The LIMITS SMTP Service Extension
draft-freed-smtp-limits-00
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft that was ultimately published as RFC 9422.
|
|
|---|---|---|---|
| Author | Ned Freed | ||
| Last updated | 2021-03-15 | ||
| RFC stream | (None) | ||
| Formats | |||
| Reviews |
GENART Last Call review
(of
-06)
by Paul Kyzivat
Ready w/issues
|
||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | Became RFC 9422 (Proposed Standard) | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-freed-smtp-limits-00
Network Working Group N. Freed
Internet-Draft Oracle
Intended status: Standards Track March 15, 2021
Expires: September 16, 2021
The LIMITS SMTP Service Extension
draft-freed-smtp-limits-00
Abstract
This document defines a "LIMITS" extension for the Simple Mail
Transfer Protocol (SMTP) and an associated limit registry. This
extension provides the means for an SMTP server to inform the SMTP
client of limits the server intends to apply to the protocol during
the current SMTP session. The client is then able adapt its behavior
in order to conform to those limits.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 16, 2021.
Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
Freed Expires September 16, 2021 [Page 1]
Internet-Draft LIMITS Extension March 2021
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
1. Introduction
The Simple Mail Transfer Protocol [SMTP] provides the ability to
transfer multiple email messages from one host to another, each with
multiple recipients, using a single or multiple connections.
In order to conserve resources as well as protect themselves from
malicious clients, it is necessary for servers to enforce limits on
various aspects of the protocol, e.g., a limit on the number of
recipients that can be specified in a single transaction.
Additionally, servers may also wish to alter the limits they apply
depending on their assessment of the reputation of a particular
client.
The variability of the limits that may be in effect creates a
situation where clients may inadvertently exceed a particular
server's limits, causing servers to respond with temporary (or in
some cases, permanent) errors. This in turn can lead to delays or
even failures in message transfer.
The "LIMITS" extension provides the means for a server to inform a
client about specific limits in effect for a particular SMTP session.
This information, combined with the inherent flexibility of SMTP,
makes it possible for clients to avoid server errors and the problems
they cause.
Limits are registered with the IANA. Each registration includes the
limit name, value syntax, and a description of its semantics.
2. Terminology
In this document, the key words "MUST", "MUST NOT", "REQUIRED",
"SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
and "OPTIONAL" are to be interpreted as described in BCP 14, RFC 2119
[KEYWORDS].
This specification uses the Augmented Backus-Naur Form [ABNF]
notation and its core rules to define the formal syntax of the
"LIMITS" extension.
This specification makes extensive use of the terminology specified
and used in [SMTP].
Freed Expires September 16, 2021 [Page 2]
Internet-Draft LIMITS Extension March 2021
3. The "LIMITS" SMTP Extension
Extensions to SMTP are defined in Section 2.2 of [SMTP].
The name of the extension is "LIMITS". Servers implementing this
extension advertise an additional EHLO keyword of "LIMITS". The
associated parameter is used by the server to communicate one or more
limits, each with an optional value, to the client. The syntax of
the parameter is:
limits-param = limit-name-value [";" limit-name-value]
limit-name-value = limit-name ["=" limit-value]
limit-name = 1*(ALPHA / DIGIT / "-" / "_")
limit-value = 1*(%x21-3A / %x3C-7E) ; Any VCHAR except ";"
This extension introduces no new SMTP commands, and does not alter
any existing command. However, it is possible for a LIMITS parameter
to be associated with another SMTP extension that does these things.
3.1. Limits
In order to achieve consistent behavior, all limits MUST be
registered with the IANA, as described below.
3.2. Limit Naming Conventions
Limit names MUST be comprehensible, but also should be kept as short
as possible. The use of commonly understood abbreviation, e.g.,
"MAX" for "maximum", is encouraged.
When a limit is associated with a particular SMTP, its name SHOULD
begin with the name of that command.
Limit names SHOULD end with one or more terms that describe the type
of limit.
3.3. Multiple EHLO Commands
SMTP requires that EHLO command be reissued Under certain
circumstances, e.g., after successful authentication [AUTH] or
negotiation of a security layer [STARTTLS].
Servers MAY update their limits any time the protocol requires
clients to reissue the EHLO command. Clients MUST discard any
previous limits in favor of those provided by the most recent EHLO.
This includes the case where the original EHLO provided a set of
Freed Expires September 16, 2021 [Page 3]
Internet-Draft LIMITS Extension March 2021
limits but the subsequent EHLO did not; in this case the client MUST
act as if no limits were communicated.
4. Initial Limits
An initial set of limits are specified in the following sections.
4.1. MAILMAX Limit
Name: MAILMAX
Value syntax: 1*DIGIT
Description: RCPTMAX specifies the maximum number of transactions
(MAIL FROM commands) the SMTP will accept in a single session.
Security Considerations: See Section 5
4.2. RCPTMAX Limit
Name: RCPTMAX
Value syntax: 1*DIGIT
Description: RCPTMAX specifies the maximum number of RCPT TO commands
the SMTP will accept in a single transaction.
Security Considerations: See Section 5
4.3. RCPTDOMAINMAX Limit
Name: RCPTDOMAINMAX
Value syntax: 1*DIGIT
Description: RCPTMAX specifies the maximum number of different
domains that can appear in a recipient (RCPT TO) address within a
single SMTP session. This limit is imposed by some servers that bind
to a specific internal delivery mechanism on receipt of the first
RCPT TO command.
Security Considerations: See Section 5
5. Security Considerations
A malicious server can use limits to overly constrain client
behavior, causing excessive use of client resources.
Freed Expires September 16, 2021 [Page 4]
Internet-Draft LIMITS Extension March 2021
A malicious client may use the limits a server advertises to optimize
the delivery of unwanted messages.
A man-in-the-middle attack on unprotected SMTP connections can be
used to cause clients to misbehave, which in turn could result in
delivery delays or failures. Loss of reputation for the client could
also occur.
6. IANA Considerations
6.1. SMTP Service Extension Registry
The IANA is requested to add "LIMITS" to the SMTP Service Extension
Registry:
Keywords: LIMITS
Description: Server limits
Reference: [RFCxxxx]
6.2. SMTP Server Limits Registry
The IANA is requested to create a new registry for SMTP server
limits. The policy for this registry is "Specification Required".
Registry entries consist of three required values:
1. The name of the limit
2. The syntax of the limit value, if the limit has one. Use of
[ABNF] is preferred but not required.
3. A description of the limit's semantics
4. Security considerations for the limit
The IANA is also requested to register the limits specified in this
document.
7. References
7.1. Normative References
[ABNF] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234,
DOI 10.17487/RFC5234, January 2008,
<https://www.rfc-editor.org/info/rfc5234>.
Freed Expires September 16, 2021 [Page 5]
Internet-Draft LIMITS Extension March 2021
[KEYWORDS]
Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[SMTP] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
DOI 10.17487/RFC5321, October 2008,
<https://www.rfc-editor.org/info/rfc5321>.
7.2. Informative References
[AUTH] Siemborski, R., Ed. and A. Melnikov, Ed., "SMTP Service
Extension for Authentication", RFC 4954,
DOI 10.17487/RFC4954, July 2007,
<https://www.rfc-editor.org/info/rfc4954>.
[STARTTLS]
Hoffman, P., "SMTP Service Extension for Secure SMTP over
Transport Layer Security", RFC 3207, DOI 10.17487/RFC3207,
February 2002, <https://www.rfc-editor.org/info/rfc3207>.
Author's Address
Ned Freed
Oracle
Email: ned.freed@mrochek.com
Freed Expires September 16, 2021 [Page 6]