1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
|
<pre>Internet Engineering Task Force (IETF) W. Mills
Request for Comments: 7293 Yahoo! Inc.
Category: Standards Track M. Kucherawy
ISSN: 2070-1721 Facebook, Inc.
July 2014
<span class="h1">The Require-Recipient-Valid-Since Header Field</span>
<span class="h1">and SMTP Service Extension</span>
Abstract
This document defines an extension for the Simple Mail Transfer
Protocol (SMTP) called "RRVS" to provide a method for senders to
indicate to receivers a point in time when the ownership of the
target mailbox was known to the sender. This can be used to detect
changes of mailbox ownership and thus prevent mail from being
delivered to the wrong party. This document also defines a header
field called "Require-Recipient-Valid-Since" that can be used to
tunnel the request through servers that do not support the extension.
The intended use of these facilities is on automatically generated
messages, such as account statements or password change instructions,
that might contain sensitive information, though it may also be
useful in other applications.
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in <a href="./rfc5741#section-2">Section 2 of RFC 5741</a>.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
<a href="http://www.rfc-editor.org/info/rfc7293">http://www.rfc-editor.org/info/rfc7293</a>.
<span class="grey">Mills & Kucherawy Standards Track [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc7293">RFC 7293</a> Require-Recipient-Valid-Since July 2014</span>
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
<a href="#section-1">1</a>. Introduction . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-3">3</a>
<a href="#section-2">2</a>. Definitions . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-3">3</a>. Description . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-4">4</a>
<a href="#section-3.1">3.1</a>. The "RRVS" SMTP Extension . . . . . . . . . . . . . . . . <a href="#page-5">5</a>
<a href="#section-3.2">3.2</a>. The "Require-Recipient-Valid-Since" Header Field . . . . <a href="#page-5">5</a>
<a href="#section-3.3">3.3</a>. Timestamps . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-6">6</a>
<a href="#section-4">4</a>. Use By Generators . . . . . . . . . . . . . . . . . . . . . . <a href="#page-6">6</a>
<a href="#section-5">5</a>. Handling By Receivers . . . . . . . . . . . . . . . . . . . . <a href="#page-7">7</a>
<a href="#section-5.1">5.1</a>. SMTP Extension Used . . . . . . . . . . . . . . . . . . . <a href="#page-7">7</a>
<a href="#section-5.1.1">5.1.1</a>. Relays . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-8">8</a>
<a href="#section-5.2">5.2</a>. Header Field Used . . . . . . . . . . . . . . . . . . . . <a href="#page-9">9</a>
<a href="#section-5.2.1">5.2.1</a>. Design Choices . . . . . . . . . . . . . . . . . . . <a href="#page-10">10</a>
<a href="#section-5.3">5.3</a>. Clock Synchronization . . . . . . . . . . . . . . . . . . <a href="#page-11">11</a>
<a href="#section-6">6</a>. Relaying without RRVS Support . . . . . . . . . . . . . . . . <a href="#page-11">11</a>
<a href="#section-6.1">6.1</a>. Header Field Conversion . . . . . . . . . . . . . . . . . <a href="#page-11">11</a>
<a href="#section-7">7</a>. Header Field with Multiple Recipients . . . . . . . . . . . . <a href="#page-12">12</a>
<a href="#section-8">8</a>. Special Use Addresses . . . . . . . . . . . . . . . . . . . . <a href="#page-13">13</a>
<a href="#section-8.1">8.1</a>. Mailing Lists . . . . . . . . . . . . . . . . . . . . . . <a href="#page-13">13</a>
<a href="#section-8.2">8.2</a>. Single-Recipient Aliases . . . . . . . . . . . . . . . . <a href="#page-13">13</a>
<a href="#section-8.3">8.3</a>. Multiple-Recipient Aliases . . . . . . . . . . . . . . . <a href="#page-14">14</a>
<a href="#section-8.4">8.4</a>. Confidential Forwarding Addresses . . . . . . . . . . . . <a href="#page-14">14</a>
<a href="#section-8.5">8.5</a>. Suggested Mailing List Enhancements . . . . . . . . . . . <a href="#page-14">14</a>
<a href="#section-9">9</a>. Continuous Ownership . . . . . . . . . . . . . . . . . . . . <a href="#page-15">15</a>
<a href="#section-10">10</a>. Digital Signatures . . . . . . . . . . . . . . . . . . . . . <a href="#page-15">15</a>
<a href="#section-11">11</a>. Authentication-Results Definitions . . . . . . . . . . . . . <a href="#page-16">16</a>
<a href="#section-12">12</a>. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-16">16</a>
<a href="#section-12.1">12.1</a>. SMTP Extension Example . . . . . . . . . . . . . . . . . <a href="#page-17">17</a>
<a href="#section-12.2">12.2</a>. Header Field Example . . . . . . . . . . . . . . . . . . <a href="#page-17">17</a>
<a href="#section-12.3">12.3</a>. Authentication-Results Example . . . . . . . . . . . . . <a href="#page-17">17</a>
<span class="grey">Mills & Kucherawy Standards Track [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc7293">RFC 7293</a> Require-Recipient-Valid-Since July 2014</span>
<a href="#section-13">13</a>. Security Considerations . . . . . . . . . . . . . . . . . . . <a href="#page-18">18</a>
<a href="#section-13.1">13.1</a>. Abuse Countermeasures . . . . . . . . . . . . . . . . . <a href="#page-18">18</a>
<a href="#section-13.2">13.2</a>. Suggested Use Restrictions . . . . . . . . . . . . . . . <a href="#page-18">18</a>
<a href="#section-13.3">13.3</a>. False Sense of Security . . . . . . . . . . . . . . . . <a href="#page-18">18</a>
<a href="#section-13.4">13.4</a>. Reassignment of Mailboxes . . . . . . . . . . . . . . . <a href="#page-19">19</a>
<a href="#section-14">14</a>. Privacy Considerations . . . . . . . . . . . . . . . . . . . <a href="#page-19">19</a>
<a href="#section-14.1">14.1</a>. The Tradeoff . . . . . . . . . . . . . . . . . . . . . . <a href="#page-19">19</a>
<a href="#section-14.2">14.2</a>. Probing Attacks . . . . . . . . . . . . . . . . . . . . <a href="#page-19">19</a>
<a href="#section-14.3">14.3</a>. Envelope Recipients . . . . . . . . . . . . . . . . . . <a href="#page-20">20</a>
<a href="#section-14.4">14.4</a>. Risks with Use . . . . . . . . . . . . . . . . . . . . . <a href="#page-20">20</a>
<a href="#section-15">15</a>. IANA Considerations . . . . . . . . . . . . . . . . . . . . . <a href="#page-20">20</a>
<a href="#section-15.1">15.1</a>. SMTP Extension Registration . . . . . . . . . . . . . . <a href="#page-20">20</a>
<a href="#section-15.2">15.2</a>. Header Field Registration . . . . . . . . . . . . . . . <a href="#page-20">20</a>
<a href="#section-15.3">15.3</a>. Enhanced Status Code Registration . . . . . . . . . . . <a href="#page-21">21</a>
<a href="#section-15.4">15.4</a>. Authentication Results Registration . . . . . . . . . . <a href="#page-22">22</a>
<a href="#section-16">16</a>. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-22">22</a>
<a href="#section-17">17</a>. References . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-23">23</a>
<a href="#section-17.1">17.1</a>. Normative References . . . . . . . . . . . . . . . . . . <a href="#page-23">23</a>
<a href="#section-17.2">17.2</a>. Informative References . . . . . . . . . . . . . . . . . <a href="#page-23">23</a>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
Email addresses sometimes get reassigned to a different person. For
example, employment changes at a company can cause an address used
for an ex-employee to be assigned to a new employee, or a mail
service provider (MSP) might expire an account and then let someone
else register for the local-part that was previously used. Those who
sent mail to the previous owner of an address might not know that it
has been reassigned. This can lead to the sending of email to the
correct address but the wrong recipient. This situation is of
particular concern with transactional mail related to purchases,
online accounts, and the like.
What is needed is a way to indicate an attribute of the recipient
that will distinguish between the previous owner of an address and
its current owner, if they are different. Further, this needs to be
done in a way that respects privacy.
The mechanisms specified here allow the sender of the mail to
indicate how "old" the address assignment is expected to be. In
effect, the sender is saying, "I know that the intended recipient was
using this address at this point in time. I don't want this message
delivered to anyone else". A receiving system can then compare this
information against the point in time at which the address was
assigned to its current user. If the assignment was made later than
the point in time indicated in the message, there is a good chance
<span class="grey">Mills & Kucherawy Standards Track [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc7293">RFC 7293</a> Require-Recipient-Valid-Since July 2014</span>
the current user of the address is not the correct recipient. The
receiving system can then prevent delivery and, preferably, notify
the original sender of the problem.
The primary application is transactional mail (such as account
information, password change requests, and other automatically
generated messages) rather than user-authored content. However, it
may be useful in other contexts; for example, a personal address book
could record the time an email address was added to it, and thus use
that time with this extension.
Because the use cases for this extension are strongly tied to privacy
issues, attention to the Security Considerations (<a href="#section-13">Section 13</a>) and the
Privacy Considerations (<a href="#section-14">Section 14</a>) is particularly important. Note,
especially, the limitation described in <a href="#section-13.3">Section 13.3</a>.
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Definitions</span>
For a description of the email architecture, consult [<a href="#ref-EMAIL-ARCH">EMAIL-ARCH</a>].
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [<a href="#ref-KEYWORDS" title=""Key words for use in RFCs to Indicate Requirement Levels"">KEYWORDS</a>].
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Description</span>
To address the problem described in <a href="#section-1">Section 1</a>, a mail-sending client
(usually an automated agent) needs to indicate to the server to which
it is connecting that it expects the destination address of the
message to have been under continuous ownership (see <a href="#section-9">Section 9</a>) since
a specified point time. That specified time would be the time when
the intended recipient gave the address to the message author, or
perhaps a more recent time when the intended recipient reconfirmed
ownership of the address with the sender.
Two mechanisms are defined here: an extension to the Simple Mail
Transfer Protocol [<a href="#ref-SMTP" title=""Simple Mail Transfer Protocol"">SMTP</a>] and a new message header field. The SMTP
extension permits strong assurance of enforcement by confirming
support at each handling step for a message and the option to demand
support at all nodes in the handling path of the message (and
returning of the message to the originator otherwise). The header
field can be used when the Message Delivery Agent (MDA) supports this
function, but an intermediary system between the sending system and
the MDA does not. However, the header field does not provide the
same strong assurance described above and is more prone to exposure
of private information (see <a href="#section-14.1">Section 14.1</a>).
<span class="grey">Mills & Kucherawy Standards Track [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc7293">RFC 7293</a> Require-Recipient-Valid-Since July 2014</span>
The SMTP extension is called "RRVS" and adds a parameter to the SMTP
"RCPT" command that indicates the most recent point in time when the
message author believed the destination mailbox to be under the
continuous ownership of a specific party. Similarly, the "Require-
Recipient-Valid-Since" header field includes an intended recipient
coupled with a timestamp indicating the same thing.
<span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a>. The "RRVS" SMTP Extension</span>
Extensions to SMTP are described in Section 2.2 of [<a href="#ref-SMTP" title=""Simple Mail Transfer Protocol"">SMTP</a>].
The name of the extension is "RRVS", an abbreviation of "Require
Recipient Valid Since". Servers implementing the SMTP extension
advertise an additional EHLO keyword of "RRVS", which has no
associated parameters, introduces no new SMTP commands, and does not
alter the MAIL command.
A Message Transfer Agent (MTA) implementing RRVS can transmit or
accept one new parameter to the RCPT command. An MDA can also accept
this new parameter. The parameter is "RRVS", and the value is a
timestamp expressed as "date-time" as defined in [<a href="#ref-DATETIME" title=""Date and Time on the Internet: Timestamps"">DATETIME</a>], with the
added restriction that a "time-secfrac" MUST NOT be used. The
timestamp MAY optionally be followed by a semicolon character and a
letter (known as the "no-support action"), indicating the action to
be taken when a downstream MTA is discovered that does not support
the extension. Valid actions are "R" (reject; the default) and "C"
(continue).
Formally, the new parameter and its value are defined as follows:
rrvs-param = "RRVS=" date-time [ ";" ( "C" / "R" ) ]
Accordingly, this extension increases the maximum command length for
the RCPT command by 33 characters.
The meaning of this extension, when used, is described in
<a href="#section-5.1">Section 5.1</a>.
<span class="h3"><a class="selflink" id="section-3.2" href="#section-3.2">3.2</a>. The "Require-Recipient-Valid-Since" Header Field</span>
The general constraints on syntax and placement of header fields in a
message are defined in "Internet Message Format" [<a href="#ref-MAIL" title=""Internet Message Format"">MAIL</a>].
Using Augmented Backus-Naur Form [<a href="#ref-ABNF" title=""Augmented BNF for Syntax Specifications: ABNF"">ABNF</a>], the syntax for the field is:
rrvs = "Require-Recipient-Valid-Since:" addr-spec ";" date-time
CRLF
<span class="grey">Mills & Kucherawy Standards Track [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc7293">RFC 7293</a> Require-Recipient-Valid-Since July 2014</span>
"date-time" is defined in <a href="#section-3.3">Section 3.3</a>, and "addr-spec" is defined in
Section 3.4.1 of [<a href="#ref-MAIL" title=""Internet Message Format"">MAIL</a>].
<span class="h3"><a class="selflink" id="section-3.3" href="#section-3.3">3.3</a>. Timestamps</span>
The header field version of this protocol has a different format for
the date and time expression than the SMTP extension does. This is
because message header fields use a format to express date and time
that is specific to message header fields, and this is consistent
with that usage.
Use of both date and time is done to be consistent with how current
implementations typically store the timestamp and to make it easy to
include the time zone. In practice, granularity beyond the date may
or may not be useful.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Use By Generators</span>
When a message is generated whose content is sufficiently sensitive
that an author or author's ADministrative Management Domain (ADMD),
see [<a href="#ref-EMAIL-ARCH">EMAIL-ARCH</a>], wishes to protect against misdelivery using this
protocol, it determines for each recipient mailbox on the message a
timestamp at which it last confirmed ownership of that mailbox. It
then applies the SMTP extension when sending the message to its
destination.
In cases where the outgoing MTA does not support the extension, the
header field defined above can be used to pass the request through
that system. However, use of the header field is only a "best-
effort" approach to solving the stated goals, and it has some
shortcomings:
1. The positive confirmation of support at each handling node, with
the option to return the message to the originator when
end-to-end support cannot be confirmed, will be unavailable;
2. The protocol is focused on affecting delivery (that is, the
transaction) rather than content, and therefore use of a header
field in the content is generally inappropriate;
3. The mechanism cannot be used with multiple recipients without
unintentionally exposing information about one recipient to the
others (see <a href="#section-7">Section 7</a>); and
4. There is a risk of the timestamp parameter being inadvertently
forwarded, automatically or intentionally by the user (since user
agents might not reveal the presence of the header field), and
therefore exposed to unintended recipients. (See <a href="#section-14.4">Section 14.4</a>.)
<span class="grey">Mills & Kucherawy Standards Track [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc7293">RFC 7293</a> Require-Recipient-Valid-Since July 2014</span>
Thus, the header field format MUST NOT be used unless the originator
or relay has specific knowledge that the receiving MDA or an
intermediary MTA will apply it properly. In any case, it SHOULD NOT
be used for the multi-recipient case.
Use of the header field mechanism is further restricted by the
practices described in Section 7.2 of [<a href="#ref-SMTP" title=""Simple Mail Transfer Protocol"">SMTP</a>], Section 3.6.3 of
[<a href="#ref-MAIL" title=""Internet Message Format"">MAIL</a>], and <a href="#section-7">Section 7</a> of this document.
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Handling By Receivers</span>
If a receiver implements this specification, then there are two
possible evaluation paths:
1. The sending client uses the extension, and so there is an RRVS
parameter on a RCPT TO command in the SMTP session, and the
parameters of interest are taken only from there (and the header
field, if present, is disregarded); or
2. The sending client does not use the extension, so the RRVS
parameter is not present on the RCPT TO commands in the SMTP
session, but the corresponding header field might be present in
the message.
When the continuous ownership test fails for transient reasons (such
as an unavailable database or other condition that is likely
temporary), normal transient failure handling for the message is
applied.
If the continuous ownership test cannot be completed because the
necessary datum (the mailbox creation or reassignment date and time)
was not recorded, the MDA doing the evaluation selects a date and
time to use that is the latest possible point in time at which the
mailbox could have been created or reassigned. For example, this
might be the earliest of all recorded mailbox creation/reassignment
timestamps, or the time when the host was first installed. If no
reasonable substitute for the timestamp can be selected, the MDA
rejects the message using an SMTP reply code, preferably with an
enhanced mail system status code (see <a href="#section-15.3">Section 15.3</a>), that indicates
the test cannot be completed. A message originator can then decide
whether to reissue the message without RRVS protection or find
another way to reach the mailbox owner.
<span class="h3"><a class="selflink" id="section-5.1" href="#section-5.1">5.1</a>. SMTP Extension Used</span>
For an MTA supporting the SMTP extension, the requirement is to
continue enforcement of RRVS during the relaying process to the next
MTA or the MDA.
<span class="grey">Mills & Kucherawy Standards Track [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc7293">RFC 7293</a> Require-Recipient-Valid-Since July 2014</span>
A receiving MTA or MDA that implements the SMTP extension declared
above and observes an RRVS parameter on a RCPT TO command checks
whether the current owner of the destination mailbox has held it
continuously, far enough back to include the given point in time, and
delivers it unless that check returns in the negative. Specifically,
an MDA will do the following before continuing with delivery:
1. Ignore the parameter if the named mailbox is known to be a role
account as listed in "Mailbox Names for Common Services, Roles
and Functions" [<a href="#ref-ROLES" title=""Mailbox Names for Common Services, Roles and Functions"">ROLES</a>].
2. If the address is not known to be a role account, and if that
address has not been under continuous ownership since the
timestamp specified in the extension, return a 550 error to the
RCPT command. (See also <a href="#section-15.3">Section 15.3</a>.)
<span class="h4"><a class="selflink" id="section-5.1.1" href="#section-5.1.1">5.1.1</a>. Relays</span>
An MTA that does not make mailbox ownership checks, such as an MTA
positioned to do SMTP ingress at an organizational boundary, SHOULD
relay the RRVS extension parameter to the next MTA or MDA so that it
can be processed there.
For the SMTP extension, the optional RRVS parameter defined in
<a href="#section-5.1">Section 5.1</a> indicates the action to be taken when relaying a message
to another MTA that does not advertise support for this extension.
When this is the case and the no-support action was not specified or
is "R" (reject), the MTA handling the message MUST reject the message
by:
1. returning a 550 error to the DATA command, if synchronous service
is being provided to the SMTP client that introduced the message,
or
2. generating a Delivery Status Notification [<a href="#ref-DSN" title=""An Extensible Message Format for Delivery Status Notifications"">DSN</a>] to indicate to
the originator of the message that the non-delivery occurred and
terminating further relay attempts.
An enhanced mail system status code is defined for such rejections in
<a href="#section-15.3">Section 15.3</a>.
See <a href="#section-8.2">Section 8.2</a> for additional discussion.
When relaying, an MTA MUST preserve the no-support action if it was
used by the SMTP client.
<span class="grey">Mills & Kucherawy Standards Track [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc7293">RFC 7293</a> Require-Recipient-Valid-Since July 2014</span>
<span class="h3"><a class="selflink" id="section-5.2" href="#section-5.2">5.2</a>. Header Field Used</span>
A receiving system that implements this specification, upon receiving
a message bearing a "Require-Recipient-Valid-Since" header field when
no corresponding RRVS SMTP extension was used, checks whether the
destination mailbox owner has held it continuously, far enough back
to include the given date-time, and delivers it unless that check
returns in the negative. Expressed as a sequence of steps:
1. Extract those Require-Recipient-Valid-Since fields from the
message that contain a recipient for which no corresponding RRVS
SMTP extension was used.
2. Discard any such fields that match any of these criteria:
* are syntactically invalid;
* name a role account as listed in [<a href="#ref-ROLES" title=""Mailbox Names for Common Services, Roles and Functions"">ROLES</a>];
* the "addr-spec" portion does not match a current recipient, as
listed in the RCPT TO commands in the SMTP session; or
* the "addr-spec" portion does not refer to a mailbox handled
for local delivery by this ADMD.
3. For each field remaining, determine if the named address has been
under continuous ownership since the corresponding timestamp. If
it has not, reject the message.
4. RECOMMENDED: If local delivery is being performed, remove all
instances of this field prior to delivery to a mailbox; if the
message is being forwarded, remove those instances of this header
field that were not discarded by step 2 above.
Handling proceeds normally upon completion of the above steps if
rejection has not been performed.
The final step is not mandatory as not all mail handling agents are
capable of stripping away header fields, and there are sometimes
reasons to keep the field intact such as debugging or presence of
digital signatures that might be invalidated by such a change. See
<a href="#section-10">Section 10</a> for additional discussion.
If a message is to be rejected within the SMTP protocol itself
(versus generating a rejection message separately), servers
implementing this protocol SHOULD also implement the SMTP extension
described in "Enhanced Mail System Status Codes" [<a href="#ref-ESC" title=""Enhanced Mail System Status Codes"">ESC</a>] and use the
enhanced status codes described in <a href="#section-15.3">Section 15.3</a> as appropriate.
<span class="grey">Mills & Kucherawy Standards Track [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc7293">RFC 7293</a> Require-Recipient-Valid-Since July 2014</span>
Implementation by this method is expected to be transparent to non-
participants, since they would typically ignore this header field.
This header field is not normally added to a message that is
addressed to multiple recipients. The intended use of this field
involves an author seeking to protect transactional or otherwise
sensitive data intended for a single recipient, and thus generating
independent messages for each individual recipient is normal
practice. See <a href="#section-7">Section 7</a> for further discussion and restrictions.
<span class="h4"><a class="selflink" id="section-5.2.1" href="#section-5.2.1">5.2.1</a>. Design Choices</span>
The presence of the address in the field content supports the case
where a message bearing this header field is forwarded. The specific
use case is as follows:
1. A user subscribes to a service "S" at date-time "D" and confirms
an email address at the user's current location, "A";
2. At some later date, the user intends to leave the current
location and thus creates a new mailbox elsewhere, at "B";
3. The user configures address "A" to forward to "B";
4. "S" constructs a message to "A" claiming that the address was
valid at date-time "D" and sends it to "A";
5. The receiving MTA for "A" determines that the forwarding in
effect was created by the same party that owned the mailbox there
and thus concludes that the continuous ownership test has been
satisfied;
6. If possible, the MTA for "A" removes this header field from the
message, and in either case, forwards it to "B"; and
7. On receipt at "B", either the header field has been removed or
the header field does not refer to a current envelope recipient,
and in either case the MTA delivers the message.
<a href="#section-8">Section 8</a> discusses some interesting use cases, such as the case
where "B" above results in further forwarding of the message.
SMTP has never required any correspondence between addresses in the
<a href="./rfc5321">RFC5321</a>.MailFrom and <a href="./rfc5321">RFC5321</a>.RcptTo parameters and header fields of a
message, which is why the header field defined here contains the
recipient address to which the timestamp applies.
<span class="grey">Mills & Kucherawy Standards Track [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc7293">RFC 7293</a> Require-Recipient-Valid-Since July 2014</span>
<span class="h3"><a class="selflink" id="section-5.3" href="#section-5.3">5.3</a>. Clock Synchronization</span>
The timestamp portion of this specification supports a precision at
the seconds level. Although uncommon, it is not impossible for a
clock at either a generator or a receiver to be incorrect, leading to
an incorrect result in the RRVS evaluation.
To minimize the risk of such incorrect results, both generators and
receivers implementing this specification MUST use a standard clock
synchronization protocol such as [<a href="#ref-NTP" title=""Network Time Protocol Version 4: Protocol and Algorithms Specification"">NTP</a>] to synchronize to a common
clock.
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Relaying without RRVS Support</span>
When a message is received using the SMTP extension defined here but
will not be delivered locally (that is, it needs to be relayed
further), the MTA to which the relay will take place might not be
compliant with this specification. Where the MTA in possession of
the message observes it is going to relay the message to an MTA that
does not advertise this extension, it needs to choose one of the
following actions:
1. Decline to relay the message further, preferably generating a
Delivery Status Notification [<a href="#ref-DSN" title=""An Extensible Message Format for Delivery Status Notifications"">DSN</a>] to indicate failure
(RECOMMENDED);
2. Downgrade the data thus provided in the SMTP extension to a
header field, as described in <a href="#section-6.1">Section 6.1</a> below (SHOULD NOT
unless the conditions in that section are satisfied, and only
when the previous option is not available); or
3. Silently continue with delivery, dropping the protection offered
by this protocol.
Using options other than the first option needs to be avoided unless
there is specific knowledge that further relaying with the degraded
protections thus provided does not introduce undue risk.
<span class="h3"><a class="selflink" id="section-6.1" href="#section-6.1">6.1</a>. Header Field Conversion</span>
If an SMTP server ("B") receives a message bearing one or more
"Require-Recipient-Valid-Since" header fields from a client ("A"),
presumably because "A" does not support the SMTP extension, and needs
to relay the corresponding message on to another server ("C")
(thereby becoming a client), and "C" advertises support for the SMTP
extension, "B" SHOULD delete the header field(s) and instead relay
this information by making use of the SMTP extension. Note that such
modification of the header might affect later validation of the
<span class="grey">Mills & Kucherawy Standards Track [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc7293">RFC 7293</a> Require-Recipient-Valid-Since July 2014</span>
header upon delivery; for example, a hash of the modified header
would produce a different result. This might be a valid cause for
some operators to skip this delete operation.
Conversely, if "B" has received a mailbox timestamp from "A" using
the SMTP extension for which it must now relay the message on to "C",
but "C" does not advertise the SMTP extension, and "B" does not
reject the message because rejection was specifically declined by the
client (see <a href="#section-5.1.1">Section 5.1.1</a>), "B" SHOULD add a Require-Recipient-Valid-
Since header field matching the mailbox to which relaying is being
done, and the corresponding valid-since timestamp for it, if it has
prior information that the eventual MDA or another intermediate MTA
supports this mechanism and will be able to process the header field
as described in this specification.
The admonitions about very cautious use of the header field described
in <a href="#section-4">Section 4</a> apply to this relaying mechanism as well. If multiple
mailbox timestamps are received from "A", the admonitions in
<a href="#section-7">Section 7</a> also apply.
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Header Field with Multiple Recipients</span>
Numerous issues arise when using the header field form of this
extension, particularly when multiple recipients are specified for a
single message resulting in multiple fields each with a distinct
address and timestamp.
Because of the nature of SMTP, a message bearing a multiplicity of
Require-Recipient-Valid-Since header fields could result in a single
delivery attempt for multiple recipients (in particular, if two of
the recipients are handled by the same server), and if any one of
them fails the test, the delivery fails to all of them; it then
becomes necessary to do one of the following:
o reject the message on completion of the DATA phase of the SMTP
session, which is a rejection of delivery to all recipients, or
o accept the message on completion of DATA, and then generate a
Delivery Status Notification [<a href="#ref-DSN" title=""An Extensible Message Format for Delivery Status Notifications"">DSN</a>] message for each of the failed
recipients.
Additional complexity arises when a message is sent to two
recipients, "A" and "B", presumably with different timestamps, both
of which are then redirected to a common address "C". The author is
not necessarily aware of the current or past ownership of mailbox
"C", or indeed that "A" and/or "B" have been redirected. This might
<span class="grey">Mills & Kucherawy Standards Track [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc7293">RFC 7293</a> Require-Recipient-Valid-Since July 2014</span>
result in either or both of the two deliveries failing at "C", which
is likely to confuse the message author, who (as far as the author is
aware) never sent a message to "C" in the first place.
Finally, there is an obvious concern with the fan-out of a message
bearing the timestamps of multiple users; tight control over the
handling of the timestamp information is very difficult to assure as
the number of handling agents increases.
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. Special Use Addresses</span>
In [<a href="#ref-DSN-SMTP" title=""Simple Mail Transfer Protocol (SMTP) Service Extension for Delivery Status Notifications (DSNs)"">DSN-SMTP</a>], an SMTP extension was defined to allow SMTP clients to
request generation of DSNs and related information to allow such
reports to be maximally useful. <a href="#section-5.2.7">Section 5.2.7</a> of that document
explored the issue of the use of that extension where the recipient
is a mailing list. This extension has similar concerns, which are
covered here following that document as a model.
For all cases described below, a receiving MTA SHOULD NOT introduce
RRVS in either form (SMTP extension or header field) if the message
did not arrive with RRVS in use. This would amount to second
guessing the message originator's intention and might lead to an
undesirable outcome.
<span class="h3"><a class="selflink" id="section-8.1" href="#section-8.1">8.1</a>. Mailing Lists</span>
Delivery to a mailing list service is considered a final delivery.
Where this protocol is in use, it is evaluated as per any normal
delivery: if the same mailing list has been operating in place of the
specified recipient mailbox since at least the timestamp given as the
RRVS parameter, the message is delivered to the list service
normally, and is otherwise not delivered.
It is important, however, that the participating MDA passing the
message to the list service needs to omit the RRVS parameter in
either form (SMTP extension or header field) when doing so. The
emission of a message from the list service to its subscribers
constitutes a new message not covered by the previous transaction.
<span class="h3"><a class="selflink" id="section-8.2" href="#section-8.2">8.2</a>. Single-Recipient Aliases</span>
Upon delivery of an RRVS-protected message to an alias (acting in
place of a mailbox) that results in relaying of the message to a
single other destination, the usual RRVS check is performed. The
continuous ownership test here might succeed if, for example, a
conventional user inbox was replaced with an alias on behalf of that
same user, and the time when this was done is recorded in a way that
can be queried by the relaying MTA.
<span class="grey">Mills & Kucherawy Standards Track [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc7293">RFC 7293</a> Require-Recipient-Valid-Since July 2014</span>
If the relaying system also performs some kind of step where
ownership of the new destination address is confirmed, it SHOULD
apply RRVS using the later of that timestamp and the one that was
used inbound. This also allows for changes to the alias without
disrupting the protection offered by RRVS.
If the relaying system has no such time records related to the new
destination address, the RRVS SMTP extension is not used on the
relaying SMTP session, and the header field relative to the local
alias is removed, in accordance with <a href="#section-5">Section 5</a>.
<span class="h3"><a class="selflink" id="section-8.3" href="#section-8.3">8.3</a>. Multiple-Recipient Aliases</span>
Upon delivery of an RRVS-protected message to an alias (acting in
place of a mailbox) that results in relaying of the message to
multiple other destinations, the usual RRVS check is performed as in
<a href="#section-8.2">Section 8.2</a>. The MTA expanding such an alias then decides which of
the options enumerated in that section is to be applied for each new
recipient.
<span class="h3"><a class="selflink" id="section-8.4" href="#section-8.4">8.4</a>. Confidential Forwarding Addresses</span>
In the above cases, the original author could receive message
rejections, such as DSNs, from the ultimate destination, where the
RRVS check (or indeed, any other) fails and rejection is warranted.
This can reveal the existence of a forwarding relationship between
the original intended recipient and the actual final recipient.
Where this is a concern, the initial delivery attempt is to be
treated like a mailing list delivery, with RRVS evaluation done and
then all RRVS information removed from the message prior to relaying
it to its true destination.
<span class="h3"><a class="selflink" id="section-8.5" href="#section-8.5">8.5</a>. Suggested Mailing List Enhancements</span>
Mailing list services could store the timestamp at which a subscriber
was added to a mailing list. This specification could then be used
in conjunction with that information in order to restrict list
traffic to the original subscriber, rather than a different person
now in possession of an address under which the original subscriber
was added to the list. Upon receiving a rejection caused by this
specification, the list service can remove that address from further
distribution.
A mailing list service that receives a message containing the header
field defined here needs to remove it from the message prior to
redistributing it, limiting exposure of information regarding the
relationship between the message's author and the mailing list.
<span class="grey">Mills & Kucherawy Standards Track [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc7293">RFC 7293</a> Require-Recipient-Valid-Since July 2014</span>
<span class="h2"><a class="selflink" id="section-9" href="#section-9">9</a>. Continuous Ownership</span>
For the purposes of this specification, an address is defined as
having been under continuous ownership since a given date-time if a
message sent to the address at any point since the given date-time
would not go to anyone except the owner at that given date-time.
That is, while an address may have been suspended or otherwise
disabled for some period, any mail actually delivered would have been
delivered exclusively to the same owner. It is presumed that some
sort of relationship exists between the message sender and the
intended recipient. Presumably, there has been some confirmation
process applied to establish this ownership of the receiver's
mailbox; however, the method of making such determinations is a local
matter and outside the scope of this document.
Evaluating the notion of continuous ownership is accomplished by
doing any query that establishes whether the above condition holds
for a given mailbox.
Determining continuous ownership of a mailbox is a local matter at
the receiving site. The only possible answers to the continuous-
ownership-since question are "yes", "no", and "unknown"; the action
to be taken in the "unknown" case is a matter of local policy.
For example, when control of a domain name is transferred, the new
domain owner might be unable to determine whether the owner of the
subject address has been under continuous ownership since the stated
date-time if the mailbox history is not also transferred (or was not
previously maintained). It will also be "unknown" if whatever
database contains mailbox ownership data is temporarily unavailable
at the time a message arrives for delivery. In this latter case,
typical SMTP temporary failure handling is appropriate.
To avoid exposing account details unnecessarily, if the address
specified has had one continuous owner since it was created, any
confirmation date-time SHOULD be considered to pass the test, even if
that date-time is earlier than the account creation date and time.
This is further discussed in <a href="#section-13">Section 13</a>.
<span class="h2"><a class="selflink" id="section-10" href="#section-10">10</a>. Digital Signatures</span>
This protocol mandates removal of the header field (when used) upon
delivery in all but exceptional circumstances. If a message with the
header field were digitally signed in a way that included the header
field, altering a message in this way would invalidate the signature.
However, the header field is strictly for tunneling purposes and
should be regarded by the rest of the transport system as purely
trace information.
<span class="grey">Mills & Kucherawy Standards Track [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc7293">RFC 7293</a> Require-Recipient-Valid-Since July 2014</span>
Accordingly, the header field MUST NOT be included in the content
covered by digital signatures.
<span class="h2"><a class="selflink" id="section-11" href="#section-11">11</a>. Authentication-Results Definitions</span>
[<a id="ref-AUTHRES">AUTHRES</a>] defines a mechanism for indicating, via a header field, the
results of message authentication checks. <a href="#section-15">Section 15</a> registers RRVS
as a new method that can be reported in this way, as well as
corresponding result names. The possible result names and their
meanings are as follows:
none: The message had no recipient mailbox timestamp associated with
it, either via the SMTP extension or header field method; this
protocol was not in use.
unknown: At least one form of this protocol was in use, but
continuous ownership of the recipient mailbox could not be
determined.
temperror: At least one form of this protocol was in use, but some
kind of error occurred during evaluation that was transient in
nature; a later retry will likely produce a final result.
permerror: At least one form of this protocol was in use, but some
kind of error occurred during evaluation that was not recoverable;
a later retry will not likely produce a final result.
pass: At least one form of this protocol was in use, and the
destination mailbox was confirmed to have been under continuous
ownership since the timestamp thus provided.
fail: At least one form of this protocol was in use, and the
destination mailbox was confirmed not to have been under
continuous ownership since the timestamp thus provided.
Where multiple recipients are present on a message, multiple results
can be reported using the mechanism described in [<a href="#ref-AUTHRES" title=""Message Header Field for Indicating Message Authentication Status"">AUTHRES</a>].
<span class="h2"><a class="selflink" id="section-12" href="#section-12">12</a>. Examples</span>
In the following examples, "C:" indicates data sent by an SMTP
client, and "S:" indicates responses by the SMTP server. Message
content is CRLF terminated, though these are omitted here for ease of
reading.
<span class="grey">Mills & Kucherawy Standards Track [Page 16]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-17" ></span>
<span class="grey"><a href="./rfc7293">RFC 7293</a> Require-Recipient-Valid-Since July 2014</span>
<span class="h3"><a class="selflink" id="section-12.1" href="#section-12.1">12.1</a>. SMTP Extension Example</span>
C: [connection established]
S: 220 server.example.com ESMTP ready
C: EHLO client.example.net
S: 250-server.example.com
S: 250 RRVS
C: MAIL FROM:<sender@example.net>
S: 250 OK
C: RCPT TO:<receiver@example.com> RRVS=2014-04-03T23:01:00Z
S: 550 5.7.17 receiver@example.com is no longer valid
C: QUIT
S: 221 So long!
<span class="h3"><a class="selflink" id="section-12.2" href="#section-12.2">12.2</a>. Header Field Example</span>
C: [connection established]
S: 220 server.example.com ESMTP ready
C: HELO client.example.net
S: 250 server.example.com
C: MAIL FROM:<sender@example.net>
S: 250 OK
C: RCPT TO:<receiver@example.com>
S: 250 OK
C: DATA
S: 354 Ready for message content
C: From: Mister Sender <sender@example.net>
To: Miss Receiver <receiver@example.com>
Subject: Are you still there?
Date: Fri, 28 Jun 2013 18:01:01 +0200
Require-Recipient-Valid-Since: receiver@example.com;
Sat, 1 Jun 2013 09:23:01 -0700
Are you still there?
.
S: 550 5.7.17 receiver@example.com is no longer valid
C: QUIT
S: 221 So long!
<span class="h3"><a class="selflink" id="section-12.3" href="#section-12.3">12.3</a>. Authentication-Results Example</span>
Here is an example use of the Authentication-Results header field
used to yield the results of an RRVS evaluation:
Authentication-Results: mx.example.com; rrvs=pass
smtp.rcptto=user@example.com
<span class="grey">Mills & Kucherawy Standards Track [Page 17]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-18" ></span>
<span class="grey"><a href="./rfc7293">RFC 7293</a> Require-Recipient-Valid-Since July 2014</span>
This indicates that the message arrived addressed to the mailbox
user@example.com, the continuous ownership test was applied with the
provided timestamp, and the check revealed that the test was
satisfied. The timestamp is not revealed.
<span class="h2"><a class="selflink" id="section-13" href="#section-13">13</a>. Security Considerations</span>
<span class="h3"><a class="selflink" id="section-13.1" href="#section-13.1">13.1</a>. Abuse Countermeasures</span>
The response of a server implementing this protocol can disclose
information about the age of an existing email mailbox.
Implementation of countermeasures against probing attacks is
RECOMMENDED. For example, an operator could track appearance of this
field with respect to a particular mailbox and observe the timestamps
being submitted for testing; if it appears that a variety of
timestamps are being tried against a single mailbox in short order,
the field could be ignored and the message silently discarded. This
concern is discussed further in <a href="#section-14">Section 14</a>.
<span class="h3"><a class="selflink" id="section-13.2" href="#section-13.2">13.2</a>. Suggested Use Restrictions</span>
If the mailbox named in the field is known to have had only a single
continuous owner since creation, or not to have existed at all (under
any owner) prior to the date-time specified in the field, then the
field SHOULD be silently ignored and normal message handling applied
so that this information is not disclosed. Such fields are likely
the product of either gross error or an attack.
A message author using this specification might restrict inclusion of
the header field such that it is only done for recipients known also
to implement this specification, in order to reduce the possibility
of revealing information about the relationship between the author
and the mailbox.
If ownership of an entire domain is transferred, the new owner may
not know what addresses were assigned in the past by the prior owner.
Hence, no address can be known not to have had a single owner, or to
have existed (or not) at all. In this case, the "unknown" result is
likely appropriate.
<span class="h3"><a class="selflink" id="section-13.3" href="#section-13.3">13.3</a>. False Sense of Security</span>
Senders implementing this protocol likely believe their content is
being protected by doing so. It has to be considered, however, that
receiving systems might not implement this protocol correctly, or at
all. Furthermore, use of RRVS by a sending system constitutes
nothing more than a request to the receiving system; that system
could choose not to prevent delivery for some local policy, for legal
<span class="grey">Mills & Kucherawy Standards Track [Page 18]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-19" ></span>
<span class="grey"><a href="./rfc7293">RFC 7293</a> Require-Recipient-Valid-Since July 2014</span>
or operational reasons, which compromises the security the sending
system believed was a benefit to using RRVS. This could mean the
timestamp information involved in the protocol becomes inadvertently
revealed.
This concern lends further support to the notion that senders would
do well to avoid using this protocol other than when sending to
known, trusted receivers.
<span class="h3"><a class="selflink" id="section-13.4" href="#section-13.4">13.4</a>. Reassignment of Mailboxes</span>
This specification is a direct response to the risks involved with
reassignment or recycling of email addresses, an inherently dangerous
practice. It is typically expected that email addresses will not
have a high rate of turnover or ownership change.
It is RECOMMENDED to have a substantial period of time between
mailbox owners during which the mailbox accepts no mail, giving
message generators an opportunity to detect that the previous owner
is no longer at that address.
<span class="h2"><a class="selflink" id="section-14" href="#section-14">14</a>. Privacy Considerations</span>
<span class="h3"><a class="selflink" id="section-14.1" href="#section-14.1">14.1</a>. The Tradeoff</span>
That some MSPs allow for expiration of account names when they have
been unused for a protracted period forces a choice between two
potential types of privacy vulnerabilities, one of which presents
significantly greater threats to users than the other. Automatically
generated mail is often used to convey authentication credentials
that can potentially provide access to extremely sensitive
information. Supplying such credentials to the wrong party after a
mailbox ownership change could allow the previous owner's data to be
exposed without his or her authorization or knowledge. In contrast,
the information that may be exposed to a third party via the proposal
in this document is limited to information about the mailbox history.
Given that MSPs have chosen to allow transfers of mailbox ownership
without the prior owner's involvement, the information leakage from
the extensions specified here creates far lower overall risk than the
potential for delivering mail to the wrong party.
<span class="h3"><a class="selflink" id="section-14.2" href="#section-14.2">14.2</a>. Probing Attacks</span>
As described above, use of this extension or header field in probing
attacks can disclose information about the history of the mailbox.
The harm that can be done by leaking any kind of private information
is difficult to predict, so it is prudent to be sensitive to this
sort of disclosure, either inadvertently or in response to probing by
<span class="grey">Mills & Kucherawy Standards Track [Page 19]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-20" ></span>
<span class="grey"><a href="./rfc7293">RFC 7293</a> Require-Recipient-Valid-Since July 2014</span>
an attacker. It bears restating, then, that implementing
countermeasures against abuse of this capability needs strong
consideration.
<span class="h3"><a class="selflink" id="section-14.3" href="#section-14.3">14.3</a>. Envelope Recipients</span>
The email To and Cc header fields are not required to be populated
with addresses that match the envelope recipient set, and Cc may even
be absent. However, the algorithm in <a href="#section-3">Section 3</a> requires that this
header field contain a match for an envelope recipient in order to be
actionable. As such, use of this specification can reveal some or
all of the original intended recipient set to any party that can see
the message in transit or upon delivery.
For a message destined to a single recipient, this is unlikely to be
a concern, which is one of the reasons use of this specification on
multi-recipient messages is discouraged.
<span class="h3"><a class="selflink" id="section-14.4" href="#section-14.4">14.4</a>. Risks with Use</span>
MDAs might not implement the recommendation to remove the header
field defined here when messages are delivered, either out of
ignorance or due to error. Since user agents often do not render all
of the header fields present, the message could be forwarded to
another party that would then inadvertently have the content of this
header field.
A bad actor may detect use of either form of the RRVS protocol and
interpret it as an indication of high-value content.
<span class="h2"><a class="selflink" id="section-15" href="#section-15">15</a>. IANA Considerations</span>
<span class="h3"><a class="selflink" id="section-15.1" href="#section-15.1">15.1</a>. SMTP Extension Registration</span>
Section 2.2.2 of [<a href="#ref-SMTP" title=""Simple Mail Transfer Protocol"">SMTP</a>] sets out the procedure for registering a new
SMTP extension. IANA has registered the SMTP extension using the
details provided in <a href="#section-3.1">Section 3.1</a> of this document.
<span class="h3"><a class="selflink" id="section-15.2" href="#section-15.2">15.2</a>. Header Field Registration</span>
IANA has added the following entry to the "Permanent Message Header
Field Names" registry, as per the procedure found in [<a href="#ref-IANA-HEADERS">IANA-HEADERS</a>]:
Header field name: Require-Recipient-Valid-Since
Applicable protocol: mail ([<a href="#ref-MAIL" title=""Internet Message Format"">MAIL</a>])
Status: standard
Author/Change controller: IETF
Specification document(s): <a href="./rfc7293">RFC 7293</a>
<span class="grey">Mills & Kucherawy Standards Track [Page 20]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-21" ></span>
<span class="grey"><a href="./rfc7293">RFC 7293</a> Require-Recipient-Valid-Since July 2014</span>
Related information:
Requesting review of any proposed changes and additions to
this field is recommended.
<span class="h3"><a class="selflink" id="section-15.3" href="#section-15.3">15.3</a>. Enhanced Status Code Registration</span>
IANA has registered the following in the Enumerated Status Codes
table of the "Simple Mail Transfer Protocol (SMTP) Enhanced Status
Codes Registry":
Code: X.7.17
Sample Text: Mailbox owner has changed
Associated basic status code: 5XX
Description: This status code is returned when a message is
received with a Require-Recipient-Valid-Since
field or RRVS extension and the receiving
system is able to determine that the intended
recipient mailbox has not been under continuous
ownership since the specified date-time.
Reference: <a href="./rfc7293">RFC 7293</a>
Submitter: M. Kucherawy
Change controller: IESG
Code: X.7.18
Sample Text: Domain owner has changed
Associated basic status code: 5XX
Description: This status code is returned when a message is
received with a Require-Recipient-Valid-Since
field or RRVS extension and the receiving
system wishes to disclose that the owner of
the domain name of the recipient has changed
since the specified date-time.
Reference: <a href="./rfc7293">RFC 7293</a>
Submitter: M. Kucherawy
Change controller: IESG
Code: X.7.19
Sample Text: RRVS test cannot be completed
Associated basic status code: 5XX
Description: This status code is returned when a message is
received with a Require-Recipient-Valid-Since
field or RRVS extension and the receiving
system cannot complete the requested
evaluation because the required timestamp was
not recorded. The message originator needs to
decide whether to reissue the message without
RRVS protection.
Reference: <a href="./rfc7293">RFC 7293</a>
<span class="grey">Mills & Kucherawy Standards Track [Page 21]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-22" ></span>
<span class="grey"><a href="./rfc7293">RFC 7293</a> Require-Recipient-Valid-Since July 2014</span>
Submitter: M. Kucherawy
Change controller: IESG
<span class="h3"><a class="selflink" id="section-15.4" href="#section-15.4">15.4</a>. Authentication Results Registration</span>
IANA has registered the following in the "Email Authentication
Methods" registry:
Method: rrvs
Specifying Document: <a href="./rfc7293">RFC 7293</a>
ptype: smtp
Property: rcptto
Value: envelope recipient
Status: active
Version: 1
IANA has also registered the following in the "Email Authentication
Result Names" registry:
Codes: none, unknown, temperror, permerror, pass, fail
Defined: <a href="./rfc7293">RFC 7293</a>
Auth Method(s): rrvs
Meaning: <a href="./rfc7293#section-11">Section 11 of RFC 7293</a>
Status: active
<span class="h2"><a class="selflink" id="section-16" href="#section-16">16</a>. Acknowledgments</span>
Erling Ellingsen proposed the idea.
Reviews and comments were provided by Michael Adkins, Kurt Andersen,
Eric Burger, Alissa Cooper, Dave Cridland, Dave Crocker, Ned Freed,
John Levine, Alexey Melnikov, Jay Nancarrow, Hector Santos, Gregg
Stefancik, and Ed Zayas.
<span class="grey">Mills & Kucherawy Standards Track [Page 22]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-23" ></span>
<span class="grey"><a href="./rfc7293">RFC 7293</a> Require-Recipient-Valid-Since July 2014</span>
<span class="h2"><a class="selflink" id="section-17" href="#section-17">17</a>. References</span>
<span class="h3"><a class="selflink" id="section-17.1" href="#section-17.1">17.1</a>. Normative References</span>
[<a id="ref-ABNF">ABNF</a>] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, <a href="./rfc5234">RFC 5234</a>, January 2008.
[<a id="ref-DATETIME">DATETIME</a>] Klyne, G., Ed. and C. Newman, "Date and Time on the
Internet: Timestamps", <a href="./rfc3339">RFC 3339</a>, July 2002.
[<a id="ref-IANA-HEADERS">IANA-HEADERS</a>]
Klyne, G., Nottingham, M., and J. Mogul, "Registration
Procedures for Message Header Fields", <a href="https://www.rfc-editor.org/bcp/bcp90">BCP 90</a>, <a href="./rfc3864">RFC 3864</a>,
September 2004.
[<a id="ref-KEYWORDS">KEYWORDS</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>, March 1997.
[<a id="ref-MAIL">MAIL</a>] Resnick, P., Ed., "Internet Message Format", <a href="./rfc5322">RFC 5322</a>,
October 2008.
[<a id="ref-NTP">NTP</a>] Mills, D., Martin, J., Burbank, J., and W. Kasch, "Network
Time Protocol Version 4: Protocol and Algorithms
Specification", <a href="./rfc5905">RFC 5905</a>, June 2010.
[<a id="ref-ROLES">ROLES</a>] Crocker, D., "Mailbox Names for Common Services, Roles and
Functions", <a href="./rfc2142">RFC 2142</a>, May 1997.
[<a id="ref-SMTP">SMTP</a>] Klensin, J., "Simple Mail Transfer Protocol", <a href="./rfc5321">RFC 5321</a>,
October 2008.
<span class="h3"><a class="selflink" id="section-17.2" href="#section-17.2">17.2</a>. Informative References</span>
[<a id="ref-AUTHRES">AUTHRES</a>] Kucherawy, M., "Message Header Field for Indicating
Message Authentication Status", <a href="./rfc7001">RFC 7001</a>, September 2013.
[<a id="ref-DSN">DSN</a>] Moore, K. and G. Vaudreuil, "An Extensible Message Format
for Delivery Status Notifications", <a href="./rfc3464">RFC 3464</a>, January
2003.
[<a id="ref-DSN-SMTP">DSN-SMTP</a>] Moore, K., "Simple Mail Transfer Protocol (SMTP) Service
Extension for Delivery Status Notifications (DSNs)", <a href="./rfc3461">RFC</a>
<a href="./rfc3461">3461</a>, January 2003.
[<a id="ref-EMAIL-ARCH">EMAIL-ARCH</a>]
Crocker, D., "Internet Mail Architecture", <a href="./rfc5598">RFC 5598</a>, July
2009.
<span class="grey">Mills & Kucherawy Standards Track [Page 23]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-24" ></span>
<span class="grey"><a href="./rfc7293">RFC 7293</a> Require-Recipient-Valid-Since July 2014</span>
[<a id="ref-ESC">ESC</a>] Vaudreuil, G., "Enhanced Mail System Status Codes", <a href="./rfc3463">RFC</a>
<a href="./rfc3463">3463</a>, January 2003.
Authors' Addresses
William J. Mills
Yahoo! Inc.
EMail: wmills_92105@yahoo.com
Murray S. Kucherawy
Facebook, Inc.
1 Hacker Way
Menlo Park, CA 94025
USA
EMail: msk@fb.com
Mills & Kucherawy Standards Track [Page 24]
</pre>
|
