ignore this header field.
This header field is not normally added to a message that is
addressed to multiple recipients. The intended use of this field
involves an author seeking to protect transactional or otherwise
sensitive data intended for a single recipient, and thus generating
independent messages for each individual recipient is normal
practice. Because of the nature of SMTP, a message bearing this
header field for multiple addressees could result in a single
delivery attempt for multiple recipients (in particular, if two of
the recipients are handled by the same server), and if any one of
them fails the test, the delivery fails to all of them; it then
becomes necessary to generate a Delivery Status Notification [DSN]
message for each of the failed recipients indicating the specific
failure cause for each.
5. Role Accounts 5. Role Accounts
It is necessary not to interfere with delivery of messages to role It is necessary not to interfere with delivery of messages to role
mailboxes (see [ROLES]), but it could be useful to indicate to users mailboxes (see [ROLES]), but it could be useful to indicate to users
handling those mailboxes that a change of ownership might have taken handling those mailboxes that a change of ownership might have taken
place where such notification is possible. place where doing so is possible.
6. Use with Mailing Lists 6. Method Conversion
Use of the SMTP extension provided here is preferable over the header
field method, since the additional detail about the relationship
between the message author and its intended recipient is at best a
property of the message transaction and not part of the message
itself. The header field mechanism is defined only to enable passage
of the request between and through systems that that do not implement
the SMTP extension.
If an SMTP server receives a message from a client and both of them
use the SMTP extension described here, the server thus has "valid-
since" timestamps associated with one or more of the destination
mailboxes. If that server needs to relay the message on to another
server (thereby becoming a client), but this new server does not
advertise the SMTP extension, the client SHOULD add Require-
Recipient-Valid-Since header fields matching each mailbox to which
relaying is being done, and the corresponding valid-since timestamp
for each.
Similarly, if an SMTP server receives a message bearing one or more
Require-Recipient-Valid-Since header fields for which it must now
relay the message (thereby becoming a client) and the new server
advertises support for the SMTP extension, the client SHOULD delete
the header field(s) and instead relay this information by making use
of the SMTP extension.
7. Use with Mailing Lists
Mailing list services can store the timestamp at which a subscriber Mailing list services can store the timestamp at which a subscriber
was added to a mailing list. This specification can be used in was added to a mailing list. This specification can be used in
conjunction with that information in order to restrict traffic to the conjunction with that information in order to restrict traffic to the
original subscriber, rather than a different person now in possession original subscriber, rather than a different person now in possession
of an address under which the original subscriber registered. Upon of an address under which the original subscriber registered. Upon
receiving a rejection caused by this specification, the list service receiving a rejection caused by this specification, the list service
can remove that address from further distribution. can remove that address from further distribution.
7. Continuous Ownership A mailing list service that receives a message containing this field
removes it from the message prior to redistributing it, limiting
exposure of information regarding the relationship between the
message's author and mailing list.
8. Discussion
To further obscure account details on the receiving system, the
receiver SHOULD ignore the SMTP extension or the header field if the
address specified has had one continuous owner since it was created,
regardless of the purported confirmation date of the address. This
is further discussed in Section 11.
The presence of the intended address in the field content supports
the case where a message bearing this header field is forwarded. The
specific use case is as follows:
1. A user subscribes to a service "S" on date "D" and confirms an
email address at the user's current location, "A";
2. At some later date, the user intends to leave the current
location, and thus creates a new mailbox elsewhere, at "B";
3. The user replaces address "A" with forwarding to "B";
4. "S" constructs a message to "A" claiming that address was valid
at date "D" and sends it to "A";
5. The receiving MTA at "A" determines that the forwarding in effect
was created by the same party that owned the mailbox there, and
thus concludes the continuous ownership test has been satisfied;
6. If possible, "A" removes this header field from the message, and
in either case, forwards it to "B";
7. On receipt at "B", either the header field has been removed, or
the header field does not refer to a current envelope recipient,
and in either case delivers the message.
Some services generate messages with an RFC5322.To field that does
not contain a valid address, in order to obscure the intended
recipient. For this reason, the original intended recipient is
included in this header field.
9. Continuous Ownership
Determining continuous ownership of a mailbox is a local matter at Determining continuous ownership of a mailbox is a local matter at
the receiving site. In particular, the only possible answers to the the receiving site. In particular, the only possible answers to the
continuous-ownership-since question are "yes", "no", and "unknown"; continuous-ownership-since question are "yes", "no", and "unknown";
the action to be taken in the "unknown" case is a matter of local the action to be taken in the "unknown" case is a matter of local
policy. policy.
For example, when control of a domain name is transferred, the new For example, when control of a domain name is transferred, the new
domain owner might be unable to determine whether the owner of the domain owner might be unable to determine whether the owner of the
subject address has been under continuous ownership since the stated subject address has been under continuous ownership since the stated
date if the mailbox history is not also transferred (or was not date if the mailbox history is not also transferred (or was not
previously maintained). previously maintained).
It will also be "unknown" if whatever database contains mailbox It will also be "unknown" if whatever database contains mailbox
ownership data is temporarily unavailable at the time a message ownership data is temporarily unavailable at the time a message
arrives for delivery. In this case, typical SMTP temporary failure arrives for delivery. In this case, typical SMTP temporary failure
handling is appropriate. handling is appropriate.
8. Examples 10. Examples
In the following examples, "C:" indicates data sent by an SMTP In the following examples, "C:" indicates data sent by an SMTP
client, and "S:" indicates responses by the SMTP server. Message client, and "S:" indicates responses by the SMTP server. Message
content is CRLF terminated, though these are omitted here for ease of content is CRLF terminated, though these are omitted here for ease of
reading. reading.
8.1. SMTP Extension Example 10.1. SMTP Extension Example
C: [connection established] C: [connection established]
S: 220 server.example.com ESMTP ready S: 220 server.example.com ESMTP ready
C: EHLO client.example.net C: EHLO client.example.net
S: 250-server.example.com S: 250-server.example.com
S: 250 RRVS S: 250 RRVS
C: MAIL FROM:<sender@example.net> C: MAIL FROM:<sender@example.net>
S: 250 OK S: 250 OK
C: RCPT TO:<receiver@example.com> RRVS=2013-12-31T23:59:59 C: RCPT TO:<receiver@example.com> RRVS=1381993177
S: 550 5.7.15 receiver@example.com is no longer valid S: 550 5.7.15 receiver@example.com is no longer valid
C: QUIT C: QUIT
S: 221 So long! S: 221 So long!
9. Security Considerations 10.2. Header Field Example
9.1. Abuse Countermeasures C: [connection established]
S: 220 server.example.com ESMTP ready
C: HELO client.example.net
S: 250 server.example.com
C: MAIL FROM:<sender@example.net>
S: 250 OK
C: RCPT TO:<receiver@example.com>
S: 250 OK
C: DATA
S: 354 Ready for message content
C: From: Mister Sender <sender@example.net>
To: Miss Receiver <receiver@example.com>
Subject: Are you still there?
Date: Fri, 28 Jun 2013 18:01:01 +0200
Require-Recipient-Valid-Since: receiver@example.com;
Sat, 1 Jun 2013 09:23:01 -0700
Are you still there?
.
S: 550 5.7.15 receiver@example.com is no longer valid
C: QUIT
S: 221 So long!
If an authentication scheme is applied to claim the added header
field is valid, but the scheme fails, a receiver might reject the
message with an SMTP reply such as:
S: 550-5.7.7 Use of Require-Recipient-Valid-Since header
S: 550 field requires a valid signature
11. Security Considerations
11.1. Abuse Countermeasures
The response of a server implementing this protocol can disclose The response of a server implementing this protocol can disclose
information about the age of existing email mailbox. Implementation information about the age of existing email mailbox. Implementation
of countermeasures against probing attacks is advised. For example, of countermeasures against probing attacks is advised. For example,
an operator could track appearance of this extension with respect to an operator could track appearance of this field with respect to a
a particular mailbox and observe the timestamps being submitted for particular mailbox and observe the timestamps being submitted for
testing; if it appears a variety of timestamps is being tried against testing; if it appears a variety of timestamps is being tried against
a single mailbox in short order, the extension could be ignored and a single mailbox in short order, the field could be ignored and the
the message silently discarded. This concern is discussed further in message silently discarded. This concern is discussed further in
Section 10. Section 12.
9.2. Suggested Use Restrictions 11.2. Risks with Use of Header Field
If the mailbox named in the RCPT TO command is known to have had only MTAs might not implement the recommendation to remove the header
a single continuous owner since creation, or not to have existed at field defined here, either out of ignorance or due to error. Since
all (under any owner) prior to the time specified in the parameter, user agents often do not render all of the header fields present, the
then the field can be silently ignored and normal message handling message could be forwarded to a party that would then inadvertently
applied so that this information is not disclosed. Such parameters have the content of this header field.
are likely the product of either gross error or an attack.
A message author using this specification might restrict use of the 11.3. Suggested Use Restrictions
extension such that it is only done for recipients known also to
implement this specification, in order to reduce the possibility of If the mailbox named in the field is known to have had only a single
revealing information about the relationship between the author and continuous owner since creation, or not to have existed at all (under
the mailbox. any owner) prior to the date specified in the field, then the field
can be silently ignored and normal message handling applied so that
this information is not disclosed. Such fields are likely the
product of either gross error or an attack.
A message author using this specification might restrict inclusion of
the header field such that it is only done for recipients known also
to implement this specification, in order to reduce the possibility
of revealing information about the relationship between the author
and the mailbox.
If ownership of an entire domain is transferred, the new owner may If ownership of an entire domain is transferred, the new owner may
not know what addresses were assigned in the past by the prior owner. not know what addresses were assigned in the past by the prior owner.
Hence, no address can be known not to have had a single owner, or to Hence, no address can be known not to have had a single owner, or to
have existed (or not) at all. have existed (or not) at all.
10. Privacy Considerations 12. Privacy Considerations
10.1. Probing Attacks 12.1. Probing Attacks
As described above, use of this extension in probing attacks can As described above, use of this header field in probing attacks can
disclose information about the history of the mailbox. The harm that disclose information about the history of the mailbox. The harm that
can be done by leaking any kind of private information is difficult can be done by leaking any kind of private information is difficult
to predict, so it is prudent to be sensitive to this sort of to predict, so it is prudent to be sensitive to this sort of
disclosure, be it inadvertently or in response to probing by an disclosure, either inadvertently or in response to probing by an
attacker. It bears restating, then, that implementing attacker. It bears restating, then, that implementing
countermeasures to abuse of this capability needs strong countermeasures to abuse of this capability needs strong
consideration. consideration.
That some MSPs allow for expiration of account names when they have That some MSPs allow for expiration of account names when they have
been unused for a protracted period forces a choice between two been unused for a protracted period forces a choice between two
potential types of privacy vulnerabilities, one of which presents potential types of privacy vulnerabilities, one of which presents
significantly greater threats to users than the other. Automatically significantly greater threats to users than the other. Automatically
generated mail is often used to convey authentication credentials generated mail is often used to convey authentication credentials
that can potentially provide access to extremely sensitive that can potentially provide access to extremely sensitive
information. Supplying such credentials to the wrong party after a information. Supplying such credentials to the wrong party after a
mailbox ownership change could allow the previous owner's data to be mailbox ownership change could allow the previous owner's data to be
exposed without his or her authorization or knowledge. In contrast, exposed without his or her authorization or knowledge. In contrast,
the information that may be exposed to a third party via the proposal the information that may be exposed to a third party via the proposal
in this document is limited to information about the mailbox history. in this document is limited to information about the mailbox history.
Given that MSPs have chosen to allow transfers of mailbox ownership Given that MSPs have chosen to allow transfers of mailbox ownership
without the prior owner's involvement, the information leakage from without the prior owner's involvement, the information leakage from
the header field specified here creates far fewer risks than the the header field specified here creates far fewer risks than the
potential for delivering mail to the wrong party. potential for delivering mail to the wrong party.
11. IANA Considerations 12.2. Envelope Recipients
11.1. SMTP Extension Registration The email To and Cc header fields are not required to be populated
with addresses that match the envelope recipient set, and Cc may even
be absent. However, the algorithm in Section 3 requires that this
header field contain a match for an envelope recipient in order to be
actionable. As such, use of this specification can reveal some or
all of the original intended recipient set to any party that can see
the message in transit or upon delivery.
For a message destined to a single recipient, this is unlikely to be
a concern, which is one of the reasons use of this specification on
multi-recipient messages is discouraged.
13. IANA Considerations
13.1. SMTP Extension Registration
IANA is requested to register the SMTP extension described in IANA is requested to register the SMTP extension described in
Section 3.1. Section 3.1.
11.2. Enhanced Status Code Registration 13.2. Header Field Registration
IANA is requested to add the following entry to the Permanent Message
Header Field registry, as per the procedure found in [IANA-HEADERS]:
Header field name: Require-Recipient-Valid-Since
Applicable protocol: mail ([MAIL])
Status: Standard
Author/Change controller: IETF
Specification document(s): [this document]
Related information:
Requesting review of any proposed changes and additions to
this field is recommended.
13.3. Enhanced Status Code Registration
IANA is requested to register the following in the SMTP Enhanced IANA is requested to register the following in the SMTP Enhanced
Status Codes registry: Status Codes registry:
Code: X.7.15 Code: X.7.15
Sample Text: Mailbox owner has changed Sample Text: Mailbox owner has changed
Associated basic status code: 5 Associated basic status code: 5
Description: This status code is returned when a message is Description: This status code is returned when a message is
received with a Require-Recipient-Valid-Since received with a Require-Recipient-Valid-Since
field and the receiving system is able to field or RRVS extension and the receiving
determine that the intended recipient mailbox system is able to determine that the intended
has not been under continuous ownership since recipient mailbox has not been under
the specified date. continuous ownership since the specified date.
Reference: [this document] Reference: [this document]
Submitter: M. Kucherawy Submitter: M. Kucherawy
Change controller: IESG Change controller: IESG
12. References >
12.1. Normative References Code: X.7.16
Sample Text: Domain owner has changed
Associated basic status code: 5
Description: This status code is returned when a message is
received with a Require-Recipient-Valid-Since
field or RRVS extension and the receiving
system wishes to disclose that the owner of
the domain name of the recipient has changed
since the specified date.
Reference: [this document]
Submitter: M. Kucherawy
Change controller: IESG
[DATETIME] Klyne, G. and C. Newman, "Date and Time on the 14. References
Internet: Timestamps", RFC 3339, July 2002.
[KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate 14.1. Normative References
Requirement Levels", BCP 14, RFC 2119, March 1997.
[ROLES] Crocker, D., "Mailbox Names For Common Services, Roles [ABNF] Crocker, D., Ed. and P. Overell, "Augmented BNF for
And Functions", RFC 2142, May 1997. Syntax Specifications: ABNF", RFC 5234, January 2008.
[SMTP] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, [DATETIME] Klyne, G. and C. Newman, "Date and Time on the
October 2008. Internet: Timestamps", RFC 3339, July 2002.
12.2. Informative References [IANA-HEADERS] Klyne, G., Nottingham, M., and J. Mogul,
"Registration Procedures for Message Header Fields",
BCP 90, RFC 3864, September 2004.
[EMAIL-ARCH] Crocker, D., "Internet Mail Architecture", RFC 5598, [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
July 2009. Requirement Levels", BCP 14, RFC 2119, March 1997.
[ESC] Vaudreuil, G., "Enhanced Mail System Status Codes", [MAIL] Resnick, P., "Internet Message Format", RFC 5322,
RFC 3463, January 2003. October 2008.
[ROLES] Crocker, D., "Mailbox Names For Common Services,
Roles And Functions", RFC 2142, May 1997.
[SMTP] Klensin, J., "Simple Mail Transfer Protocol",
RFC 5321, October 2008.
14.2. Informative References
[DSN] Moore, K. and G. Vaudreuil, "An Extensible Message
Format for Delivery Status Notifications", RFC 3464,
January 2003.
[EMAIL-ARCH] Crocker, D., "Internet Mail Architecture", RFC 5598,
July 2009.
[ESC] Vaudreuil, G., "Enhanced Mail System Status Codes",
RFC 3463, January 2003.
Appendix A. Acknowledgments Appendix A. Acknowledgments
Erling Ellingsen proposed the idea. Erling Ellingsen proposed the idea.
Reviews and comments were provided by Michael Adkins, Kurt Andersen, Reviews and comments were provided by Michael Adkins, Kurt Andersen,
Alissa Cooper, Dave Cridland, Dave Crocker, Ned Freed, John Levine, Alissa Cooper, Dave Cridland, Dave Crocker, Ned Freed, John Levine,
Hector Santos, Gregg Stefancik, Ed Zayas, (others) Hector Santos, Gregg Stefancik, Ed Zayas, (others)
Authors' Addresses Authors' Addresses
 End of changes. 48 change blocks. 
111 lines changed or deleted 367 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/