A Protocol for Remotely Managing Sieve Scripts
RFC 5804
| Document | Type | RFC - Proposed Standard (July 2010) Errata | |
|---|---|---|---|
| Authors | Tim Martin , Alexey Melnikov | ||
| Last updated | 2020-01-21 | ||
| RFC stream | Internet Engineering Task Force (IETF) | ||
| Formats | |||
| Additional resources | Mailing list discussion | ||
| IESG | Responsible AD | Lisa M. Dusseault | |
| Send notices to | (None) |
RFC 5804
>. 5. Delete the old script: DELETESCRIPT <oldname>. Note that these steps don't describe how to handle various other error conditions (for example, NO response containing QUOTA response code in step 3). Error handling is left as an exercise for the reader. Melnikov & Martin Standards Track [Page 26] RFC 5804 ManageSieve July 2010 2.12. CHECKSCRIPT Command Arguments: String - Script content The CHECKSCRIPT command is used by the client to verify Sieve script validity without storing the script on the server. The server MUST check the submitted script for syntactic validity, which includes checking that all Sieve extensions mentioned in Sieve script "require" statement(s) are supported by the Sieve interpreter. (Note that if the Sieve interpreter supports the Sieve "ihave" extension [I-HAVE], any unrecognized/unsupported extension mentioned in the "ihave" test MUST NOT cause the syntactic validation failure.) If the script fails this test, the server MUST reply with a NO response. The message given with a NO response MUST be human readable and SHOULD contain a specific error message giving the line number of the first error. Implementors should strive to produce helpful error messages similar to those given by programming language compilers. Client implementations should note that this may be a multiline literal string with more than one error message separated by CRLFs. The human-readable message is in the language returned in the latest LANGUAGE capability (or in "i-default"; see Section 1.7), encoded in UTF-8 [UTF-8]. Examples: C: CheckScript {31+} C: #comment C: InvalidSieveCommand C: S: NO "line 2: Syntax error" A ManageSieve server supporting this command MUST NOT check if the script will put the current user over its quota limit. An OK response MAY contain the WARNINGS response code. In such a case, the human-readable message that follows the OK response SHOULD contain a specific warning message (or messages) giving the line number(s) in the script that might contain errors not intended by the script writer. The human-readable message is in the language returned in the latest LANGUAGE capability (or in "i-default"; see Section 1.7), encoded in UTF-8 [UTF-8]. A client seeing such a response code SHOULD present the message to the user. Melnikov & Martin Standards Track [Page 27] RFC 5804 ManageSieve July 2010 2.13. NOOP Command Arguments: String - tag to echo back (optional) The NOOP command does nothing, beyond returning a response to the client. It may be used by clients for protocol re-synchronization or to reset any inactivity auto-logout timer on the server. The response to the NOOP command is always OK, followed by the TAG response code together with the supplied string. If no string was supplied in the NOOP command, the TAG response code MUST NOT be included. Examples: C: NOOP S: OK "NOOP completed" C: NOOP "STARTTLS-SYNC-42" S: OK (TAG {16} S: STARTTLS-SYNC-42) "Done" 2.14. Recommended Extensions The UNAUTHENTICATE extension (advertised as the "UNAUTHENTICATE" capability with no parameters) defines a new UNAUTHENTICATE command, which allows a client to return the server to non-authenticated state. Support for this extension is RECOMMENDED. 2.14.1. UNAUTHENTICATE Command The UNAUTHENTICATE command returns the server to the non-authenticated state. It doesn't affect any previously established TLS [TLS] or SASL (Section 2.1) security layer. The UNAUTHENTICATE command is only valid in authenticated state. If issued in a wrong state, the server MUST reject it with a NO response. The UNAUTHENTICATE command has no parameters. When issued in the authenticated state, the UNAUTHENTICATE command MUST NOT fail (i.e., it must never return anything other than OK or BYE). Melnikov & Martin Standards Track [Page 28] RFC 5804 ManageSieve July 2010 3. Sieve URL Scheme URI scheme name: sieve Status: permanent URI scheme syntax: Described using ABNF [ABNF]. Some ABNF productions not defined below are from [URI-GEN]. sieveurl = sieveurl-server / sieveurl-list-scripts / sieveurl-script sieveurl-server = "sieve://" authority sieveurl-list-scripts = "sieve://" authority ["/"] sieveurl-script = "sieve://" authority "/" [owner "/"] scriptname authority = <defined in [URI-GEN]> owner = *ochar ;; %-encoded version of [SASL] authorization ;; identity (script owner) or "userid". ;; ;; Empty owner is used to reference ;; global scripts. ;; ;; Note that ASCII characters such as " ", ";", ;; "&", "=", "/" and "?" must be %-encoded ;; as per rule specified in [URI-GEN]. scriptname = 1*ochar ;; %-encoded version of UTF-8 representation ;; of the script name. ;; Note that ASCII characters such as " ", ";", ;; "&", "=", "/" and "?" must be %-encoded ;; as per rule specified in [URI-GEN]. ochar = unreserved / pct-encoded / sub-delims-sh / ":" / "@" ;; Same as [URI-GEN] 'pchar', ;; but without ";", "&" and "=". unreserved = <defined in [URI-GEN]> pct-encoded = <defined in [URI-GEN]> Melnikov & Martin Standards Track [Page 29] RFC 5804 ManageSieve July 2010 sub-delims-sh = "!" / "$" / "'" / "(" / ")" / "*" / "+" / "," ;; Same as [URI-GEN] sub-delims, ;; but without ";", "&" and "=". URI scheme semantics: A Sieve URL identifies a Sieve server or a Sieve script on a Sieve server. The latter form is associated with the application/sieve MIME type defined in [SIEVE]. There is no MIME type associated with the former form of Sieve URI. The server form is used in the REFERRAL response code (see Section 1.3) in order to designate another server where the client should perform its operations. The script form allows to retrieve (GETSCRIPT), update (PUTSCRIPT), delete (DELETESCRIPT), or activate (SETACTIVE) the named script; however, the most typical action would be to retrieve the script. If the script name is empty (omitted), the URI requests that the client lists available scripts using the LISTSCRIPTS command. Encoding considerations: The script name and/or the owner, if present, is in UTF-8. Non-- US-ASCII UTF-8 octets MUST be percent-encoded as described in [URI-GEN]. US-ASCII characters such as " " (space), ";", "&", "=", "/" and "?" MUST be %-encoded as described in [URI-GEN]. Note that "&" and "?" are in this list in order to allow for future extensions. Note that the empty owner (e.g., sieve://example.com//script) is different from the missing owner (e.g., sieve://example.com/script) and is reserved for referencing global scripts. The user name (in the "authority" part), if present, is in UTF-8. Non-US-ASCII UTF-8 octets MUST be percent-encoded as described in [URI-GEN]. Applications/protocols that use this URI scheme name: ManageSieve [RFC5804] clients and servers. Clients that can store user preferences in protocols such as [LDAP] or [ACAP]. Interoperability considerations: None. Melnikov & Martin Standards Track [Page 30] RFC 5804 ManageSieve July 2010 Security considerations: The <scriptname> part of a ManageSieve URL might potentially disclose some confidential information about the author of the script or, depending on a ManageSieve implementation, about configuration of the mail system. The latter might be used to prepare for a more complex attack on the mail system. Clients resolving ManageSieve URLs that wish to achieve data confidentiality and/or integrity SHOULD use the STARTTLS command (if supported by the server) before starting authentication, or use a SASL mechanism, such as GSSAPI, that provides a confidentiality security layer. Contact: Alexey Melnikov <alexey.melnikov@isode.com> Author/Change controller: IESG. References: This document and RFC 5228 [SIEVE]. 4. Formal Syntax The following syntax specification uses the Augmented Backus-Naur Form (BNF) notation as specified in [ABNF]. This uses the ABNF core rules as specified in Appendix A of the ABNF specification [ABNF]. "UTF8-2", "UTF8-3", and "UTF8-4" non-terminal are defined in [UTF-8]. Except as noted otherwise, all alphabetic characters are case- insensitive. The use of upper- or lowercase characters to define token strings is for editorial clarity only. Implementations MUST accept these strings in a case-insensitive fashion. SAFE-CHAR = %x01-09 / %x0B-0C / %x0E-21 / %x23-5B / %x5D-7F ;; any TEXT-CHAR except QUOTED-SPECIALS QUOTED-CHAR = SAFE-UTF8-CHAR / "\" QUOTED-SPECIALS QUOTED-SPECIALS = DQUOTE / "\" SAFE-UTF8-CHAR = SAFE-CHAR / UTF8-2 / UTF8-3 / UTF8-4 ;; <UTF8-2>, <UTF8-3>, and <UTF8-4> ;; are defined in [UTF-8]. ATOM-CHAR = "!" / %x23-27 / %x2A-5B / %x5D-7A / %x7C-7E ;; Any CHAR except ATOM-SPECIALS ATOM-SPECIALS = "(" / ")" / "{" / SP / CTL / QUOTED-SPECIALS Melnikov & Martin Standards Track [Page 31] RFC 5804 ManageSieve July 2010 NZDIGIT = %x31-39 ;; 1-9 atom = 1*1024ATOM-CHAR iana-token = atom ;; MUST be registered with IANA auth-type = DQUOTE auth-type-name DQUOTE auth-type-name = iana-token ;; as defined in SASL [SASL] command = (command-any / command-auth / command-nonauth) CRLF ;; Modal based on state command-any = command-capability / command-logout / command-noop ;; Valid in all states command-auth = command-getscript / command-setactive / command-listscripts / command-deletescript / command-putscript / command-checkscript / command-havespace / command-renamescript / command-unauthenticate ;; Valid only in Authenticated state command-nonauth = command-authenticate / command-starttls ;; Valid only when in Non-Authenticated ;; state command-authenticate = "AUTHENTICATE" SP auth-type [SP string] *(CRLF string) command-capability = "CAPABILITY" command-deletescript = "DELETESCRIPT" SP sieve-name command-getscript = "GETSCRIPT" SP sieve-name command-havespace = "HAVESPACE" SP sieve-name SP number command-listscripts = "LISTSCRIPTS" command-noop = "NOOP" [SP string] Melnikov & Martin Standards Track [Page 32] RFC 5804 ManageSieve July 2010 command-logout = "LOGOUT" command-putscript = "PUTSCRIPT" SP sieve-name SP sieve-script command-checkscript = "CHECKSCRIPT" SP sieve-script sieve-script = string command-renamescript = "RENAMESCRIPT" SP old-sieve-name SP new-sieve-name old-sieve-name = sieve-name new-sieve-name = sieve-name command-setactive = "SETACTIVE" SP active-sieve-name command-starttls = "STARTTLS" command-unauthenticate= "UNAUTHENTICATE" extend-token = atom ;; MUST be defined by a Standards Track or ;; IESG-approved experimental protocol ;; extension extension-data = extension-item *(SP extension-item) extension-item = extend-token / string / number / "(" [extension-data] ")" literal-c2s = "{" number "+}" CRLF *OCTET ;; The number represents the number of ;; octets. ;; This type of literal can only be sent ;; from the client to the server. literal-s2c = "{" number "}" CRLF *OCTET ;; Almost identical to literal-c2s, ;; but with no '+' character. ;; The number represents the number of ;; octets. ;; This type of literal can only be sent ;; from the server to the client. Melnikov & Martin Standards Track [Page 33] RFC 5804 ManageSieve July 2010 number = (NZDIGIT *DIGIT) / "0" ;; A 32-bit unsigned number ;; with no extra leading zeros. ;; (0 <= n < 4,294,967,296) number-str = string ;; <number> encoded as a <string>. quoted = DQUOTE *1024QUOTED-CHAR DQUOTE ;; limited to 1024 octets between the <">s resp-code = "AUTH-TOO-WEAK" / "ENCRYPT-NEEDED" / "QUOTA" ["/" ("MAXSCRIPTS" / "MAXSIZE")] / resp-code-sasl / resp-code-referral / "TRANSITION-NEEDED" / "TRYLATER" / "ACTIVE" / "NONEXISTENT" / "ALREADYEXISTS" / "WARNINGS" / "TAG" SP string / resp-code-ext resp-code-referral = "REFERRAL" SP sieveurl resp-code-sasl = "SASL" SP string resp-code-name = iana-token ;; The response code name is hierarchical, ;; separated by '/'. ;; The response code name MUST NOT start ;; with '/'. resp-code-ext = resp-code-name [SP extension-data] ;; unknown response codes MUST be tolerated ;; by the client. response = response-authenticate / response-logout / response-getscript / response-setactive / response-listscripts / response-deletescript / response-putscript / response-checkscript / response-capability / response-havespace / response-starttls / response-renamescript / response-noop / Melnikov & Martin Standards Track [Page 34] RFC 5804 ManageSieve July 2010 response-unauthenticate response-authenticate = *(string CRLF) ((response-ok [response-capability]) / response-nobye) ;; <response-capability> is REQUIRED if a ;; SASL security layer was negotiated and ;; MUST be omitted otherwise. response-capability = *(single-capability) response-oknobye single-capability = capability-name [SP string] CRLF capability-name = string ;; Note that literal-s2c is allowed. initial-capabilities = DQUOTE "IMPLEMENTATION" DQUOTE SP string / DQUOTE "SASL" DQUOTE SP sasl-mechs / DQUOTE "SIEVE" DQUOTE SP sieve-extensions / DQUOTE "MAXREDIRECTS" DQUOTE SP number-str / DQUOTE "NOTIFY" DQUOTE SP notify-mechs / DQUOTE "STARTTLS" DQUOTE / DQUOTE "LANGUAGE" DQUOTE SP language / DQUOTE "VERSION" DQUOTE SP version / DQUOTE "OWNER" DQUOTE SP string ;; Each capability conforms to ;; the syntax for single-capability. ;; Also, note that the capability name ;; can be returned as either literal-s2c ;; or quoted, even though only "quoted" ;; string is shown above. version = ( DQUOTE "1.0" DQUOTE ) / version-ext version-ext = DQUOTE ver-major "." ver-minor DQUOTE ; Future versions specified in updates ; to this document. An increment to ; the ver-major means a backward-incompatible ; change to the protocol, e.g., "3.5" (ver-major "3") ; is not backward-compatible with any "2.X" version. ; Any version "Z.W" MUST be backward compatible ; with any version "Z.Q", where Q < W. ; For example, version "2.4" is backward compatible ; with version "2.0", "2.1", "2.2", and "2.3". ver-major = number Melnikov & Martin Standards Track [Page 35] RFC 5804 ManageSieve July 2010 ver-minor = number sasl-mechs = string ; Space-separated list of SASL mechanisms, ; each SASL mechanism name complies with rules ; specified in [SASL]. ; Can be empty. sieve-extensions = string ; Space-separated list of supported SIEVE extensions. ; Can be empty. language = string ; Contains <Language-Tag> from [RFC5646]. notify-mechs = string ; Space-separated list of URI schema parts ; for supported notification [NOTIFY] methods. ; MUST NOT be empty. response-deletescript = response-oknobye response-getscript = (sieve-script CRLF response-ok) / response-nobye response-havespace = response-oknobye response-listscripts = *(sieve-name [SP "ACTIVE"] CRLF) response-oknobye ;; ACTIVE may only occur with one sieve-name response-logout = response-oknobye response-unauthenticate= response-oknobye ;; "NO" response can only be returned when ;; the command is issued in a wrong state ;; or has a wrong number of parameters response-ok = "OK" [SP "(" resp-code ")"] [SP string] CRLF ;; The string contains human-readable text ;; encoded as UTF-8. response-nobye = ("NO" / "BYE") [SP "(" resp-code ")"] [SP string] CRLF ;; The string contains human-readable text ;; encoded as UTF-8. Melnikov & Martin Standards Track [Page 36] RFC 5804 ManageSieve July 2010 response-oknobye = response-ok / response-nobye response-noop = response-ok response-putscript = response-oknobye response-checkscript = response-oknobye response-renamescript = response-oknobye response-setactive = response-oknobye response-starttls = (response-ok response-capability) / response-nobye sieve-name = string ;; See Section 1.6 for the full list of ;; prohibited characters. ;; Empty string is not allowed. active-sieve-name = string ;; See Section 1.6 for the full list of ;; prohibited characters. ;; This is similar to <sieve-name>, but ;; empty string is allowed and has a special ;; meaning. string = quoted / literal-c2s / literal-s2c ;; literal-c2s is only allowed when sent ;; from the client to the server. ;; literal-s2c is only allowed when sent ;; from the server to the client. ;; quoted is allowed in either direction. 5. Security Considerations The AUTHENTICATE command uses SASL [SASL] to provide authentication and authorization services. Integrity and privacy services can be provided by [SASL] and/or [TLS]. When a SASL mechanism is used, the security considerations for that mechanism apply. This protocol's transactions are susceptible to passive observers or man-in-the-middle attacks that alter the data, unless the optional encryption and integrity services of the SASL (via the AUTHENTICATE command) and/or [TLS] (via the STARTTLS command) are enabled, or an external security mechanism is used for protection. It may be useful to allow configuration of both clients and servers to refuse to transfer sensitive information in the absence of strong encryption. Melnikov & Martin Standards Track [Page 37] RFC 5804 ManageSieve July 2010 If an implementation supports SASL mechanisms that are vulnerable to passive eavesdropping attacks (such as [PLAIN]), then the implementation MUST support at least one configuration where these SASL mechanisms are not advertised or used without the presence of an external security layer such as [TLS]. Some response codes returned on failed AUTHENTICATE command may disclose whether or not the username is valid (e.g., TRANSITION- NEEDED), so server implementations SHOULD provide the ability to disable these features (or make them not conditional on a per-user basis) for sites concerned about such disclosure. In the case of ENCRYPT-NEEDED, if it is applied to all identities then no extra information is disclosed, but if it is applied on a per-user basis it can disclose information. A compromised or malicious server can use the TRANSITION-NEEDED response code to force the client that is configured to use a mechanism that does not disclose the user's password to the server (e.g., Kerberos), to send the bare password to the server. Clients SHOULD have the ability to disable the password transition feature, or disclose that risk to the user and offer the user an option of how to proceed. 6. IANA Considerations IANA has reserved TCP port number 4190 for use with the ManageSieve protocol described in this document. IANA has registered the "sieve" URI scheme defined in Section 3 of this document. IANA has registered "sieve" in the "GSSAPI/Kerberos/SASL Service Names" registry. IANA has created a new registry for ManageSieve capabilities. The registration template for ManageSieve capabilities is specified in Section 6.1. ManageSieve protocol capabilities MUST be specified in a Standards-Track or IESG-approved Experimental RFC. IANA has created a new registry for ManageSieve response codes. The registration template for ManageSieve response codes is specified in Section 6.3. ManageSieve protocol response codes MUST be specified in a Standards-Track or IESG-approved Experimental RFC. Melnikov & Martin Standards Track [Page 38] RFC 5804 ManageSieve July 2010 6.1. ManageSieve Capability Registration Template To: iana@iana.org Subject: ManageSieve Capability Registration Please register the following ManageSieve capability: Capability name: Description: Relevant publications: Person & email address to contact for further information: Author/Change controller: 6.2. Registration of Initial ManageSieve Capabilities To: iana@iana.org Subject: ManageSieve Capability Registration Please register the following ManageSieve capabilities: Capability name: IMPLEMENTATION Description: Its value contains the name of the server implementation and its version. Relevant publications: this RFC, Section 1.7. Person & email address to contact for further information: Alexey Melnikov <alexey.melnikov@isode.com> Author/Change controller: IESG. Capability name: SASL Description: Its value contains a space-separated list of SASL mechanisms supported by the server. Relevant publications: this RFC, Sections 1.7 and 2.1. Person & email address to contact for further information: Alexey Melnikov <alexey.melnikov@isode.com> Author/Change controller: IESG. Capability name: SIEVE Description: Its value contains a space-separated list of supported SIEVE extensions. Relevant publications: this RFC, Section 1.7. Also [SIEVE]. Person & email address to contact for further information: Alexey Melnikov <alexey.melnikov@isode.com> Author/Change controller: IESG. Melnikov & Martin Standards Track [Page 39] RFC 5804 ManageSieve July 2010 Capability name: STARTTLS Description: This capability is returned if the server supports TLS (STARTTLS command). Relevant publications: this RFC, Sections 1.7 and 2.2. Person & email address to contact for further information: Alexey Melnikov <alexey.melnikov@isode.com> Author/Change controller: IESG. Capability name: NOTIFY Description: This capability is returned if the server supports the 'enotify' [NOTIFY] Sieve extension. Relevant publications: this RFC, Section 1.7. Person & email address to contact for further information: Alexey Melnikov <alexey.melnikov@isode.com> Author/Change controller: IESG. Capability name: MAXREDIRECTS Description: This capability returns the limit on the number of Sieve "redirect" actions a script can perform during a single evaluation. The value is a non-negative number represented as a ManageSieve string. Relevant publications: this RFC, Section 1.7. Person & email address to contact for further information: Alexey Melnikov <alexey.melnikov@isode.com> Author/Change controller: IESG. Capability name: LANGUAGE Description: The language (<Language-Tag> from [RFC5646]) currently used for human-readable error messages. Relevant publications: this RFC, Section 1.7. Person & email address to contact for further information: Alexey Melnikov <alexey.melnikov@isode.com> Author/Change controller: IESG. Capability name: OWNER Description: Its value contains the UTF-8-encoded name of the currently logged-in user ("authorization identity" according to RFC 4422). Relevant publications: this RFC, Section 1.7. Person & email address to contact for further information: Alexey Melnikov <alexey.melnikov@isode.com> Author/Change controller: IESG. Melnikov & Martin Standards Track [Page 40] RFC 5804 ManageSieve July 2010 Capability name: VERSION Description: This capability is returned if the server is compliant with RFC 5804; i.e., that it supports RENAMESCRIPT, CHECKSCRIPT, and NOOP commands. Relevant publications: this RFC, Sections 2.11, 2.12, and 2.13. Person & email address to contact for further information: Alexey Melnikov <alexey.melnikov@isode.com> Author/Change controller: IESG. 6.3. ManageSieve Response Code Registration Template To: iana@iana.org Subject: ManageSieve Response Code Registration Please register the following ManageSieve response code: Response Code: Arguments (use ABNF to specify syntax, or the word NONE if none can be specified): Purpose: Published Specification(s): Person & email address to contact for further information: Author/Change controller: 6.4. Registration of Initial ManageSieve Response Codes To: iana@iana.org Subject: ManageSieve Response Code Registration Please register the following ManageSieve response codes: Response Code: AUTH-TOO-WEAK Arguments (use ABNF to specify syntax, or the word NONE if none can be specified): NONE Purpose: This response code is returned in the NO response from an AUTHENTICATE command. It indicates that site security policy forbids the use of the requested mechanism for the specified authentication identity. Published Specification(s): [RFC5804] Person & email address to contact for further information: Alexey Melnikov <alexey.melnikov@isode.com> Author/Change controller: IESG. Melnikov & Martin Standards Track [Page 41] RFC 5804 ManageSieve July 2010 Response Code: ENCRYPT-NEEDED Arguments (use ABNF to specify syntax, or the word NONE if none can be specified): NONE Purpose: This response code is returned in the NO response from an AUTHENTICATE command. It indicates that site security policy requires the use of a strong encryption mechanism for the specified authentication identity and mechanism. Published Specification(s): [RFC5804] Person & email address to contact for further information: Alexey Melnikov <alexey.melnikov@isode.com> Author/Change controller: IESG. Response Code: QUOTA Arguments (use ABNF to specify syntax, or the word NONE if none can be specified): NONE Purpose: If this response code is returned in the NO/BYE response, it means that the command would have placed the user above the site-defined quota constraints. If this response code is returned in the OK response, it can mean that the user is near its quota or that the user exceeded its quota, but the server supports soft quotas. Published Specification(s): [RFC5804] Person & email address to contact for further information: Alexey Melnikov <alexey.melnikov@isode.com> Author/Change controller: IESG. Response Code: QUOTA/MAXSCRIPTS Arguments (use ABNF to specify syntax, or the word NONE if none can be specified): NONE Purpose: If this response code is returned in the NO/BYE response, it means that the command would have placed the user above the site-defined limit on the number of Sieve scripts. If this response code is returned in the OK response, it can mean that the user is near its quota or that the user exceeded its quota, but the server supports soft quotas. This response code is a more specific version of the QUOTA response code. Published Specification(s): [RFC5804] Person & email address to contact for further information: Alexey Melnikov <alexey.melnikov@isode.com> Author/Change controller: IESG. Melnikov & Martin Standards Track [Page 42] RFC 5804 ManageSieve July 2010 Response Code: QUOTA/MAXSIZE Arguments (use ABNF to specify syntax, or the word NONE if none can be specified): NONE Purpose: If this response code is returned in the NO/BYE response, it means that the command would have placed the user above the site-defined maximum script size. If this response code is returned in the OK response, it can mean that the user is near its quota or that the user exceeded its quota, but the server supports soft quotas. This response code is a more specific version of the QUOTA response code. Published Specification(s): [RFC5804] Person & email address to contact for further information: Alexey Melnikov <alexey.melnikov@isode.com> Author/Change controller: IESG. Response Code: REFERRAL Arguments (use ABNF to specify syntax, or the word NONE if none can be specified): <sieveurl> Purpose: This response code may be returned with a BYE result from any command, and includes a mandatory parameter that indicates what server to access to manage this user's Sieve scripts. The server will be specified by a Sieve URL (see Section 3). The scriptname portion of the URL MUST NOT be specified. The client should authenticate to the specified server and use it for all further commands in the current session. Published Specification(s): [RFC5804] Person & email address to contact for further information: Alexey Melnikov <alexey.melnikov@isode.com> Author/Change controller: IESG. Response Code: SASL Arguments (use ABNF to specify syntax, or the word NONE if none can be specified): <string> Purpose: This response code can occur in the OK response to a successful AUTHENTICATE command and includes the optional final server response data from the server as specified by [SASL]. Published Specification(s): [RFC5804] Person & email address to contact for further information: Alexey Melnikov <alexey.melnikov@isode.com> Author/Change controller: IESG. Melnikov & Martin Standards Track [Page 43] RFC 5804 ManageSieve July 2010 Response Code: TRANSITION-NEEDED Arguments (use ABNF to specify syntax, or the word NONE if none can be specified): NONE Purpose: This response code occurs in a NO response of an AUTHENTICATE command. It indicates that the user name is valid, but the entry in the authentication database needs to be updated in order to permit authentication with the specified mechanism. This is typically done by establishing a secure channel using TLS, followed by authenticating once using the [PLAIN] authentication mechanism. The selected mechanism SHOULD then work for authentications in subsequent sessions. Published Specification(s): [RFC5804] Person & email address to contact for further information: Alexey Melnikov <alexey.melnikov@isode.com> Author/Change controller: IESG. Response Code: TRYLATER Arguments (use ABNF to specify syntax, or the word NONE if none can be specified): NONE Purpose: A command failed due to a temporary server failure. The client MAY continue using local information and try the command later. This response code only make sense when returned in a NO/BYE response. Published Specification(s): [RFC5804] Person & email address to contact for further information: Alexey Melnikov <alexey.melnikov@isode.com> Author/Change controller: IESG. Response Code: ACTIVE Arguments (use ABNF to specify syntax, or the word NONE if none can be specified): NONE Purpose: A command failed because it is not allowed on the active script, for example, DELETESCRIPT on the active script. This response code only makes sense when returned in a NO/BYE response. Published Specification(s): [RFC5804] Person & email address to contact for further information: Alexey Melnikov <alexey.melnikov@isode.com> Author/Change controller: IESG. Melnikov & Martin Standards Track [Page 44] RFC 5804 ManageSieve July 2010 Response Code: NONEXISTENT Arguments (use ABNF to specify syntax, or the word NONE if none can be specified): NONE Purpose: A command failed because the referenced script name doesn't exist. This response code only makes sense when returned in a NO/BYE response. Published Specification(s): [RFC5804] Person & email address to contact for further information: Alexey Melnikov <alexey.melnikov@isode.com> Author/Change controller: IESG. Response Code: ALREADYEXISTS Arguments (use ABNF to specify syntax, or the word NONE if none can be specified): NONE Purpose: A command failed because the referenced script name already exists. This response code only makes sense when returned in a NO/BYE response. Published Specification(s): [RFC5804] Person & email address to contact for further information: Alexey Melnikov <alexey.melnikov@isode.com> Author/Change controller: IESG. Response Code: WARNINGS Arguments (use ABNF to specify syntax, or the word NONE if none can be specified): NONE Purpose: This response code MAY be returned by the server in the OK response (but it might be returned with the NO/ BYE response as well) and signals the client that even though the script is syntactically valid, it might contain errors not intended by the script writer. Published Specification(s): [RFC5804] Person & email address to contact for further information: Alexey Melnikov <alexey.melnikov@isode.com> Author/Change controller: IESG. Response Code: TAG Arguments (use ABNF to specify syntax, or the word NONE if none can be specified): string Purpose: This response code name is followed by a string specified in the command that caused this response. It is typically used for client state synchronization. Published Specification(s): [RFC5804] Person & email address to contact for further information: Alexey Melnikov <alexey.melnikov@isode.com> Author/Change controller: IESG. Melnikov & Martin Standards Track [Page 45] RFC 5804 ManageSieve July 2010 7. Internationalization Considerations The LANGUAGE capability (see Section 1.7) allows a client to discover the current language used in all human-readable responses that might be returned at the end of any OK/NO/BYE response. Human-readable text in OK responses typically doesn't need to be shown to the user, unless it is returned in response to a PUTSCRIPT or CHECKSCRIPT command that also contains the WARNINGS response code (Section 1.3). Human-readable text from NO/BYE responses is intended be shown to the user, unless the client can automatically handle failure of the command that caused such a response. Clients SHOULD use response codes (Section 1.3) for automatic error handling. Response codes MAY also be used by the client to present error messages in a language understood by the user, for example, if the LANGUAGE capability doesn't return a language understood by the user. Note that the human-readable text from OK (WARNINGS) or NO/BYE responses for PUTSCRIPT/CHECKSCRIPT commands is intended for advanced users that understand Sieve language. Such advanced users are often sophisticated enough to be able to handle whatever language the server is using, even if it is not their preferred language, and will want to see error/warning text no matter what language the server puts it in. A client that generates Sieve script automatically, for example, if the script is generated without user intervention or from a UI that presents an abstract list of conditions and corresponding actions, SHOULD NOT present warning/error messages to the user, because the user might not even be aware that the client is using Sieve underneath. However, if the client has a debugging mode, such warnings/errors SHOULD be available in the debugging mode. Note that this document doesn't provide a way to modify the currently used language. It is expected that a future extension will address that. 8. Acknowledgements Thanks to Simon Josefsson, Larry Greenfield, Allen Johnson, Chris Newman, Lyndon Nerenberg, Tim Showalter, Sarah Robeson, Walter Wong, Barry Leiba, Arnt Gulbrandsen, Stephan Bosch, Ken Murchison, Phil Pennock, Ned Freed, Jeffrey Hutzelman, Mark E. Mallett, Dilyan Palauzov, Dave Cridland, Aaron Stone, Robert Burrell Donkin, Patrick Ben Koetter, Bjoern Hoehrmann, Martin Duerst, Pasi Eronen, Magnus Westerlund, Tim Polk, and Julien Coloos for help with this document. Special thank you to Phil Pennock for providing text for the NOOP command, as well as finding various bugs in the document. Melnikov & Martin Standards Track [Page 46] RFC 5804 ManageSieve July 2010 9. References 9.1. Normative References [ABNF] Crocker, D. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, January 2008. [ACAP] Newman, C. and J. Myers, "ACAP -- Application Configuration Access Protocol", RFC 2244, November 1997. [BASE64] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", RFC 4648, October 2006. [DNS-SRV] Gulbrandsen, A., Vixie, P., and L. Esibov, "A DNS RR for specifying the location of services (DNS SRV)", RFC 2782, February 2000. [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [NET-UNICODE] Klensin, J. and M. Padlipsky, "Unicode Format for Network Interchange", RFC 5198, March 2008. [NOTIFY] Melnikov, A., Leiba, B., Segmuller, W., and T. Martin, "Sieve Email Filtering: Extension for Notifications", RFC 5435, January 2009. [RFC2277] Alvestrand, H., "IETF Policy on Character Sets and Languages", BCP 18, RFC 2277, January 1998. [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, December 1998. [RFC3490] Faltstrom, P., Hoffman, P., and A. Costello, "Internationalizing Domain Names in Applications (IDNA)", RFC 3490, March 2003. [RFC4519] Sciberras, A., "Lightweight Directory Access Protocol (LDAP): Schema for User Applications", RFC 4519, June 2006. [RFC5646] Phillips, A. and M. Davis, "Tags for Identifying Languages", BCP 47, RFC 5646, September 2009. [RFC791] Postel, J., "Internet Protocol", STD 5, RFC 791, September 1981. Melnikov & Martin Standards Track [Page 47] RFC 5804 ManageSieve July 2010 [SASL] Melnikov, A. and K. Zeilenga, "Simple Authentication and Security Layer (SASL)", RFC 4422, June 2006. [SASLprep] Zeilenga, K., "SASLprep: Stringprep Profile for User Names and Passwords", RFC 4013, February 2005. [SCRAM] Menon-Sen, A., Melnikov, A., Newman, C., and N. Williams, "Salted Challenge Response Authentication Mechanism (SCRAM) SASL and GSS-API Mechanisms", RFC 5802, July 2010. [SIEVE] Guenther, P. and T. Showalter, "Sieve: An Email Filtering Language", RFC 5228, January 2008. [StringPrep] Hoffman, P. and M. Blanchet, "Preparation of Internationalized Strings ("stringprep")", RFC 3454, December 2002. [TLS] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008. [URI-GEN] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, January 2005. [UTF-8] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, November 2003. [X509] Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Housley, R., and W. Polk, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, May 2008. [X509-SRV] Santesson, S., "Internet X.509 Public Key Infrastructure Subject Alternative Name for Expression of Service Name", RFC 4985, August 2007. 9.2. Informative References [DIGEST-MD5] Leach, P. and C. Newman, "Using Digest Authentication as a SASL Mechanism", RFC 2831, May 2000. [GSSAPI] Melnikov, A., "The Kerberos V5 ("GSSAPI") Simple Authentication and Security Layer (SASL) Mechanism", RFC 4752, November 2006. Melnikov & Martin Standards Track [Page 48] RFC 5804 ManageSieve July 2010 [I-HAVE] Freed, N., "Sieve Email Filtering: Ihave Extension", RFC 5463, March 2009. [IMAP] Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION 4rev1", RFC 3501, March 2003. [LDAP] Zeilenga, K., "Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map", RFC 4510, June 2006. [PLAIN] Zeilenga, K., "The PLAIN Simple Authentication and Security Layer (SASL) Mechanism", RFC 4616, August 2006. Authors' Addresses Alexey Melnikov (editor) Isode Limited 5 Castle Business Village 36 Station Road Hampton, Middlesex TW12 2BX UK EMail: Alexey.Melnikov@isode.com Tim Martin BeThereBeSquare, Inc. 672 Haight st. San Francisco, CA 94117 USA Phone: +1 510 260-4175 EMail: timmartin@alumni.cmu.edu Melnikov & Martin Standards Track [Page 49]