1
2
3
4
5
6
7Internet Engineering Task Force (IETF) W. Mills
8Request for Comments: 7293 Yahoo! Inc.
9Category: Standards Track M. Kucherawy
10ISSN: 2070-1721 Facebook, Inc.
11 July 2014
12
13
14 The Require-Recipient-Valid-Since Header Field
15 and SMTP Service Extension
16
17Abstract
18
19 This document defines an extension for the Simple Mail Transfer
20 Protocol (SMTP) called "RRVS" to provide a method for senders to
21 indicate to receivers a point in time when the ownership of the
22 target mailbox was known to the sender. This can be used to detect
23 changes of mailbox ownership and thus prevent mail from being
24 delivered to the wrong party. This document also defines a header
25 field called "Require-Recipient-Valid-Since" that can be used to
26 tunnel the request through servers that do not support the extension.
27
28 The intended use of these facilities is on automatically generated
29 messages, such as account statements or password change instructions,
30 that might contain sensitive information, though it may also be
31 useful in other applications.
32
33Status of This Memo
34
35 This is an Internet Standards Track document.
36
37 This document is a product of the Internet Engineering Task Force
38 (IETF). It represents the consensus of the IETF community. It has
39 received public review and has been approved for publication by the
40 Internet Engineering Steering Group (IESG). Further information on
41 Internet Standards is available in Section 2 of RFC 5741.
42
43 Information about the current status of this document, any errata,
44 and how to provide feedback on it may be obtained at
45 http://www.rfc-editor.org/info/rfc7293.
46
47
48
49
50
51
52
53
54
55
56
57
58Mills & Kucherawy Standards Track [Page 1]
59
60RFC 7293 Require-Recipient-Valid-Since July 2014
61
62
63Copyright Notice
64
65 Copyright (c) 2014 IETF Trust and the persons identified as the
66 document authors. All rights reserved.
67
68 This document is subject to BCP 78 and the IETF Trust's Legal
69 Provisions Relating to IETF Documents
70 (http://trustee.ietf.org/license-info) in effect on the date of
71 publication of this document. Please review these documents
72 carefully, as they describe your rights and restrictions with respect
73 to this document. Code Components extracted from this document must
74 include Simplified BSD License text as described in Section 4.e of
75 the Trust Legal Provisions and are provided without warranty as
76 described in the Simplified BSD License.
77
78Table of Contents
79
80 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
81 2. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . 4
82 3. Description . . . . . . . . . . . . . . . . . . . . . . . . . 4
83 3.1. The "RRVS" SMTP Extension . . . . . . . . . . . . . . . . 5
84 3.2. The "Require-Recipient-Valid-Since" Header Field . . . . 5
85 3.3. Timestamps . . . . . . . . . . . . . . . . . . . . . . . 6
86 4. Use By Generators . . . . . . . . . . . . . . . . . . . . . . 6
87 5. Handling By Receivers . . . . . . . . . . . . . . . . . . . . 7
88 5.1. SMTP Extension Used . . . . . . . . . . . . . . . . . . . 7
89 5.1.1. Relays . . . . . . . . . . . . . . . . . . . . . . . 8
90 5.2. Header Field Used . . . . . . . . . . . . . . . . . . . . 9
91 5.2.1. Design Choices . . . . . . . . . . . . . . . . . . . 10
92 5.3. Clock Synchronization . . . . . . . . . . . . . . . . . . 11
93 6. Relaying without RRVS Support . . . . . . . . . . . . . . . . 11
94 6.1. Header Field Conversion . . . . . . . . . . . . . . . . . 11
95 7. Header Field with Multiple Recipients . . . . . . . . . . . . 12
96 8. Special Use Addresses . . . . . . . . . . . . . . . . . . . . 13
97 8.1. Mailing Lists . . . . . . . . . . . . . . . . . . . . . . 13
98 8.2. Single-Recipient Aliases . . . . . . . . . . . . . . . . 13
99 8.3. Multiple-Recipient Aliases . . . . . . . . . . . . . . . 14
100 8.4. Confidential Forwarding Addresses . . . . . . . . . . . . 14
101 8.5. Suggested Mailing List Enhancements . . . . . . . . . . . 14
102 9. Continuous Ownership . . . . . . . . . . . . . . . . . . . . 15
103 10. Digital Signatures . . . . . . . . . . . . . . . . . . . . . 15
104 11. Authentication-Results Definitions . . . . . . . . . . . . . 16
105 12. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 16
106 12.1. SMTP Extension Example . . . . . . . . . . . . . . . . . 17
107 12.2. Header Field Example . . . . . . . . . . . . . . . . . . 17
108 12.3. Authentication-Results Example . . . . . . . . . . . . . 17
109
110
111
112
113
114Mills & Kucherawy Standards Track [Page 2]
115
116RFC 7293 Require-Recipient-Valid-Since July 2014
117
118
119 13. Security Considerations . . . . . . . . . . . . . . . . . . . 18
120 13.1. Abuse Countermeasures . . . . . . . . . . . . . . . . . 18
121 13.2. Suggested Use Restrictions . . . . . . . . . . . . . . . 18
122 13.3. False Sense of Security . . . . . . . . . . . . . . . . 18
123 13.4. Reassignment of Mailboxes . . . . . . . . . . . . . . . 19
124 14. Privacy Considerations . . . . . . . . . . . . . . . . . . . 19
125 14.1. The Tradeoff . . . . . . . . . . . . . . . . . . . . . . 19
126 14.2. Probing Attacks . . . . . . . . . . . . . . . . . . . . 19
127 14.3. Envelope Recipients . . . . . . . . . . . . . . . . . . 20
128 14.4. Risks with Use . . . . . . . . . . . . . . . . . . . . . 20
129 15. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 20
130 15.1. SMTP Extension Registration . . . . . . . . . . . . . . 20
131 15.2. Header Field Registration . . . . . . . . . . . . . . . 20
132 15.3. Enhanced Status Code Registration . . . . . . . . . . . 21
133 15.4. Authentication Results Registration . . . . . . . . . . 22
134 16. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 22
135 17. References . . . . . . . . . . . . . . . . . . . . . . . . . 23
136 17.1. Normative References . . . . . . . . . . . . . . . . . . 23
137 17.2. Informative References . . . . . . . . . . . . . . . . . 23
138
1391. Introduction
140
141 Email addresses sometimes get reassigned to a different person. For
142 example, employment changes at a company can cause an address used
143 for an ex-employee to be assigned to a new employee, or a mail
144 service provider (MSP) might expire an account and then let someone
145 else register for the local-part that was previously used. Those who
146 sent mail to the previous owner of an address might not know that it
147 has been reassigned. This can lead to the sending of email to the
148 correct address but the wrong recipient. This situation is of
149 particular concern with transactional mail related to purchases,
150 online accounts, and the like.
151
152 What is needed is a way to indicate an attribute of the recipient
153 that will distinguish between the previous owner of an address and
154 its current owner, if they are different. Further, this needs to be
155 done in a way that respects privacy.
156
157 The mechanisms specified here allow the sender of the mail to
158 indicate how "old" the address assignment is expected to be. In
159 effect, the sender is saying, "I know that the intended recipient was
160 using this address at this point in time. I don't want this message
161 delivered to anyone else". A receiving system can then compare this
162 information against the point in time at which the address was
163 assigned to its current user. If the assignment was made later than
164 the point in time indicated in the message, there is a good chance
165
166
167
168
169
170Mills & Kucherawy Standards Track [Page 3]
171
172RFC 7293 Require-Recipient-Valid-Since July 2014
173
174
175 the current user of the address is not the correct recipient. The
176 receiving system can then prevent delivery and, preferably, notify
177 the original sender of the problem.
178
179 The primary application is transactional mail (such as account
180 information, password change requests, and other automatically
181 generated messages) rather than user-authored content. However, it
182 may be useful in other contexts; for example, a personal address book
183 could record the time an email address was added to it, and thus use
184 that time with this extension.
185
186 Because the use cases for this extension are strongly tied to privacy
187 issues, attention to the Security Considerations (Section 13) and the
188 Privacy Considerations (Section 14) is particularly important. Note,
189 especially, the limitation described in Section 13.3.
190
1912. Definitions
192
193 For a description of the email architecture, consult [EMAIL-ARCH].
194
195 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
196 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
197 document are to be interpreted as described in [KEYWORDS].
198
1993. Description
200
201 To address the problem described in Section 1, a mail-sending client
202 (usually an automated agent) needs to indicate to the server to which
203 it is connecting that it expects the destination address of the
204 message to have been under continuous ownership (see Section 9) since
205 a specified point time. That specified time would be the time when
206 the intended recipient gave the address to the message author, or
207 perhaps a more recent time when the intended recipient reconfirmed
208 ownership of the address with the sender.
209
210 Two mechanisms are defined here: an extension to the Simple Mail
211 Transfer Protocol [SMTP] and a new message header field. The SMTP
212 extension permits strong assurance of enforcement by confirming
213 support at each handling step for a message and the option to demand
214 support at all nodes in the handling path of the message (and
215 returning of the message to the originator otherwise). The header
216 field can be used when the Message Delivery Agent (MDA) supports this
217 function, but an intermediary system between the sending system and
218 the MDA does not. However, the header field does not provide the
219 same strong assurance described above and is more prone to exposure
220 of private information (see Section 14.1).
221
222
223
224
225
226Mills & Kucherawy Standards Track [Page 4]
227
228RFC 7293 Require-Recipient-Valid-Since July 2014
229
230
231 The SMTP extension is called "RRVS" and adds a parameter to the SMTP
232 "RCPT" command that indicates the most recent point in time when the
233 message author believed the destination mailbox to be under the
234 continuous ownership of a specific party. Similarly, the "Require-
235 Recipient-Valid-Since" header field includes an intended recipient
236 coupled with a timestamp indicating the same thing.
237
2383.1. The "RRVS" SMTP Extension
239
240 Extensions to SMTP are described in Section 2.2 of [SMTP].
241
242 The name of the extension is "RRVS", an abbreviation of "Require
243 Recipient Valid Since". Servers implementing the SMTP extension
244 advertise an additional EHLO keyword of "RRVS", which has no
245 associated parameters, introduces no new SMTP commands, and does not
246 alter the MAIL command.
247
248 A Message Transfer Agent (MTA) implementing RRVS can transmit or
249 accept one new parameter to the RCPT command. An MDA can also accept
250 this new parameter. The parameter is "RRVS", and the value is a
251 timestamp expressed as "date-time" as defined in [DATETIME], with the
252 added restriction that a "time-secfrac" MUST NOT be used. The
253 timestamp MAY optionally be followed by a semicolon character and a
254 letter (known as the "no-support action"), indicating the action to
255 be taken when a downstream MTA is discovered that does not support
256 the extension. Valid actions are "R" (reject; the default) and "C"
257 (continue).
258
259 Formally, the new parameter and its value are defined as follows:
260
261 rrvs-param = "RRVS=" date-time [ ";" ( "C" / "R" ) ]
262
263 Accordingly, this extension increases the maximum command length for
264 the RCPT command by 33 characters.
265
266 The meaning of this extension, when used, is described in
267 Section 5.1.
268
2693.2. The "Require-Recipient-Valid-Since" Header Field
270
271 The general constraints on syntax and placement of header fields in a
272 message are defined in "Internet Message Format" [MAIL].
273
274 Using Augmented Backus-Naur Form [ABNF], the syntax for the field is:
275
276 rrvs = "Require-Recipient-Valid-Since:" addr-spec ";" date-time
277 CRLF
278
279
280
281
282Mills & Kucherawy Standards Track [Page 5]
283
284RFC 7293 Require-Recipient-Valid-Since July 2014
285
286
287 "date-time" is defined in Section 3.3, and "addr-spec" is defined in
288 Section 3.4.1 of [MAIL].
289
2903.3. Timestamps
291
292 The header field version of this protocol has a different format for
293 the date and time expression than the SMTP extension does. This is
294 because message header fields use a format to express date and time
295 that is specific to message header fields, and this is consistent
296 with that usage.
297
298 Use of both date and time is done to be consistent with how current
299 implementations typically store the timestamp and to make it easy to
300 include the time zone. In practice, granularity beyond the date may
301 or may not be useful.
302
3034. Use By Generators
304
305 When a message is generated whose content is sufficiently sensitive
306 that an author or author's ADministrative Management Domain (ADMD),
307 see [EMAIL-ARCH], wishes to protect against misdelivery using this
308 protocol, it determines for each recipient mailbox on the message a
309 timestamp at which it last confirmed ownership of that mailbox. It
310 then applies the SMTP extension when sending the message to its
311 destination.
312
313 In cases where the outgoing MTA does not support the extension, the
314 header field defined above can be used to pass the request through
315 that system. However, use of the header field is only a "best-
316 effort" approach to solving the stated goals, and it has some
317 shortcomings:
318
319 1. The positive confirmation of support at each handling node, with
320 the option to return the message to the originator when
321 end-to-end support cannot be confirmed, will be unavailable;
322
323 2. The protocol is focused on affecting delivery (that is, the
324 transaction) rather than content, and therefore use of a header
325 field in the content is generally inappropriate;
326
327 3. The mechanism cannot be used with multiple recipients without
328 unintentionally exposing information about one recipient to the
329 others (see Section 7); and
330
331 4. There is a risk of the timestamp parameter being inadvertently
332 forwarded, automatically or intentionally by the user (since user
333 agents might not reveal the presence of the header field), and
334 therefore exposed to unintended recipients. (See Section 14.4.)
335
336
337
338Mills & Kucherawy Standards Track [Page 6]
339
340RFC 7293 Require-Recipient-Valid-Since July 2014
341
342
343 Thus, the header field format MUST NOT be used unless the originator
344 or relay has specific knowledge that the receiving MDA or an
345 intermediary MTA will apply it properly. In any case, it SHOULD NOT
346 be used for the multi-recipient case.
347
348 Use of the header field mechanism is further restricted by the
349 practices described in Section 7.2 of [SMTP], Section 3.6.3 of
350 [MAIL], and Section 7 of this document.
351
3525. Handling By Receivers
353
354 If a receiver implements this specification, then there are two
355 possible evaluation paths:
356
357 1. The sending client uses the extension, and so there is an RRVS
358 parameter on a RCPT TO command in the SMTP session, and the
359 parameters of interest are taken only from there (and the header
360 field, if present, is disregarded); or
361
362 2. The sending client does not use the extension, so the RRVS
363 parameter is not present on the RCPT TO commands in the SMTP
364 session, but the corresponding header field might be present in
365 the message.
366
367 When the continuous ownership test fails for transient reasons (such
368 as an unavailable database or other condition that is likely
369 temporary), normal transient failure handling for the message is
370 applied.
371
372 If the continuous ownership test cannot be completed because the
373 necessary datum (the mailbox creation or reassignment date and time)
374 was not recorded, the MDA doing the evaluation selects a date and
375 time to use that is the latest possible point in time at which the
376 mailbox could have been created or reassigned. For example, this
377 might be the earliest of all recorded mailbox creation/reassignment
378 timestamps, or the time when the host was first installed. If no
379 reasonable substitute for the timestamp can be selected, the MDA
380 rejects the message using an SMTP reply code, preferably with an
381 enhanced mail system status code (see Section 15.3), that indicates
382 the test cannot be completed. A message originator can then decide
383 whether to reissue the message without RRVS protection or find
384 another way to reach the mailbox owner.
385
3865.1. SMTP Extension Used
387
388 For an MTA supporting the SMTP extension, the requirement is to
389 continue enforcement of RRVS during the relaying process to the next
390 MTA or the MDA.
391
392
393
394Mills & Kucherawy Standards Track [Page 7]
395
396RFC 7293 Require-Recipient-Valid-Since July 2014
397
398
399 A receiving MTA or MDA that implements the SMTP extension declared
400 above and observes an RRVS parameter on a RCPT TO command checks
401 whether the current owner of the destination mailbox has held it
402 continuously, far enough back to include the given point in time, and
403 delivers it unless that check returns in the negative. Specifically,
404 an MDA will do the following before continuing with delivery:
405
406 1. Ignore the parameter if the named mailbox is known to be a role
407 account as listed in "Mailbox Names for Common Services, Roles
408 and Functions" [ROLES].
409
410 2. If the address is not known to be a role account, and if that
411 address has not been under continuous ownership since the
412 timestamp specified in the extension, return a 550 error to the
413 RCPT command. (See also Section 15.3.)
414
4155.1.1. Relays
416
417 An MTA that does not make mailbox ownership checks, such as an MTA
418 positioned to do SMTP ingress at an organizational boundary, SHOULD
419 relay the RRVS extension parameter to the next MTA or MDA so that it
420 can be processed there.
421
422 For the SMTP extension, the optional RRVS parameter defined in
423 Section 5.1 indicates the action to be taken when relaying a message
424 to another MTA that does not advertise support for this extension.
425 When this is the case and the no-support action was not specified or
426 is "R" (reject), the MTA handling the message MUST reject the message
427 by:
428
429 1. returning a 550 error to the DATA command, if synchronous service
430 is being provided to the SMTP client that introduced the message,
431 or
432
433 2. generating a Delivery Status Notification [DSN] to indicate to
434 the originator of the message that the non-delivery occurred and
435 terminating further relay attempts.
436
437 An enhanced mail system status code is defined for such rejections in
438 Section 15.3.
439
440 See Section 8.2 for additional discussion.
441
442 When relaying, an MTA MUST preserve the no-support action if it was
443 used by the SMTP client.
444
445
446
447
448
449
450Mills & Kucherawy Standards Track [Page 8]
451
452RFC 7293 Require-Recipient-Valid-Since July 2014
453
454
4555.2. Header Field Used
456
457 A receiving system that implements this specification, upon receiving
458 a message bearing a "Require-Recipient-Valid-Since" header field when
459 no corresponding RRVS SMTP extension was used, checks whether the
460 destination mailbox owner has held it continuously, far enough back
461 to include the given date-time, and delivers it unless that check
462 returns in the negative. Expressed as a sequence of steps:
463
464 1. Extract those Require-Recipient-Valid-Since fields from the
465 message that contain a recipient for which no corresponding RRVS
466 SMTP extension was used.
467
468 2. Discard any such fields that match any of these criteria:
469
470 * are syntactically invalid;
471
472 * name a role account as listed in [ROLES];
473
474 * the "addr-spec" portion does not match a current recipient, as
475 listed in the RCPT TO commands in the SMTP session; or
476
477 * the "addr-spec" portion does not refer to a mailbox handled
478 for local delivery by this ADMD.
479
480 3. For each field remaining, determine if the named address has been
481 under continuous ownership since the corresponding timestamp. If
482 it has not, reject the message.
483
484 4. RECOMMENDED: If local delivery is being performed, remove all
485 instances of this field prior to delivery to a mailbox; if the
486 message is being forwarded, remove those instances of this header
487 field that were not discarded by step 2 above.
488
489 Handling proceeds normally upon completion of the above steps if
490 rejection has not been performed.
491
492 The final step is not mandatory as not all mail handling agents are
493 capable of stripping away header fields, and there are sometimes
494 reasons to keep the field intact such as debugging or presence of
495 digital signatures that might be invalidated by such a change. See
496 Section 10 for additional discussion.
497
498 If a message is to be rejected within the SMTP protocol itself
499 (versus generating a rejection message separately), servers
500 implementing this protocol SHOULD also implement the SMTP extension
501 described in "Enhanced Mail System Status Codes" [ESC] and use the
502 enhanced status codes described in Section 15.3 as appropriate.
503
504
505
506Mills & Kucherawy Standards Track [Page 9]
507
508RFC 7293 Require-Recipient-Valid-Since July 2014
509
510
511 Implementation by this method is expected to be transparent to non-
512 participants, since they would typically ignore this header field.
513
514 This header field is not normally added to a message that is
515 addressed to multiple recipients. The intended use of this field
516 involves an author seeking to protect transactional or otherwise
517 sensitive data intended for a single recipient, and thus generating
518 independent messages for each individual recipient is normal
519 practice. See Section 7 for further discussion and restrictions.
520
5215.2.1. Design Choices
522
523 The presence of the address in the field content supports the case
524 where a message bearing this header field is forwarded. The specific
525 use case is as follows:
526
527 1. A user subscribes to a service "S" at date-time "D" and confirms
528 an email address at the user's current location, "A";
529
530 2. At some later date, the user intends to leave the current
531 location and thus creates a new mailbox elsewhere, at "B";
532
533 3. The user configures address "A" to forward to "B";
534
535 4. "S" constructs a message to "A" claiming that the address was
536 valid at date-time "D" and sends it to "A";
537
538 5. The receiving MTA for "A" determines that the forwarding in
539 effect was created by the same party that owned the mailbox there
540 and thus concludes that the continuous ownership test has been
541 satisfied;
542
543 6. If possible, the MTA for "A" removes this header field from the
544 message, and in either case, forwards it to "B"; and
545
546 7. On receipt at "B", either the header field has been removed or
547 the header field does not refer to a current envelope recipient,
548 and in either case the MTA delivers the message.
549
550 Section 8 discusses some interesting use cases, such as the case
551 where "B" above results in further forwarding of the message.
552
553 SMTP has never required any correspondence between addresses in the
554 RFC5321.MailFrom and RFC5321.RcptTo parameters and header fields of a
555 message, which is why the header field defined here contains the
556 recipient address to which the timestamp applies.
557
558
559
560
561
562Mills & Kucherawy Standards Track [Page 10]
563
564RFC 7293 Require-Recipient-Valid-Since July 2014
565
566
5675.3. Clock Synchronization
568
569 The timestamp portion of this specification supports a precision at
570 the seconds level. Although uncommon, it is not impossible for a
571 clock at either a generator or a receiver to be incorrect, leading to
572 an incorrect result in the RRVS evaluation.
573
574 To minimize the risk of such incorrect results, both generators and
575 receivers implementing this specification MUST use a standard clock
576 synchronization protocol such as [NTP] to synchronize to a common
577 clock.
578
5796. Relaying without RRVS Support
580
581 When a message is received using the SMTP extension defined here but
582 will not be delivered locally (that is, it needs to be relayed
583 further), the MTA to which the relay will take place might not be
584 compliant with this specification. Where the MTA in possession of
585 the message observes it is going to relay the message to an MTA that
586 does not advertise this extension, it needs to choose one of the
587 following actions:
588
589 1. Decline to relay the message further, preferably generating a
590 Delivery Status Notification [DSN] to indicate failure
591 (RECOMMENDED);
592
593 2. Downgrade the data thus provided in the SMTP extension to a
594 header field, as described in Section 6.1 below (SHOULD NOT
595 unless the conditions in that section are satisfied, and only
596 when the previous option is not available); or
597
598 3. Silently continue with delivery, dropping the protection offered
599 by this protocol.
600
601 Using options other than the first option needs to be avoided unless
602 there is specific knowledge that further relaying with the degraded
603 protections thus provided does not introduce undue risk.
604
6056.1. Header Field Conversion
606
607 If an SMTP server ("B") receives a message bearing one or more
608 "Require-Recipient-Valid-Since" header fields from a client ("A"),
609 presumably because "A" does not support the SMTP extension, and needs
610 to relay the corresponding message on to another server ("C")
611 (thereby becoming a client), and "C" advertises support for the SMTP
612 extension, "B" SHOULD delete the header field(s) and instead relay
613 this information by making use of the SMTP extension. Note that such
614 modification of the header might affect later validation of the
615
616
617
618Mills & Kucherawy Standards Track [Page 11]
619
620RFC 7293 Require-Recipient-Valid-Since July 2014
621
622
623 header upon delivery; for example, a hash of the modified header
624 would produce a different result. This might be a valid cause for
625 some operators to skip this delete operation.
626
627 Conversely, if "B" has received a mailbox timestamp from "A" using
628 the SMTP extension for which it must now relay the message on to "C",
629 but "C" does not advertise the SMTP extension, and "B" does not
630 reject the message because rejection was specifically declined by the
631 client (see Section 5.1.1), "B" SHOULD add a Require-Recipient-Valid-
632 Since header field matching the mailbox to which relaying is being
633 done, and the corresponding valid-since timestamp for it, if it has
634 prior information that the eventual MDA or another intermediate MTA
635 supports this mechanism and will be able to process the header field
636 as described in this specification.
637
638 The admonitions about very cautious use of the header field described
639 in Section 4 apply to this relaying mechanism as well. If multiple
640 mailbox timestamps are received from "A", the admonitions in
641 Section 7 also apply.
642
6437. Header Field with Multiple Recipients
644
645 Numerous issues arise when using the header field form of this
646 extension, particularly when multiple recipients are specified for a
647 single message resulting in multiple fields each with a distinct
648 address and timestamp.
649
650 Because of the nature of SMTP, a message bearing a multiplicity of
651 Require-Recipient-Valid-Since header fields could result in a single
652 delivery attempt for multiple recipients (in particular, if two of
653 the recipients are handled by the same server), and if any one of
654 them fails the test, the delivery fails to all of them; it then
655 becomes necessary to do one of the following:
656
657 o reject the message on completion of the DATA phase of the SMTP
658 session, which is a rejection of delivery to all recipients, or
659
660 o accept the message on completion of DATA, and then generate a
661 Delivery Status Notification [DSN] message for each of the failed
662 recipients.
663
664 Additional complexity arises when a message is sent to two
665 recipients, "A" and "B", presumably with different timestamps, both
666 of which are then redirected to a common address "C". The author is
667 not necessarily aware of the current or past ownership of mailbox
668 "C", or indeed that "A" and/or "B" have been redirected. This might
669
670
671
672
673
674Mills & Kucherawy Standards Track [Page 12]
675
676RFC 7293 Require-Recipient-Valid-Since July 2014
677
678
679 result in either or both of the two deliveries failing at "C", which
680 is likely to confuse the message author, who (as far as the author is
681 aware) never sent a message to "C" in the first place.
682
683 Finally, there is an obvious concern with the fan-out of a message
684 bearing the timestamps of multiple users; tight control over the
685 handling of the timestamp information is very difficult to assure as
686 the number of handling agents increases.
687
6888. Special Use Addresses
689
690 In [DSN-SMTP], an SMTP extension was defined to allow SMTP clients to
691 request generation of DSNs and related information to allow such
692 reports to be maximally useful. Section 5.2.7 of that document
693 explored the issue of the use of that extension where the recipient
694 is a mailing list. This extension has similar concerns, which are
695 covered here following that document as a model.
696
697 For all cases described below, a receiving MTA SHOULD NOT introduce
698 RRVS in either form (SMTP extension or header field) if the message
699 did not arrive with RRVS in use. This would amount to second
700 guessing the message originator's intention and might lead to an
701 undesirable outcome.
702
7038.1. Mailing Lists
704
705 Delivery to a mailing list service is considered a final delivery.
706 Where this protocol is in use, it is evaluated as per any normal
707 delivery: if the same mailing list has been operating in place of the
708 specified recipient mailbox since at least the timestamp given as the
709 RRVS parameter, the message is delivered to the list service
710 normally, and is otherwise not delivered.
711
712 It is important, however, that the participating MDA passing the
713 message to the list service needs to omit the RRVS parameter in
714 either form (SMTP extension or header field) when doing so. The
715 emission of a message from the list service to its subscribers
716 constitutes a new message not covered by the previous transaction.
717
7188.2. Single-Recipient Aliases
719
720 Upon delivery of an RRVS-protected message to an alias (acting in
721 place of a mailbox) that results in relaying of the message to a
722 single other destination, the usual RRVS check is performed. The
723 continuous ownership test here might succeed if, for example, a
724 conventional user inbox was replaced with an alias on behalf of that
725 same user, and the time when this was done is recorded in a way that
726 can be queried by the relaying MTA.
727
728
729
730Mills & Kucherawy Standards Track [Page 13]
731
732RFC 7293 Require-Recipient-Valid-Since July 2014
733
734
735 If the relaying system also performs some kind of step where
736 ownership of the new destination address is confirmed, it SHOULD
737 apply RRVS using the later of that timestamp and the one that was
738 used inbound. This also allows for changes to the alias without
739 disrupting the protection offered by RRVS.
740
741 If the relaying system has no such time records related to the new
742 destination address, the RRVS SMTP extension is not used on the
743 relaying SMTP session, and the header field relative to the local
744 alias is removed, in accordance with Section 5.
745
7468.3. Multiple-Recipient Aliases
747
748 Upon delivery of an RRVS-protected message to an alias (acting in
749 place of a mailbox) that results in relaying of the message to
750 multiple other destinations, the usual RRVS check is performed as in
751 Section 8.2. The MTA expanding such an alias then decides which of
752 the options enumerated in that section is to be applied for each new
753 recipient.
754
7558.4. Confidential Forwarding Addresses
756
757 In the above cases, the original author could receive message
758 rejections, such as DSNs, from the ultimate destination, where the
759 RRVS check (or indeed, any other) fails and rejection is warranted.
760 This can reveal the existence of a forwarding relationship between
761 the original intended recipient and the actual final recipient.
762
763 Where this is a concern, the initial delivery attempt is to be
764 treated like a mailing list delivery, with RRVS evaluation done and
765 then all RRVS information removed from the message prior to relaying
766 it to its true destination.
767
7688.5. Suggested Mailing List Enhancements
769
770 Mailing list services could store the timestamp at which a subscriber
771 was added to a mailing list. This specification could then be used
772 in conjunction with that information in order to restrict list
773 traffic to the original subscriber, rather than a different person
774 now in possession of an address under which the original subscriber
775 was added to the list. Upon receiving a rejection caused by this
776 specification, the list service can remove that address from further
777 distribution.
778
779 A mailing list service that receives a message containing the header
780 field defined here needs to remove it from the message prior to
781 redistributing it, limiting exposure of information regarding the
782 relationship between the message's author and the mailing list.
783
784
785
786Mills & Kucherawy Standards Track [Page 14]
787
788RFC 7293 Require-Recipient-Valid-Since July 2014
789
790
7919. Continuous Ownership
792
793 For the purposes of this specification, an address is defined as
794 having been under continuous ownership since a given date-time if a
795 message sent to the address at any point since the given date-time
796 would not go to anyone except the owner at that given date-time.
797 That is, while an address may have been suspended or otherwise
798 disabled for some period, any mail actually delivered would have been
799 delivered exclusively to the same owner. It is presumed that some
800 sort of relationship exists between the message sender and the
801 intended recipient. Presumably, there has been some confirmation
802 process applied to establish this ownership of the receiver's
803 mailbox; however, the method of making such determinations is a local
804 matter and outside the scope of this document.
805
806 Evaluating the notion of continuous ownership is accomplished by
807 doing any query that establishes whether the above condition holds
808 for a given mailbox.
809
810 Determining continuous ownership of a mailbox is a local matter at
811 the receiving site. The only possible answers to the continuous-
812 ownership-since question are "yes", "no", and "unknown"; the action
813 to be taken in the "unknown" case is a matter of local policy.
814
815 For example, when control of a domain name is transferred, the new
816 domain owner might be unable to determine whether the owner of the
817 subject address has been under continuous ownership since the stated
818 date-time if the mailbox history is not also transferred (or was not
819 previously maintained). It will also be "unknown" if whatever
820 database contains mailbox ownership data is temporarily unavailable
821 at the time a message arrives for delivery. In this latter case,
822 typical SMTP temporary failure handling is appropriate.
823
824 To avoid exposing account details unnecessarily, if the address
825 specified has had one continuous owner since it was created, any
826 confirmation date-time SHOULD be considered to pass the test, even if
827 that date-time is earlier than the account creation date and time.
828 This is further discussed in Section 13.
829
83010. Digital Signatures
831
832 This protocol mandates removal of the header field (when used) upon
833 delivery in all but exceptional circumstances. If a message with the
834 header field were digitally signed in a way that included the header
835 field, altering a message in this way would invalidate the signature.
836 However, the header field is strictly for tunneling purposes and
837 should be regarded by the rest of the transport system as purely
838 trace information.
839
840
841
842Mills & Kucherawy Standards Track [Page 15]
843
844RFC 7293 Require-Recipient-Valid-Since July 2014
845
846
847 Accordingly, the header field MUST NOT be included in the content
848 covered by digital signatures.
849
85011. Authentication-Results Definitions
851
852 [AUTHRES] defines a mechanism for indicating, via a header field, the
853 results of message authentication checks. Section 15 registers RRVS
854 as a new method that can be reported in this way, as well as
855 corresponding result names. The possible result names and their
856 meanings are as follows:
857
858 none: The message had no recipient mailbox timestamp associated with
859 it, either via the SMTP extension or header field method; this
860 protocol was not in use.
861
862 unknown: At least one form of this protocol was in use, but
863 continuous ownership of the recipient mailbox could not be
864 determined.
865
866 temperror: At least one form of this protocol was in use, but some
867 kind of error occurred during evaluation that was transient in
868 nature; a later retry will likely produce a final result.
869
870 permerror: At least one form of this protocol was in use, but some
871 kind of error occurred during evaluation that was not recoverable;
872 a later retry will not likely produce a final result.
873
874 pass: At least one form of this protocol was in use, and the
875 destination mailbox was confirmed to have been under continuous
876 ownership since the timestamp thus provided.
877
878 fail: At least one form of this protocol was in use, and the
879 destination mailbox was confirmed not to have been under
880 continuous ownership since the timestamp thus provided.
881
882 Where multiple recipients are present on a message, multiple results
883 can be reported using the mechanism described in [AUTHRES].
884
88512. Examples
886
887 In the following examples, "C:" indicates data sent by an SMTP
888 client, and "S:" indicates responses by the SMTP server. Message
889 content is CRLF terminated, though these are omitted here for ease of
890 reading.
891
892
893
894
895
896
897
898Mills & Kucherawy Standards Track [Page 16]
899
900RFC 7293 Require-Recipient-Valid-Since July 2014
901
902
90312.1. SMTP Extension Example
904
905 C: [connection established]
906 S: 220 server.example.com ESMTP ready
907 C: EHLO client.example.net
908 S: 250-server.example.com
909 S: 250 RRVS
910 C: MAIL FROM:<sender@example.net>
911 S: 250 OK
912 C: RCPT TO:<receiver@example.com> RRVS=2014-04-03T23:01:00Z
913 S: 550 5.7.17 receiver@example.com is no longer valid
914 C: QUIT
915 S: 221 So long!
916
91712.2. Header Field Example
918
919 C: [connection established]
920 S: 220 server.example.com ESMTP ready
921 C: HELO client.example.net
922 S: 250 server.example.com
923 C: MAIL FROM:<sender@example.net>
924 S: 250 OK
925 C: RCPT TO:<receiver@example.com>
926 S: 250 OK
927 C: DATA
928 S: 354 Ready for message content
929 C: From: Mister Sender <sender@example.net>
930 To: Miss Receiver <receiver@example.com>
931 Subject: Are you still there?
932 Date: Fri, 28 Jun 2013 18:01:01 +0200
933 Require-Recipient-Valid-Since: receiver@example.com;
934 Sat, 1 Jun 2013 09:23:01 -0700
935
936 Are you still there?
937 .
938 S: 550 5.7.17 receiver@example.com is no longer valid
939 C: QUIT
940 S: 221 So long!
941
94212.3. Authentication-Results Example
943
944 Here is an example use of the Authentication-Results header field
945 used to yield the results of an RRVS evaluation:
946
947 Authentication-Results: mx.example.com; rrvs=pass
948 smtp.rcptto=user@example.com
949
950
951
952
953
954Mills & Kucherawy Standards Track [Page 17]
955
956RFC 7293 Require-Recipient-Valid-Since July 2014
957
958
959 This indicates that the message arrived addressed to the mailbox
960 user@example.com, the continuous ownership test was applied with the
961 provided timestamp, and the check revealed that the test was
962 satisfied. The timestamp is not revealed.
963
96413. Security Considerations
965
96613.1. Abuse Countermeasures
967
968 The response of a server implementing this protocol can disclose
969 information about the age of an existing email mailbox.
970 Implementation of countermeasures against probing attacks is
971 RECOMMENDED. For example, an operator could track appearance of this
972 field with respect to a particular mailbox and observe the timestamps
973 being submitted for testing; if it appears that a variety of
974 timestamps are being tried against a single mailbox in short order,
975 the field could be ignored and the message silently discarded. This
976 concern is discussed further in Section 14.
977
97813.2. Suggested Use Restrictions
979
980 If the mailbox named in the field is known to have had only a single
981 continuous owner since creation, or not to have existed at all (under
982 any owner) prior to the date-time specified in the field, then the
983 field SHOULD be silently ignored and normal message handling applied
984 so that this information is not disclosed. Such fields are likely
985 the product of either gross error or an attack.
986
987 A message author using this specification might restrict inclusion of
988 the header field such that it is only done for recipients known also
989 to implement this specification, in order to reduce the possibility
990 of revealing information about the relationship between the author
991 and the mailbox.
992
993 If ownership of an entire domain is transferred, the new owner may
994 not know what addresses were assigned in the past by the prior owner.
995 Hence, no address can be known not to have had a single owner, or to
996 have existed (or not) at all. In this case, the "unknown" result is
997 likely appropriate.
998
99913.3. False Sense of Security
1000
1001 Senders implementing this protocol likely believe their content is
1002 being protected by doing so. It has to be considered, however, that
1003 receiving systems might not implement this protocol correctly, or at
1004 all. Furthermore, use of RRVS by a sending system constitutes
1005 nothing more than a request to the receiving system; that system
1006 could choose not to prevent delivery for some local policy, for legal
1007
1008
1009
1010Mills & Kucherawy Standards Track [Page 18]
1011
1012RFC 7293 Require-Recipient-Valid-Since July 2014
1013
1014
1015 or operational reasons, which compromises the security the sending
1016 system believed was a benefit to using RRVS. This could mean the
1017 timestamp information involved in the protocol becomes inadvertently
1018 revealed.
1019
1020 This concern lends further support to the notion that senders would
1021 do well to avoid using this protocol other than when sending to
1022 known, trusted receivers.
1023
102413.4. Reassignment of Mailboxes
1025
1026 This specification is a direct response to the risks involved with
1027 reassignment or recycling of email addresses, an inherently dangerous
1028 practice. It is typically expected that email addresses will not
1029 have a high rate of turnover or ownership change.
1030
1031 It is RECOMMENDED to have a substantial period of time between
1032 mailbox owners during which the mailbox accepts no mail, giving
1033 message generators an opportunity to detect that the previous owner
1034 is no longer at that address.
1035
103614. Privacy Considerations
1037
103814.1. The Tradeoff
1039
1040 That some MSPs allow for expiration of account names when they have
1041 been unused for a protracted period forces a choice between two
1042 potential types of privacy vulnerabilities, one of which presents
1043 significantly greater threats to users than the other. Automatically
1044 generated mail is often used to convey authentication credentials
1045 that can potentially provide access to extremely sensitive
1046 information. Supplying such credentials to the wrong party after a
1047 mailbox ownership change could allow the previous owner's data to be
1048 exposed without his or her authorization or knowledge. In contrast,
1049 the information that may be exposed to a third party via the proposal
1050 in this document is limited to information about the mailbox history.
1051 Given that MSPs have chosen to allow transfers of mailbox ownership
1052 without the prior owner's involvement, the information leakage from
1053 the extensions specified here creates far lower overall risk than the
1054 potential for delivering mail to the wrong party.
1055
105614.2. Probing Attacks
1057
1058 As described above, use of this extension or header field in probing
1059 attacks can disclose information about the history of the mailbox.
1060 The harm that can be done by leaking any kind of private information
1061 is difficult to predict, so it is prudent to be sensitive to this
1062 sort of disclosure, either inadvertently or in response to probing by
1063
1064
1065
1066Mills & Kucherawy Standards Track [Page 19]
1067
1068RFC 7293 Require-Recipient-Valid-Since July 2014
1069
1070
1071 an attacker. It bears restating, then, that implementing
1072 countermeasures against abuse of this capability needs strong
1073 consideration.
1074
107514.3. Envelope Recipients
1076
1077 The email To and Cc header fields are not required to be populated
1078 with addresses that match the envelope recipient set, and Cc may even
1079 be absent. However, the algorithm in Section 3 requires that this
1080 header field contain a match for an envelope recipient in order to be
1081 actionable. As such, use of this specification can reveal some or
1082 all of the original intended recipient set to any party that can see
1083 the message in transit or upon delivery.
1084
1085 For a message destined to a single recipient, this is unlikely to be
1086 a concern, which is one of the reasons use of this specification on
1087 multi-recipient messages is discouraged.
1088
108914.4. Risks with Use
1090
1091 MDAs might not implement the recommendation to remove the header
1092 field defined here when messages are delivered, either out of
1093 ignorance or due to error. Since user agents often do not render all
1094 of the header fields present, the message could be forwarded to
1095 another party that would then inadvertently have the content of this
1096 header field.
1097
1098 A bad actor may detect use of either form of the RRVS protocol and
1099 interpret it as an indication of high-value content.
1100
110115. IANA Considerations
1102
110315.1. SMTP Extension Registration
1104
1105 Section 2.2.2 of [SMTP] sets out the procedure for registering a new
1106 SMTP extension. IANA has registered the SMTP extension using the
1107 details provided in Section 3.1 of this document.
1108
110915.2. Header Field Registration
1110
1111 IANA has added the following entry to the "Permanent Message Header
1112 Field Names" registry, as per the procedure found in [IANA-HEADERS]:
1113
1114 Header field name: Require-Recipient-Valid-Since
1115 Applicable protocol: mail ([MAIL])
1116 Status: standard
1117 Author/Change controller: IETF
1118 Specification document(s): RFC 7293
1119
1120
1121
1122Mills & Kucherawy Standards Track [Page 20]
1123
1124RFC 7293 Require-Recipient-Valid-Since July 2014
1125
1126
1127 Related information:
1128 Requesting review of any proposed changes and additions to
1129 this field is recommended.
1130
113115.3. Enhanced Status Code Registration
1132
1133 IANA has registered the following in the Enumerated Status Codes
1134 table of the "Simple Mail Transfer Protocol (SMTP) Enhanced Status
1135 Codes Registry":
1136
1137 Code: X.7.17 4865:418 todo spec: ../smtp/codes.go:136
1138 Sample Text: Mailbox owner has changed
1139 Associated basic status code: 5XX
1140 Description: This status code is returned when a message is
1141 received with a Require-Recipient-Valid-Since
1142 field or RRVS extension and the receiving
1143 system is able to determine that the intended
1144 recipient mailbox has not been under continuous
1145 ownership since the specified date-time.
1146 Reference: RFC 7293
1147 Submitter: M. Kucherawy
1148 Change controller: IESG
1149
1150 Code: X.7.18
1151 Sample Text: Domain owner has changed
1152 Associated basic status code: 5XX
1153 Description: This status code is returned when a message is
1154 received with a Require-Recipient-Valid-Since
1155 field or RRVS extension and the receiving
1156 system wishes to disclose that the owner of
1157 the domain name of the recipient has changed
1158 since the specified date-time.
1159 Reference: RFC 7293
1160 Submitter: M. Kucherawy
1161 Change controller: IESG
1162
1163 Code: X.7.19
1164 Sample Text: RRVS test cannot be completed
1165 Associated basic status code: 5XX
1166 Description: This status code is returned when a message is
1167 received with a Require-Recipient-Valid-Since
1168 field or RRVS extension and the receiving
1169 system cannot complete the requested
1170 evaluation because the required timestamp was
1171 not recorded. The message originator needs to
1172 decide whether to reissue the message without
1173 RRVS protection.
1174 Reference: RFC 7293
1175
1176
1177
1178Mills & Kucherawy Standards Track [Page 21]
1179
1180RFC 7293 Require-Recipient-Valid-Since July 2014
1181
1182
1183 Submitter: M. Kucherawy
1184 Change controller: IESG
1185
118615.4. Authentication Results Registration
1187
1188 IANA has registered the following in the "Email Authentication
1189 Methods" registry:
1190
1191 Method: rrvs
1192
1193 Specifying Document: RFC 7293
1194
1195 ptype: smtp
1196
1197 Property: rcptto
1198
1199 Value: envelope recipient
1200
1201 Status: active
1202
1203 Version: 1
1204
1205 IANA has also registered the following in the "Email Authentication
1206 Result Names" registry:
1207
1208 Codes: none, unknown, temperror, permerror, pass, fail
1209
1210 Defined: RFC 7293
1211
1212 Auth Method(s): rrvs
1213
1214 Meaning: Section 11 of RFC 7293
1215
1216 Status: active
1217
121816. Acknowledgments
1219
1220 Erling Ellingsen proposed the idea.
1221
1222 Reviews and comments were provided by Michael Adkins, Kurt Andersen,
1223 Eric Burger, Alissa Cooper, Dave Cridland, Dave Crocker, Ned Freed,
1224 John Levine, Alexey Melnikov, Jay Nancarrow, Hector Santos, Gregg
1225 Stefancik, and Ed Zayas.
1226
1227
1228
1229
1230
1231
1232
1233
1234Mills & Kucherawy Standards Track [Page 22]
1235
1236RFC 7293 Require-Recipient-Valid-Since July 2014
1237
1238
123917. References
1240
124117.1. Normative References
1242
1243 [ABNF] Crocker, D. and P. Overell, "Augmented BNF for Syntax
1244 Specifications: ABNF", STD 68, RFC 5234, January 2008.
1245
1246 [DATETIME] Klyne, G., Ed. and C. Newman, "Date and Time on the
1247 Internet: Timestamps", RFC 3339, July 2002.
1248
1249 [IANA-HEADERS]
1250 Klyne, G., Nottingham, M., and J. Mogul, "Registration
1251 Procedures for Message Header Fields", BCP 90, RFC 3864,
1252 September 2004.
1253
1254 [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
1255 Requirement Levels", BCP 14, RFC 2119, March 1997.
1256
1257 [MAIL] Resnick, P., Ed., "Internet Message Format", RFC 5322,
1258 October 2008.
1259
1260 [NTP] Mills, D., Martin, J., Burbank, J., and W. Kasch, "Network
1261 Time Protocol Version 4: Protocol and Algorithms
1262 Specification", RFC 5905, June 2010.
1263
1264 [ROLES] Crocker, D., "Mailbox Names for Common Services, Roles and
1265 Functions", RFC 2142, May 1997.
1266
1267 [SMTP] Klensin, J., "Simple Mail Transfer Protocol", RFC 5321,
1268 October 2008.
1269
127017.2. Informative References
1271
1272 [AUTHRES] Kucherawy, M., "Message Header Field for Indicating
1273 Message Authentication Status", RFC 7001, September 2013.
1274
1275 [DSN] Moore, K. and G. Vaudreuil, "An Extensible Message Format
1276 for Delivery Status Notifications", RFC 3464, January
1277 2003.
1278
1279 [DSN-SMTP] Moore, K., "Simple Mail Transfer Protocol (SMTP) Service
1280 Extension for Delivery Status Notifications (DSNs)", RFC
1281 3461, January 2003.
1282
1283 [EMAIL-ARCH]
1284 Crocker, D., "Internet Mail Architecture", RFC 5598, July
1285 2009.
1286
1287
1288
1289
1290Mills & Kucherawy Standards Track [Page 23]
1291
1292RFC 7293 Require-Recipient-Valid-Since July 2014
1293
1294
1295 [ESC] Vaudreuil, G., "Enhanced Mail System Status Codes", RFC
1296 3463, January 2003.
1297
1298Authors' Addresses
1299
1300 William J. Mills
1301 Yahoo! Inc.
1302
1303 EMail: wmills_92105@yahoo.com
1304
1305
1306 Murray S. Kucherawy
1307 Facebook, Inc.
1308 1 Hacker Way
1309 Menlo Park, CA 94025
1310 USA
1311
1312 EMail: msk@fb.com
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346Mills & Kucherawy Standards Track [Page 24]
1347
1348