idnits 2.17.1 draft-ietf-appsawg-rrvs-header-field-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (December 11, 2013) is 3789 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Obsolete informational reference (is this intentional?): RFC 7001 (ref. 'AUTHRES') (Obsoleted by RFC 7601) Summary: 0 errors (**), 0 flaws (~~), 1 warning (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group W. Mills 3 Internet-Draft Yahoo! Inc. 4 Intended status: Standards Track M. Kucherawy 5 Expires: June 14, 2014 Facebook, Inc. 6 December 11, 2013 8 The Require-Recipient-Valid-Since Header Field and SMTP Service 9 Extension 10 draft-ietf-appsawg-rrvs-header-field-05 12 Abstract 14 This document defines an extension for the Simple Mail Transfer 15 Protocol called RRVS, and a header field called Require-Recipient- 16 Valid-Since, to provide a method for senders to indicate to receivers 17 the time when the sender last confirmed the ownership of the target 18 mailbox. This can be used to detect changes of mailbox ownership, 19 and thus prevent mail from being delivered to the wrong party. 21 The intended use of these facilities is on automatically generated 22 messages that might contain sensitive information, though it may also 23 be useful in other applications. 25 Status of This Memo 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at http://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six months 36 and may be updated, replaced, or obsoleted by other documents at any 37 time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on June 14, 2014. 42 Copyright Notice 44 Copyright (c) 2013 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents 49 (http://trustee.ietf.org/license-info) in effect on the date of 50 publication of this document. Please review these documents 51 carefully, as they describe your rights and restrictions with respect 52 to this document. Code Components extracted from this document must 53 include Simplified BSD License text as described in Section 4.e of 54 the Trust Legal Provisions and are provided without warranty as 55 described in the Simplified BSD License. 57 Table of Contents 59 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 60 2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 4 61 3. Description . . . . . . . . . . . . . . . . . . . . . . . . . 4 62 3.1. The 'RRVS' SMTP Extension . . . . . . . . . . . . . . . . 5 63 3.2. The 'Require-Recipient-Valid-Since' Header Field . . . . . 5 64 4. Use By Generators . . . . . . . . . . . . . . . . . . . . . . 6 65 5. Handling By Receivers . . . . . . . . . . . . . . . . . . . . 6 66 5.1. SMTP Extension Used . . . . . . . . . . . . . . . . . . . 6 67 5.1.1. Relays . . . . . . . . . . . . . . . . . . . . . . . . 7 68 5.2. Header Field Used . . . . . . . . . . . . . . . . . . . . 7 69 6. Role Accounts . . . . . . . . . . . . . . . . . . . . . . . . 8 70 7. Relaying Without RRVS Support . . . . . . . . . . . . . . . . 8 71 7.1. Header Field Conversion . . . . . . . . . . . . . . . . . 9 72 8. Header Field with Multiple Recipients . . . . . . . . . . . . 9 73 9. Special Use Addresses . . . . . . . . . . . . . . . . . . . . 10 74 9.1. Mailing Lists . . . . . . . . . . . . . . . . . . . . . . 10 75 9.2. Single-Recipient Alaises . . . . . . . . . . . . . . . . . 10 76 9.3. Multiple-Recipient Aliases . . . . . . . . . . . . . . . . 11 77 9.4. Confidential Forwarding Addresses . . . . . . . . . . . . 11 78 9.5. Suggested Mailing List Enhancements . . . . . . . . . . . 11 79 10. Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . 12 80 11. Continuous Ownership . . . . . . . . . . . . . . . . . . . . . 13 81 12. Authentication-Results Definitions . . . . . . . . . . . . . . 13 82 13. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 83 13.1. SMTP Extension Example . . . . . . . . . . . . . . . . . . 14 84 13.2. Header Field Example . . . . . . . . . . . . . . . . . . . 15 85 14. Security Considerations . . . . . . . . . . . . . . . . . . . 15 86 14.1. Abuse Countermeasures . . . . . . . . . . . . . . . . . . 15 87 14.2. Suggested Use Restrictions . . . . . . . . . . . . . . . . 16 88 15. Privacy Considerations . . . . . . . . . . . . . . . . . . . . 16 89 15.1. Probing Attacks . . . . . . . . . . . . . . . . . . . . . 16 90 15.2. Envelope Recipients . . . . . . . . . . . . . . . . . . . 17 91 15.3. Risks with Use of Header Field . . . . . . . . . . . . . . 17 92 16. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 93 16.1. SMTP Extension Registration . . . . . . . . . . . . . . . 17 94 16.2. Header Field Registration . . . . . . . . . . . . . . . . 17 95 16.3. Enhanced Status Code Registration . . . . . . . . . . . . 18 96 16.4. Authentication Results Registration . . . . . . . . . . . 18 97 17. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19 98 17.1. Normative References . . . . . . . . . . . . . . . . . . . 19 99 17.2. Informative References . . . . . . . . . . . . . . . . . . 20 100 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 20 102 1. Introduction 104 Email addresses sometimes get reassigned to a different person. For 105 example, employment changes at a company can cause an address used 106 for an ex-employee to be assigned to a new employee, or a mail 107 service provider (MSP) might expire an account and then let someone 108 else register for the local-part that was previously used. Those who 109 sent mail to the previous owner of an address might not know that it 110 has been reassigned. This can lead to the sending of email to the 111 correct address, but the wrong recipient. 113 What is needed is a way to indicate an attribute of the recipient 114 that will distinguish between the previous owner of an address and 115 its current owner, if they are different. Further, this needs to be 116 done in a way that respects privacy. 118 The mechanisms specified here allow the sender of the mail to 119 indicate how "old" the address assignment is expected to be. In 120 effect, the sender is saying, "The person to whom I am sending to had 121 this address assigned to as far back as this date-time." A receiving 122 system can then compare this information against the date and time 123 the address was assigned to its current user. If the assignment was 124 made later than the date-time indicated in the message, there is a 125 good chance the current user of the address is not the correct 126 recipient. The receiving system can then choose to prevent delivery 127 and, possibly, to notify the original sender of the problem. 129 The primary application is automatically generated messages rather 130 than user-authored content, though it may be useful in other 131 contexts. 133 2. Definitions 135 For a description of the email architecture, consult [EMAIL-ARCH]. 137 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 138 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 139 document are to be interpreted as described in [KEYWORDS]. 141 3. Description 143 To address the problem described above, a mail sending client needs 144 to indicate to the server to which it is connecting that there is an 145 expectation that the destination of the message has been under 146 continuous ownership (see Section 11) since some date-time, 147 presumably the most recent time the message author had confirmed its 148 understanding of who owned that mailbox. Two mechanisms are defined 149 here: an extension to the Simple Mail Transfer Protocol [SMTP], for 150 use between a client and server that both implement the extension, 151 and a header field that can be used when passing a message to a 152 server that appears not to implement this extension. 154 The SMTP extenion is called "RRVS" (Require Recipient Valid Since), 155 and adds a parameter to the SMTP "RCPT" command that indicates the 156 most recent date and time when the message author believed the 157 destination mailbox to be under the continuous ownership of a 158 specific party. Similarly, the Require-Recipient-Valid-Since header 159 field includes an intended recipient coupled with a timestamp 160 indicating the same thing. 162 3.1. The 'RRVS' SMTP Extension 164 Extensions to SMTP are described in Section 2.2 of [SMTP]. 166 The name of the extension is "RRVS", an abbreviation of "Require 167 Recipient Valid Since". Servers implementing the SMTP extension 168 advertise an additional EHLO keyword of "RRVS", which has no 169 associated parameters, introduces no new SMTP verbs, and does not 170 alter the MAIL verb. 172 An MTA implementing RRVS can transmit or accept a new parameter to 173 the RCPT command. The new parameter is "RRVS", which takes a value 174 that is a timestamp expressed as a "date-time" as defiend in 175 [DATETIME], with the added restriction that a "time-secfrac" MUST NOT 176 be used. Accordingly, this extension increases the maximum command 177 length for the RCPT verb by 31 characters. 179 The meaning of this extension, when used, is described in 180 Section 5.1. 182 3.2. The 'Require-Recipient-Valid-Since' Header Field 184 The general constraints on syntax and placement of header fields in a 185 message are defined in Internet Message Format [MAIL]. 187 Using Augmented Backus-Naur Form [ABNF], the syntax for the field is: 189 rrvs = "Require-Recipient-Valid-Since:" addr-spec ";" date-time 190 CRLF 192 "date-time" is defined in Section 3.3, and "addr-spec" is defined in 193 Section 3.4.1, of [MAIL]. 195 4. Use By Generators 197 When a message is generated whose content is sufficiently sensitive 198 that an author or author's Administrative Management Domain (ADMD; 199 see [EMAIL-ARCH]) wishes to protect against misdelivery using this 200 protocol, it determines for each recipient mailbox on the message a 201 timestamp at which it last confirmed ownership of that mailbox. It 202 then applies either the SMTP extension or the header field defined 203 above when sending the message to its destination. 205 Use of the SMTP extension provided here is preferable over the header 206 field method, since the additional detail about the relationship 207 between the message author and its intended recipient is at best a 208 property of the message transaction and not part of the message 209 itself. Further, SMTP parameters are not typically recorded in the 210 message upon delivery, so detail about the relationship between the 211 author or author's ADMD and the intended recipient are not recorded. 213 The header field mechanism is defined only to enable passage of the 214 request between and through systems that that do not implement the 215 SMTP extension. 217 5. Handling By Receivers 219 If a receiver implements the RRVS SMTP extension, then there are two 220 possible evaluation paths: 222 1. The sending client implements the extension, and so there was an 223 RRVS parameter on a RCPT TO command in the SMTP session; or 225 2. The sending client does not (or elected not to) implement the 226 extension, so the RRVS parameter was not present on the RCPT TO 227 commands in the SMTP session. 229 5.1. SMTP Extension Used 231 A receiving system that implements the SMTP extension declared above 232 and observes an RRVS parameter on a RCPT TO command checks whether 233 the current owner of the destination mailbox has held it 234 continuously, far enough back to inclue the given date-time, and 235 delivers it unless that check returns in the negative. Expressed as 236 a sequence of steps: 238 1. Ignore the parameter if the named mailbox is a role account as 239 listed in Mailbox Names For Common Services, Roles And Functions 240 [ROLES]. (See Section 6.) 242 2. Determine if the named address is serviced for local delivery. 243 If so, and if that address has not been under continuous 244 ownership since the specified timestamp, return a 550 error to 245 the RCPT command. (See also Section 16.3.) 247 3. RECOMMENDED: If any Require-Recipient-Valid-Since header fields 248 are present and refer to the named address, remove them prior to 249 delivery or relaying. (See Section 5.2 for discussion.) 251 Where a message arrives using the SMTP extension that also contains 252 the Require-Recipient-Valid-Since header field in its header, the 253 header field SHOULD be removed. (See Section 7.1 for further 254 discussion about removal of the header field.) 256 5.1.1. Relays 258 An MTA that does not make mailbox ownership checks, such as an MTA 259 positioned to do SMTP ingress at an organizational boundary, SHOULD 260 relay the RRVS extension parameter to the next MTA so that it can be 261 processed there. 263 See Section 9.2 for additional discussion. 265 5.2. Header Field Used 267 A receiving system that implements this specification, upon receiving 268 a message bearing a Require-Recipient-Valid-Since header field when 269 no corresponding RRVS SMTP extension was used, checks whether the 270 destination mailbox owner has held it continuously, far enough back 271 to include the given date-time, and delivers it unless that check 272 returns in the negative. Expressed as a sequence of steps: 274 1. Extract the set of Require-Recipient-Valid-Since fields from the 275 message for which no corresponding RRVS SMTP extension was used. 277 2. Discard any such fields that are syntactically invalid. 279 3. Discard any such fields that name a role account as listed in 280 [ROLES] (see Section 6). 282 4. Discard any such fields for which the "addr-spec" portion does 283 not match a current recipient, as listed in the RCPT TO commands 284 in the SMTP session. 286 5. Discard any such fields for which the "addr-spec" portion does 287 not refer to a mailbox handled for local delivery by this MTA. 289 6. For each field remaining, determine if the named address has been 290 under continuous ownership since the corresponding timestamp. If 291 it has not, reject the message. 293 7. RECOMMENDED: If local delivery is being performed, remove all 294 instances of this field prior to delivery to a mailbox; if the 295 message is being forwarded, remove those instances of this header 296 field that were not discarded by steps 1-4 above. 298 Handling proceeds normally upon completion of the above steps if 299 rejection has not been performed. 301 The final step is not mandatory as not all mail handling agents are 302 capable of stripping away header fields, and there are sometimes 303 reasons to keep the field intact such as debugging or presence of 304 digital signatures that might be invalidated by such a change. 306 If a message is to be rejected within the SMTP protocol itself 307 (versus generating a rejection message separately), servers 308 implementing this protocol SHOULD also implement the SMTP extension 309 described in Enhanced Mail System Status Codes [ESC] and use the 310 enhanced status codes described in Section 16.3 as appropriate. 312 Implementation by this method is expected to be transparent to non- 313 participants, since they would typically ignore this header field. 315 This header field is not normally added to a message that is 316 addressed to multiple recipients. The intended use of this field 317 involves an author seeking to protect transactional or otherwise 318 sensitive data intended for a single recipient, and thus generating 319 independent messages for each individual recipient is normal 320 practice. See Section 8 for further discussion. 322 6. Role Accounts 324 It is necessary not to interfere with delivery of messages to role 325 mailboxes (see [ROLES]), but it could be useful to indicate to users 326 handling those mailboxes that a change of ownership might have taken 327 place where doing so is possible. 329 7. Relaying Without RRVS Support 331 When a message is received using the SMTP extension defined here but 332 will not be delivered locally (that is, it needs to be relayed 333 further), the MTA to which the relay will take place might not be 334 compliant with this specification. Where the MTA in possession of 335 the message observes it is going to relay the message to an MTA that 336 does not advertise this extension, it needs to choose one of the 337 following actions: 339 1. Decline to relay the message further, preferably generating a 340 Delivery Status Notification [DSN] to indicate failure 341 (RECOMMENDED); 343 2. Downgrade the data thus provided in the SMTP extension to a 344 header field, as described in Section 7.1 below (RECOMMENDED when 345 the previous option is not available); or 347 3. Silently continue with delivery, dropping the protection offered 348 by this protocol. 350 Using other than the first option needs to be avoided unless there is 351 specific knowledge that further relaying with the degraded 352 protections thus provided does not introduce undue risk. 354 7.1. Header Field Conversion 356 If an SMTP server ("B") that has received mailbox timestamps from a 357 client ("A") using this extension but then needs to relay the 358 corresponding message on to another server ("C") (thereby becoming a 359 client), but "C" does not advertise the SMTP extension and "B" elects 360 not to reject the message, "B" SHOULD add Require-Recipient-Valid- 361 Since header fields matching each mailbox to which relaying is being 362 done, and the corresponding valid-since timestamp for each. 364 Similarly, if "B" receives a message bearing one or more Require- 365 Recipient-Valid-Since header fields from "A" for which it must now 366 relay the message, and "C" advertises support for the SMTP extension, 367 "B" SHOULD delete the header field(s) and instead relay this 368 information by making use of the SMTP extension. Note that such 369 modification of the header might affect later validation of the 370 header upon delivery; for example, a hash of the header would produce 371 a different result. This might be a valid cause for some operators 372 to skip this delete operation. 374 8. Header Field with Multiple Recipients 376 Numerous issues arise when using the header field form of this 377 extension, particularly when multiple recipients are specified for a 378 single message resulting in one multiple fields each with a distinct 379 address and timestamp. 381 Because of the nature of SMTP, a message bearing a multiplicity of 382 Require-Recipient-Valid-Since header fields could result in a single 383 delivery attempt for multiple recipients (in particular, if two of 384 the recipients are handled by the same server), and if any one of 385 them fails the test, the delivery fails to all of them; it then 386 becomes necessary to do one of the following: 388 o reject the message on completion of the DATA phase of the SMTP 389 session, which is a rejection of delivery to all recipients; or 391 o accept the message on completion of DATA, and then generate a 392 Delivery Status Notification [DSN] message for each of the failed 393 recipients 395 Additional complexity arises when a message is sent to two 396 recipients, "A" and "B", presumably with different timestamps, both 397 of which are then redirected to a common address "C". The author is 398 not necessarily aware of the current or past ownership of mailbox 399 "C", or indeed that "A" and/or "B" have been redirected. This might 400 result in either or both of the two deliveries failing at "C", which 401 is likely to confuse the message author, who (as far as the author is 402 aware) never sent a message to "C" in the first place. 404 9. Special Use Addresses 406 In [DSN-SMTP], an SMTP extension was defined to allow SMTP clients to 407 request generation of DSNs, and related information to allow such 408 reports to be maximally useful. Section 5.2.7 of that document 409 explored the issue of the use of that extension where the recipient 410 is a mailing list. This extension has similar concerns which are 411 covered here following that document as a model. 413 9.1. Mailing Lists 415 Delivery to a mailing list service is considered a final delivery. 416 Where this protocol is in use, it is evaluated as per any normal 417 delivery: If the same mailing list has been operating in place of the 418 specified recipient mailbox since at least the timestamp given as the 419 RRVS parameter, the message is delivered to the list service 420 normally, and is otherwise not delivered. However, the MTA passing 421 the message to the list service does not convey the RRVS parameter in 422 either form (SMTP extension or header field) to the list service. 423 The emission of a message from the list service to its subscribers 424 constitutes a new message not covered by the previous transaction. 426 9.2. Single-Recipient Alaises 428 Upon delivery of an RRVS-protected message to an alias (acting in 429 place of a mailbox) that results in relaying of the message to a 430 single other destination, the usual RRVS check is performed. The 431 continuous ownership test here might succeed if a conventional user 432 inbox was replaced with an alias on behalf of that same user, and 433 this information is recorded someplace. If the message is thus 434 accepted, the relaying MTA can choose to do one of the following: 436 1. Do not include an RRVS parameter or header field when relaying to 437 the new address. (RECOMMENDED) 439 2. If the relaying system records the time when the alias was 440 established, independent of confirming the validity of the new 441 destination address, it MAY add an RRVS parameter for the new 442 target address that includes that time. 444 3. If an explicit confirmation of the new destination was done, it 445 MAY add an RRVS parameter for the new target address that 446 includes that time. 448 There is risk and additional administrative burden associated with 449 all but the first option in that list which are believed to make them 450 not worth pursuing. 452 9.3. Multiple-Recipient Aliases 454 Upon delivery of an RRVS-protected message to an alias (acting in 455 place of a mailbox) that results in relaying of the message to 456 multiple other destinations, the usual RRVS check is performed as in 457 Section 9.2. The MTA expanding such an alias then decides which of 458 the options enumerated in that section is to be applied for each new 459 recipient. 461 9.4. Confidential Forwarding Addresses 463 In the above cases, the original author could receive message 464 rejections, such as DSNs, from the ultimate destination, where the 465 RRVS check (or indeed, any other) fails and rejection is warranted. 466 This can reveal the existence of a forwarding relationship between 467 the original intended recipient and the actual final recipient. 469 Where this is a concern, the initial delivery attempt is to be 470 treated like a mailing list delivery, with RRVS evaluation done and 471 then all RRVS information removed from the message prior to relaying 472 it to its true destination. 474 9.5. Suggested Mailing List Enhancements 476 Mailing list services could store the timestamp at which a subscriber 477 was added to a mailing list. This specification could then be used 478 in conjunction with that information in order to restrict list 479 traffic to the original subscriber, rather than a different person 480 now in possession of an address under which the original subscriber 481 was added to the list. Upon receiving a rejection caused by this 482 specification, the list service can remove that address from further 483 distribution. 485 A mailing list service that receives a message containing the header 486 field defined here needs to remove it from the message prior to 487 redistributing it, limiting exposure of information regarding the 488 relationship between the message's author and the mailing list. 490 10. Discussion 492 To further obscure account details on the receiving system, the 493 receiver SHOULD ignore the SMTP extension or the header field if the 494 address specified has had one continuous owner since it was created, 495 regardless of the purported confirmation date of the address. This 496 is further discussed in Section 14. 498 The presence of the intended address in the field content supports 499 the case where a message bearing this header field is forwarded. The 500 specific use case is as follows: 502 1. A user subscribes to a service "S" on date "D" and confirms an 503 email address at the user's current location, "A"; 505 2. At some later date, the user intends to leave the current 506 location, and thus creates a new mailbox elsewhere, at "B"; 508 3. The user replaces address "A" with forwarding to "B"; 510 4. "S" constructs a message to "A" claiming that address was valid 511 at date "D" and sends it to "A"; 513 5. The receiving MTA at "A" determines that the forwarding in effect 514 was created by the same party that owned the mailbox there, and 515 thus concludes the continuous ownership test has been satisfied; 517 6. If possible, "A" removes this header field from the message, and 518 in either case, forwards it to "B"; 520 7. On receipt at "B", either the header field has been removed, or 521 the header field does not refer to a current envelope recipient, 522 and in either case delivers the message. 524 SMTP has never required any correspondence between addresses in the 525 RFC5321.MailFrom and RFC5321.RcptTo parameters and header fields of a 526 message, which is why the header field defined here contains the 527 recipient address to which the timestamp applies. 529 11. Continuous Ownership 531 For the purposes of this specification, an address is defined as 532 having been under continuous ownership since a given date-time if a 533 message sent to the address at any point since the given date would 534 not go to anyone except the owner at that given date-time. That is, 535 while an address may have been suspended or otherwise disabled for 536 some period, any mail actually delivered would have been delivered 537 exclusively to the same owner. It is is presumed that some sort of 538 relationship exists between the message sender and the intended 539 recipient. Presumably there has been some confirmation process 540 applied to establish this ownership of the receiver's mailbox; 541 however, the method of making such determinations is a local matter 542 and outside the scope of this document. 544 Evaluating the notion of continuous ownership is accomplished by 545 doing any query that establishes whether the above condition holds 546 for a given mailbox. 548 Determining continuous ownership of a mailbox is a local matter at 549 the receiving site. The only possible answers to the continuous- 550 ownership-since question are "yes", "no", and "unknown"; the action 551 to be taken in the "unknown" case is a matter of local policy. 553 For example, when control of a domain name is transferred, the new 554 domain owner might be unable to determine whether the owner of the 555 subject address has been under continuous ownership since the stated 556 date if the mailbox history is not also transferred (or was not 557 previously maintained). It will also be "unknown" if whatever 558 database contains mailbox ownership data is temporarily unavailable 559 at the time a message arrives for delivery. In this latter case, 560 typical SMTP temporary failure handling is appropriate. 562 12. Authentication-Results Definitions 564 [AUTHRES] defines a mechanism for indicating, via a header field, the 565 results of message authentication checks. Section 16 registers RRVS 566 as a new method that can be reported in this way, and corresponding 567 result names. The possible result names and their meanings are as 568 follows: 570 none: The message had no recipient mailbox timestamp associated with 571 it, either via the SMTP extension or header field method; this 572 protocol was not in use. 574 unknown: At least one form of this protocol was in use, but 575 continuous ownership of the recipient mailbox could not be 576 determined. 578 temperror: At least one form of this protocol was in use, but some 579 kind of error occurred during evaluation that was transient in 580 nature; a later retry will likely produce a final result. 582 permerror: At least one form of this protocol was in use, but some 583 kind of error occurred during evaluation that was not recoverable; 584 a later retry will not likely produce a final result. 586 pass: At least one form of this protocol was in use, and the 587 destination mailbox was confirmed to have been under constant 588 ownership since the timestamp thus provided. 590 fail: At least one form of this protocol was in use, and the 591 destination mailbox was confirmed not to have been under constant 592 ownership since the timestamp thus provided. 594 Where multiple recipients are present on a message, multiple results 595 can be reported using the mechanism described in [AUTHRES]. 597 13. Examples 599 In the following examples, "C:" indicates data sent by an SMTP 600 client, and "S:" indicates responses by the SMTP server. Message 601 content is CRLF terminated, though these are omitted here for ease of 602 reading. 604 13.1. SMTP Extension Example 606 C: [connection established] 607 S: 220 server.example.com ESMTP ready 608 C: EHLO client.example.net 609 S: 250-server.example.com 610 S: 250 RRVS 611 C: MAIL FROM: 612 S: 250 OK 613 C: RCPT TO: RRVS=1381993177 614 S: 550 5.7.15 receiver@example.com is no longer valid 615 C: QUIT 616 S: 221 So long! 618 13.2. Header Field Example 620 C: [connection established] 621 S: 220 server.example.com ESMTP ready 622 C: HELO client.example.net 623 S: 250 server.example.com 624 C: MAIL FROM: 625 S: 250 OK 626 C: RCPT TO: 627 S: 250 OK 628 C: DATA 629 S: 354 Ready for message content 630 C: From: Mister Sender 631 To: Miss Receiver 632 Subject: Are you still there? 633 Date: Fri, 28 Jun 2013 18:01:01 +0200 634 Require-Recipient-Valid-Since: receiver@example.com; 635 Sat, 1 Jun 2013 09:23:01 -0700 637 Are you still there? 638 . 639 S: 550 5.7.15 receiver@example.com is no longer valid 640 C: QUIT 641 S: 221 So long! 643 If an authentication scheme is applied to claim the added header 644 field is valid, but the scheme fails, a receiver might reject the 645 message with an SMTP reply such as: 647 S: 550-5.7.7 Use of Require-Recipient-Valid-Since header 648 S: 550 field requires a valid signature 650 14. Security Considerations 652 14.1. Abuse Countermeasures 654 The response of a server implementing this protocol can disclose 655 information about the age of existing email mailbox. Implementation 656 of countermeasures against probing attacks is advised. For example, 657 an operator could track appearance of this field with respect to a 658 particular mailbox and observe the timestamps being submitted for 659 testing; if it appears a variety of timestamps is being tried against 660 a single mailbox in short order, the field could be ignored and the 661 message silently discarded. This concern is discussed further in 662 Section 15. 664 14.2. Suggested Use Restrictions 666 If the mailbox named in the field is known to have had only a single 667 continuous owner since creation, or not to have existed at all (under 668 any owner) prior to the date specified in the field, then the field 669 can be silently ignored and normal message handling applied so that 670 this information is not disclosed. Such fields are likely the 671 product of either gross error or an attack. 673 A message author using this specification might restrict inclusion of 674 the header field such that it is only done for recipients known also 675 to implement this specification, in order to reduce the possibility 676 of revealing information about the relationship between the author 677 and the mailbox. 679 If ownership of an entire domain is transferred, the new owner may 680 not know what addresses were assigned in the past by the prior owner. 681 Hence, no address can be known not to have had a single owner, or to 682 have existed (or not) at all. In this case, the "unknown" result is 683 likely appropriate. 685 15. Privacy Considerations 687 15.1. Probing Attacks 689 As described above, use of this extension or header field in probing 690 attacks can disclose information about the history of the mailbox. 691 The harm that can be done by leaking any kind of private information 692 is difficult to predict, so it is prudent to be sensitive to this 693 sort of disclosure, either inadvertently or in response to probing by 694 an attacker. It bears restating, then, that implementing 695 countermeasures to abuse of this capability needs strong 696 consideration. 698 That some MSPs allow for expiration of account names when they have 699 been unused for a protracted period forces a choice between two 700 potential types of privacy vulnerabilities, one of which presents 701 significantly greater threats to users than the other. Automatically 702 generated mail is often used to convey authentication credentials 703 that can potentially provide access to extremely sensitive 704 information. Supplying such credentials to the wrong party after a 705 mailbox ownership change could allow the previous owner's data to be 706 exposed without his or her authorization or knowledge. In contrast, 707 the information that may be exposed to a third party via the proposal 708 in this document is limited to information about the mailbox history. 709 Given that MSPs have chosen to allow transfers of mailbox ownership 710 without the prior owner's involvement, the information leakage from 711 the extensions specified here creates far fewer risks than the 712 potential for delivering mail to the wrong party. 714 15.2. Envelope Recipients 716 The email To and Cc header fields are not required to be populated 717 with addresses that match the envelope recipient set, and Cc may even 718 be absent. However, the algorithm in Section 3 requires that this 719 header field contain a match for an envelope recipient in order to be 720 actionable. As such, use of this specification can reveal some or 721 all of the original intended recipient set to any party that can see 722 the message in transit or upon delivery. 724 For a message destined to a single recipient, this is unlikely to be 725 a concern, which is one of the reasons use of this specification on 726 multi-recipient messages is discouraged. 728 15.3. Risks with Use of Header Field 730 MTAs might not implement the recommendation to remove the header 731 field defined here, either out of ignorance or due to error. Since 732 user agents often do not render all of the header fields present, the 733 message could be forwarded to another party that would then 734 inadvertently have the content of this header field. 736 16. IANA Considerations 738 16.1. SMTP Extension Registration 740 Section 2.2.2 of [MAIL] sets out the procedure for registering a new 741 SMTP extension. IANA is requested to register the SMTP extension 742 using the details provided in Section 3.1 of this document. 744 16.2. Header Field Registration 746 IANA is requested to add the following entry to the Permanent Message 747 Header Field registry, as per the procedure found in [IANA-HEADERS]: 749 Header field name: Require-Recipient-Valid-Since 750 Applicable protocol: mail ([MAIL]) 751 Status: Standard 752 Author/Change controller: IETF 753 Specification document(s): [this document] 754 Related information: 755 Requesting review of any proposed changes and additions to 756 this field is recommended. 758 16.3. Enhanced Status Code Registration 760 IANA is requested to register the following in the SMTP Enhanced 761 Status Codes registry: 763 Code: X.7.15 764 Sample Text: Mailbox owner has changed 765 Associated basic status code: 5 766 Description: This status code is returned when a message is 767 received with a Require-Recipient-Valid-Since 768 field or RRVS extension and the receiving 769 system is able to determine that the intended 770 recipient mailbox has not been under 771 continuous ownership since the specified date. 772 Reference: [this document] 773 Submitter: M. Kucherawy 774 Change controller: IESG 776 Code: X.7.16 777 Sample Text: Domain owner has changed 778 Associated basic status code: 5 779 Description: This status code is returned when a message is 780 received with a Require-Recipient-Valid-Since 781 field or RRVS extension and the receiving 782 system wishes to disclose that the owner of 783 the domain name of the recipient has changed 784 since the specified date. 785 Reference: [this document] 786 Submitter: M. Kucherawy 787 Change controller: IESG 789 16.4. Authentication Results Registration 791 IANA is requested to register the following in the "Email 792 Authentication Methods" Registry: 794 Method: rrvs 796 Specifying Document: [this document] 798 ptype: smtp 800 Property: rcptto 801 Value: envelope recipient 803 Status: active 805 Version: 1 807 IANA is also requested to register the following in the "Email 808 Authentication Result Names" Registry: 810 Codes: none, unknown, temperror, permerror, pass, fail 812 Defined: [this document] 814 Auth Method(s): rrvs 816 Meaning: Section 12 of [this document] 818 Status: active 820 17. References 822 17.1. Normative References 824 [ABNF] Crocker, D., Ed. and P. Overell, "Augmented BNF for 825 Syntax Specifications: ABNF", RFC 5234, January 2008. 827 [DATETIME] Klyne, G. and C. Newman, "Date and Time on the 828 Internet: Timestamps", RFC 3339, July 2002. 830 [IANA-HEADERS] Klyne, G., Nottingham, M., and J. Mogul, 831 "Registration Procedures for Message Header Fields", 832 BCP 90, RFC 3864, September 2004. 834 [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate 835 Requirement Levels", BCP 14, RFC 2119, March 1997. 837 [MAIL] Resnick, P., "Internet Message Format", RFC 5322, 838 October 2008. 840 [ROLES] Crocker, D., "Mailbox Names For Common Services, 841 Roles And Functions", RFC 2142, May 1997. 843 [SMTP] Klensin, J., "Simple Mail Transfer Protocol", 844 RFC 5321, October 2008. 846 17.2. Informative References 848 [AUTHRES] Kucherawy, M., "Message Header Field for Indicating 849 Message Authentication Status", RFC 7001, 850 September 2013. 852 [DSN] Moore, K. and G. Vaudreuil, "An Extensible Message 853 Format for Delivery Status Notifications", RFC 3464, 854 January 2003. 856 [DSN-SMTP] Moore, K., "Simple Mail Transfer Protocol (SMTP) 857 Service Extension for Delivery Status Notifications 858 (DSNs)", RFC 3461, January 2003. 860 [EMAIL-ARCH] Crocker, D., "Internet Mail Architecture", RFC 5598, 861 July 2009. 863 [ESC] Vaudreuil, G., "Enhanced Mail System Status Codes", 864 RFC 3463, January 2003. 866 Appendix A. Acknowledgments 868 Erling Ellingsen proposed the idea. 870 Reviews and comments were provided by Michael Adkins, Kurt Andersen, 871 Alissa Cooper, Dave Cridland, Dave Crocker, Ned Freed, John Levine, 872 Alexey Melnikov, Hector Santos, Gregg Stefancik, Ed Zayas, (others) 874 Authors' Addresses 876 William J. Mills 877 Yahoo! Inc. 879 EMail: wmills_92105@yahoo.com 881 Murray S. Kucherawy 882 Facebook, Inc. 883 1 Hacker Way 884 Menlo Park, CA 94025 885 USA 887 EMail: msk@fb.com