Sieve Email Filtering: Extension for Processing Calendar Attachments
draft-ietf-extra-processimip-06
| Document | Type | Active Internet-Draft (extra WG) | |
|---|---|---|---|
| Authors | Kenneth Murchison , Ricardo Signes , Matthew Horsfall | ||
| Last updated | 2024-04-10 | ||
| Replaces | draft-murchison-sieve-processimip | ||
| RFC stream | Internet Engineering Task Force (IETF) | ||
| Intended RFC status | Proposed Standard | ||
| Formats | |||
| Additional resources | Mailing list discussion | ||
| Stream | WG state | In WG Last Call | |
| Associated WG milestone |
|
||
| Document shepherd | (None) | ||
| IESG | IESG state | I-D Exists | |
| Consensus boilerplate | Yes | ||
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-ietf-extra-processimip-06
Network Working Group K. Murchison
Internet-Draft R. Signes
Intended status: Standards Track M. Horsfall
Expires: 12 October 2024 Fastmail
10 April 2024
Sieve Email Filtering: Extension for Processing Calendar Attachments
draft-ietf-extra-processimip-06
Abstract
This document describes the "processcalendar" extension to the Sieve
email filtering language. The "processcalendar" extension gives
Sieve the ability to process machine-readable calendar data that is
encapsulated in an email message using Multipurpose Internet Mail
Extensions (MIME).
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 12 October 2024.
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Murchison, et al. Expires 12 October 2024 [Page 1]
Internet-Draft Sieve Process iMIP April 2024
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Conventions Used in This Document . . . . . . . . . . . . . . 3
3. Capability Identifier . . . . . . . . . . . . . . . . . . . . 3
4. Process Calendar Action . . . . . . . . . . . . . . . . . . . 3
4.1. Allow Public Argument . . . . . . . . . . . . . . . . . . 4
4.2. Addresses Argument . . . . . . . . . . . . . . . . . . . 5
4.3. Updates Only Argument . . . . . . . . . . . . . . . . . . 5
4.4. Calendar ID Argument . . . . . . . . . . . . . . . . . . 5
4.5. Delete Cancelled Argument . . . . . . . . . . . . . . . . 6
4.6. Organizers Argument . . . . . . . . . . . . . . . . . . . 6
4.7. Outcome Argument . . . . . . . . . . . . . . . . . . . . 6
4.8. Reason Argument . . . . . . . . . . . . . . . . . . . . . 6
4.9. Interaction with Other Sieve Actions . . . . . . . . . . 7
4.10. Examples . . . . . . . . . . . . . . . . . . . . . . . . 7
5. Implementation Status . . . . . . . . . . . . . . . . . . . . 8
6. Security Considerations . . . . . . . . . . . . . . . . . . . 9
7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 9
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
8.1. Registration of Sieve Extension . . . . . . . . . . . . . 10
8.2. Registration of Sieve Action . . . . . . . . . . . . . . 10
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 11
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 11
10.1. Normative References . . . . . . . . . . . . . . . . . . 11
10.2. Informative References . . . . . . . . . . . . . . . . . 11
Appendix A. Change History (To be removed by RFC Editor before
publication) . . . . . . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14
1. Introduction
Users frequently receive invites, replies, and cancellations for
events, tasks, etc. via Internet mail messages. It is sometimes
desirable to have such messages automatically parsed and the enclosed
calendar data added to, updated on, or deleted from the user's
calendars.
Typically such messages are based on the iCalendar Message-Based
Interoperability Protocol (iMIP) [RFC6047]. However, sometimes the
enclosed iCalendar [RFC5545] data does not include an iTIP method
property (see [RFC5546], Section 1.4), or the enclosed data may be in
some other machine-readable format (E.g. JSCalendar [RFC8984]).
Murchison, et al. Expires 12 October 2024 [Page 2]
Internet-Draft Sieve Process iMIP April 2024
This document defines an extension to the Sieve language [RFC5228]
that enables scripts to process machine-readable calendar data that
is encapsulated in an email message using MIME [RFC2045].
Specifically, this extension provides the ability to alter items on a
user's calendars referenced in the encapsulated calendar data.
2. Conventions Used in This Document
Conventions for notations are as in Section 1.1 of [RFC5228],
including use of the "Usage:" label for the definition of action and
tagged arguments syntax.
This document uses terminology and concepts from iCalendar [RFC5545]
and iTIP [RFC5546] to describe the processing of calendar data, but
this extension can be used with any machine-readable calendar data
format that can express similar concepts.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. Capability Identifier
Sieve interpreters that implement this extension MUST have an
identifier of "processcalendar" for use with the capability
mechanism.
4. Process Calendar Action
Usage: processcalendar [ :allowpublic ]
[ :addresses <string-list> ]
[ :updatesonly / :calendarid <string> ]
[ :deletecancelled ]
[ :organizers <ext-list-name: string> ]
[ :outcome <variablename: string> ]
[ :reason <variablename: string> ]
The "processcalendar" action is used to parse encapsulated calendar
data and perform the appropriate action based on the content. If the
calendar data is malformed in any way, it MUST be ignored and no
action is taken. Otherwise, based on the iTIP method (see
Section 1.4 of [RFC5546]) of the message, calendar objects are
created, updated, or deleted from a given calendar.
Murchison, et al. Expires 12 October 2024 [Page 3]
Internet-Draft Sieve Process iMIP April 2024
This action can be used with or without the "extlists" [RFC6134]
extension. When the "extlists" extension is enabled in a script
using <require "extlists">, the script can use the :organizers
(Section 4.6) argument to the "processcalendar" action as described
below. When the "extlists" extension is not enabled, the :organizers
argument MUST NOT be used and MUST cause an error according to
[RFC5228].
This action can be used with or without the "variables" [RFC5229]
extension. When the "variables" extension is enabled in a script
using <require "variables">, the script can use the :outcome
(Section 4.7) and :reason (Section 4.8) arguments to the
"processcalendar" action as described below. When the "variables"
extension is not enabled, the :outcome and :reason arguments MUST NOT
be used and MUST cause an error according to [RFC5228].
If a mail messages contains calendar data in multiple MIME [RFC2045]
parts, this action MUST verify that the calendar data in each part
are semantically equalivalent to one another. If the data is found
to be sematically different, the action MUST NOT process the message.
Otherwise, the action MUST only process one representation of the
data.
This action MUST NOT make any changes to the participant status of
the recipient when processing the calendar data. The mechanism for a
recipient to change their participant status to an event is out of
scope for this document.
This action SHOULD remove alarms from calendar data before applying
it to a calendar.
4.1. Allow Public Argument
The optional :allowpublic argument is used to tell the implementation
that it can process calendar data that is not an iTIP message (it
does not contain METHOD and/or ORGANIZER properties) or the METHOD is
PUBLISH.
If :allowpublic is omitted, the implementation MUST NOT process
calendar data unless is it is a well-formed iTIP message and one of
the recipient user's email addresses matches the Calendar User
Address (see Section 3.3.3 of [RFC5545]) of the intended target of
the message, as determined by the iTIP method (see Section 1.4 of
[RFC5546]) of the message:
"REPLY": Value of the "Organizer" property (see Section 3.8.4.1 of
[RFC5545])
Murchison, et al. Expires 12 October 2024 [Page 4]
Internet-Draft Sieve Process iMIP April 2024
"REQUEST", "CANCEL", "ADD": Value of one of the "Attendee"
properties (see Section 3.8.4.3 of [RFC5545])
The recipient user's email address matches the Calender User Address
of the target if the Calendar User Address is in the form of a mailto
URI and the email address matches the "addr-spec" of the URI.
An email address is considered to belong to the recipient if it is
one of:
1. an email address known by the implementation to be associated
with the recipient,
2. the final envelope recipient address if it's available to the
implementation, or
3. an address specified by the script writer via the :addresses
(Section 4.2) argument.
4.2. Addresses Argument
The optional :addresses argument is used to specify email addresses
that belong to the recipient in addition to the addresses known to
the implementation.
4.3. Updates Only Argument
The optional :updatesonly argument is used to limit the messages
processed to those targeting existing calendar objects only. If the
message contains a new calendar object (its UID does not exist on any
of the user's calendars), the implementation MUST NOT add the object
to a calendar.
If :updatesonly is omitted, new calendar objects may be added to one
of the user's calendars.
4.4. Calendar ID Argument
The optional :calendarid argument specifies the identifier of the
calendar onto which new calendar objects should be placed.
If :calendarid is omitted, new calendar objects will be placed on the
user's "default" calendar as determined by the implementation.
Murchison, et al. Expires 12 October 2024 [Page 5]
Internet-Draft Sieve Process iMIP April 2024
4.5. Delete Cancelled Argument
The optional :deletecancelled argument is used to tell the
implementation that if it receives a cancellation message, it should
remove the associated calendar object from the calendar.
If :deletecancelled is omitted, the status of the associated calendar
object will be set to cancelled and will remain on the calendar.
4.6. Organizers Argument
The optional :organizers argument is used to specify an external list
of email addresses from which the recipient is willing to accept
public events, invites, updates, and cancellations. Implementations
MUST NOT process calendar data unless is it is a well-formed iTIP
message and one of the addresses in the external list matches the
Calendar User Address of the "Organizer" property. An email address
in the external list matches the Calender User Address of the
"Organizer" property if it is in the form of a mailto URI and the
email address matches the "addr-spec" of the URI.
If :organizers is omitted, no validation of the "Organizer" property
is performed.
4.7. Outcome Argument
The optional :outcome argument specifies the name of a variable into
which one of the following strings specifying the outcome of the
action will be stored:
* "no_action": No action was performed (E.g., the message didn't
contain calendar data, or the set of provided options prevented
the message from being processed).
* "added": A new calendar object was added to a calendar
* "updated": A calendar resource was updated, cancelled, or removed
from the calendar.
* "error": The message would have been processed but encountered an
error in doing so.
4.8. Reason Argument
The optional :reason argument specifies the name of a variable into
which a string describing the reason for the outcome will be stored.
If no reason for the outcome is available, implementations MUST set
the variable to the empty string.
Murchison, et al. Expires 12 October 2024 [Page 6]
Internet-Draft Sieve Process iMIP April 2024
For example, an outcome of "no_action" may have a reason of "only
processing updates" or an outcome of "error" may have a reason of
"missing UID property".
4.9. Interaction with Other Sieve Actions
The "processcalendar" action does not cancel Sieve's implicit keep
action.
The "processcalendar" action can only be executed once per script. A
script MUST fail with an appropriate error if it attempts to execute
two or more "processcalendar" actions.
The "processcalendar" action is incompatible with the Sieve reject
and ereject [RFC5429] actions.
4.10. Examples
The following example specifies email addresses belonging to the user
and the identifier of the calendar onto which to place new calendar
objects:
require [ "processcalendar" ];
processcalendar :addresses [ "me@example.com", "alsome@example.com" ]
:calendarid "1ea6d86b-6c7f-48a2-bed3-2a4c40ec281a";
The following example tells the interpreter to process flight
itineraries from a particular airline:
require [ "processcalendar" ];
if allof (address ["from", "sender"] "airline@example.com",
header :contains "subject" "itinerary") {
processcalendar :allowpublic;
}
The following example adds headers to the message if calendar data
isn't processed :
Murchison, et al. Expires 12 October 2024 [Page 7]
Internet-Draft Sieve Process iMIP April 2024
require [ "processcalendar", "variables", "editheader" ];
set "processcal_outcome" "no_action";
set "processcal_error" "";
processcalendar :outcome "processcal_outcome"
:errstr "processcal_error";
if not string :is "${processcal_outcome}" ["added", "updated"] {
addheader "X-ProcessCal-Outcome" "${processcal_outcome}";
addheader "X-ProcessCal-Error" "${processcal_error}";
}
5. Implementation Status
< RFC Editor: before publication please remove this section and the
reference to [RFC7942] >
This section records the status of known implementations of the
protocol defined by this specification at the time of posting of this
Internet-Draft, and is based on a proposal described in [RFC7942].
The description of implementations in this section is intended to
assist the IETF in its decision processes in progressing drafts to
RFCs. Please note that the listing of any individual implementation
here does not imply endorsement by the IETF. Furthermore, no effort
has been spent to verify the information presented here that was
supplied by IETF contributors. This is not intended as, and must not
be construed to be, a catalog of available implementations or their
features. Readers are advised to note that other implementations may
exist.
According to [RFC7942], "this will allow reviewers and working groups
to assign due consideration to documents that have the benefit of
running code, which may serve as evidence of valuable experimentation
and feedback that have made the implemented protocols more mature.
It is up to the individual working groups to use this information as
they see fit".
5.1. Cyrus Server
The open source Cyrus Server (http://www.cyrusimap.org/) project is a
highly scalable enterprise mail system which supports Sieve email
filtering at the point of final delivery. This production level
Sieve implementation supports all of the requirements described in
this document. This implementation is freely distributable under a
BSD style license from Computing Services at Carnegie Mellon
University (http://www.cmu.edu/computing/).
Murchison, et al. Expires 12 October 2024 [Page 8]
Internet-Draft Sieve Process iMIP April 2024
6. Security Considerations
This document describes a method for altering an electronic calendar
without user interaction. As such, unless proper precautions are
undertaken, it can be used as a vector for calendar abuse.
It is critical that implementations correctly implement the behavior
and restrictions described throughout this document. Security issues
associated with processing unsolicited calendar data, and methods for
mitigating them are discussed in [CALSPAM]. Specifically:
* Processcalendar MUST NOT process any calendar data enclosed in a
message flagged as spam and/or malicious. The spamtest and
virustest [RFC5235] extensions (or the header [RFC5228] test if
messages are scanned outside of the Sieve interpreter) can be used
to make processcalendar conditional on "safe" content.
* Processcalendar SHOULD NOT process calendar data received from a
potentially malicious sender. The address and envelope [RFC5228]
tests (optionally along with the extlists [RFC6134] extension) can
be used to make processcalendar conditional on the sender not
being "untrustworthy".
* Similarly, processcalendar SHOULD only process calendar data
received from a known sender. The address and envelope [RFC5228]
tests (optionally along with the extlists [RFC6134] extension) can
be used to make processcalendar conditional on the sender being
"trustworthy".
Additionally, if the calendar data has embedded (a.k.a. inline)
attachments, implementations SHOULD:
* Decode the embedded attachment, if necessary.
* Scan the (decoded) attachment for malicious content.
If an attachment is found to be malicious, processcalendar MUST NOT
process the calendar data.
7. Privacy Considerations
It is believed that this extension doesn't introduce any privacy
considerations beyond those in [RFC5228].
8. IANA Considerations
Murchison, et al. Expires 12 October 2024 [Page 9]
Internet-Draft Sieve Process iMIP April 2024
8.1. Registration of Sieve Extension
This document defines the following new Sieve extension to be added
to the registry defined in Section 6.2 of [RFC5228] and located here:
https://www.iana.org/assignments/sieve-extensions/sieve-
extensions.xhtml#sieve-extensions
IANA are requested to add a capability to the Sieve Extensions
registry:
To: iana@iana.org
Subject: Registration of new Sieve extension
Capability name: processcalendar
Description: Adds the "processcalendar" action command to add and
update items on a user's calendars.
RFC number: RFC XXXX
Contact address: The Sieve discussion list <sieve@ietf.org>
8.2. Registration of Sieve Action
This document defines the following new Sieve action to be added to
the registry defined in Section 2.1 of [RFC9122] and located here:
https://www.iana.org/assignments/sieve-extensions/sieve-
extensions.xhtml#sieve-actions
IANA are requested to add a capability to the Sieve Actions registry:
To: iana@iana.org
Subject: Registration of new Sieve action
Name: processcalendar
Description: Add and update items on a user's calendars
References: RFC XXXX
Action Interactions: This action is incompatible with "reject" and
"ereject" actions
Cancels Implicit Keep? No
Can Use with IMAP Events? No
Murchison, et al. Expires 12 October 2024 [Page 10]
Internet-Draft Sieve Process iMIP April 2024
9. Acknowledgments
The authors would like to thank the following individuals for
contributing their ideas and support for writing this specification:
Ned Freed and Alexey Melnikov.
10. References
10.1. Normative References
[CALSPAM] The Calendaring and Scheduling Consortium, "Calendar
operator practices - Guidelines to protect against
calendar abuse", CC/R 18003, 2019,
<https://standards.calconnect.org/csd/cc-18003.html>.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
[RFC5228] Guenther, P., Ed. and T. Showalter, Ed., "Sieve: An Email
Filtering Language", RFC 5228, DOI 10.17487/RFC5228,
January 2008, <https://www.rfc-editor.org/info/rfc5228>.
[RFC5229] Homme, K., "Sieve Email Filtering: Variables Extension",
RFC 5229, DOI 10.17487/RFC5229, January 2008,
<https://www.rfc-editor.org/info/rfc5229>.
[RFC6047] Melnikov, A., Ed., "iCalendar Message-Based
Interoperability Protocol (iMIP)", RFC 6047,
DOI 10.17487/RFC6047, December 2010,
<https://www.rfc-editor.org/info/rfc6047>.
[RFC6134] Melnikov, A. and B. Leiba, "Sieve Extension: Externally
Stored Lists", RFC 6134, DOI 10.17487/RFC6134, July 2011,
<https://www.rfc-editor.org/info/rfc6134>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC9122] Melnikov, A. and K. Murchison, "IANA Registry for Sieve
Actions", RFC 9122, DOI 10.17487/RFC9122, June 2023,
<https://www.rfc-editor.org/info/rfc9122>.
10.2. Informative References
Murchison, et al. Expires 12 October 2024 [Page 11]
Internet-Draft Sieve Process iMIP April 2024
[RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
Extensions (MIME) Part One: Format of Internet Message
Bodies", RFC 2045, DOI 10.17487/RFC2045, November 1996,
<https://www.rfc-editor.org/info/rfc2045>.
[RFC5235] Daboo, C., "Sieve Email Filtering: Spamtest and Virustest
Extensions", RFC 5235, DOI 10.17487/RFC5235, January 2008,
<https://www.rfc-editor.org/info/rfc5235>.
[RFC5429] Stone, A., Ed., "Sieve Email Filtering: Reject and
Extended Reject Extensions", RFC 5429,
DOI 10.17487/RFC5429, March 2009,
<https://www.rfc-editor.org/info/rfc5429>.
[RFC5545] Desruisseaux, B., Ed., "Internet Calendaring and
Scheduling Core Object Specification (iCalendar)",
RFC 5545, DOI 10.17487/RFC5545, September 2009,
<https://www.rfc-editor.org/info/rfc5545>.
[RFC5546] Daboo, C., Ed., "iCalendar Transport-Independent
Interoperability Protocol (iTIP)", RFC 5546,
DOI 10.17487/RFC5546, December 2009,
<https://www.rfc-editor.org/info/rfc5546>.
[RFC7942] Sheffer, Y. and A. Farrel, "Improving Awareness of Running
Code: The Implementation Status Section", BCP 205,
RFC 7942, DOI 10.17487/RFC7942, July 2016,
<https://www.rfc-editor.org/info/rfc7942>.
[RFC8984] Jenkins, N. and R. Stepanek, "JSCalendar: A JSON
Representation of Calendar Data", RFC 8984,
DOI 10.17487/RFC8984, July 2021,
<https://www.rfc-editor.org/info/rfc8984>.
Appendix A. Change History (To be removed by RFC Editor before
publication)
Changes since draft-ietf-sieve-processimip-05:
1. Renamed :errstr to :reason and added examples.
2. Miscellaneous editorial changes.
Changes since draft-ietf-sieve-processimip-04:
1. Miscellaneous editorial changes.
Changes since draft-ietf-sieve-processimip-03:
Murchison, et al. Expires 12 October 2024 [Page 12]
Internet-Draft Sieve Process iMIP April 2024
1. Added text about multiple MIME parts containing calendar data.
2. Added text about embedded attachments to Security Considerations.
3. Added :organizers option if "extlists" is supported.
4. Miscellaneous editorial changes.
Changes since draft-ietf-sieve-processimip-02:
1. Renamed :nonitip to :allowpublic to cover both non-iTIP and
METHOD:PUBLIC messages.
2. Renamed :deletecanceled to :deletecancelled to match RFC5545
language.
3. Specified that this action MUST NOT alter a recipient's
participation status.
4. :errstr MUST be set to the empty string if no reason for the
outcome is available.
5. Added the "Interaction with Other Sieve Actions" subsection.
6. Add Security Considerations.
7. Added action registration.
8. Added three issues for discussion.
9. Miscellaneous editorial changes.
Changes since draft-ietf-sieve-processimip-01:
1. Changed the name of the action from processimip to
processcalendar.
2. The action is now independent of iMIP and is calendar data format
agnostic.
3. Added examples.
Changes since draft-ietf-sieve-processimip-00:
1. No changes.
Changes since draft-murchison-sieve-processimip-00:
Murchison, et al. Expires 12 October 2024 [Page 13]
Internet-Draft Sieve Process iMIP April 2024
1. Document name change only.
Authors' Addresses
Kenneth Murchison
Fastmail US LLC
1429 Walnut Street - Suite 1201
Philadelphia, PA 19102
United States of America
Email: murch@fastmailteam.com
Ricardo Signes
Fastmail US LLC
1429 Walnut Street - Suite 1201
Philadelphia, PA 19102
United States of America
Email: rjbs@fastmailteam.com
Matthew Horsfall
Fastmail US LLC
1429 Walnut Street - Suite 1201
Philadelphia, PA 19102
United States of America
Email: alh@fastmailteam.com
Murchison, et al. Expires 12 October 2024 [Page 14]