Email Submission Operations: Access and Accountability Requirements
draft-hutzler-spamops-08
The information below is for an old version of the document that is already published as an RFC.
| Document | Type |
This is an older version of an Internet-Draft that was ultimately published as RFC 5068.
|
|
|---|---|---|---|
| Authors | Carl Hutzler , Dave Crocker , Eric P. Allman , Pete Resnick , Tony Finch | ||
| Last updated | 2018-12-20 (Latest revision 2007-07-10) | ||
| RFC stream | Internet Engineering Task Force (IETF) | ||
| Intended RFC status | Best Current Practice | ||
| Formats | |||
| Reviews | |||
| Stream | WG state | (None) | |
| Document shepherd | (None) | ||
| IESG | IESG state | Became RFC 5068 (Best Current Practice) | |
| Action Holders |
(None)
|
||
| Consensus boilerplate | Unknown | ||
| Telechat date | (None) | ||
| Responsible AD | Dan Romascanu | ||
| Send notices to | sah@428cobrajet.net, hardie@qualcomm.com, sandersr@corp.earthlink.net |
draft-hutzler-spamops-08
SMTP C. Hutzler
Internet-Draft
Intended status: Best Current D. Crocker
Practice Brandenburg InternetWorking
Expires: January 9, 2008 P. Resnick
QUALCOMM Incorporated
E. Allman
Sendmail, Inc.
T. Finch
University of Cambridge Computing
Service
July 8, 2007
Email Submission Operations: Access and Accountability Requirements
draft-hutzler-spamops-08
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 9, 2008.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Hutzler, et al. Expires January 9, 2008 [Page 1]
Internet-Draft Email Submission July 2007
Abstract
Email has become a popular distribution service for a variety of
socially unacceptable, mass-effect purposes. The most obvious ones
include spam and worms. This note recommends conventions for the
operation of email submission and transport services between
independent operators, such as enterprises and Internet Service
Providers. Its goal is to improve lines of accountability for
controlling abusive uses of the Internet mail service. To this end
the document offers recommendations for constructive operational
policies between independent operators of email submission and
transmission services.
Email authentication technologies are aimed at providing assurances
and traceability between internetworked networks. In many email
services, the weakest link in the chain of assurances is initial
submission of a message. This document offers recommendations for
constructive operational policies for this first step of email
sending, the submission (or posting) of email into the transmission
network. Relaying and delivery entail policies that occur subsequent
to submission and are outside the scope of this document.
The document seeks BCP status. Comments and discussion of this
document should be addressed to the ietf-smtp@imc.org mailing list.
Hutzler, et al. Expires January 9, 2008 [Page 2]
Internet-Draft Email Submission July 2007
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Submission, Relaying, Delivery . . . . . . . . . . . . . . . . 5
3.1. Best Practices for Submission Operation . . . . . . . . . 6
3.2. Transitioning to Submission Port . . . . . . . . . . . . . 7
4. External Submission . . . . . . . . . . . . . . . . . . . . . 8
4.1. Best Practices for Support of External Submissions . . . . 8
5. Message Submission Authentication/Authorization
Technologies . . . . . . . . . . . . . . . . . . . . . . . . . 10
6. Consideration . . . . . . . . . . . . . . . . . . . . . . . . 10
6.1. Security Considerations . . . . . . . . . . . . . . . . . 10
6.2. IANA Considerations . . . . . . . . . . . . . . . . . . . 10
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
7.1. References -- Normative . . . . . . . . . . . . . . . . . 10
7.2. References -- Informative . . . . . . . . . . . . . . . . 11
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 11
Intellectual Property and Copyright Statements . . . . . . . . . . 13
Hutzler, et al. Expires January 9, 2008 [Page 3]
Internet-Draft Email Submission July 2007
1. Introduction
The very characteristics that make email such a convenient
communications medium -- its near ubiquity, rapid delivery, low cost
and support for exchanges without prior arrangement -- have made it a
fertile ground for the distribution of unwanted or malicious content.
Spam, fraud and worms have become a serious problem, threatening the
viability of email and costing end users and providers millions of
dollars in damages and lost productivity. In recent years,
independent operators including enterprises and ISPs have turned to a
number of different technologies and procedures, in an attempt to
combat these problems. They have had varying effect and vastly
different impacts on users and on the Internet mail infrastructure.
En route to its final destination, email will often travel between
multiple independent providers of email transmission services. These
services will generally have no prior arrangement with one another
and may employ different rules on the transmission. It is therefore
difficult both to debug problems that occur in mail transmission and
to assign accountability if undesired or malicious mail is injected
into the Internet mail infrastructure.
Many email authentication technologies exist. They provide some
accountability and traceability between disparate networks. This
document aims to build upon the availability of these technologies by
exploring best practices for authenticating and authorizing the first
step of an email's delivery, from a Mail User Agent (MUA) to a Mail
Submission Agent (MSA), known as submission. Without strong
practices on email submission, the use of authentication technologies
elsewhere in the service provides limited benefit.
This document specifies operational policies to be used for the first
step of email sending, the submission -- or posting from an MUA to an
MSA as defined below -- of email into the transmission service.
These policies will permit continued, smooth operation of Internet
email, with controls added to improve accountability. Relaying and
delivering employ policies that occur after submission and are
outside the scope of this document. The policies listed here are
appropriate for operators of all sizes of networks and may be
implemented by operators independently, without regard for whether
the other side of an email exchange has implemented them.
It is important to note that the adoption of these policies alone
will not solve the problems of spam and other undesirable email.
However they provide a useful step in clarifying lines of
accountability and interoperability between operators. This helps
raise the bar against abusers, and provides a foundation for
additional tools to preserve the utility of the Internet email
Hutzler, et al. Expires January 9, 2008 [Page 4]
Internet-Draft Email Submission July 2007
infrastructure.
NOTE: This document does not delve into other anti-spam operational
issues such as standards for rejection of email. The authors note
that this could be a valuable effort to undertake and encourage
its pursuit.
2. Terminology
The Internet email architecture distinguishes four message-handling
components:
o Mail User Agents (MUAs)
o Mail Submission Agents (MSAs)
o Mail Transfer Agents (MTAs)
o Mail Delivery Agents (MDAs)
At the origination end, an MUA works on behalf of end users to create
a message and perform initial "submission" into the transmission
infrastructure, via an MSA. An MSA accepts the message submission,
performs any necessary preprocessing on the message and relays the
message to an MTA for transmission. MTAs "relay" messages to other
MTAs, in a sequence reaching a destination MDA that, in turn,
"delivers" the email to the recipient's inbox. The inbox is part of
the recipient-side MUA that works on behalf of the end-user to
process received mail.
These architectural components are often compressed, such as having
the same software do MSA, MTA and MDA functions. However the
requirements for each of these components of the architecture are
becoming more extensive, so that their software and even physical
platform separation is increasingly common.
Normative Terms: The key words "MUST", "MUST NOT", "REQUIRED",
"SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in [RFC2119].
3. Submission, Relaying, Delivery
Originally the MSA, MTA and MDA architectural components were
considered to be a single unit. This was reflected the practice of
having MSA, MTA and MDA transfers all be performed with SMTP
Hutzler, et al. Expires January 9, 2008 [Page 5]
Internet-Draft Email Submission July 2007
[RFC2821] [RFC0821], over TCP Port 25. Internet mail permits email
to be exchanged without prior arrangement and without sender
authentication. That is, the confirmed identity of the originator of
the message is not necessarily known by the relaying MTAs or the MDA.
It is important to distinguish MUA-to-MSA email submission, versus
MTA relaying, versus the final MTA-to-MDA transition. Submission
typically does entail a pre-established relationship between the user
of the client and operator of the server; equally, the MDA is
performing final delivery and can determine that it has an existing
relationship with the recipient. That is, MSAs and MDAs can take
advantage of having prior relationships with users, in order to
constrain their transfer activities.
Specifically, an MSA can choose to reject all postings from MUAs for
which it has no existing relationship. Similarly, an MDA can choose
to reject all mail to recipients for which that MDA has no
arrangement to perform delivery. Indeed, both of these policies are
already in common practice.
3.1. Best Practices for Submission Operation
Submission Port Availability:
If external submissions are supported -- that is, from outside
a site's administrative domain -- then the domain's MSAs MUST
support the SUBMISSION port 587 [RFC4409]. Operators MAY
standardize on the SUBMISSION port for both external AND LOCAL
users; this can significantly simplify submission operations.
Submission Port Use:
MUAs SHOULD use the SUBMISSION port for message submission.
Submission Authentication:
MSAs MUST perform authentication on the identity asserted
during all mail transactions on the SUBMISSION port, even for a
message having a RCPT TO address that would not cause the
message to be relayed outside of the local administrative
environment.
Hutzler, et al. Expires January 9, 2008 [Page 6]
Internet-Draft Email Submission July 2007
Submission Authorization:
An operator of an MSA MUST ensure that the authenticated
identity is authorized to submit email, based on an existing
relationship between the submitting entity and the operator.
This requirement applies to all mail submission mechanisms (MUA
to MSA).
Submission Accountability after Submission:
For a reasonable period of time after submission, the message
SHOULD be traceable by the MSA operator to the authenticated
identity of the user who sent the message. Such tracing MAY be
based on transactional identifiers stored in the headers
(received lines, etc) or other fields in the message, on audit
data stored elsewhere, or on any other mechanism that supports
sufficient post-submission accountability. The specific length
of time, after message submission, that traceability is
supported is not specified here. However issues regarding
transit often occur as much as one week after submission.
Note that [RFC3848] defines a means of recording submission-
time information in Received header fields. This component
mechanism can be useful for accountability assessment by
receive-side analysis software to identify senders' MSAs and
therefore apply appropriate policies to the various hops of a
message transmission.
3.2. Transitioning to Submission Port
In order to promote transition of initial message submission from
port 25 to port 587, MSAs MUST listen on port 587 by default and
SHOULD have the ability to listen on other ports. MSAs MUST require
authentication on port 587 and SHOULD require authentication on any
other port used for submission. MSAs MAY also listen on other ports.
Regardless of the ports on which messages are accepted, MSAs MUST NOT
permit relaying of unauthenticated messages to other domains. That
is, they must not be open relays.
As a default, MUAs SHOULD attempt to find the best possible
submission port from a list of alternatives. The ordering of that
list SHOULD try the SUBMISSION port 587 first. Since most MUAs
available today do not permit falling back to alternate ports, sites
SHOULD pre-configure or encourage their users to connect on the
Hutzler, et al. Expires January 9, 2008 [Page 7]
Internet-Draft Email Submission July 2007
SUBMISSION port 587, assuming that site supports that port.
4. External Submission
An MUA might need to submit mail across the Internet, rather than to
a local MSA, in order to obtain particular services from its home
site. Examples include active privacy protection against third-party
content monitoring, timely processing, and being subject to the most
appropriate authentication and accountability protocols. Further the
privacy requirement might reasonably include protection against
monitoring by the operator of the MUA's access network. This
requirement creates a challenge for the provider operating the IP
network through which the MUA gains access. It makes that provider
an involuntary recruit to the task of solving mass-effect email
problems: When the MUA participates in a problem that affects large
numbers of Internet users, the provider is expected to effect
remedies and is often expected to prevent such occurrences.
A proactive technique used by some providers is to block all use of
Port 25 SMTP for mail that is being sent outbound, or to
automatically redirect this traffic through a local SMTP proxy,
except for hosts that are explicitly authorized. This can be
problematic for some users, notably legitimate mobile users
attempting to use their "home" MSA, even though those users might
already employ legitimate, Port 25-based authentication.
This document offers no recommendation concerning the blocking of
SMTP Port 25 or similar practices for controlling abuse of the
standard anonymous mail transfer port. Rather, it pursues the
mutually constructive benefit of using the official SUBMISSION Port
587 [RFC4409].
NOTE: Many established practices for controlling abuse of port 25,
for mail that is being sent outbound, currently do exist. These
include the proxy of smtp traffic to local hosts for screening
combined with various forms of rate limits. The authors suggest
that a separate document on this topic would benefit the email
operations community.
4.1. Best Practices for Support of External Submissions
Open Submission Port:
Access Providers MUST NOT block users from accessing the
external Internet using the SUBMISSION port 587 [RFC4409].
Hutzler, et al. Expires January 9, 2008 [Page 8]
Internet-Draft Email Submission July 2007
Traffic Identification -- External Posting (MSA) Versus Relaying
(MX):
When receiving email from outside their local operational
environment, email service providers MUST distinguish between
unauthenticated email addressed to local domains (MX traffic)
versus submission-related authenticated email that can be
addressed anywhere (MSA traffic). This allows the MTA to
restrict relaying operations, and thereby prevent "open"
relays. Note that there are situations where this may not
apply, such as secondary MXs and related implementations
internal to an operator's network and within their control.
Figure 1 depicts a local user (MUA.l) submitting a message to an MSA
(MSA). It also shows a remote user (MUA.r), such as might be in a
coffee shop offering "hotspot" wireless access, submitting a message
to their "home" MSA via an Authenticated Port 587 transaction.
HOME NETWORK DESTINATION
+-------+
| MUA.l |
+---+---+
port | port port port
587/25 V 25 25 -------- 25
+-----+ +-----+ ****** / \ ****** +-----+ +-----+
| MSA |->| MTA |->* AP *->| |->* AP *->| MTA |->| MDA |
+--^--+ +-----+ ****** | INTERNET | ****** +-----+ +-----+
| | |
+-------<--------------|----+ |
\ | /
---^----
|
******
AP = Access Provider * AP *
******
| Port 587
+---+----+
| MUA.r |
+--------+
HOTSPOT
Within the MSA's network, the alternative of using Port 587 or Port
25 is shown. This document makes no recommendations about the use of
Port 25 for submission. The diagram merely seeks to note that it is
in common use and to acknowledge that this can be accomplished with
sufficient accountability within an organization's network.
Hutzler, et al. Expires January 9, 2008 [Page 9]
Internet-Draft Email Submission July 2007
Figure 1: Example of Port 587 Usage Via Internet
5. Message Submission Authentication/Authorization Technologies
There are many competent technologies and standards for
authenticating message submissions. Two component mechanisms that
have been standardized include SMTP AUTH [RFC2554] and TLS [RFC3207].
Depending upon the environment, different mechanisms can be more or
less effective and convenient. Mechanisms might also have to be used
in combination with each other to make a secure system.
Organizations SHOULD choose the most secure approaches that are
practical.
This document does not provide recommendations on specific security
implementations. It simply provides a warning that transmitting user
credentials in clear text over insecure networks SHOULD be avoided in
all scenarios as this could allow attackers to listen for this
traffic and steal account data. In these cases, it is strongly
suggested that an appropriate security technology MUST be used.
6. Consideration
6.1. Security Considerations
Email transfer between independent administrations can be the source
of large volumes of unwanted email and email containing malicious
content designed to attack the recipient's system. This document
addresses the requirements and procedures to permit such exchanges
while reducing the likelihood that malicious mail will be
transmitted.
6.2. IANA Considerations
This document has no actions for IANA.
7. References
7.1. References -- Normative
[RFC2821] Klensin, J., "Simple Mail Transfer Protocol", RFC 2821,
April 2001.
[RFC4409] Gellens, R. and J. Klensin, "Message Submission for Mail",
RFC 4409, April 2006.
Hutzler, et al. Expires January 9, 2008 [Page 10]
Internet-Draft Email Submission July 2007
7.2. References -- Informative
[RFC0821] Postel, J., "Simple Mail Transfer Protocol", STD 10,
RFC 821, August 1982.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2554] Myers, J., "SMTP Service Extension for Authentication",
March .
[RFC3207] Hoffman, P., "SMTP Service Extension for Secure SMTP over
Transport Layer Security", February 2002.
[RFC3848] Sun Microsystems, "ESMTP and LMTP Transmission Types
Registration", RFC 3848, July 2005.
Appendix A. Acknowledgments
These recommendations were first formulated during informal
discussions among members of Anti-Spam Technical Alliance (ASTA) and
some participants from the Internet Research Task Force's Anti-Spam
Research Group (ASRG).
Later reviews and suggestions were provided by: M. Allman, L.H.
Aestrand, N. Borenstein, S. Bortzmeyer, K. Chon, R. Clayton, B. Cole,
W. Dnes, V. Duchovni, E. Edelstein, F. Ellermann, M. Elvey, J.D.
Falk, N. Freed, J. Glube, A. Herzberg, J. Klensin, J. Levine, S.
Moonesamy, K. Moore, R. Nelson, C. Newman, C. O'Malley, S.
Ramasubramanian, R. Rognlie, J. St. Sauver, W. Schlitt, B. Shein, B.
Sullivan.
Authors' Addresses
C. Hutzler
2512 Freetown Drive
Reston, VA 20191
Phone: 703-915-6862
Email: cdhutzler@aol.com
URI: http://carlhutzler.com/blog/
Hutzler, et al. Expires January 9, 2008 [Page 11]
Internet-Draft Email Submission July 2007
D. Crocker
Brandenburg InternetWorking
675 Spruce Dr.
Sunnyvale, CA 94086
USA
Phone: +1.408.246.8253
Email: dcrocker@bbiw.net
URI: http://bbiw.net
P. Resnick
QUALCOMM Incorporated
5775 Morehouse Drive
San Diego, CA 92121-1714
USA
Phone: +1 858 651 4478
Email: presnick@qualcomm.com
URI: http://www.qualcomm.com/~presnick/
E. Allman
Sendmail, Inc.
Emeryville, CA
USA
Phone: +1 510 594 5501
Email: eric+ietf-smtp@sendmail.org
T. Finch
University of Cambridge Computing Service
New Museums Site
Pembroke Street
Cambridge CB2 3QH
ENGLAND
Phone: +44 797 040 1426
Email: dot@dotat.at
URI: http://dotat.at/
Hutzler, et al. Expires January 9, 2008 [Page 12]
Internet-Draft Email Submission July 2007
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Hutzler, et al. Expires January 9, 2008 [Page 13]