Network Working Group W. Mills
Internet-Draft Yahoo! Inc.
Intended status: Standards Track M. Kucherawy
Expires: June 14, 2014 Facebook, Inc.
December 11, 2013
The Require-Recipient-Valid-Since Header Field and SMTP Service
Extension
draft-ietf-appsawg-rrvs-header-field-05
Abstract
This document defines an extension for the Simple Mail Transfer
Protocol called RRVS, and a header field called Require-Recipient-
Valid-Since, to provide a method for senders to indicate to receivers
the time when the sender last confirmed the ownership of the target
mailbox. This can be used to detect changes of mailbox ownership,
and thus prevent mail from being delivered to the wrong party.
The intended use of these facilities is on automatically generated
messages that might contain sensitive information, though it may also
be useful in other applications.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 14, 2014.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
Mills & Kucherawy Expires June 14, 2014 [Page 1]
Internet-Draft Require-Recipient-Valid-Since December 2013
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Mills & Kucherawy Expires June 14, 2014 [Page 2]
Internet-Draft Require-Recipient-Valid-Since December 2013
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Description . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.1. The 'RRVS' SMTP Extension . . . . . . . . . . . . . . . . 5
3.2. The 'Require-Recipient-Valid-Since' Header Field . . . . . 5
4. Use By Generators . . . . . . . . . . . . . . . . . . . . . . 6
5. Handling By Receivers . . . . . . . . . . . . . . . . . . . . 6
5.1. SMTP Extension Used . . . . . . . . . . . . . . . . . . . 6
5.1.1. Relays . . . . . . . . . . . . . . . . . . . . . . . . 7
5.2. Header Field Used . . . . . . . . . . . . . . . . . . . . 7
6. Role Accounts . . . . . . . . . . . . . . . . . . . . . . . . 8
7. Relaying Without RRVS Support . . . . . . . . . . . . . . . . 8
7.1. Header Field Conversion . . . . . . . . . . . . . . . . . 9
8. Header Field with Multiple Recipients . . . . . . . . . . . . 9
9. Special Use Addresses . . . . . . . . . . . . . . . . . . . . 10
9.1. Mailing Lists . . . . . . . . . . . . . . . . . . . . . . 10
9.2. Single-Recipient Alaises . . . . . . . . . . . . . . . . . 10
9.3. Multiple-Recipient Aliases . . . . . . . . . . . . . . . . 11
9.4. Confidential Forwarding Addresses . . . . . . . . . . . . 11
9.5. Suggested Mailing List Enhancements . . . . . . . . . . . 11
10. Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . 12
11. Continuous Ownership . . . . . . . . . . . . . . . . . . . . . 13
12. Authentication-Results Definitions . . . . . . . . . . . . . . 13
13. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
13.1. SMTP Extension Example . . . . . . . . . . . . . . . . . . 14
13.2. Header Field Example . . . . . . . . . . . . . . . . . . . 15
14. Security Considerations . . . . . . . . . . . . . . . . . . . 15
14.1. Abuse Countermeasures . . . . . . . . . . . . . . . . . . 15
14.2. Suggested Use Restrictions . . . . . . . . . . . . . . . . 16
15. Privacy Considerations . . . . . . . . . . . . . . . . . . . . 16
15.1. Probing Attacks . . . . . . . . . . . . . . . . . . . . . 16
15.2. Envelope Recipients . . . . . . . . . . . . . . . . . . . 17
15.3. Risks with Use of Header Field . . . . . . . . . . . . . . 17
16. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17
16.1. SMTP Extension Registration . . . . . . . . . . . . . . . 17
16.2. Header Field Registration . . . . . . . . . . . . . . . . 17
16.3. Enhanced Status Code Registration . . . . . . . . . . . . 18
16.4. Authentication Results Registration . . . . . . . . . . . 18
17. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19
17.1. Normative References . . . . . . . . . . . . . . . . . . . 19
17.2. Informative References . . . . . . . . . . . . . . . . . . 20
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . . 20
Mills & Kucherawy Expires June 14, 2014 [Page 3]
Internet-Draft Require-Recipient-Valid-Since December 2013
1. Introduction
Email addresses sometimes get reassigned to a different person. For
example, employment changes at a company can cause an address used
for an ex-employee to be assigned to a new employee, or a mail
service provider (MSP) might expire an account and then let someone
else register for the local-part that was previously used. Those who
sent mail to the previous owner of an address might not know that it
has been reassigned. This can lead to the sending of email to the
correct address, but the wrong recipient.
What is needed is a way to indicate an attribute of the recipient
that will distinguish between the previous owner of an address and
its current owner, if they are different. Further, this needs to be
done in a way that respects privacy.
The mechanisms specified here allow the sender of the mail to
indicate how "old" the address assignment is expected to be. In
effect, the sender is saying, "The person to whom I am sending to had
this address assigned to as far back as this date-time." A receiving
system can then compare this information against the date and time
the address was assigned to its current user. If the assignment was
made later than the date-time indicated in the message, there is a
good chance the current user of the address is not the correct
recipient. The receiving system can then choose to prevent delivery
and, possibly, to notify the original sender of the problem.
The primary application is automatically generated messages rather
than user-authored content, though it may be useful in other
contexts.
2. Definitions
For a description of the email architecture, consult [EMAIL-ARCH].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [KEYWORDS].
3. Description
To address the problem described above, a mail sending client needs
to indicate to the server to which it is connecting that there is an
expectation that the destination of the message has been under
continuous ownership (see Section 11) since some date-time,
presumably the most recent time the message author had confirmed its
understanding of who owned that mailbox. Two mechanisms are defined
here: an extension to the Simple Mail Transfer Protocol [SMTP], for
Mills & Kucherawy Expires June 14, 2014 [Page 4]
Internet-Draft Require-Recipient-Valid-Since December 2013
use between a client and server that both implement the extension,
and a header field that can be used when passing a message to a
server that appears not to implement this extension.
The SMTP extenion is called "RRVS" (Require Recipient Valid Since),
and adds a parameter to the SMTP "RCPT" command that indicates the
most recent date and time when the message author believed the
destination mailbox to be under the continuous ownership of a
specific party. Similarly, the Require-Recipient-Valid-Since header
field includes an intended recipient coupled with a timestamp
indicating the same thing.
3.1. The 'RRVS' SMTP Extension
Extensions to SMTP are described in Section 2.2 of [SMTP].
The name of the extension is "RRVS", an abbreviation of "Require
Recipient Valid Since". Servers implementing the SMTP extension
advertise an additional EHLO keyword of "RRVS", which has no
associated parameters, introduces no new SMTP verbs, and does not
alter the MAIL verb.
An MTA implementing RRVS can transmit or accept a new parameter to
the RCPT command. The new parameter is "RRVS", which takes a value
that is a timestamp expressed as a "date-time" as defiend in
[DATETIME], with the added restriction that a "time-secfrac" MUST NOT
be used. Accordingly, this extension increases the maximum command
length for the RCPT verb by 31 characters.
The meaning of this extension, when used, is described in
Section 5.1.
3.2. The 'Require-Recipient-Valid-Since' Header Field
The general constraints on syntax and placement of header fields in a
message are defined in Internet Message Format [MAIL].
Using Augmented Backus-Naur Form [ABNF], the syntax for the field is:
rrvs = "Require-Recipient-Valid-Since:" addr-spec ";" date-time
CRLF
"date-time" is defined in Section 3.3, and "addr-spec" is defined in
Section 3.4.1, of [MAIL].
Mills & Kucherawy Expires June 14, 2014 [Page 5]
Internet-Draft Require-Recipient-Valid-Since December 2013
4. Use By Generators
When a message is generated whose content is sufficiently sensitive
that an author or author's Administrative Management Domain (ADMD;
see [EMAIL-ARCH]) wishes to protect against misdelivery using this
protocol, it determines for each recipient mailbox on the message a
timestamp at which it last confirmed ownership of that mailbox. It
then applies either the SMTP extension or the header field defined
above when sending the message to its destination.
Use of the SMTP extension provided here is preferable over the header
field method, since the additional detail about the relationship
between the message author and its intended recipient is at best a
property of the message transaction and not part of the message
itself. Further, SMTP parameters are not typically recorded in the
message upon delivery, so detail about the relationship between the
author or author's ADMD and the intended recipient are not recorded.
The header field mechanism is defined only to enable passage of the
request between and through systems that that do not implement the
SMTP extension.
5. Handling By Receivers
If a receiver implements the RRVS SMTP extension, then there are two
possible evaluation paths:
1. The sending client implements the extension, and so there was an
RRVS parameter on a RCPT TO command in the SMTP session; or
2. The sending client does not (or elected not to) implement the
extension, so the RRVS parameter was not present on the RCPT TO
commands in the SMTP session.
5.1. SMTP Extension Used
A receiving system that implements the SMTP extension declared above
and observes an RRVS parameter on a RCPT TO command checks whether
the current owner of the destination mailbox has held it
continuously, far enough back to inclue the given date-time, and
delivers it unless that check returns in the negative. Expressed as
a sequence of steps:
1. Ignore the parameter if the named mailbox is a role account as
listed in Mailbox Names For Common Services, Roles And Functions
[ROLES]. (See Section 6.)
Mills & Kucherawy Expires June 14, 2014 [Page 6]
Internet-Draft Require-Recipient-Valid-Since December 2013
2. Determine if the named address is serviced for local delivery.
If so, and if that address has not been under continuous
ownership since the specified timestamp, return a 550 error to
the RCPT command. (See also Section 16.3.)
3. RECOMMENDED: If any Require-Recipient-Valid-Since header fields
are present and refer to the named address, remove them prior to
delivery or relaying. (See Section 5.2 for discussion.)
Where a message arrives using the SMTP extension that also contains
the Require-Recipient-Valid-Since header field in its header, the
header field SHOULD be removed. (See Section 7.1 for further
discussion about removal of the header field.)
5.1.1. Relays
An MTA that does not make mailbox ownership checks, such as an MTA
positioned to do SMTP ingress at an organizational boundary, SHOULD
relay the RRVS extension parameter to the next MTA so that it can be
processed there.
See Section 9.2 for additional discussion.
5.2. Header Field Used
A receiving system that implements this specification, upon receiving
a message bearing a Require-Recipient-Valid-Since header field when
no corresponding RRVS SMTP extension was used, checks whether the
destination mailbox owner has held it continuously, far enough back
to include the given date-time, and delivers it unless that check
returns in the negative. Expressed as a sequence of steps:
1. Extract the set of Require-Recipient-Valid-Since fields from the
message for which no corresponding RRVS SMTP extension was used.
2. Discard any such fields that are syntactically invalid.
3. Discard any such fields that name a role account as listed in
[ROLES] (see Section 6).
4. Discard any such fields for which the "addr-spec" portion does
not match a current recipient, as listed in the RCPT TO commands
in the SMTP session.
5. Discard any such fields for which the "addr-spec" portion does
not refer to a mailbox handled for local delivery by this MTA.
Mills & Kucherawy Expires June 14, 2014 [Page 7]
Internet-Draft Require-Recipient-Valid-Since December 2013
6. For each field remaining, determine if the named address has been
under continuous ownership since the corresponding timestamp. If
it has not, reject the message.
7. RECOMMENDED: If local delivery is being performed, remove all
instances of this field prior to delivery to a mailbox; if the
message is being forwarded, remove those instances of this header
field that were not discarded by steps 1-4 above.
Handling proceeds normally upon completion of the above steps if
rejection has not been performed.
The final step is not mandatory as not all mail handling agents are
capable of stripping away header fields, and there are sometimes
reasons to keep the field intact such as debugging or presence of
digital signatures that might be invalidated by such a change.
If a message is to be rejected within the SMTP protocol itself
(versus generating a rejection message separately), servers
implementing this protocol SHOULD also implement the SMTP extension
described in Enhanced Mail System Status Codes [ESC] and use the
enhanced status codes described in Section 16.3 as appropriate.
Implementation by this method is expected to be transparent to non-
participants, since they would typically ignore this header field.
This header field is not normally added to a message that is
addressed to multiple recipients. The intended use of this field
involves an author seeking to protect transactional or otherwise
sensitive data intended for a single recipient, and thus generating
independent messages for each individual recipient is normal
practice. See Section 8 for further discussion.
6. Role Accounts
It is necessary not to interfere with delivery of messages to role
mailboxes (see [ROLES]), but it could be useful to indicate to users
handling those mailboxes that a change of ownership might have taken
place where doing so is possible.
7. Relaying Without RRVS Support
When a message is received using the SMTP extension defined here but
will not be delivered locally (that is, it needs to be relayed
further), the MTA to which the relay will take place might not be
compliant with this specification. Where the MTA in possession of
the message observes it is going to relay the message to an MTA that
does not advertise this extension, it needs to choose one of the
Mills & Kucherawy Expires June 14, 2014 [Page 8]
Internet-Draft Require-Recipient-Valid-Since December 2013
following actions:
1. Decline to relay the message further, preferably generating a
Delivery Status Notification [DSN] to indicate failure
(RECOMMENDED);
2. Downgrade the data thus provided in the SMTP extension to a
header field, as described in Section 7.1 below (RECOMMENDED when
the previous option is not available); or
3. Silently continue with delivery, dropping the protection offered
by this protocol.
Using other than the first option needs to be avoided unless there is
specific knowledge that further relaying with the degraded
protections thus provided does not introduce undue risk.
7.1. Header Field Conversion
If an SMTP server ("B") that has received mailbox timestamps from a
client ("A") using this extension but then needs to relay the
corresponding message on to another server ("C") (thereby becoming a
client), but "C" does not advertise the SMTP extension and "B" elects
not to reject the message, "B" SHOULD add Require-Recipient-Valid-
Since header fields matching each mailbox to which relaying is being
done, and the corresponding valid-since timestamp for each.
Similarly, if "B" receives a message bearing one or more Require-
Recipient-Valid-Since header fields from "A" for which it must now
relay the message, and "C" advertises support for the SMTP extension,
"B" SHOULD delete the header field(s) and instead relay this
information by making use of the SMTP extension. Note that such
modification of the header might affect later validation of the
header upon delivery; for example, a hash of the header would produce
a different result. This might be a valid cause for some operators
to skip this delete operation.
8. Header Field with Multiple Recipients
Numerous issues arise when using the header field form of this
extension, particularly when multiple recipients are specified for a
single message resulting in one multiple fields each with a distinct
address and timestamp.
Because of the nature of SMTP, a message bearing a multiplicity of
Require-Recipient-Valid-Since header fields could result in a single
delivery attempt for multiple recipients (in particular, if two of
the recipients are handled by the same server), and if any one of
Mills & Kucherawy Expires June 14, 2014 [Page 9]
Internet-Draft Require-Recipient-Valid-Since December 2013
them fails the test, the delivery fails to all of them; it then
becomes necessary to do one of the following:
o reject the message on completion of the DATA phase of the SMTP
session, which is a rejection of delivery to all recipients; or
o accept the message on completion of DATA, and then generate a
Delivery Status Notification [DSN] message for each of the failed
recipients
Additional complexity arises when a message is sent to two
recipients, "A" and "B", presumably with different timestamps, both
of which are then redirected to a common address "C". The author is
not necessarily aware of the current or past ownership of mailbox
"C", or indeed that "A" and/or "B" have been redirected. This might
result in either or both of the two deliveries failing at "C", which
is likely to confuse the message author, who (as far as the author is
aware) never sent a message to "C" in the first place.
9. Special Use Addresses
In [DSN-SMTP], an SMTP extension was defined to allow SMTP clients to
request generation of DSNs, and related information to allow such
reports to be maximally useful. Section 5.2.7 of that document
explored the issue of the use of that extension where the recipient
is a mailing list. This extension has similar concerns which are
covered here following that document as a model.
9.1. Mailing Lists
Delivery to a mailing list service is considered a final delivery.
Where this protocol is in use, it is evaluated as per any normal
delivery: If the same mailing list has been operating in place of the
specified recipient mailbox since at least the timestamp given as the
RRVS parameter, the message is delivered to the list service
normally, and is otherwise not delivered. However, the MTA passing
the message to the list service does not convey the RRVS parameter in
either form (SMTP extension or header field) to the list service.
The emission of a message from the list service to its subscribers
constitutes a new message not covered by the previous transaction.
9.2. Single-Recipient Alaises
Upon delivery of an RRVS-protected message to an alias (acting in
place of a mailbox) that results in relaying of the message to a
single other destination, the usual RRVS check is performed. The
continuous ownership test here might succeed if a conventional user
inbox was replaced with an alias on behalf of that same user, and
Mills & Kucherawy Expires June 14, 2014 [Page 10]
Internet-Draft Require-Recipient-Valid-Since December 2013
this information is recorded someplace. If the message is thus
accepted, the relaying MTA can choose to do one of the following:
1. Do not include an RRVS parameter or header field when relaying to
the new address. (RECOMMENDED)
2. If the relaying system records the time when the alias was
established, independent of confirming the validity of the new
destination address, it MAY add an RRVS parameter for the new
target address that includes that time.
3. If an explicit confirmation of the new destination was done, it
MAY add an RRVS parameter for the new target address that
includes that time.
There is risk and additional administrative burden associated with
all but the first option in that list which are believed to make them
not worth pursuing.
9.3. Multiple-Recipient Aliases
Upon delivery of an RRVS-protected message to an alias (acting in
place of a mailbox) that results in relaying of the message to
multiple other destinations, the usual RRVS check is performed as in
Section 9.2. The MTA expanding such an alias then decides which of
the options enumerated in that section is to be applied for each new
recipient.
9.4. Confidential Forwarding Addresses
In the above cases, the original author could receive message
rejections, such as DSNs, from the ultimate destination, where the
RRVS check (or indeed, any other) fails and rejection is warranted.
This can reveal the existence of a forwarding relationship between
the original intended recipient and the actual final recipient.
Where this is a concern, the initial delivery attempt is to be
treated like a mailing list delivery, with RRVS evaluation done and
then all RRVS information removed from the message prior to relaying
it to its true destination.
9.5. Suggested Mailing List Enhancements
Mailing list services could store the timestamp at which a subscriber
was added to a mailing list. This specification could then be used
in conjunction with that information in order to restrict list
traffic to the original subscriber, rather than a different person
now in possession of an address under which the original subscriber
Mills & Kucherawy Expires June 14, 2014 [Page 11]
Internet-Draft Require-Recipient-Valid-Since December 2013
was added to the list. Upon receiving a rejection caused by this
specification, the list service can remove that address from further
distribution.
A mailing list service that receives a message containing the header
field defined here needs to remove it from the message prior to
redistributing it, limiting exposure of information regarding the
relationship between the message's author and the mailing list.
10. Discussion
To further obscure account details on the receiving system, the
receiver SHOULD ignore the SMTP extension or the header field if the
address specified has had one continuous owner since it was created,
regardless of the purported confirmation date of the address. This
is further discussed in Section 14.
The presence of the intended address in the field content supports
the case where a message bearing this header field is forwarded. The
specific use case is as follows:
1. A user subscribes to a service "S" on date "D" and confirms an
email address at the user's current location, "A";
2. At some later date, the user intends to leave the current
location, and thus creates a new mailbox elsewhere, at "B";
3. The user replaces address "A" with forwarding to "B";
4. "S" constructs a message to "A" claiming that address was valid
at date "D" and sends it to "A";
5. The receiving MTA at "A" determines that the forwarding in effect
was created by the same party that owned the mailbox there, and
thus concludes the continuous ownership test has been satisfied;
6. If possible, "A" removes this header field from the message, and
in either case, forwards it to "B";
7. On receipt at "B", either the header field has been removed, or
the header field does not refer to a current envelope recipient,
and in either case delivers the message.
SMTP has never required any correspondence between addresses in the
RFC5321.MailFrom and RFC5321.RcptTo parameters and header fields of a
message, which is why the header field defined here contains the
recipient address to which the timestamp applies.
Mills & Kucherawy Expires June 14, 2014 [Page 12]
Internet-Draft Require-Recipient-Valid-Since December 2013
11. Continuous Ownership
For the purposes of this specification, an address is defined as
having been under continuous ownership since a given date-time if a
message sent to the address at any point since the given date would
not go to anyone except the owner at that given date-time. That is,
while an address may have been suspended or otherwise disabled for
some period, any mail actually delivered would have been delivered
exclusively to the same owner. It is is presumed that some sort of
relationship exists between the message sender and the intended
recipient. Presumably there has been some confirmation process
applied to establish this ownership of the receiver's mailbox;
however, the method of making such determinations is a local matter
and outside the scope of this document.
Evaluating the notion of continuous ownership is accomplished by
doing any query that establishes whether the above condition holds
for a given mailbox.
Determining continuous ownership of a mailbox is a local matter at
the receiving site. The only possible answers to the continuous-
ownership-since question are "yes", "no", and "unknown"; the action
to be taken in the "unknown" case is a matter of local policy.
For example, when control of a domain name is transferred, the new
domain owner might be unable to determine whether the owner of the
subject address has been under continuous ownership since the stated
date if the mailbox history is not also transferred (or was not
previously maintained). It will also be "unknown" if whatever
database contains mailbox ownership data is temporarily unavailable
at the time a message arrives for delivery. In this latter case,
typical SMTP temporary failure handling is appropriate.
12. Authentication-Results Definitions
[AUTHRES] defines a mechanism for indicating, via a header field, the
results of message authentication checks. Section 16 registers RRVS
as a new method that can be reported in this way, and corresponding
result names. The possible result names and their meanings are as
follows:
none: The message had no recipient mailbox timestamp associated with
it, either via the SMTP extension or header field method; this
protocol was not in use.
Mills & Kucherawy Expires June 14, 2014 [Page 13]
Internet-Draft Require-Recipient-Valid-Since December 2013
unknown: At least one form of this protocol was in use, but
continuous ownership of the recipient mailbox could not be
determined.
temperror: At least one form of this protocol was in use, but some
kind of error occurred during evaluation that was transient in
nature; a later retry will likely produce a final result.
permerror: At least one form of this protocol was in use, but some
kind of error occurred during evaluation that was not recoverable;
a later retry will not likely produce a final result.
pass: At least one form of this protocol was in use, and the
destination mailbox was confirmed to have been under constant
ownership since the timestamp thus provided.
fail: At least one form of this protocol was in use, and the
destination mailbox was confirmed not to have been under constant
ownership since the timestamp thus provided.
Where multiple recipients are present on a message, multiple results
can be reported using the mechanism described in [AUTHRES].
13. Examples
In the following examples, "C:" indicates data sent by an SMTP
client, and "S:" indicates responses by the SMTP server. Message
content is CRLF terminated, though these are omitted here for ease of
reading.
13.1. SMTP Extension Example
C: [connection established]
S: 220 server.example.com ESMTP ready
C: EHLO client.example.net
S: 250-server.example.com
S: 250 RRVS
C: MAIL FROM:<sender@example.net>
S: 250 OK
C: RCPT TO:<receiver@example.com> RRVS=1381993177
S: 550 5.7.15 receiver@example.com is no longer valid
C: QUIT
S: 221 So long!
Mills & Kucherawy Expires June 14, 2014 [Page 14]
Internet-Draft Require-Recipient-Valid-Since December 2013
13.2. Header Field Example
C: [connection established]
S: 220 server.example.com ESMTP ready
C: HELO client.example.net
S: 250 server.example.com
C: MAIL FROM:<sender@example.net>
S: 250 OK
C: RCPT TO:<receiver@example.com>
S: 250 OK
C: DATA
S: 354 Ready for message content
C: From: Mister Sender <sender@example.net>
To: Miss Receiver <receiver@example.com>
Subject: Are you still there?
Date: Fri, 28 Jun 2013 18:01:01 +0200
Require-Recipient-Valid-Since: receiver@example.com;
Sat, 1 Jun 2013 09:23:01 -0700
Are you still there?
.
S: 550 5.7.15 receiver@example.com is no longer valid
C: QUIT
S: 221 So long!
If an authentication scheme is applied to claim the added header
field is valid, but the scheme fails, a receiver might reject the
message with an SMTP reply such as:
S: 550-5.7.7 Use of Require-Recipient-Valid-Since header
S: 550 field requires a valid signature
14. Security Considerations
14.1. Abuse Countermeasures
The response of a server implementing this protocol can disclose
information about the age of existing email mailbox. Implementation
of countermeasures against probing attacks is advised. For example,
an operator could track appearance of this field with respect to a
particular mailbox and observe the timestamps being submitted for
testing; if it appears a variety of timestamps is being tried against
a single mailbox in short order, the field could be ignored and the
message silently discarded. This concern is discussed further in
Section 15.
Mills & Kucherawy Expires June 14, 2014 [Page 15]
Internet-Draft Require-Recipient-Valid-Since December 2013
14.2. Suggested Use Restrictions
If the mailbox named in the field is known to have had only a single
continuous owner since creation, or not to have existed at all (under
any owner) prior to the date specified in the field, then the field
can be silently ignored and normal message handling applied so that
this information is not disclosed. Such fields are likely the
product of either gross error or an attack.
A message author using this specification might restrict inclusion of
the header field such that it is only done for recipients known also
to implement this specification, in order to reduce the possibility
of revealing information about the relationship between the author
and the mailbox.
If ownership of an entire domain is transferred, the new owner may
not know what addresses were assigned in the past by the prior owner.
Hence, no address can be known not to have had a single owner, or to
have existed (or not) at all. In this case, the "unknown" result is
likely appropriate.
15. Privacy Considerations
15.1. Probing Attacks
As described above, use of this extension or header field in probing
attacks can disclose information about the history of the mailbox.
The harm that can be done by leaking any kind of private information
is difficult to predict, so it is prudent to be sensitive to this
sort of disclosure, either inadvertently or in response to probing by
an attacker. It bears restating, then, that implementing
countermeasures to abuse of this capability needs strong
consideration.
That some MSPs allow for expiration of account names when they have
been unused for a protracted period forces a choice between two
potential types of privacy vulnerabilities, one of which presents
significantly greater threats to users than the other. Automatically
generated mail is often used to convey authentication credentials
that can potentially provide access to extremely sensitive
information. Supplying such credentials to the wrong party after a
mailbox ownership change could allow the previous owner's data to be
exposed without his or her authorization or knowledge. In contrast,
the information that may be exposed to a third party via the proposal
in this document is limited to information about the mailbox history.
Given that MSPs have chosen to allow transfers of mailbox ownership
without the prior owner's involvement, the information leakage from
the extensions specified here creates far fewer risks than the
Mills & Kucherawy Expires June 14, 2014 [Page 16]
Internet-Draft Require-Recipient-Valid-Since December 2013
potential for delivering mail to the wrong party.
15.2. Envelope Recipients
The email To and Cc header fields are not required to be populated
with addresses that match the envelope recipient set, and Cc may even
be absent. However, the algorithm in Section 3 requires that this
header field contain a match for an envelope recipient in order to be
actionable. As such, use of this specification can reveal some or
all of the original intended recipient set to any party that can see
the message in transit or upon delivery.
For a message destined to a single recipient, this is unlikely to be
a concern, which is one of the reasons use of this specification on
multi-recipient messages is discouraged.
15.3. Risks with Use of Header Field
MTAs might not implement the recommendation to remove the header
field defined here, either out of ignorance or due to error. Since
user agents often do not render all of the header fields present, the
message could be forwarded to another party that would then
inadvertently have the content of this header field.
16. IANA Considerations
16.1. SMTP Extension Registration
Section 2.2.2 of [MAIL] sets out the procedure for registering a new
SMTP extension. IANA is requested to register the SMTP extension
using the details provided in Section 3.1 of this document.
16.2. Header Field Registration
IANA is requested to add the following entry to the Permanent Message
Header Field registry, as per the procedure found in [IANA-HEADERS]:
Header field name: Require-Recipient-Valid-Since
Applicable protocol: mail ([MAIL])
Status: Standard
Author/Change controller: IETF
Specification document(s): [this document]
Related information:
Requesting review of any proposed changes and additions to
this field is recommended.
Mills & Kucherawy Expires June 14, 2014 [Page 17]
Internet-Draft Require-Recipient-Valid-Since December 2013
16.3. Enhanced Status Code Registration
IANA is requested to register the following in the SMTP Enhanced
Status Codes registry:
Code: X.7.15
Sample Text: Mailbox owner has changed
Associated basic status code: 5
Description: This status code is returned when a message is
received with a Require-Recipient-Valid-Since
field or RRVS extension and the receiving
system is able to determine that the intended
recipient mailbox has not been under
continuous ownership since the specified date.
Reference: [this document]
Submitter: M. Kucherawy
Change controller: IESG
Code: X.7.16
Sample Text: Domain owner has changed
Associated basic status code: 5
Description: This status code is returned when a message is
received with a Require-Recipient-Valid-Since
field or RRVS extension and the receiving
system wishes to disclose that the owner of
the domain name of the recipient has changed
since the specified date.
Reference: [this document]
Submitter: M. Kucherawy
Change controller: IESG
16.4. Authentication Results Registration
IANA is requested to register the following in the "Email
Authentication Methods" Registry:
Method: rrvs
Specifying Document: [this document]
ptype: smtp
Property: rcptto
Mills & Kucherawy Expires June 14, 2014 [Page 18]
Internet-Draft Require-Recipient-Valid-Since December 2013
Value: envelope recipient
Status: active
Version: 1
IANA is also requested to register the following in the "Email
Authentication Result Names" Registry:
Codes: none, unknown, temperror, permerror, pass, fail
Defined: [this document]
Auth Method(s): rrvs
Meaning: Section 12 of [this document]
Status: active
17. References
17.1. Normative References
[ABNF] Crocker, D., Ed. and P. Overell, "Augmented BNF for
Syntax Specifications: ABNF", RFC 5234, January 2008.
[DATETIME] Klyne, G. and C. Newman, "Date and Time on the
Internet: Timestamps", RFC 3339, July 2002.
[] Klyne, G., Nottingham, M., and J. Mogul,
"Registration Procedures for Message Header Fields",
BCP 90, RFC 3864, September 2004.
[KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[MAIL] Resnick, P., "Internet Message Format", RFC 5322,
October 2008.
[ROLES] Crocker, D., "Mailbox Names For Common Services,
Roles And Functions", RFC 2142, May 1997.
[SMTP] Klensin, J., "Simple Mail Transfer Protocol",
RFC 5321, October 2008.
Mills & Kucherawy Expires June 14, 2014 [Page 19]
Internet-Draft Require-Recipient-Valid-Since December 2013
17.2. Informative References
[AUTHRES] Kucherawy, M., "Message Header Field for Indicating
Message Authentication Status", RFC 7001,
September 2013.
[DSN] Moore, K. and G. Vaudreuil, "An Extensible Message
Format for Delivery Status Notifications", RFC 3464,
January 2003.
[DSN-SMTP] Moore, K., "Simple Mail Transfer Protocol (SMTP)
Service Extension for Delivery Status Notifications
(DSNs)", RFC 3461, January 2003.
[EMAIL-ARCH] Crocker, D., "Internet Mail Architecture", RFC 5598,
July 2009.
[ESC] Vaudreuil, G., "Enhanced Mail System Status Codes",
RFC 3463, January 2003.
Appendix A. Acknowledgments
Erling Ellingsen proposed the idea.
Reviews and comments were provided by Michael Adkins, Kurt Andersen,
Alissa Cooper, Dave Cridland, Dave Crocker, Ned Freed, John Levine,
Alexey Melnikov, Hector Santos, Gregg Stefancik, Ed Zayas, (others)
Authors' Addresses
William J. Mills
Yahoo! Inc.
EMail: wmills_92105@yahoo.com
Murray S. Kucherawy
Facebook, Inc.
1 Hacker Way
Menlo Park, CA 94025
USA
EMail: msk@fb.com
Mills & Kucherawy Expires June 14, 2014 [Page 20]