--- 1/draft-ietf-appsawg-rrvs-header-field-03.txt 2013-11-20 00:14:29.658262168 -0800 +++ 2/draft-ietf-appsawg-rrvs-header-field-04.txt 2013-11-20 00:14:29.694263122 -0800 @@ -1,20 +1,20 @@ Network Working Group W. Mills Internet-Draft Yahoo! Inc. Intended status: Standards Track M. Kucherawy -Expires: May 17, 2014 Facebook, Inc. - November 13, 2013 +Expires: May 23, 2014 Facebook, Inc. + November 19, 2013 The Require-Recipient-Valid-Since Header Field and SMTP Service Extension - draft-ietf-appsawg-rrvs-header-field-03 + draft-ietf-appsawg-rrvs-header-field-04 Abstract This document defines an extension for the Simple Mail Transfer Protocol called RRVS, and a header field called Require-Recipient- Valid-Since, to provide a method for senders to indicate to receivers the time when the sender last confirmed the ownership of the target mailbox. This can be used to detect changes of mailbox ownership, and thus prevent mail from being delivered to the wrong party. @@ -30,71 +30,81 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on May 17, 2014. + This Internet-Draft will expire on May 23, 2014. Copyright Notice Copyright (c) 2013 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents - 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 - 2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 3 - 3. Description . . . . . . . . . . . . . . . . . . . . . . . . . 3 - 3.1. The 'RRVS' SMTP Extension . . . . . . . . . . . . . . . . 4 - 3.2. The 'Require-Recipient-Valid-Since' Header Field . . . . . 4 - 4. Handling By Receivers . . . . . . . . . . . . . . . . . . . . 5 - 4.1. SMTP Extension Used . . . . . . . . . . . . . . . . . . . 5 - 4.1.1. Relays . . . . . . . . . . . . . . . . . . . . . . . . 5 - 4.2. Header Field Used . . . . . . . . . . . . . . . . . . . . 6 - 5. Role Accounts . . . . . . . . . . . . . . . . . . . . . . . . 7 - 6. Method Conversion . . . . . . . . . . . . . . . . . . . . . . 7 - 7. Use with Mailing Lists . . . . . . . . . . . . . . . . . . . . 8 - 8. Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . 8 - 9. Continuous Ownership . . . . . . . . . . . . . . . . . . . . . 9 - 10. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 - 10.1. SMTP Extension Example . . . . . . . . . . . . . . . . . . 9 - 10.2. Header Field Example . . . . . . . . . . . . . . . . . . . 10 - 11. Security Considerations . . . . . . . . . . . . . . . . . . . 10 - 11.1. Abuse Countermeasures . . . . . . . . . . . . . . . . . . 10 - 11.2. Risks with Use of Header Field . . . . . . . . . . . . . . 11 - 11.3. Suggested Use Restrictions . . . . . . . . . . . . . . . . 11 - 12. Privacy Considerations . . . . . . . . . . . . . . . . . . . . 11 - 12.1. Probing Attacks . . . . . . . . . . . . . . . . . . . . . 11 - 12.2. Envelope Recipients . . . . . . . . . . . . . . . . . . . 12 - 13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 - 13.1. SMTP Extension Registration . . . . . . . . . . . . . . . 12 - 13.2. Header Field Registration . . . . . . . . . . . . . . . . 12 - 13.3. Enhanced Status Code Registration . . . . . . . . . . . . 13 - 14. References . . . . . . . . . . . . . . . . . . . . . . . . . . 13 - 14.1. Normative References . . . . . . . . . . . . . . . . . . . 13 - 14.2. Informative References . . . . . . . . . . . . . . . . . . 14 - Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 14 + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 + 2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 4 + 3. Description . . . . . . . . . . . . . . . . . . . . . . . . . 4 + 3.1. The 'RRVS' SMTP Extension . . . . . . . . . . . . . . . . 5 + 3.2. The 'Require-Recipient-Valid-Since' Header Field . . . . . 5 + 4. Use By Generators . . . . . . . . . . . . . . . . . . . . . . 6 + 5. Handling By Receivers . . . . . . . . . . . . . . . . . . . . 6 + 5.1. SMTP Extension Used . . . . . . . . . . . . . . . . . . . 6 + 5.1.1. Relays . . . . . . . . . . . . . . . . . . . . . . . . 7 + 5.2. Header Field Used . . . . . . . . . . . . . . . . . . . . 7 + 6. Role Accounts . . . . . . . . . . . . . . . . . . . . . . . . 8 + 7. Relaying Without RRVS Support . . . . . . . . . . . . . . . . 8 + 7.1. Header Field Conversion . . . . . . . . . . . . . . . . . 9 + 8. Header Field with Multiple Recipients . . . . . . . . . . . . 9 + 9. Special Use Addresses . . . . . . . . . . . . . . . . . . . . 10 + 9.1. Mailing Lists . . . . . . . . . . . . . . . . . . . . . . 10 + 9.2. Single-Recipient Alaises . . . . . . . . . . . . . . . . . 10 + 9.3. Multiple-Recipient Aliases . . . . . . . . . . . . . . . . 11 + 9.4. Confidential Forwarding Addresses . . . . . . . . . . . . 11 + 9.5. Suggested Mailing List Enhancements . . . . . . . . . . . 11 + 10. Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . 12 + 11. Continuous Ownership . . . . . . . . . . . . . . . . . . . . . 12 + 12. Authentication-Results Definitions . . . . . . . . . . . . . . 13 + 13. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 + 13.1. SMTP Extension Example . . . . . . . . . . . . . . . . . . 14 + 13.2. Header Field Example . . . . . . . . . . . . . . . . . . . 14 + 14. Security Considerations . . . . . . . . . . . . . . . . . . . 15 + 14.1. Abuse Countermeasures . . . . . . . . . . . . . . . . . . 15 + 14.2. Suggested Use Restrictions . . . . . . . . . . . . . . . . 15 + 15. Privacy Considerations . . . . . . . . . . . . . . . . . . . . 15 + 15.1. Probing Attacks . . . . . . . . . . . . . . . . . . . . . 15 + 15.2. Envelope Recipients . . . . . . . . . . . . . . . . . . . 16 + 15.3. Risks with Use of Header Field . . . . . . . . . . . . . . 16 + 16. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 + 16.1. SMTP Extension Registration . . . . . . . . . . . . . . . 17 + 16.2. Header Field Registration . . . . . . . . . . . . . . . . 17 + 16.3. Enhanced Status Code Registration . . . . . . . . . . . . 17 + 16.4. Authentication Results Registration . . . . . . . . . . . 18 + 17. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19 + 17.1. Normative References . . . . . . . . . . . . . . . . . . . 19 + 17.2. Informative References . . . . . . . . . . . . . . . . . . 19 + Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 19 1. Introduction Email addresses sometimes get reassigned to a different person. For example, employment changes at a company can cause an address used for an ex-employee to be assigned to a new employee, or a mail service provider (MSP) might expire an account and then let someone else register for the local-part that was previously used. Those who sent mail to the previous owner of an address might not know that it has been reassigned. This can lead to the sending of email to the @@ -138,21 +148,21 @@ that mailbox. Two mechanisms are defined here: an extension to the Simple Mail Transfer Protocol [SMTP], for use between a client and server that both implement the extension, and a header field that can be used when passing a message to a server that appears not to implement this extension. The SMTP extenion is called "RRVS" (Require Recipient Valid Since), and adds a parameter to the SMTP "RCPT" command that indicates the most recent date and time when the message author believed the destination mailbox to be under the continuous ownership (see - Section 9) of a specific party. Similarly, the Require-Recipient- + Section 11) of a specific party. Similarly, the Require-Recipient- Valid-Since header field includes an intended recipient coupled with a timestamp indicating the same thing. Presumably there has been some confirmation process applied to establish this ownership; however, the method of making such determinations is a local matter and outside the scope of this document. 3.1. The 'RRVS' SMTP Extension Extensions to SMTP are described in Section 2.2 of [SMTP]. @@ -163,96 +173,115 @@ alter the MAIL verb. An MTA implementing RRVS can transmit or accept a new parameter to the RCPT command. The new parameter is "RRVS", which takes a value that is a timestamp expressed as a "date-time" as defiend in [DATETIME], with the added restriction that a "time-secfrac" MUST NOT be used. Accordingly, this extension increases the maximum command length for the RCPT verb by 31 characters. The meaning of this extension, when used, is described in - Section 4.1. + Section 5.1. 3.2. The 'Require-Recipient-Valid-Since' Header Field The general constraints on syntax and placement of header fields in a message are defined in Internet Message Format [MAIL]. Using Augmented Backus-Naur Form [ABNF], the syntax for the field is: rrvs = "Require-Recipient-Valid-Since:" addr-spec; date-time CRLF "CFWS" is defined in Section 3.2.2, "date-time" is defined in Section 3.3, and "addr-spec" is defined in Section 3.4.1, of [MAIL]. -4. Handling By Receivers +4. Use By Generators + + When a message is generated whose content is sufficiently sensitive + that an author or author's Administrative Management Domain (ADMD; + see [EMAIL-ARCH]) wishes to protect against misdelivery using this + protocol, it determines for each recipient mailbox on the message a + timestamp at which it last confirmed ownership of that mailbox. It + then applies either the SMTP extension or the header field defined + above when sending the message to its destination. + + Use of the SMTP extension provided here is preferable over the header + field method, since the additional detail about the relationship + between the message author and its intended recipient is at best a + property of the message transaction and not part of the message + itself. Further, SMTP parameters are not typically recorded in the + message upon delivery, so detail about the relationship between the + author or author's ADMD and the intended recipient are not recorded. + + The header field mechanism is defined only to enable passage of the + request between and through systems that that do not implement the + SMTP extension. + +5. Handling By Receivers If a receiver implements the RRVS SMTP extension, then there are two possible evaluation paths: 1. The sending client implements the extension, and so there was an RRVS parameter on a RCPT TO command in the SMTP session; or 2. The sending client does not (or elected not to) implement the extension, so the RRVS parameter was not present on the RCPT TO commands in the SMTP session. -4.1. SMTP Extension Used +5.1. SMTP Extension Used A receiving system that implements the SMTP extension declared above and observes an RRVS parameter on a RCPT TO command checks whether the current owner of the destination mailbox has held it continuously, far enough back to inclue the given date-time, and delivers it unless that check returns in the negative. Expressed as a sequence of steps: 1. Ignore the parameter if the named mailbox is a role account as listed in Mailbox Names For Common Services, Roles And Functions - [ROLES]. (See Section 5.) + [ROLES]. (See Section 6.) 2. Determine if the named address is serviced for local delivery. If so, and if that address, has not been under continuous ownership since the specified timestamp, return a 550 error to - the RCPT command. (See also Section 13.3.) + the RCPT command. (See also Section 16.3.) 3. RECOMMENDED: If any Require-Recipient-Valid-Since header fields are present and refer to the named address, remove them prior to - delivery or relaying. (See Section 4.2 for discussion.) + delivery or relaying. (See Section 5.2 for discussion.) -4.1.1. Relays +5.1.1. Relays An MTA that does not make mailbox ownership checks, such as an MTA positioned to do SMTP ingress at an organizational boundary, SHOULD relay the RRVS extension parameter to the next MTA so that it can be processed there. - An MTA could replace the envelope as a result of simple alias - expansion, mapping one mailbox to several other mailboxes. In this - case, each of the new SMTP recipients SHOULD NOT include RRVS RRVS - parameter when relaying to the new addresses. + See Section 9.2 for additional discussion. -4.2. Header Field Used +5.2. Header Field Used A receiving system that implements this specification, upon receiving a message bearing a Require-Recipient-Valid-Since header field when no corresponding RRVS SMTP extension was used, checks whether the destination mailbox owner has held it continuously, far enough back to include the given date-time, and delivers it unless that check returns in the negative. Expressed as a sequence of steps: 1. Extract the set of Require-Recipient-Valid-Since fields from the message for which no corresponding RRVS SMTP extension was used. 2. Discard any such fields that are syntactically invalid. 3. Discard any such fields that name a role account as listed in - [ROLES] (see Section 5). + [ROLES] (see Section 6). 4. Discard any such fields for which the "addr-spec" portion does not match a current recipient, as listed in the RCPT TO commands in the SMTP session. 5. Discard any such fields for which the "addr-spec" portion does not refer to a mailbox handled for local delivery by this MTA. 6. For each field remaining, determine if the named address has been under continuous ownership since the corresponding timestamp. If @@ -268,95 +297,202 @@ The final step is not mandatory as not all mail handling agents are capable of stripping away header fields, and there are sometimes reasons to keep the field intact such as debugging or presence of digital signatures that might be invalidated by such a change. If a message is to be rejected within the SMTP protocol itself (versus generating a rejection message separately), servers implementing this protocol SHOULD also implement the SMTP extension described in Enhanced Mail System Status Codes [ESC] and use the - enhanced status codes described in Section 13.3 as appropriate. + enhanced status codes described in Section 16.3 as appropriate. Implementation by this method is expected to be transparent to non- participants, since they would typically ignore this header field. This header field is not normally added to a message that is addressed to multiple recipients. The intended use of this field involves an author seeking to protect transactional or otherwise sensitive data intended for a single recipient, and thus generating independent messages for each individual recipient is normal - practice. Because of the nature of SMTP, a message bearing this - header field for multiple addressees could result in a single - delivery attempt for multiple recipients (in particular, if two of - the recipients are handled by the same server), and if any one of - them fails the test, the delivery fails to all of them; it then - becomes necessary to generate a Delivery Status Notification [DSN] - message for each of the failed recipients indicating the specific - failure cause for each. + practice. See Section 8 for further discussion. -5. Role Accounts +6. Role Accounts It is necessary not to interfere with delivery of messages to role mailboxes (see [ROLES]), but it could be useful to indicate to users handling those mailboxes that a change of ownership might have taken place where doing so is possible. -6. Method Conversion +7. Relaying Without RRVS Support - Use of the SMTP extension provided here is preferable over the header - field method, since the additional detail about the relationship - between the message author and its intended recipient is at best a - property of the message transaction and not part of the message - itself. The header field mechanism is defined only to enable passage - of the request between and through systems that that do not implement - the SMTP extension. + When a message is received using the SMTP extension defined here but + will not be delivered locally (that is, it needs to be relayed + further), the MTA to which the relay will take place might not be + compliant with this specification. Where the MTA in possession of + the message observes it is going to relay the message to an MTA that + does not advertise this extension, it needs to choose one of the + following actions: - If an SMTP server receives a message from a client and both of them - use the SMTP extension described here, the server thus has "valid- - since" timestamps associated with one or more of the destination - mailboxes. If that server needs to relay the message on to another - server (thereby becoming a client), but this new server does not - advertise the SMTP extension, the client SHOULD add Require- - Recipient-Valid-Since header fields matching each mailbox to which - relaying is being done, and the corresponding valid-since timestamp - for each. + 1. Decline to relay the message further, preferably generating a + Delivery Status Notification [DSN] to indicate failure + (RECOMMENDED); - Similarly, if an SMTP server receives a message bearing one or more - Require-Recipient-Valid-Since header fields for which it must now - relay the message (thereby becoming a client) and the new server - advertises support for the SMTP extension, the client SHOULD delete - the header field(s) and instead relay this information by making use - of the SMTP extension. + 2. Downgrade the data thus provided in the SMTP extension to a + header field, as described in Section 7.1 below (RECOMMENDED when + the previous option is not available); or -7. Use with Mailing Lists + 3. Silently continue with delivery, dropping the protection offered + by this protocol. - Mailing list services can store the timestamp at which a subscriber - was added to a mailing list. This specification can be used in - conjunction with that information in order to restrict traffic to the - original subscriber, rather than a different person now in possession - of an address under which the original subscriber registered. Upon - receiving a rejection caused by this specification, the list service - can remove that address from further distribution. + Using other than the first option needs to be avoided unless there is + specific knowledge that further relaying with the degraded + protections thus provided does not introduce undue risk. - A mailing list service that receives a message containing this field - removes it from the message prior to redistributing it, limiting - exposure of information regarding the relationship between the - message's author and mailing list. +7.1. Header Field Conversion -8. Discussion + If an SMTP server ("B") that has received mailbox timestamps from a + client ("A") using this extension but then needs to relay the + corresponding message on to another server ("C") (thereby becoming a + client), but "C" does not advertise the SMTP extension and "B" elects + not to reject the message, "B" SHOULD add Require-Recipient-Valid- + Since header fields matching each mailbox to which relaying is being + done, and the corresponding valid-since timestamp for each. + + Similarly, if "B" receives a message bearing one or more Require- + Recipient-Valid-Since header fields from "A" for which it must now + relay the message, and "C" advertises support for the SMTP extension, + "B" SHOULD delete the header field(s) and instead relay this + information by making use of the SMTP extension. + +8. Header Field with Multiple Recipients + + Numerous issues arise when using the header field form of this + extension, particularly when multiple recipients are specified for a + single message resulting in one multiple fields each with a distinct + address and timestamp. + + Because of the nature of SMTP, a message bearing a multiplicity of + Require-Recipient-Valid-Since header fields could result in a single + delivery attempt for multiple recipients (in particular, if two of + the recipients are handled by the same server), and if any one of + them fails the test, the delivery fails to all of them; it then + becomes necessary to do one of the following: + + o reject the message on completion of the DATA phase of the SMTP + session, which is a rejection of delivery to all recipients; or + + o accept the message on completion of DATA, and then generate a + Delivery Status Notification [DSN] message for each of the failed + recipients + + Additional complexity arises when a message is sent to two + recipients, "A" and "B", presumably with different timestamps, both + of which are then redirected to a common address "C". The author is + not necessarily aware of the current or past ownership of mailbox + "C", or indeed that "A" and/or "B" have been redirected. This might + result in either or both of the two deliveries failing at "C", which + is likely to confuse the message author, who (as far as the author is + aware) never sent a message to "C" in the first place. + +9. Special Use Addresses + + In [DSN-SMTP], an SMTP extension was defined to allow SMTP clients to + request generation of DSNs, and related information to allow such + reports to be maximally useful. Section 5.2.7 of that document + explored the issue of the use of that extension where the recipient + is a mailing list. This extension has similar concerns which are + covered here following that document as a model. + +9.1. Mailing Lists + + Delivery to a mailing list service is considered a final delivery. + Where this protocol is in use, it is evaluated as per any normal + delivery: If the same mailing list has been operating in place of the + specified recipient mailbox since at least the timestamp given as the + RRVS parameter, the message is delivered to the list service + normally, and is otherwise not delivered. However, the MTA passing + the message to the list service does not convey the RRVS parameter in + either form (SMTP extension or header field) to the list service. + The emission of a message from the list service to its subscribers + constitutes a new message not covered by the previous transaction. + +9.2. Single-Recipient Alaises + + Upon delivery of an RRVS-protected message to an alias (acting in + place of a mailbox) that results in relaying of the message to a + single other destination, the usual RRVS check is performed. The + continuous ownership test here might succeed if a conventional user + inbox was replaced with an alias on behalf of that same user, and + this information is recorded someplace. If the message is thus + accepted, the relaying MTA can choose to do one of the following: + + 1. Do not include an RRVS parameter or header field when relaying to + the new address. (RECOMMENDED) + + 2. If, however, the relaying system knows the time when the alias + was established, it MAY add an RRVS parameter for the new target + address that includes that time. + + 3. If a confirmation of the new destination was done, it MAY add an + RRVS parameter for the new target address that includes that + time. + + There is risk and additional administrative burden associated with + all but the first option in that list which are believed to make them + not worth pursuing. + +9.3. Multiple-Recipient Aliases + + Upon delivery of an RRVS-protected message to an alias (acting in + place of a mailbox) that results in relaying of the message to + multiple other destinations, the usual RRVS check is performed as in + Section 9.2. The MTA expanding such an alias then decides which of + the options enumerated in that section is to be applied for each new + recipient. + +9.4. Confidential Forwarding Addresses + + In the above cases, the original author could receive message + rejections, such as DSNs, from the ultimate destination, where the + RRVS check (or indeed, any other) fails and rejection is warranted. + This can reveal the existence of a forwarding relationship between + the original intended recipient and the actual final recipient. + + Where this is a concern, the initial delivery attempt is to be + treated like a mailing list delivery, with RRVS evaluation done and + then all RRVS information removed from the message prior to relaying + it to its true destination. + +9.5. Suggested Mailing List Enhancements + + Mailing list services could store the timestamp at which a subscriber + was added to a mailing list. This specification could then be used + in conjunction with that information in order to restrict list + traffic to the original subscriber, rather than a different person + now in possession of an address under which the original subscriber + was added to the list. Upon receiving a rejection caused by this + specification, the list service can remove that address from further + distribution. + + A mailing list service that receives a message containing the header + field defined here needs to remove it from the message prior to + redistributing it, limiting exposure of information regarding the + relationship between the message's author and the mailing list. + +10. Discussion To further obscure account details on the receiving system, the receiver SHOULD ignore the SMTP extension or the header field if the address specified has had one continuous owner since it was created, regardless of the purported confirmation date of the address. This - is further discussed in Section 11. + is further discussed in Section 14. The presence of the intended address in the field content supports the case where a message bearing this header field is forwarded. The specific use case is as follows: 1. A user subscribes to a service "S" on date "D" and confirms an email address at the user's current location, "A"; 2. At some later date, the user intends to leave the current location, and thus creates a new mailbox elsewhere, at "B"; @@ -370,66 +506,101 @@ was created by the same party that owned the mailbox there, and thus concludes the continuous ownership test has been satisfied; 6. If possible, "A" removes this header field from the message, and in either case, forwards it to "B"; 7. On receipt at "B", either the header field has been removed, or the header field does not refer to a current envelope recipient, and in either case delivers the message. - Some services generate messages with an RFC5322.To field that does - not contain a valid address, in order to obscure the intended - recipient. For this reason, the original intended recipient is - included in this header field. + SMTP has never required any correspondence between addresses in the + RFC5321.MailFrom and RFC5321.RcptTo parameters and header fields of a + message, which is why the header field defined here contains the + recipient address to which the timestamp applies. -9. Continuous Ownership +11. Continuous Ownership Determining continuous ownership of a mailbox is a local matter at the receiving site. In particular, the only possible answers to the continuous-ownership-since question are "yes", "no", and "unknown"; the action to be taken in the "unknown" case is a matter of local policy. For example, when control of a domain name is transferred, the new domain owner might be unable to determine whether the owner of the subject address has been under continuous ownership since the stated date if the mailbox history is not also transferred (or was not previously maintained). It will also be "unknown" if whatever database contains mailbox ownership data is temporarily unavailable at the time a message arrives for delivery. In this case, typical SMTP temporary failure handling is appropriate. -10. Examples +12. Authentication-Results Definitions + + [AUTHRES] defines a mechanism for indicating, via a header field, the + results of message authentication checks. Section 16 registers RRVS + as a new method that can be reported in this way, and corresponding + result names. The possible result names and their meanings are as + follows: + + none: The message had no recipient mailbox timestamp associated with + it, either via the SMTP extension or header field method; this + protocol was not in use. + + unknown: At least one form of this protocol was in use, but + continuous ownership of the recipient mailbox could not be + determined. + + temperror: At least one form of this protocol was in use, but some + kind of error occurred during evaluation that was transient in + nature; a later retry will likely produce a final result. + + permerror: At least one form of this protocol was in use, but some + kind of error occurred during evaluation that was not recoverable; + a later retry will not likely produce a final result. + + pass: At least one form of this protocol was in use, and the + destination mailbox was confirmed to have been under constant + ownership since the timestamp thus provided. + + fail: At least one form of this protocol was in use, and the + destination mailbox was confirmed not to have been under constant + ownership since the timestamp thus provided. + + Where multiple recipients are present on a message, multiple results + can be reported using the mechanism described in [AUTHRES]. + +13. Examples In the following examples, "C:" indicates data sent by an SMTP client, and "S:" indicates responses by the SMTP server. Message content is CRLF terminated, though these are omitted here for ease of reading. -10.1. SMTP Extension Example +13.1. SMTP Extension Example C: [connection established] S: 220 server.example.com ESMTP ready C: EHLO client.example.net S: 250-server.example.com S: 250 RRVS C: MAIL FROM: S: 250 OK C: RCPT TO: RRVS=1381993177 S: 550 5.7.15 receiver@example.com is no longer valid C: QUIT S: 221 So long! -10.2. Header Field Example +13.2. Header Field Example C: [connection established] S: 220 server.example.com ESMTP ready C: HELO client.example.net S: 250 server.example.com C: MAIL FROM: S: 250 OK C: RCPT TO: S: 250 OK C: DATA @@ -447,162 +618,190 @@ C: QUIT S: 221 So long! If an authentication scheme is applied to claim the added header field is valid, but the scheme fails, a receiver might reject the message with an SMTP reply such as: S: 550-5.7.7 Use of Require-Recipient-Valid-Since header S: 550 field requires a valid signature -11. Security Considerations +14. Security Considerations -11.1. Abuse Countermeasures +14.1. Abuse Countermeasures The response of a server implementing this protocol can disclose information about the age of existing email mailbox. Implementation of countermeasures against probing attacks is advised. For example, an operator could track appearance of this field with respect to a particular mailbox and observe the timestamps being submitted for testing; if it appears a variety of timestamps is being tried against a single mailbox in short order, the field could be ignored and the message silently discarded. This concern is discussed further in - Section 12. - -11.2. Risks with Use of Header Field - - MTAs might not implement the recommendation to remove the header - field defined here, either out of ignorance or due to error. Since - user agents often do not render all of the header fields present, the - message could be forwarded to a party that would then inadvertently - have the content of this header field. + Section 15. -11.3. Suggested Use Restrictions +14.2. Suggested Use Restrictions If the mailbox named in the field is known to have had only a single continuous owner since creation, or not to have existed at all (under any owner) prior to the date specified in the field, then the field can be silently ignored and normal message handling applied so that this information is not disclosed. Such fields are likely the product of either gross error or an attack. A message author using this specification might restrict inclusion of the header field such that it is only done for recipients known also to implement this specification, in order to reduce the possibility of revealing information about the relationship between the author and the mailbox. If ownership of an entire domain is transferred, the new owner may not know what addresses were assigned in the past by the prior owner. Hence, no address can be known not to have had a single owner, or to have existed (or not) at all. -12. Privacy Considerations +15. Privacy Considerations -12.1. Probing Attacks +15.1. Probing Attacks - As described above, use of this header field in probing attacks can - disclose information about the history of the mailbox. The harm that - can be done by leaking any kind of private information is difficult - to predict, so it is prudent to be sensitive to this sort of - disclosure, either inadvertently or in response to probing by an - attacker. It bears restating, then, that implementing + As described above, use of this extension or header field in probing + attacks can disclose information about the history of the mailbox. + The harm that can be done by leaking any kind of private information + is difficult to predict, so it is prudent to be sensitive to this + sort of disclosure, either inadvertently or in response to probing by + an attacker. It bears restating, then, that implementing countermeasures to abuse of this capability needs strong consideration. That some MSPs allow for expiration of account names when they have been unused for a protracted period forces a choice between two potential types of privacy vulnerabilities, one of which presents significantly greater threats to users than the other. Automatically generated mail is often used to convey authentication credentials that can potentially provide access to extremely sensitive information. Supplying such credentials to the wrong party after a mailbox ownership change could allow the previous owner's data to be exposed without his or her authorization or knowledge. In contrast, the information that may be exposed to a third party via the proposal in this document is limited to information about the mailbox history. Given that MSPs have chosen to allow transfers of mailbox ownership without the prior owner's involvement, the information leakage from - the header field specified here creates far fewer risks than the + the extensions specified here creates far fewer risks than the potential for delivering mail to the wrong party. -12.2. Envelope Recipients +15.2. Envelope Recipients The email To and Cc header fields are not required to be populated with addresses that match the envelope recipient set, and Cc may even be absent. However, the algorithm in Section 3 requires that this header field contain a match for an envelope recipient in order to be actionable. As such, use of this specification can reveal some or all of the original intended recipient set to any party that can see the message in transit or upon delivery. For a message destined to a single recipient, this is unlikely to be a concern, which is one of the reasons use of this specification on multi-recipient messages is discouraged. -13. IANA Considerations +15.3. Risks with Use of Header Field -13.1. SMTP Extension Registration + MTAs might not implement the recommendation to remove the header + field defined here, either out of ignorance or due to error. Since + user agents often do not render all of the header fields present, the + message could be forwarded to another party that would then + inadvertently have the content of this header field. - IANA is requested to register the SMTP extension described in - Section 3.1. +16. IANA Considerations +16.1. SMTP Extension Registration -13.2. Header Field Registration + Section 2.2.2 of [MAIL] sets out the procedure for registering a new + SMTP extension. IANA is requested to register the SMTP extension + using the details provided in Section 3.1 of this document. + +16.2. Header Field Registration IANA is requested to add the following entry to the Permanent Message Header Field registry, as per the procedure found in [IANA-HEADERS]: Header field name: Require-Recipient-Valid-Since Applicable protocol: mail ([MAIL]) Status: Standard Author/Change controller: IETF Specification document(s): [this document] Related information: Requesting review of any proposed changes and additions to this field is recommended. -13.3. Enhanced Status Code Registration +16.3. Enhanced Status Code Registration IANA is requested to register the following in the SMTP Enhanced Status Codes registry: Code: X.7.15 Sample Text: Mailbox owner has changed Associated basic status code: 5 Description: This status code is returned when a message is received with a Require-Recipient-Valid-Since field or RRVS extension and the receiving system is able to determine that the intended recipient mailbox has not been under continuous ownership since the specified date. Reference: [this document] Submitter: M. Kucherawy Change controller: IESG - - > - Code: X.7.16 Sample Text: Domain owner has changed Associated basic status code: 5 Description: This status code is returned when a message is received with a Require-Recipient-Valid-Since field or RRVS extension and the receiving system wishes to disclose that the owner of the domain name of the recipient has changed since the specified date. Reference: [this document] Submitter: M. Kucherawy Change controller: IESG -14. References +16.4. Authentication Results Registration -14.1. Normative References + IANA is requested to register the following in the "Email + Authentication Methods" Registry: + + Method: rrvs + + Specifying Document: [this document] + + ptype: smtp + + Property: rcptto + + Value: envelope recipient + + Status: active + + Version: 1 + + IANA is also requested to register the following in the "Email + Authentication Result Names" Registry: + + Codes: none, unknown, temperror, permerror, pass, fail + + Defined: [this document] + + Auth Method(s): rrvs + + Meaning: Section 12 of [this document] + + Status: active + +17. References +17.1. Normative References [ABNF] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", RFC 5234, January 2008. [DATETIME] Klyne, G. and C. Newman, "Date and Time on the Internet: Timestamps", RFC 3339, July 2002. [IANA-HEADERS] Klyne, G., Nottingham, M., and J. Mogul, "Registration Procedures for Message Header Fields", BCP 90, RFC 3864, September 2004. @@ -612,39 +811,47 @@ [MAIL] Resnick, P., "Internet Message Format", RFC 5322, October 2008. [ROLES] Crocker, D., "Mailbox Names For Common Services, Roles And Functions", RFC 2142, May 1997. [SMTP] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, October 2008. -14.2. Informative References +17.2. Informative References + + [AUTHRES] Kucherawy, M., "Message Header Field for Indicating + Message Authentication Status", RFC 7001, + September 2013. [DSN] Moore, K. and G. Vaudreuil, "An Extensible Message Format for Delivery Status Notifications", RFC 3464, January 2003. + [DSN-SMTP] Moore, K., "Simple Mail Transfer Protocol (SMTP) + Service Extension for Delivery Status Notifications + (DSNs)", RFC 3461, January 2003. + [EMAIL-ARCH] Crocker, D., "Internet Mail Architecture", RFC 5598, July 2009. [ESC] Vaudreuil, G., "Enhanced Mail System Status Codes", RFC 3463, January 2003. Appendix A. Acknowledgments Erling Ellingsen proposed the idea. Reviews and comments were provided by Michael Adkins, Kurt Andersen, Alissa Cooper, Dave Cridland, Dave Crocker, Ned Freed, John Levine, - Hector Santos, Gregg Stefancik, Ed Zayas, (others) + Alexey Melnikov, Hector Santos, Gregg Stefancik, Ed Zayas, (others) Authors' Addresses William J. Mills Yahoo! Inc. EMail: wmills_92105@yahoo.com Murray S. Kucherawy Facebook, Inc.