draft-ietf-appsawg-rrvs-header-field-05.txt   draft-ietf-appsawg-rrvs-header-field-06.txt 
Network Working Group W. Mills Network Working Group W. Mills
Internet-Draft Yahoo! Inc. Internet-Draft Yahoo! Inc.
Intended status: Standards Track M. Kucherawy Intended status: Standards Track M. Kucherawy
Expires: June 14, 2014 Facebook, Inc. Expires: July 14, 2014 Facebook, Inc.
December 11, 2013 January 10, 2014
The Require-Recipient-Valid-Since Header Field and SMTP Service The Require-Recipient-Valid-Since Header Field and SMTP Service
Extension Extension
draft-ietf-appsawg-rrvs-header-field-05 draft-ietf-appsawg-rrvs-header-field-06
Abstract Abstract
This document defines an extension for the Simple Mail Transfer This document defines an extension for the Simple Mail Transfer
Protocol called RRVS, and a header field called Require-Recipient- Protocol called RRVS, and a header field called Require-Recipient-
Valid-Since, to provide a method for senders to indicate to receivers Valid-Since, to provide a method for senders to indicate to receivers
the time when the sender last confirmed the ownership of the target the time when the sender last confirmed the ownership of the target
mailbox. This can be used to detect changes of mailbox ownership, mailbox. This can be used to detect changes of mailbox ownership,
and thus prevent mail from being delivered to the wrong party. and thus prevent mail from being delivered to the wrong party.
skipping to change at page 1, line 41 skipping to change at page 1, line 41
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 14, 2014. This Internet-Draft will expire on July 14, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 3, line 14 skipping to change at page 3, line 14
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Description . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Description . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.1. The 'RRVS' SMTP Extension . . . . . . . . . . . . . . . . 5 3.1. The 'RRVS' SMTP Extension . . . . . . . . . . . . . . . . 5
3.2. The 'Require-Recipient-Valid-Since' Header Field . . . . . 5 3.2. The 'Require-Recipient-Valid-Since' Header Field . . . . . 5
4. Use By Generators . . . . . . . . . . . . . . . . . . . . . . 6 4. Use By Generators . . . . . . . . . . . . . . . . . . . . . . 6
5. Handling By Receivers . . . . . . . . . . . . . . . . . . . . 6 5. Handling By Receivers . . . . . . . . . . . . . . . . . . . . 6
5.1. SMTP Extension Used . . . . . . . . . . . . . . . . . . . 6 5.1. SMTP Extension Used . . . . . . . . . . . . . . . . . . . 7
5.1.1. Relays . . . . . . . . . . . . . . . . . . . . . . . . 7 5.1.1. Relays . . . . . . . . . . . . . . . . . . . . . . . . 7
5.2. Header Field Used . . . . . . . . . . . . . . . . . . . . 7 5.2. Header Field Used . . . . . . . . . . . . . . . . . . . . 7
6. Role Accounts . . . . . . . . . . . . . . . . . . . . . . . . 8 5.2.1. Design Choices . . . . . . . . . . . . . . . . . . . . 9
7. Relaying Without RRVS Support . . . . . . . . . . . . . . . . 8 6. Role Accounts . . . . . . . . . . . . . . . . . . . . . . . . 9
7.1. Header Field Conversion . . . . . . . . . . . . . . . . . 9 7. Relaying Without RRVS Support . . . . . . . . . . . . . . . . 9
8. Header Field with Multiple Recipients . . . . . . . . . . . . 9 7.1. Header Field Conversion . . . . . . . . . . . . . . . . . 10
9. Special Use Addresses . . . . . . . . . . . . . . . . . . . . 10 8. Header Field with Multiple Recipients . . . . . . . . . . . . 10
9.1. Mailing Lists . . . . . . . . . . . . . . . . . . . . . . 10 9. Special Use Addresses . . . . . . . . . . . . . . . . . . . . 11
9.2. Single-Recipient Alaises . . . . . . . . . . . . . . . . . 10 9.1. Mailing Lists . . . . . . . . . . . . . . . . . . . . . . 11
9.3. Multiple-Recipient Aliases . . . . . . . . . . . . . . . . 11 9.2. Single-Recipient Aliases . . . . . . . . . . . . . . . . . 11
9.4. Confidential Forwarding Addresses . . . . . . . . . . . . 11 9.3. Multiple-Recipient Aliases . . . . . . . . . . . . . . . . 12
9.5. Suggested Mailing List Enhancements . . . . . . . . . . . 11 9.4. Confidential Forwarding Addresses . . . . . . . . . . . . 12
10. Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . 12 9.5. Suggested Mailing List Enhancements . . . . . . . . . . . 12
11. Continuous Ownership . . . . . . . . . . . . . . . . . . . . . 13 10. Continuous Ownership . . . . . . . . . . . . . . . . . . . . . 13
12. Authentication-Results Definitions . . . . . . . . . . . . . . 13 11. Digital Signatures . . . . . . . . . . . . . . . . . . . . . . 14
13. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 12. Authentication-Results Definitions . . . . . . . . . . . . . . 14
13.1. SMTP Extension Example . . . . . . . . . . . . . . . . . . 14 13. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
13.1. SMTP Extension Example . . . . . . . . . . . . . . . . . . 15
13.2. Header Field Example . . . . . . . . . . . . . . . . . . . 15 13.2. Header Field Example . . . . . . . . . . . . . . . . . . . 15
14. Security Considerations . . . . . . . . . . . . . . . . . . . 15 13.3. Authentication-Results Example . . . . . . . . . . . . . . 16
14.1. Abuse Countermeasures . . . . . . . . . . . . . . . . . . 15 14. Security Considerations . . . . . . . . . . . . . . . . . . . 16
14.2. Suggested Use Restrictions . . . . . . . . . . . . . . . . 16 14.1. Abuse Countermeasures . . . . . . . . . . . . . . . . . . 16
15. Privacy Considerations . . . . . . . . . . . . . . . . . . . . 16 14.2. Suggested Use Restrictions . . . . . . . . . . . . . . . . 17
15.1. Probing Attacks . . . . . . . . . . . . . . . . . . . . . 16 14.3. False Sense of Security . . . . . . . . . . . . . . . . . 17
15.2. Envelope Recipients . . . . . . . . . . . . . . . . . . . 17 15. Privacy Considerations . . . . . . . . . . . . . . . . . . . . 17
15.3. Risks with Use of Header Field . . . . . . . . . . . . . . 17 15.1. Probing Attacks . . . . . . . . . . . . . . . . . . . . . 17
16. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 15.2. Envelope Recipients . . . . . . . . . . . . . . . . . . . 18
16.1. SMTP Extension Registration . . . . . . . . . . . . . . . 17 15.3. Risks with Use of Header Field . . . . . . . . . . . . . . 18
16.2. Header Field Registration . . . . . . . . . . . . . . . . 17 16. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19
16.3. Enhanced Status Code Registration . . . . . . . . . . . . 18 16.1. SMTP Extension Registration . . . . . . . . . . . . . . . 19
16.4. Authentication Results Registration . . . . . . . . . . . 18 16.2. Header Field Registration . . . . . . . . . . . . . . . . 19
17. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19 16.3. Enhanced Status Code Registration . . . . . . . . . . . . 19
17.1. Normative References . . . . . . . . . . . . . . . . . . . 19 16.4. Authentication Results Registration . . . . . . . . . . . 20
17.2. Informative References . . . . . . . . . . . . . . . . . . 20 17. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 20 17.1. Normative References . . . . . . . . . . . . . . . . . . . 21
17.2. Informative References . . . . . . . . . . . . . . . . . . 21
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 22
1. Introduction 1. Introduction
Email addresses sometimes get reassigned to a different person. For Email addresses sometimes get reassigned to a different person. For
example, employment changes at a company can cause an address used example, employment changes at a company can cause an address used
for an ex-employee to be assigned to a new employee, or a mail for an ex-employee to be assigned to a new employee, or a mail
service provider (MSP) might expire an account and then let someone service provider (MSP) might expire an account and then let someone
else register for the local-part that was previously used. Those who else register for the local-part that was previously used. Those who
sent mail to the previous owner of an address might not know that it sent mail to the previous owner of an address might not know that it
has been reassigned. This can lead to the sending of email to the has been reassigned. This can lead to the sending of email to the
skipping to change at page 4, line 36 skipping to change at page 4, line 36
the address was assigned to its current user. If the assignment was the address was assigned to its current user. If the assignment was
made later than the date-time indicated in the message, there is a made later than the date-time indicated in the message, there is a
good chance the current user of the address is not the correct good chance the current user of the address is not the correct
recipient. The receiving system can then choose to prevent delivery recipient. The receiving system can then choose to prevent delivery
and, possibly, to notify the original sender of the problem. and, possibly, to notify the original sender of the problem.
The primary application is automatically generated messages rather The primary application is automatically generated messages rather
than user-authored content, though it may be useful in other than user-authored content, though it may be useful in other
contexts. contexts.
One important point is that the protocols presented here provide a
way for a sending system to make a request to receiving systems with
respect to handling of a message. In the end, there is no guarantee
that the request will have the desired effect.
2. Definitions 2. Definitions
For a description of the email architecture, consult [EMAIL-ARCH]. For a description of the email architecture, consult [EMAIL-ARCH].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [KEYWORDS]. document are to be interpreted as described in [KEYWORDS].
3. Description 3. Description
To address the problem described above, a mail sending client needs To address the problem described above, a mail sending client needs
to indicate to the server to which it is connecting that there is an to indicate to the server to which it is connecting that there is an
expectation that the destination of the message has been under expectation that the destination of the message has been under
continuous ownership (see Section 11) since some date-time, continuous ownership (see Section 10) since some date-time,
presumably the most recent time the message author had confirmed its presumably the most recent time the message author had confirmed its
understanding of who owned that mailbox. Two mechanisms are defined understanding of who owned that mailbox. Two mechanisms are defined
here: an extension to the Simple Mail Transfer Protocol [SMTP], for here: an extension to the Simple Mail Transfer Protocol [SMTP] and a
use between a client and server that both implement the extension, new message header field. The SMTP extension permits strong
and a header field that can be used when passing a message to a assurance of enforcement by confirming support at each handling step
server that appears not to implement this extension. for a message. The header field does not provide the strong
assurance, but only requires adoption by the receiving Message
Delivery Agent (MDA).
The SMTP extenion is called "RRVS" (Require Recipient Valid Since), The SMTP extension is called "RRVS" (Require Recipient Valid Since),
and adds a parameter to the SMTP "RCPT" command that indicates the and adds a parameter to the SMTP "RCPT" command that indicates the
most recent date and time when the message author believed the most recent date and time when the message author believed the
destination mailbox to be under the continuous ownership of a destination mailbox to be under the continuous ownership of a
specific party. Similarly, the Require-Recipient-Valid-Since header specific party. Similarly, the Require-Recipient-Valid-Since header
field includes an intended recipient coupled with a timestamp field includes an intended recipient coupled with a timestamp
indicating the same thing. indicating the same thing.
3.1. The 'RRVS' SMTP Extension 3.1. The 'RRVS' SMTP Extension
Extensions to SMTP are described in Section 2.2 of [SMTP]. Extensions to SMTP are described in Section 2.2 of [SMTP].
The name of the extension is "RRVS", an abbreviation of "Require The name of the extension is "RRVS", an abbreviation of "Require
Recipient Valid Since". Servers implementing the SMTP extension Recipient Valid Since". Servers implementing the SMTP extension
advertise an additional EHLO keyword of "RRVS", which has no advertise an additional EHLO keyword of "RRVS", which has no
associated parameters, introduces no new SMTP verbs, and does not associated parameters, introduces no new SMTP verbs, and does not
alter the MAIL verb. alter the MAIL verb.
An MTA implementing RRVS can transmit or accept a new parameter to A Message Transfer Agent (MTA) implementing RRVS can transmit or
the RCPT command. The new parameter is "RRVS", which takes a value accept a new parameter to the RCPT command. An MDA can also accept
that is a timestamp expressed as a "date-time" as defiend in this new parameter. The new parameter is "RRVS", which takes a value
that is a timestamp expressed as a "date-time" as defined in
[DATETIME], with the added restriction that a "time-secfrac" MUST NOT [DATETIME], with the added restriction that a "time-secfrac" MUST NOT
be used. Accordingly, this extension increases the maximum command be used. Accordingly, this extension increases the maximum command
length for the RCPT verb by 31 characters. length for the RCPT verb by 31 characters.
The meaning of this extension, when used, is described in The meaning of this extension, when used, is described in
Section 5.1. Section 5.1.
3.2. The 'Require-Recipient-Valid-Since' Header Field 3.2. The 'Require-Recipient-Valid-Since' Header Field
The general constraints on syntax and placement of header fields in a The general constraints on syntax and placement of header fields in a
skipping to change at page 6, line 16 skipping to change at page 6, line 20
When a message is generated whose content is sufficiently sensitive When a message is generated whose content is sufficiently sensitive
that an author or author's Administrative Management Domain (ADMD; that an author or author's Administrative Management Domain (ADMD;
see [EMAIL-ARCH]) wishes to protect against misdelivery using this see [EMAIL-ARCH]) wishes to protect against misdelivery using this
protocol, it determines for each recipient mailbox on the message a protocol, it determines for each recipient mailbox on the message a
timestamp at which it last confirmed ownership of that mailbox. It timestamp at which it last confirmed ownership of that mailbox. It
then applies either the SMTP extension or the header field defined then applies either the SMTP extension or the header field defined
above when sending the message to its destination. above when sending the message to its destination.
Use of the SMTP extension provided here is preferable over the header Use of the SMTP extension provided here is preferable over the header
field method, since the additional detail about the relationship field method because of:
between the message author and its intended recipient is at best a
property of the message transaction and not part of the message 1. the positive confirmation of support at each handling node;
itself. Further, SMTP parameters are not typically recorded in the
message upon delivery, so detail about the relationship between the 2. the fact that the protocol is focused on affecting delivery (that
author or author's ADMD and the intended recipient are not recorded. is, the transaction) rather than on content; and
3. the fact that there is less risk of the timestamp parameter being
inadvertently forwarded (see Section 15.3).
The header field mechanism is defined only to enable passage of the The header field mechanism is defined only to enable passage of the
request between and through systems that that do not implement the request between and through systems that do not implement the SMTP
SMTP extension. extension.
5. Handling By Receivers 5. Handling By Receivers
If a receiver implements the RRVS SMTP extension, then there are two If a receiver implements this specification, then there are two
possible evaluation paths: possible evaluation paths:
1. The sending client implements the extension, and so there was an 1. The sending client implements the extension, and so there was an
RRVS parameter on a RCPT TO command in the SMTP session; or RRVS parameter on a RCPT TO command in the SMTP session and the
parameters of interest are taken only from there (and the header
field, if present, is disregarded); or
2. The sending client does not (or elected not to) implement the 2. The sending client does not (or elected not to) implement the
extension, so the RRVS parameter was not present on the RCPT TO extension, so the RRVS parameter was not present on the RCPT TO
commands in the SMTP session. commands in the SMTP session, but the corresponding header field
might be present in the message.
5.1. SMTP Extension Used 5.1. SMTP Extension Used
A receiving system that implements the SMTP extension declared above For an MTA supporting the SMTP extension, the requirement is to
and observes an RRVS parameter on a RCPT TO command checks whether continue enforcement of RRVS during the relaying process to the next
the current owner of the destination mailbox has held it MTA or the MDA.
continuously, far enough back to inclue the given date-time, and
delivers it unless that check returns in the negative. Expressed as
a sequence of steps:
1. Ignore the parameter if the named mailbox is a role account as A receiving MDA that implements the SMTP extension declared above and
listed in Mailbox Names For Common Services, Roles And Functions observes an RRVS parameter on a RCPT TO command checks whether the
[ROLES]. (See Section 6.) current owner of the destination mailbox has held it continuously,
far enough back to include the given date-time, and delivers it
unless that check returns in the negative. Specifically, an MDA will
do the following before continuing with delivery:
2. Determine if the named address is serviced for local delivery. 1. Ignore the parameter if the named mailbox is known to be a role
If so, and if that address has not been under continuous account as listed in Mailbox Names For Common Services, Roles And
ownership since the specified timestamp, return a 550 error to Functions [ROLES]. (See Section 6.)
the RCPT command. (See also Section 16.3.)
3. RECOMMENDED: If any Require-Recipient-Valid-Since header fields 2. If the address is not known to be a role account, and if that
are present and refer to the named address, remove them prior to address has not been under continuous ownership since the
delivery or relaying. (See Section 5.2 for discussion.) timestamp specified in the extension, return a 550 error to the
RCPT command. (See also Section 16.3.)
Where a message arrives using the SMTP extension that also contains 3. If any Require-Recipient-Valid-Since header fields are present
the Require-Recipient-Valid-Since header field in its header, the and refer to the named address, they SHOULD be removed prior to
header field SHOULD be removed. (See Section 7.1 for further delivery or relaying. (See Section 5.2 and Section 7.1 for
discussion about removal of the header field.) discussion.)
5.1.1. Relays 5.1.1. Relays
An MTA that does not make mailbox ownership checks, such as an MTA An MTA that does not make mailbox ownership checks, such as an MTA
positioned to do SMTP ingress at an organizational boundary, SHOULD positioned to do SMTP ingress at an organizational boundary, SHOULD
relay the RRVS extension parameter to the next MTA so that it can be relay the RRVS extension parameter to the next MTA or MDA so that it
processed there. can be processed there.
See Section 9.2 for additional discussion. See Section 9.2 for additional discussion.
5.2. Header Field Used 5.2. Header Field Used
A receiving system that implements this specification, upon receiving A receiving system that implements this specification, upon receiving
a message bearing a Require-Recipient-Valid-Since header field when a message bearing a Require-Recipient-Valid-Since header field when
no corresponding RRVS SMTP extension was used, checks whether the no corresponding RRVS SMTP extension was used, checks whether the
destination mailbox owner has held it continuously, far enough back destination mailbox owner has held it continuously, far enough back
to include the given date-time, and delivers it unless that check to include the given date-time, and delivers it unless that check
returns in the negative. Expressed as a sequence of steps: returns in the negative. Expressed as a sequence of steps:
1. Extract the set of Require-Recipient-Valid-Since fields from the 1. Extract the set of Require-Recipient-Valid-Since fields from MDA
message for which no corresponding RRVS SMTP extension was used. the message for which no corresponding RRVS SMTP extension was
used.
2. Discard any such fields that are syntactically invalid. 2. Discard any such fields that are syntactically invalid.
3. Discard any such fields that name a role account as listed in 3. Discard any such fields that name a role account as listed in
[ROLES] (see Section 6). [ROLES] (see Section 6).
4. Discard any such fields for which the "addr-spec" portion does 4. Discard any such fields for which the "addr-spec" portion does
not match a current recipient, as listed in the RCPT TO commands not match a current recipient, as listed in the RCPT TO commands
in the SMTP session. in the SMTP session.
5. Discard any such fields for which the "addr-spec" portion does 5. Discard any such fields for which the "addr-spec" portion does
not refer to a mailbox handled for local delivery by this MTA. not refer to a mailbox handled for local delivery by this ADMD.
6. For each field remaining, determine if the named address has been 6. For each field remaining, determine if the named address has been
under continuous ownership since the corresponding timestamp. If under continuous ownership since the corresponding timestamp. If
it has not, reject the message. it has not, reject the message.
7. RECOMMENDED: If local delivery is being performed, remove all 7. RECOMMENDED: If local delivery is being performed, remove all
instances of this field prior to delivery to a mailbox; if the instances of this field prior to delivery to a mailbox; if the
message is being forwarded, remove those instances of this header message is being forwarded, remove those instances of this header
field that were not discarded by steps 1-4 above. field that were not discarded by steps 1-4 above.
Handling proceeds normally upon completion of the above steps if Handling proceeds normally upon completion of the above steps if
rejection has not been performed. rejection has not been performed.
The final step is not mandatory as not all mail handling agents are The final step is not mandatory as not all mail handling agents are
capable of stripping away header fields, and there are sometimes capable of stripping away header fields, and there are sometimes
reasons to keep the field intact such as debugging or presence of reasons to keep the field intact such as debugging or presence of
digital signatures that might be invalidated by such a change. digital signatures that might be invalidated by such a change. See
Section 11 for additional discussion.
If a message is to be rejected within the SMTP protocol itself If a message is to be rejected within the SMTP protocol itself
(versus generating a rejection message separately), servers (versus generating a rejection message separately), servers
implementing this protocol SHOULD also implement the SMTP extension implementing this protocol SHOULD also implement the SMTP extension
described in Enhanced Mail System Status Codes [ESC] and use the described in Enhanced Mail System Status Codes [ESC] and use the
enhanced status codes described in Section 16.3 as appropriate. enhanced status codes described in Section 16.3 as appropriate.
Implementation by this method is expected to be transparent to non- Implementation by this method is expected to be transparent to non-
participants, since they would typically ignore this header field. participants, since they would typically ignore this header field.
This header field is not normally added to a message that is This header field is not normally added to a message that is
addressed to multiple recipients. The intended use of this field addressed to multiple recipients. The intended use of this field
involves an author seeking to protect transactional or otherwise involves an author seeking to protect transactional or otherwise
sensitive data intended for a single recipient, and thus generating sensitive data intended for a single recipient, and thus generating
independent messages for each individual recipient is normal independent messages for each individual recipient is normal
practice. See Section 8 for further discussion. practice. See Section 8 for further discussion.
5.2.1. Design Choices
The presence of the intended address in the field content supports
the case where a message bearing this header field is forwarded. The
specific use case is as follows:
1. A user subscribes to a service "S" on date "D" and confirms an
email address at the user's current location, "A";
2. At some later date, the user intends to leave the current
location, and thus creates a new mailbox elsewhere, at "B";
3. The user replaces address "A" with forwarding to "B";
4. "S" constructs a message to "A" claiming that address was valid
at date "D" and sends it to "A";
5. The receiving MTA at "A" determines that the forwarding in effect
was created by the same party that owned the mailbox there, and
thus concludes the continuous ownership test has been satisfied;
6. If possible, "A" removes this header field from the message, and
in either case, forwards it to "B";
7. On receipt at "B", either the header field has been removed, or
the header field does not refer to a current envelope recipient,
and in either case delivers the message.
SMTP has never required any correspondence between addresses in the
RFC5321.MailFrom and RFC5321.RcptTo parameters and header fields of a
message, which is why the header field defined here contains the
recipient address to which the timestamp applies.
6. Role Accounts 6. Role Accounts
It is necessary not to interfere with delivery of messages to role It is necessary not to interfere with delivery of messages to role
mailboxes (see [ROLES]), but it could be useful to indicate to users mailboxes (see [ROLES]), but it could be useful to notify users
handling those mailboxes that a change of ownership might have taken sending to those mailboxes that a change of ownership might have
place where doing so is possible. taken place, if such notification is possible.
7. Relaying Without RRVS Support 7. Relaying Without RRVS Support
When a message is received using the SMTP extension defined here but When a message is received using the SMTP extension defined here but
will not be delivered locally (that is, it needs to be relayed will not be delivered locally (that is, it needs to be relayed
further), the MTA to which the relay will take place might not be further), the MTA to which the relay will take place might not be
compliant with this specification. Where the MTA in possession of compliant with this specification. Where the MTA in possession of
the message observes it is going to relay the message to an MTA that the message observes it is going to relay the message to an MTA that
does not advertise this extension, it needs to choose one of the does not advertise this extension, it needs to choose one of the
following actions: following actions:
skipping to change at page 10, line 39 skipping to change at page 11, line 39
is a mailing list. This extension has similar concerns which are is a mailing list. This extension has similar concerns which are
covered here following that document as a model. covered here following that document as a model.
9.1. Mailing Lists 9.1. Mailing Lists
Delivery to a mailing list service is considered a final delivery. Delivery to a mailing list service is considered a final delivery.
Where this protocol is in use, it is evaluated as per any normal Where this protocol is in use, it is evaluated as per any normal
delivery: If the same mailing list has been operating in place of the delivery: If the same mailing list has been operating in place of the
specified recipient mailbox since at least the timestamp given as the specified recipient mailbox since at least the timestamp given as the
RRVS parameter, the message is delivered to the list service RRVS parameter, the message is delivered to the list service
normally, and is otherwise not delivered. However, the MTA passing normally, and is otherwise not delivered.
the message to the list service does not convey the RRVS parameter in
either form (SMTP extension or header field) to the list service. It is important, however, that the participating MDA passing the
The emission of a message from the list service to its subscribers message to the list service needs to omit the RRVS parameter in
either form (SMTP extension or header field) when doing so. The
emission of a message from the list service to its subscribers
constitutes a new message not covered by the previous transaction. constitutes a new message not covered by the previous transaction.
9.2. Single-Recipient Alaises 9.2. Single-Recipient Aliases
Upon delivery of an RRVS-protected message to an alias (acting in Upon delivery of an RRVS-protected message to an alias (acting in
place of a mailbox) that results in relaying of the message to a place of a mailbox) that results in relaying of the message to a
single other destination, the usual RRVS check is performed. The single other destination, the usual RRVS check is performed. The
continuous ownership test here might succeed if a conventional user continuous ownership test here might succeed if a conventional user
inbox was replaced with an alias on behalf of that same user, and inbox was replaced with an alias on behalf of that same user, and
this information is recorded someplace. If the message is thus this information is recorded someplace. If the message is thus
accepted, the relaying MTA can choose to do one of the following: accepted, the relaying MTA can choose to do one of the following:
1. Do not include an RRVS parameter or header field when relaying to 1. Do not include an RRVS parameter or header field when relaying to
skipping to change at page 12, line 13 skipping to change at page 13, line 15
now in possession of an address under which the original subscriber now in possession of an address under which the original subscriber
was added to the list. Upon receiving a rejection caused by this was added to the list. Upon receiving a rejection caused by this
specification, the list service can remove that address from further specification, the list service can remove that address from further
distribution. distribution.
A mailing list service that receives a message containing the header A mailing list service that receives a message containing the header
field defined here needs to remove it from the message prior to field defined here needs to remove it from the message prior to
redistributing it, limiting exposure of information regarding the redistributing it, limiting exposure of information regarding the
relationship between the message's author and the mailing list. relationship between the message's author and the mailing list.
10. Discussion 10. Continuous Ownership
To further obscure account details on the receiving system, the
receiver SHOULD ignore the SMTP extension or the header field if the
address specified has had one continuous owner since it was created,
regardless of the purported confirmation date of the address. This
is further discussed in Section 14.
The presence of the intended address in the field content supports
the case where a message bearing this header field is forwarded. The
specific use case is as follows:
1. A user subscribes to a service "S" on date "D" and confirms an
email address at the user's current location, "A";
2. At some later date, the user intends to leave the current
location, and thus creates a new mailbox elsewhere, at "B";
3. The user replaces address "A" with forwarding to "B";
4. "S" constructs a message to "A" claiming that address was valid
at date "D" and sends it to "A";
5. The receiving MTA at "A" determines that the forwarding in effect
was created by the same party that owned the mailbox there, and
thus concludes the continuous ownership test has been satisfied;
6. If possible, "A" removes this header field from the message, and
in either case, forwards it to "B";
7. On receipt at "B", either the header field has been removed, or
the header field does not refer to a current envelope recipient,
and in either case delivers the message.
SMTP has never required any correspondence between addresses in the
RFC5321.MailFrom and RFC5321.RcptTo parameters and header fields of a
message, which is why the header field defined here contains the
recipient address to which the timestamp applies.
11. Continuous Ownership
For the purposes of this specification, an address is defined as For the purposes of this specification, an address is defined as
having been under continuous ownership since a given date-time if a having been under continuous ownership since a given date-time if a
message sent to the address at any point since the given date would message sent to the address at any point since the given date would
not go to anyone except the owner at that given date-time. That is, not go to anyone except the owner at that given date-time. That is,
while an address may have been suspended or otherwise disabled for while an address may have been suspended or otherwise disabled for
some period, any mail actually delivered would have been delivered some period, any mail actually delivered would have been delivered
exclusively to the same owner. It is is presumed that some sort of exclusively to the same owner. It is is presumed that some sort of
relationship exists between the message sender and the intended relationship exists between the message sender and the intended
recipient. Presumably there has been some confirmation process recipient. Presumably there has been some confirmation process
skipping to change at page 13, line 38 skipping to change at page 13, line 48
For example, when control of a domain name is transferred, the new For example, when control of a domain name is transferred, the new
domain owner might be unable to determine whether the owner of the domain owner might be unable to determine whether the owner of the
subject address has been under continuous ownership since the stated subject address has been under continuous ownership since the stated
date if the mailbox history is not also transferred (or was not date if the mailbox history is not also transferred (or was not
previously maintained). It will also be "unknown" if whatever previously maintained). It will also be "unknown" if whatever
database contains mailbox ownership data is temporarily unavailable database contains mailbox ownership data is temporarily unavailable
at the time a message arrives for delivery. In this latter case, at the time a message arrives for delivery. In this latter case,
typical SMTP temporary failure handling is appropriate. typical SMTP temporary failure handling is appropriate.
To further obscure account details on the receiving system, the
receiver SHOULD ignore the SMTP extension or the header field if the
address specified has had one continuous owner since it was created,
regardless of the purported confirmation date of the address. This
is further discussed in Section 14.
11. Digital Signatures
This protocol mandates removal of the header field (when used) upon
delivery in all but iexceptional circumstances. Altering a message
in this way will invalidate a digital signature intended to guard
against message modification in transit, which can interfere with
delivery.
Section 5.4.1 of DomainKeys Identified Mail [DKIM] proposes a
strategy for selecting header fields to sign. Specifically, it
advises including in the signed portion of the message only those
header fields that comprise part of the core content of the message.
As the header field version of this protocol is ephemeral, it cannot
be considered core content.
Accordingly, applying digital signatures that attempt to protect the
content of this header field is NOT RECOMMENDED.
12. Authentication-Results Definitions 12. Authentication-Results Definitions
[AUTHRES] defines a mechanism for indicating, via a header field, the [AUTHRES] defines a mechanism for indicating, via a header field, the
results of message authentication checks. Section 16 registers RRVS results of message authentication checks. Section 16 registers RRVS
as a new method that can be reported in this way, and corresponding as a new method that can be reported in this way, and corresponding
result names. The possible result names and their meanings are as result names. The possible result names and their meanings are as
follows: follows:
none: The message had no recipient mailbox timestamp associated with none: The message had no recipient mailbox timestamp associated with
it, either via the SMTP extension or header field method; this it, either via the SMTP extension or header field method; this
skipping to change at page 14, line 45 skipping to change at page 15, line 29
13.1. SMTP Extension Example 13.1. SMTP Extension Example
C: [connection established] C: [connection established]
S: 220 server.example.com ESMTP ready S: 220 server.example.com ESMTP ready
C: EHLO client.example.net C: EHLO client.example.net
S: 250-server.example.com S: 250-server.example.com
S: 250 RRVS S: 250 RRVS
C: MAIL FROM:<sender@example.net> C: MAIL FROM:<sender@example.net>
S: 250 OK S: 250 OK
C: RCPT TO:<receiver@example.com> RRVS=1381993177 C: RCPT TO:<receiver@example.com> RRVS=1381993177
S: 550 5.7.15 receiver@example.com is no longer valid S: 550 5.7.17 receiver@example.com is no longer valid
C: QUIT C: QUIT
S: 221 So long! S: 221 So long!
13.2. Header Field Example 13.2. Header Field Example
C: [connection established] C: [connection established]
S: 220 server.example.com ESMTP ready S: 220 server.example.com ESMTP ready
C: HELO client.example.net C: HELO client.example.net
S: 250 server.example.com S: 250 server.example.com
C: MAIL FROM:<sender@example.net> C: MAIL FROM:<sender@example.net>
S: 250 OK S: 250 OK
C: RCPT TO:<receiver@example.com> C: RCPT TO:<receiver@example.com>
S: 250 OK S: 250 OK
C: DATA C: DATA
S: 354 Ready for message content S: 354 Ready for message content
skipping to change at page 15, line 26 skipping to change at page 16, line 23
S: 354 Ready for message content S: 354 Ready for message content
C: From: Mister Sender <sender@example.net> C: From: Mister Sender <sender@example.net>
To: Miss Receiver <receiver@example.com> To: Miss Receiver <receiver@example.com>
Subject: Are you still there? Subject: Are you still there?
Date: Fri, 28 Jun 2013 18:01:01 +0200 Date: Fri, 28 Jun 2013 18:01:01 +0200
Require-Recipient-Valid-Since: receiver@example.com; Require-Recipient-Valid-Since: receiver@example.com;
Sat, 1 Jun 2013 09:23:01 -0700 Sat, 1 Jun 2013 09:23:01 -0700
Are you still there? Are you still there?
. .
S: 550 5.7.15 receiver@example.com is no longer valid S: 550 5.7.17 receiver@example.com is no longer valid
C: QUIT C: QUIT
S: 221 So long! S: 221 So long!
If an authentication scheme is applied to claim the added header 13.3. Authentication-Results Example
field is valid, but the scheme fails, a receiver might reject the
message with an SMTP reply such as:
S: 550-5.7.7 Use of Require-Recipient-Valid-Since header An example use of the Authentication-Results header field used to
S: 550 field requires a valid signature yield the results of an RRVS evaluation:
Authentication-Results: mx.example.com; rrvs=pass
smtp.rcptto=user@example.com
This indicates that the message arrived addressed to the mailbox
user@example.com, the continuous ownership test was applied with the
provided timestamp, and the check revealed that test was satisfied.
The timestamp is not revealed.
14. Security Considerations 14. Security Considerations
14.1. Abuse Countermeasures 14.1. Abuse Countermeasures
The response of a server implementing this protocol can disclose The response of a server implementing this protocol can disclose
information about the age of existing email mailbox. Implementation information about the age of existing email mailbox. Implementation
of countermeasures against probing attacks is advised. For example, of countermeasures against probing attacks is advised. For example,
an operator could track appearance of this field with respect to a an operator could track appearance of this field with respect to a
particular mailbox and observe the timestamps being submitted for particular mailbox and observe the timestamps being submitted for
skipping to change at page 16, line 26 skipping to change at page 17, line 27
to implement this specification, in order to reduce the possibility to implement this specification, in order to reduce the possibility
of revealing information about the relationship between the author of revealing information about the relationship between the author
and the mailbox. and the mailbox.
If ownership of an entire domain is transferred, the new owner may If ownership of an entire domain is transferred, the new owner may
not know what addresses were assigned in the past by the prior owner. not know what addresses were assigned in the past by the prior owner.
Hence, no address can be known not to have had a single owner, or to Hence, no address can be known not to have had a single owner, or to
have existed (or not) at all. In this case, the "unknown" result is have existed (or not) at all. In this case, the "unknown" result is
likely appropriate. likely appropriate.
14.3. False Sense of Security
Senders implementing this protocol likely believe their content is
being protected by doing so. It has to be considered, however, that
receiving systems might not implement this protocol correctly, or at
all. Furthermore, use of RRVS by a sending system constitutes
nothing more than a request to the receiving system; that system
could choose not to prevent delivery for some local policy or
operational reason, which compromises the security the sending system
believed was a benefit to using RRVS. This could mean the timestamp
information involved in the protocol becomes inadvertently revealed.
This concern lends further support to the notion that senders would
do well to avoid using this protocol other than when sending to
known, trusted receivers.
15. Privacy Considerations 15. Privacy Considerations
15.1. Probing Attacks 15.1. Probing Attacks
As described above, use of this extension or header field in probing As described above, use of this extension or header field in probing
attacks can disclose information about the history of the mailbox. attacks can disclose information about the history of the mailbox.
The harm that can be done by leaking any kind of private information The harm that can be done by leaking any kind of private information
is difficult to predict, so it is prudent to be sensitive to this is difficult to predict, so it is prudent to be sensitive to this
sort of disclosure, either inadvertently or in response to probing by sort of disclosure, either inadvertently or in response to probing by
an attacker. It bears restating, then, that implementing an attacker. It bears restating, then, that implementing
skipping to change at page 17, line 22 skipping to change at page 18, line 40
actionable. As such, use of this specification can reveal some or actionable. As such, use of this specification can reveal some or
all of the original intended recipient set to any party that can see all of the original intended recipient set to any party that can see
the message in transit or upon delivery. the message in transit or upon delivery.
For a message destined to a single recipient, this is unlikely to be For a message destined to a single recipient, this is unlikely to be
a concern, which is one of the reasons use of this specification on a concern, which is one of the reasons use of this specification on
multi-recipient messages is discouraged. multi-recipient messages is discouraged.
15.3. Risks with Use of Header Field 15.3. Risks with Use of Header Field
MTAs might not implement the recommendation to remove the header MDAs might not implement the recommendation to remove the header
field defined here, either out of ignorance or due to error. Since field defined here when messages are delivered, either out of
user agents often do not render all of the header fields present, the ignorance or due to error. Since user agents often do not render all
message could be forwarded to another party that would then of the header fields present, the message could be forwarded to
inadvertently have the content of this header field. another party that would then inadvertently have the content of this
header field.
A bad actor may detect use of either form of the RRVS protocol and
interpret it as an indication of high value content.
16. IANA Considerations 16. IANA Considerations
16.1. SMTP Extension Registration 16.1. SMTP Extension Registration
Section 2.2.2 of [MAIL] sets out the procedure for registering a new Section 2.2.2 of [MAIL] sets out the procedure for registering a new
SMTP extension. IANA is requested to register the SMTP extension SMTP extension. IANA is requested to register the SMTP extension
using the details provided in Section 3.1 of this document. using the details provided in Section 3.1 of this document.
16.2. Header Field Registration 16.2. Header Field Registration
IANA is requested to add the following entry to the Permanent Message IANA is requested to add the following entry to the Permanent Message
Header Field registry, as per the procedure found in [IANA-HEADERS]: Header Field Names registry, as per the procedure found in
[IANA-HEADERS]:
Header field name: Require-Recipient-Valid-Since Header field name: Require-Recipient-Valid-Since
Applicable protocol: mail ([MAIL]) Applicable protocol: mail ([MAIL])
Status: Standard Status: Standard
Author/Change controller: IETF Author/Change controller: IETF
Specification document(s): [this document] Specification document(s): [this document]
Related information: Related information:
Requesting review of any proposed changes and additions to Requesting review of any proposed changes and additions to
this field is recommended. this field is recommended.
16.3. Enhanced Status Code Registration 16.3. Enhanced Status Code Registration
IANA is requested to register the following in the SMTP Enhanced IANA is requested to register the following in the Enumerated Status
Status Codes registry: Codes table of the Simple Mail Transfer Protocol (SMTP) Enhanced
Status Codes Registry:
Code: X.7.15 Code: X.7.17
Sample Text: Mailbox owner has changed Sample Text: Mailbox owner has changed
Associated basic status code: 5 Associated basic status code: 5
Description: This status code is returned when a message is Description: This status code is returned when a message is
received with a Require-Recipient-Valid-Since received with a Require-Recipient-Valid-Since
field or RRVS extension and the receiving field or RRVS extension and the receiving
system is able to determine that the intended system is able to determine that the intended
recipient mailbox has not been under recipient mailbox has not been under
continuous ownership since the specified date. continuous ownership since the specified date.
Reference: [this document] Reference: [this document]
Submitter: M. Kucherawy Submitter: M. Kucherawy
Change controller: IESG Change controller: IESG
Code: X.7.18
Code: X.7.16
Sample Text: Domain owner has changed Sample Text: Domain owner has changed
Associated basic status code: 5 Associated basic status code: 5
Description: This status code is returned when a message is Description: This status code is returned when a message is
received with a Require-Recipient-Valid-Since received with a Require-Recipient-Valid-Since
field or RRVS extension and the receiving field or RRVS extension and the receiving
system wishes to disclose that the owner of system wishes to disclose that the owner of
the domain name of the recipient has changed the domain name of the recipient has changed
since the specified date. since the specified date.
Reference: [this document] Reference: [this document]
Submitter: M. Kucherawy Submitter: M. Kucherawy
skipping to change at page 20, line 11 skipping to change at page 21, line 34
[SMTP] Klensin, J., "Simple Mail Transfer Protocol", [SMTP] Klensin, J., "Simple Mail Transfer Protocol",
RFC 5321, October 2008. RFC 5321, October 2008.
17.2. Informative References 17.2. Informative References
[AUTHRES] Kucherawy, M., "Message Header Field for Indicating [AUTHRES] Kucherawy, M., "Message Header Field for Indicating
Message Authentication Status", RFC 7001, Message Authentication Status", RFC 7001,
September 2013. September 2013.
[DKIM] Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy,
Ed., "DomainKeys Identified Mail (DKIM) Signatures",
RFC 6376, September 2011.
[DSN] Moore, K. and G. Vaudreuil, "An Extensible Message [DSN] Moore, K. and G. Vaudreuil, "An Extensible Message
Format for Delivery Status Notifications", RFC 3464, Format for Delivery Status Notifications", RFC 3464,
January 2003. January 2003.
[DSN-SMTP] Moore, K., "Simple Mail Transfer Protocol (SMTP) [DSN-SMTP] Moore, K., "Simple Mail Transfer Protocol (SMTP)
Service Extension for Delivery Status Notifications Service Extension for Delivery Status Notifications
(DSNs)", RFC 3461, January 2003. (DSNs)", RFC 3461, January 2003.
[EMAIL-ARCH] Crocker, D., "Internet Mail Architecture", RFC 5598, [EMAIL-ARCH] Crocker, D., "Internet Mail Architecture", RFC 5598,
July 2009. July 2009.
[ESC] Vaudreuil, G., "Enhanced Mail System Status Codes", [ESC] Vaudreuil, G., "Enhanced Mail System Status Codes",
RFC 3463, January 2003. RFC 3463, January 2003.
Appendix A. Acknowledgments Appendix A. Acknowledgments
Erling Ellingsen proposed the idea. Erling Ellingsen proposed the idea.
Reviews and comments were provided by Michael Adkins, Kurt Andersen, Reviews and comments were provided by Michael Adkins, Kurt Andersen,
Alissa Cooper, Dave Cridland, Dave Crocker, Ned Freed, John Levine, Eric Burger, Alissa Cooper, Dave Cridland, Dave Crocker, Ned Freed,
Alexey Melnikov, Hector Santos, Gregg Stefancik, Ed Zayas, (others) John Levine, Alexey Melnikov, Hector Santos, Gregg Stefancik, Ed
Zayas, (others)
Authors' Addresses Authors' Addresses
William J. Mills William J. Mills
Yahoo! Inc. Yahoo! Inc.
EMail: wmills_92105@yahoo.com EMail: wmills_92105@yahoo.com
Murray S. Kucherawy Murray S. Kucherawy
Facebook, Inc. Facebook, Inc.
 End of changes. 45 change blocks. 
152 lines changed or deleted 222 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/