--- 1/draft-ietf-appsawg-rrvs-header-field-05.txt 2014-01-10 12:14:34.019067580 -0800 +++ 2/draft-ietf-appsawg-rrvs-header-field-06.txt 2014-01-10 12:14:34.063068692 -0800 @@ -1,20 +1,20 @@ Network Working Group W. Mills Internet-Draft Yahoo! Inc. Intended status: Standards Track M. Kucherawy -Expires: June 14, 2014 Facebook, Inc. - December 11, 2013 +Expires: July 14, 2014 Facebook, Inc. + January 10, 2014 The Require-Recipient-Valid-Since Header Field and SMTP Service Extension - draft-ietf-appsawg-rrvs-header-field-05 + draft-ietf-appsawg-rrvs-header-field-06 Abstract This document defines an extension for the Simple Mail Transfer Protocol called RRVS, and a header field called Require-Recipient- Valid-Since, to provide a method for senders to indicate to receivers the time when the sender last confirmed the ownership of the target mailbox. This can be used to detect changes of mailbox ownership, and thus prevent mail from being delivered to the wrong party. @@ -30,25 +30,25 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on June 14, 2014. + This Internet-Draft will expire on July 14, 2014. Copyright Notice - Copyright (c) 2013 IETF Trust and the persons identified as the + Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as @@ -56,55 +56,58 @@ Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Description . . . . . . . . . . . . . . . . . . . . . . . . . 4 3.1. The 'RRVS' SMTP Extension . . . . . . . . . . . . . . . . 5 3.2. The 'Require-Recipient-Valid-Since' Header Field . . . . . 5 4. Use By Generators . . . . . . . . . . . . . . . . . . . . . . 6 5. Handling By Receivers . . . . . . . . . . . . . . . . . . . . 6 - 5.1. SMTP Extension Used . . . . . . . . . . . . . . . . . . . 6 + 5.1. SMTP Extension Used . . . . . . . . . . . . . . . . . . . 7 5.1.1. Relays . . . . . . . . . . . . . . . . . . . . . . . . 7 5.2. Header Field Used . . . . . . . . . . . . . . . . . . . . 7 - 6. Role Accounts . . . . . . . . . . . . . . . . . . . . . . . . 8 - 7. Relaying Without RRVS Support . . . . . . . . . . . . . . . . 8 - 7.1. Header Field Conversion . . . . . . . . . . . . . . . . . 9 - 8. Header Field with Multiple Recipients . . . . . . . . . . . . 9 - 9. Special Use Addresses . . . . . . . . . . . . . . . . . . . . 10 - 9.1. Mailing Lists . . . . . . . . . . . . . . . . . . . . . . 10 - 9.2. Single-Recipient Alaises . . . . . . . . . . . . . . . . . 10 - 9.3. Multiple-Recipient Aliases . . . . . . . . . . . . . . . . 11 - 9.4. Confidential Forwarding Addresses . . . . . . . . . . . . 11 - 9.5. Suggested Mailing List Enhancements . . . . . . . . . . . 11 - 10. Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . 12 - 11. Continuous Ownership . . . . . . . . . . . . . . . . . . . . . 13 - 12. Authentication-Results Definitions . . . . . . . . . . . . . . 13 - 13. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 - 13.1. SMTP Extension Example . . . . . . . . . . . . . . . . . . 14 + 5.2.1. Design Choices . . . . . . . . . . . . . . . . . . . . 9 + 6. Role Accounts . . . . . . . . . . . . . . . . . . . . . . . . 9 + 7. Relaying Without RRVS Support . . . . . . . . . . . . . . . . 9 + 7.1. Header Field Conversion . . . . . . . . . . . . . . . . . 10 + 8. Header Field with Multiple Recipients . . . . . . . . . . . . 10 + 9. Special Use Addresses . . . . . . . . . . . . . . . . . . . . 11 + 9.1. Mailing Lists . . . . . . . . . . . . . . . . . . . . . . 11 + 9.2. Single-Recipient Aliases . . . . . . . . . . . . . . . . . 11 + 9.3. Multiple-Recipient Aliases . . . . . . . . . . . . . . . . 12 + 9.4. Confidential Forwarding Addresses . . . . . . . . . . . . 12 + 9.5. Suggested Mailing List Enhancements . . . . . . . . . . . 12 + 10. Continuous Ownership . . . . . . . . . . . . . . . . . . . . . 13 + 11. Digital Signatures . . . . . . . . . . . . . . . . . . . . . . 14 + 12. Authentication-Results Definitions . . . . . . . . . . . . . . 14 + 13. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 + 13.1. SMTP Extension Example . . . . . . . . . . . . . . . . . . 15 13.2. Header Field Example . . . . . . . . . . . . . . . . . . . 15 - 14. Security Considerations . . . . . . . . . . . . . . . . . . . 15 - 14.1. Abuse Countermeasures . . . . . . . . . . . . . . . . . . 15 - 14.2. Suggested Use Restrictions . . . . . . . . . . . . . . . . 16 - 15. Privacy Considerations . . . . . . . . . . . . . . . . . . . . 16 - 15.1. Probing Attacks . . . . . . . . . . . . . . . . . . . . . 16 - 15.2. Envelope Recipients . . . . . . . . . . . . . . . . . . . 17 - 15.3. Risks with Use of Header Field . . . . . . . . . . . . . . 17 - 16. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 - 16.1. SMTP Extension Registration . . . . . . . . . . . . . . . 17 - 16.2. Header Field Registration . . . . . . . . . . . . . . . . 17 - 16.3. Enhanced Status Code Registration . . . . . . . . . . . . 18 - 16.4. Authentication Results Registration . . . . . . . . . . . 18 - 17. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19 - 17.1. Normative References . . . . . . . . . . . . . . . . . . . 19 - 17.2. Informative References . . . . . . . . . . . . . . . . . . 20 - Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 20 + 13.3. Authentication-Results Example . . . . . . . . . . . . . . 16 + 14. Security Considerations . . . . . . . . . . . . . . . . . . . 16 + 14.1. Abuse Countermeasures . . . . . . . . . . . . . . . . . . 16 + 14.2. Suggested Use Restrictions . . . . . . . . . . . . . . . . 17 + 14.3. False Sense of Security . . . . . . . . . . . . . . . . . 17 + 15. Privacy Considerations . . . . . . . . . . . . . . . . . . . . 17 + 15.1. Probing Attacks . . . . . . . . . . . . . . . . . . . . . 17 + 15.2. Envelope Recipients . . . . . . . . . . . . . . . . . . . 18 + 15.3. Risks with Use of Header Field . . . . . . . . . . . . . . 18 + 16. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 19 + 16.1. SMTP Extension Registration . . . . . . . . . . . . . . . 19 + 16.2. Header Field Registration . . . . . . . . . . . . . . . . 19 + 16.3. Enhanced Status Code Registration . . . . . . . . . . . . 19 + 16.4. Authentication Results Registration . . . . . . . . . . . 20 + 17. References . . . . . . . . . . . . . . . . . . . . . . . . . . 21 + 17.1. Normative References . . . . . . . . . . . . . . . . . . . 21 + 17.2. Informative References . . . . . . . . . . . . . . . . . . 21 + Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 22 1. Introduction Email addresses sometimes get reassigned to a different person. For example, employment changes at a company can cause an address used for an ex-employee to be assigned to a new employee, or a mail service provider (MSP) might expire an account and then let someone else register for the local-part that was previously used. Those who sent mail to the previous owner of an address might not know that it has been reassigned. This can lead to the sending of email to the @@ -123,62 +126,70 @@ the address was assigned to its current user. If the assignment was made later than the date-time indicated in the message, there is a good chance the current user of the address is not the correct recipient. The receiving system can then choose to prevent delivery and, possibly, to notify the original sender of the problem. The primary application is automatically generated messages rather than user-authored content, though it may be useful in other contexts. + One important point is that the protocols presented here provide a + way for a sending system to make a request to receiving systems with + respect to handling of a message. In the end, there is no guarantee + that the request will have the desired effect. + 2. Definitions For a description of the email architecture, consult [EMAIL-ARCH]. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [KEYWORDS]. 3. Description To address the problem described above, a mail sending client needs to indicate to the server to which it is connecting that there is an expectation that the destination of the message has been under - continuous ownership (see Section 11) since some date-time, + continuous ownership (see Section 10) since some date-time, presumably the most recent time the message author had confirmed its understanding of who owned that mailbox. Two mechanisms are defined - here: an extension to the Simple Mail Transfer Protocol [SMTP], for - use between a client and server that both implement the extension, - and a header field that can be used when passing a message to a - server that appears not to implement this extension. + here: an extension to the Simple Mail Transfer Protocol [SMTP] and a + new message header field. The SMTP extension permits strong + assurance of enforcement by confirming support at each handling step + for a message. The header field does not provide the strong + assurance, but only requires adoption by the receiving Message + Delivery Agent (MDA). - The SMTP extenion is called "RRVS" (Require Recipient Valid Since), + The SMTP extension is called "RRVS" (Require Recipient Valid Since), and adds a parameter to the SMTP "RCPT" command that indicates the most recent date and time when the message author believed the destination mailbox to be under the continuous ownership of a specific party. Similarly, the Require-Recipient-Valid-Since header field includes an intended recipient coupled with a timestamp indicating the same thing. 3.1. The 'RRVS' SMTP Extension Extensions to SMTP are described in Section 2.2 of [SMTP]. The name of the extension is "RRVS", an abbreviation of "Require Recipient Valid Since". Servers implementing the SMTP extension advertise an additional EHLO keyword of "RRVS", which has no associated parameters, introduces no new SMTP verbs, and does not alter the MAIL verb. - An MTA implementing RRVS can transmit or accept a new parameter to - the RCPT command. The new parameter is "RRVS", which takes a value - that is a timestamp expressed as a "date-time" as defiend in + A Message Transfer Agent (MTA) implementing RRVS can transmit or + accept a new parameter to the RCPT command. An MDA can also accept + this new parameter. The new parameter is "RRVS", which takes a value + that is a timestamp expressed as a "date-time" as defined in [DATETIME], with the added restriction that a "time-secfrac" MUST NOT be used. Accordingly, this extension increases the maximum command length for the RCPT verb by 31 characters. The meaning of this extension, when used, is described in Section 5.1. 3.2. The 'Require-Recipient-Valid-Since' Header Field The general constraints on syntax and placement of header fields in a @@ -196,142 +207,183 @@ When a message is generated whose content is sufficiently sensitive that an author or author's Administrative Management Domain (ADMD; see [EMAIL-ARCH]) wishes to protect against misdelivery using this protocol, it determines for each recipient mailbox on the message a timestamp at which it last confirmed ownership of that mailbox. It then applies either the SMTP extension or the header field defined above when sending the message to its destination. Use of the SMTP extension provided here is preferable over the header - field method, since the additional detail about the relationship - between the message author and its intended recipient is at best a - property of the message transaction and not part of the message - itself. Further, SMTP parameters are not typically recorded in the - message upon delivery, so detail about the relationship between the - author or author's ADMD and the intended recipient are not recorded. + field method because of: + + 1. the positive confirmation of support at each handling node; + + 2. the fact that the protocol is focused on affecting delivery (that + is, the transaction) rather than on content; and + + 3. the fact that there is less risk of the timestamp parameter being + inadvertently forwarded (see Section 15.3). The header field mechanism is defined only to enable passage of the - request between and through systems that that do not implement the - SMTP extension. + request between and through systems that do not implement the SMTP + extension. 5. Handling By Receivers - If a receiver implements the RRVS SMTP extension, then there are two + If a receiver implements this specification, then there are two possible evaluation paths: 1. The sending client implements the extension, and so there was an - RRVS parameter on a RCPT TO command in the SMTP session; or + RRVS parameter on a RCPT TO command in the SMTP session and the + parameters of interest are taken only from there (and the header + field, if present, is disregarded); or 2. The sending client does not (or elected not to) implement the extension, so the RRVS parameter was not present on the RCPT TO - commands in the SMTP session. + commands in the SMTP session, but the corresponding header field + might be present in the message. 5.1. SMTP Extension Used - A receiving system that implements the SMTP extension declared above - and observes an RRVS parameter on a RCPT TO command checks whether - the current owner of the destination mailbox has held it - continuously, far enough back to inclue the given date-time, and - delivers it unless that check returns in the negative. Expressed as - a sequence of steps: + For an MTA supporting the SMTP extension, the requirement is to + continue enforcement of RRVS during the relaying process to the next + MTA or the MDA. - 1. Ignore the parameter if the named mailbox is a role account as - listed in Mailbox Names For Common Services, Roles And Functions - [ROLES]. (See Section 6.) + A receiving MDA that implements the SMTP extension declared above and + observes an RRVS parameter on a RCPT TO command checks whether the + current owner of the destination mailbox has held it continuously, + far enough back to include the given date-time, and delivers it + unless that check returns in the negative. Specifically, an MDA will + do the following before continuing with delivery: - 2. Determine if the named address is serviced for local delivery. - If so, and if that address has not been under continuous - ownership since the specified timestamp, return a 550 error to - the RCPT command. (See also Section 16.3.) + 1. Ignore the parameter if the named mailbox is known to be a role + account as listed in Mailbox Names For Common Services, Roles And + Functions [ROLES]. (See Section 6.) - 3. RECOMMENDED: If any Require-Recipient-Valid-Since header fields - are present and refer to the named address, remove them prior to - delivery or relaying. (See Section 5.2 for discussion.) + 2. If the address is not known to be a role account, and if that + address has not been under continuous ownership since the + timestamp specified in the extension, return a 550 error to the + RCPT command. (See also Section 16.3.) - Where a message arrives using the SMTP extension that also contains - the Require-Recipient-Valid-Since header field in its header, the - header field SHOULD be removed. (See Section 7.1 for further - discussion about removal of the header field.) + 3. If any Require-Recipient-Valid-Since header fields are present + and refer to the named address, they SHOULD be removed prior to + delivery or relaying. (See Section 5.2 and Section 7.1 for + discussion.) 5.1.1. Relays An MTA that does not make mailbox ownership checks, such as an MTA positioned to do SMTP ingress at an organizational boundary, SHOULD - relay the RRVS extension parameter to the next MTA so that it can be - processed there. + relay the RRVS extension parameter to the next MTA or MDA so that it + can be processed there. See Section 9.2 for additional discussion. 5.2. Header Field Used A receiving system that implements this specification, upon receiving a message bearing a Require-Recipient-Valid-Since header field when no corresponding RRVS SMTP extension was used, checks whether the destination mailbox owner has held it continuously, far enough back to include the given date-time, and delivers it unless that check returns in the negative. Expressed as a sequence of steps: - 1. Extract the set of Require-Recipient-Valid-Since fields from the - message for which no corresponding RRVS SMTP extension was used. + 1. Extract the set of Require-Recipient-Valid-Since fields from MDA + the message for which no corresponding RRVS SMTP extension was + used. 2. Discard any such fields that are syntactically invalid. 3. Discard any such fields that name a role account as listed in [ROLES] (see Section 6). 4. Discard any such fields for which the "addr-spec" portion does not match a current recipient, as listed in the RCPT TO commands in the SMTP session. 5. Discard any such fields for which the "addr-spec" portion does - not refer to a mailbox handled for local delivery by this MTA. + not refer to a mailbox handled for local delivery by this ADMD. 6. For each field remaining, determine if the named address has been under continuous ownership since the corresponding timestamp. If it has not, reject the message. 7. RECOMMENDED: If local delivery is being performed, remove all instances of this field prior to delivery to a mailbox; if the message is being forwarded, remove those instances of this header field that were not discarded by steps 1-4 above. Handling proceeds normally upon completion of the above steps if rejection has not been performed. The final step is not mandatory as not all mail handling agents are capable of stripping away header fields, and there are sometimes reasons to keep the field intact such as debugging or presence of - digital signatures that might be invalidated by such a change. + digital signatures that might be invalidated by such a change. See + Section 11 for additional discussion. If a message is to be rejected within the SMTP protocol itself (versus generating a rejection message separately), servers implementing this protocol SHOULD also implement the SMTP extension described in Enhanced Mail System Status Codes [ESC] and use the enhanced status codes described in Section 16.3 as appropriate. Implementation by this method is expected to be transparent to non- participants, since they would typically ignore this header field. This header field is not normally added to a message that is addressed to multiple recipients. The intended use of this field involves an author seeking to protect transactional or otherwise sensitive data intended for a single recipient, and thus generating independent messages for each individual recipient is normal practice. See Section 8 for further discussion. +5.2.1. Design Choices + + The presence of the intended address in the field content supports + the case where a message bearing this header field is forwarded. The + specific use case is as follows: + + 1. A user subscribes to a service "S" on date "D" and confirms an + email address at the user's current location, "A"; + + 2. At some later date, the user intends to leave the current + location, and thus creates a new mailbox elsewhere, at "B"; + + 3. The user replaces address "A" with forwarding to "B"; + + 4. "S" constructs a message to "A" claiming that address was valid + at date "D" and sends it to "A"; + + 5. The receiving MTA at "A" determines that the forwarding in effect + was created by the same party that owned the mailbox there, and + thus concludes the continuous ownership test has been satisfied; + + 6. If possible, "A" removes this header field from the message, and + in either case, forwards it to "B"; + + 7. On receipt at "B", either the header field has been removed, or + the header field does not refer to a current envelope recipient, + and in either case delivers the message. + + SMTP has never required any correspondence between addresses in the + RFC5321.MailFrom and RFC5321.RcptTo parameters and header fields of a + message, which is why the header field defined here contains the + recipient address to which the timestamp applies. + 6. Role Accounts It is necessary not to interfere with delivery of messages to role - mailboxes (see [ROLES]), but it could be useful to indicate to users - handling those mailboxes that a change of ownership might have taken - place where doing so is possible. + mailboxes (see [ROLES]), but it could be useful to notify users + sending to those mailboxes that a change of ownership might have + taken place, if such notification is possible. 7. Relaying Without RRVS Support When a message is received using the SMTP extension defined here but will not be delivered locally (that is, it needs to be relayed further), the MTA to which the relay will take place might not be compliant with this specification. Where the MTA in possession of the message observes it is going to relay the message to an MTA that does not advertise this extension, it needs to choose one of the following actions: @@ -410,27 +462,29 @@ is a mailing list. This extension has similar concerns which are covered here following that document as a model. 9.1. Mailing Lists Delivery to a mailing list service is considered a final delivery. Where this protocol is in use, it is evaluated as per any normal delivery: If the same mailing list has been operating in place of the specified recipient mailbox since at least the timestamp given as the RRVS parameter, the message is delivered to the list service - normally, and is otherwise not delivered. However, the MTA passing - the message to the list service does not convey the RRVS parameter in - either form (SMTP extension or header field) to the list service. - The emission of a message from the list service to its subscribers + normally, and is otherwise not delivered. + + It is important, however, that the participating MDA passing the + message to the list service needs to omit the RRVS parameter in + either form (SMTP extension or header field) when doing so. The + emission of a message from the list service to its subscribers constitutes a new message not covered by the previous transaction. -9.2. Single-Recipient Alaises +9.2. Single-Recipient Aliases Upon delivery of an RRVS-protected message to an alias (acting in place of a mailbox) that results in relaying of the message to a single other destination, the usual RRVS check is performed. The continuous ownership test here might succeed if a conventional user inbox was replaced with an alias on behalf of that same user, and this information is recorded someplace. If the message is thus accepted, the relaying MTA can choose to do one of the following: 1. Do not include an RRVS parameter or header field when relaying to @@ -480,60 +534,21 @@ now in possession of an address under which the original subscriber was added to the list. Upon receiving a rejection caused by this specification, the list service can remove that address from further distribution. A mailing list service that receives a message containing the header field defined here needs to remove it from the message prior to redistributing it, limiting exposure of information regarding the relationship between the message's author and the mailing list. -10. Discussion - - To further obscure account details on the receiving system, the - receiver SHOULD ignore the SMTP extension or the header field if the - address specified has had one continuous owner since it was created, - regardless of the purported confirmation date of the address. This - is further discussed in Section 14. - - The presence of the intended address in the field content supports - the case where a message bearing this header field is forwarded. The - specific use case is as follows: - - 1. A user subscribes to a service "S" on date "D" and confirms an - email address at the user's current location, "A"; - - 2. At some later date, the user intends to leave the current - location, and thus creates a new mailbox elsewhere, at "B"; - - 3. The user replaces address "A" with forwarding to "B"; - - 4. "S" constructs a message to "A" claiming that address was valid - at date "D" and sends it to "A"; - - 5. The receiving MTA at "A" determines that the forwarding in effect - was created by the same party that owned the mailbox there, and - thus concludes the continuous ownership test has been satisfied; - - 6. If possible, "A" removes this header field from the message, and - in either case, forwards it to "B"; - - 7. On receipt at "B", either the header field has been removed, or - the header field does not refer to a current envelope recipient, - and in either case delivers the message. - - SMTP has never required any correspondence between addresses in the - RFC5321.MailFrom and RFC5321.RcptTo parameters and header fields of a - message, which is why the header field defined here contains the - recipient address to which the timestamp applies. - -11. Continuous Ownership +10. Continuous Ownership For the purposes of this specification, an address is defined as having been under continuous ownership since a given date-time if a message sent to the address at any point since the given date would not go to anyone except the owner at that given date-time. That is, while an address may have been suspended or otherwise disabled for some period, any mail actually delivered would have been delivered exclusively to the same owner. It is is presumed that some sort of relationship exists between the message sender and the intended recipient. Presumably there has been some confirmation process @@ -552,20 +567,44 @@ For example, when control of a domain name is transferred, the new domain owner might be unable to determine whether the owner of the subject address has been under continuous ownership since the stated date if the mailbox history is not also transferred (or was not previously maintained). It will also be "unknown" if whatever database contains mailbox ownership data is temporarily unavailable at the time a message arrives for delivery. In this latter case, typical SMTP temporary failure handling is appropriate. + To further obscure account details on the receiving system, the + receiver SHOULD ignore the SMTP extension or the header field if the + address specified has had one continuous owner since it was created, + regardless of the purported confirmation date of the address. This + is further discussed in Section 14. + +11. Digital Signatures + + This protocol mandates removal of the header field (when used) upon + delivery in all but iexceptional circumstances. Altering a message + in this way will invalidate a digital signature intended to guard + against message modification in transit, which can interfere with + delivery. + + Section 5.4.1 of DomainKeys Identified Mail [DKIM] proposes a + strategy for selecting header fields to sign. Specifically, it + advises including in the signed portion of the message only those + header fields that comprise part of the core content of the message. + As the header field version of this protocol is ephemeral, it cannot + be considered core content. + + Accordingly, applying digital signatures that attempt to protect the + content of this header field is NOT RECOMMENDED. + 12. Authentication-Results Definitions [AUTHRES] defines a mechanism for indicating, via a header field, the results of message authentication checks. Section 16 registers RRVS as a new method that can be reported in this way, and corresponding result names. The possible result names and their meanings are as follows: none: The message had no recipient mailbox timestamp associated with it, either via the SMTP extension or header field method; this @@ -604,26 +643,25 @@ 13.1. SMTP Extension Example C: [connection established] S: 220 server.example.com ESMTP ready C: EHLO client.example.net S: 250-server.example.com S: 250 RRVS C: MAIL FROM: S: 250 OK C: RCPT TO: RRVS=1381993177 - S: 550 5.7.15 receiver@example.com is no longer valid + S: 550 5.7.17 receiver@example.com is no longer valid C: QUIT S: 221 So long! 13.2. Header Field Example - C: [connection established] S: 220 server.example.com ESMTP ready C: HELO client.example.net S: 250 server.example.com C: MAIL FROM: S: 250 OK C: RCPT TO: S: 250 OK C: DATA S: 354 Ready for message content @@ -629,30 +667,36 @@ S: 354 Ready for message content C: From: Mister Sender To: Miss Receiver Subject: Are you still there? Date: Fri, 28 Jun 2013 18:01:01 +0200 Require-Recipient-Valid-Since: receiver@example.com; Sat, 1 Jun 2013 09:23:01 -0700 Are you still there? . - S: 550 5.7.15 receiver@example.com is no longer valid + S: 550 5.7.17 receiver@example.com is no longer valid C: QUIT S: 221 So long! - If an authentication scheme is applied to claim the added header - field is valid, but the scheme fails, a receiver might reject the - message with an SMTP reply such as: +13.3. Authentication-Results Example - S: 550-5.7.7 Use of Require-Recipient-Valid-Since header - S: 550 field requires a valid signature + An example use of the Authentication-Results header field used to + yield the results of an RRVS evaluation: + + Authentication-Results: mx.example.com; rrvs=pass + smtp.rcptto=user@example.com + + This indicates that the message arrived addressed to the mailbox + user@example.com, the continuous ownership test was applied with the + provided timestamp, and the check revealed that test was satisfied. + The timestamp is not revealed. 14. Security Considerations 14.1. Abuse Countermeasures The response of a server implementing this protocol can disclose information about the age of existing email mailbox. Implementation of countermeasures against probing attacks is advised. For example, an operator could track appearance of this field with respect to a particular mailbox and observe the timestamps being submitted for @@ -675,20 +719,36 @@ to implement this specification, in order to reduce the possibility of revealing information about the relationship between the author and the mailbox. If ownership of an entire domain is transferred, the new owner may not know what addresses were assigned in the past by the prior owner. Hence, no address can be known not to have had a single owner, or to have existed (or not) at all. In this case, the "unknown" result is likely appropriate. +14.3. False Sense of Security + + Senders implementing this protocol likely believe their content is + being protected by doing so. It has to be considered, however, that + receiving systems might not implement this protocol correctly, or at + all. Furthermore, use of RRVS by a sending system constitutes + nothing more than a request to the receiving system; that system + could choose not to prevent delivery for some local policy or + operational reason, which compromises the security the sending system + believed was a benefit to using RRVS. This could mean the timestamp + information involved in the protocol becomes inadvertently revealed. + + This concern lends further support to the notion that senders would + do well to avoid using this protocol other than when sending to + known, trusted receivers. + 15. Privacy Considerations 15.1. Probing Attacks As described above, use of this extension or header field in probing attacks can disclose information about the history of the mailbox. The harm that can be done by leaking any kind of private information is difficult to predict, so it is prudent to be sensitive to this sort of disclosure, either inadvertently or in response to probing by an attacker. It bears restating, then, that implementing @@ -720,67 +780,72 @@ actionable. As such, use of this specification can reveal some or all of the original intended recipient set to any party that can see the message in transit or upon delivery. For a message destined to a single recipient, this is unlikely to be a concern, which is one of the reasons use of this specification on multi-recipient messages is discouraged. 15.3. Risks with Use of Header Field - MTAs might not implement the recommendation to remove the header - field defined here, either out of ignorance or due to error. Since - user agents often do not render all of the header fields present, the - message could be forwarded to another party that would then - inadvertently have the content of this header field. + MDAs might not implement the recommendation to remove the header + field defined here when messages are delivered, either out of + ignorance or due to error. Since user agents often do not render all + of the header fields present, the message could be forwarded to + another party that would then inadvertently have the content of this + header field. + + A bad actor may detect use of either form of the RRVS protocol and + interpret it as an indication of high value content. 16. IANA Considerations 16.1. SMTP Extension Registration Section 2.2.2 of [MAIL] sets out the procedure for registering a new SMTP extension. IANA is requested to register the SMTP extension using the details provided in Section 3.1 of this document. 16.2. Header Field Registration IANA is requested to add the following entry to the Permanent Message - Header Field registry, as per the procedure found in [IANA-HEADERS]: + Header Field Names registry, as per the procedure found in + [IANA-HEADERS]: Header field name: Require-Recipient-Valid-Since Applicable protocol: mail ([MAIL]) Status: Standard Author/Change controller: IETF Specification document(s): [this document] Related information: Requesting review of any proposed changes and additions to this field is recommended. 16.3. Enhanced Status Code Registration - IANA is requested to register the following in the SMTP Enhanced - Status Codes registry: + IANA is requested to register the following in the Enumerated Status + Codes table of the Simple Mail Transfer Protocol (SMTP) Enhanced + Status Codes Registry: - Code: X.7.15 + Code: X.7.17 Sample Text: Mailbox owner has changed Associated basic status code: 5 Description: This status code is returned when a message is received with a Require-Recipient-Valid-Since field or RRVS extension and the receiving system is able to determine that the intended recipient mailbox has not been under continuous ownership since the specified date. Reference: [this document] Submitter: M. Kucherawy Change controller: IESG - - Code: X.7.16 + Code: X.7.18 Sample Text: Domain owner has changed Associated basic status code: 5 Description: This status code is returned when a message is received with a Require-Recipient-Valid-Since field or RRVS extension and the receiving system wishes to disclose that the owner of the domain name of the recipient has changed since the specified date. Reference: [this document] Submitter: M. Kucherawy @@ -842,41 +907,46 @@ [SMTP] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321, October 2008. 17.2. Informative References [AUTHRES] Kucherawy, M., "Message Header Field for Indicating Message Authentication Status", RFC 7001, September 2013. + [DKIM] Crocker, D., Ed., Hansen, T., Ed., and M. Kucherawy, + Ed., "DomainKeys Identified Mail (DKIM) Signatures", + RFC 6376, September 2011. + [DSN] Moore, K. and G. Vaudreuil, "An Extensible Message Format for Delivery Status Notifications", RFC 3464, January 2003. [DSN-SMTP] Moore, K., "Simple Mail Transfer Protocol (SMTP) Service Extension for Delivery Status Notifications (DSNs)", RFC 3461, January 2003. [EMAIL-ARCH] Crocker, D., "Internet Mail Architecture", RFC 5598, July 2009. [ESC] Vaudreuil, G., "Enhanced Mail System Status Codes", RFC 3463, January 2003. Appendix A. Acknowledgments Erling Ellingsen proposed the idea. Reviews and comments were provided by Michael Adkins, Kurt Andersen, - Alissa Cooper, Dave Cridland, Dave Crocker, Ned Freed, John Levine, - Alexey Melnikov, Hector Santos, Gregg Stefancik, Ed Zayas, (others) + Eric Burger, Alissa Cooper, Dave Cridland, Dave Crocker, Ned Freed, + John Levine, Alexey Melnikov, Hector Santos, Gregg Stefancik, Ed + Zayas, (others) Authors' Addresses William J. Mills Yahoo! Inc. EMail: wmills_92105@yahoo.com Murray S. Kucherawy Facebook, Inc.