Network Working Group C. Newman
Internet-Draft Sun Microsystems
Updates: 3461,3464,3798 A. Melnikov, Ed.
(if approved) Isode Ltd
Intended status: Experimental November 16, 2007
Expires: May 19, 2008
International Delivery and Disposition Notifications
draft-ietf-eai-dsn-05.txt
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on May 19, 2008.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Abstract
Delivery status notifications (DSNs) are critical to the correct
operation of an email system. However, the existing draft standard
is presently limited to US-ASCII text in the machine readable
portions of the protocol. This specification adds a new address type
for international email addresses so an original recipient address
with non-US-ASCII characters can be correctly preserved even after
Newman & Melnikov Expires May 19, 2008 [Page 1]
Internet-Draft International Message Notifications November 2007
downgrading. This also provides updated content return media types
for delivery status notifications and message disposition
notifications to support use of the new address type.
This document experimentally extends RFC 3461, RFC 3464 and RFC 3798.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions Used in this Document . . . . . . . . . . . . . . 3
3. UTF-8 Address Type . . . . . . . . . . . . . . . . . . . . . . 3
4. UTF-8 Delivery Status Notifications . . . . . . . . . . . . . 6
4.1. Additional requirements on SMTP servers . . . . . . . . . 8
5. UTF-8 Message Disposition Notifications . . . . . . . . . . . 8
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 10
6.1. UTF-8 Mail Address Type Registration . . . . . . . . . . . 10
6.2. Update to 'smtp' Diagnostic Type Registration . . . . . . 11
6.3. message/global-headers . . . . . . . . . . . . . . . . . . 11
6.4. message/global-delivery-status . . . . . . . . . . . . . . 12
6.5. message/global-disposition-notification . . . . . . . . . 13
7. Security Considerations . . . . . . . . . . . . . . . . . . . 14
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15
8.1. Normative References . . . . . . . . . . . . . . . . . . . 15
8.2. Informative References . . . . . . . . . . . . . . . . . . 16
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 17
Appendix B. Changes from -04 . . . . . . . . . . . . . . . . . . 17
Appendix C. Changes from -03 . . . . . . . . . . . . . . . . . . 17
Appendix D. Changes from -02 . . . . . . . . . . . . . . . . . . 17
Appendix E. Changes from -01 . . . . . . . . . . . . . . . . . . 17
Appendix F. Changes from -00 . . . . . . . . . . . . . . . . . . 18
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 18
Intellectual Property and Copyright Statements . . . . . . . . . . 19
Newman & Melnikov Expires May 19, 2008 [Page 2]
Internet-Draft International Message Notifications November 2007
1. Introduction
When an email message is transmitted using the UTF8SMTP
[I-D.ietf-eai-smtpext] extension and Internationalized Email Headers
[I-D.ietf-eai-utf8headers], it is sometimes necessary to return that
message or generate a Message Disposition Notification [RFC3798]
(MDN). As a message sent to multiple recipients can generate a
status and disposition notification for each recipient, it is helpful
if a client can correlate these returns based on the recipient
address it provided, thus preservation of the original recipient is
important. This specification describes how to preserve the original
recipient and updates the MDN and DSN formats to support the new
address types.
2. Conventions Used in this Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
The formal syntax use the Augmented Backus-Naur Form (ABNF) [RFC4234]
notation including the core rules defined in Appendix B of RFC 4234
and the UTF-8 syntax rules in section 4 of [RFC3629].
3. UTF-8 Address Type
An Extensible Message Format for Delivery Status Notifications
[RFC3464] defines the concept of an address type. The address format
introduced in Internationalized Email Headers
[I-D.ietf-eai-utf8headers] is a new address type. The syntax for the
new address type in the context of status notifications follows:
An SMTP [RFC2821] server which advertises both the UTF8SMTP extension
[I-D.ietf-eai-smtpext] and the DSN extension [RFC3461] MUST accept a
UTF-8 address type in the ORCPT parameter including 8-bit UTF-8
characters. This address type also includes a 7-bit encoding
suitable for use in a message/delivery-status body part or an ORCPT
parameter sent to an SMTP server which does not advertise UTF8SMTP.
This address type has 3 forms: utf-8-addr-xtext, utf-8-addr-unitext
and utf-8-address. The first 2 forms are 7-bit safe.
The utf-8-address form is only suitable for use in newly defined
protocols capable of native representation of 8-bit characters. I.e.
the utf-8-address form MUST NOT be used in the ORCPT parameter when
the SMTP server doesn't advertise support for UTF8SMTP or the SMTP
Newman & Melnikov Expires May 19, 2008 [Page 3]
Internet-Draft International Message Notifications November 2007
server supports UTF8SMTP, but the address contains US-ASCII
characters not permitted in the ORCPT parameter (e.g. the ORCPT
parameter forbids unencoded SP and the = character); or in a 7-bit
transport environment including a message/delivery-status Original-
Recipient or Final-Recipient field. In the former case the utf-8-
addr-xtext form (see below) MUST be used instead, in the latter case
the utf-8-addr-unitext form MUST be used. The utf-8-address form MAY
be used in the ORCPT parameter when the SMTP server also advertises
support for UTF8SMTP and the address doesn't contain any US-ASCII
characters not permitted in the ORCPT parameter. It SHOULD be used
in a message/global-delivery-status Original-Recipient or Final-
Recipient DSN field; or in an Original-Recipient header field
[RFC3798] if the message is a UTF8SMTP message.
In addition, the utf-8-addr-unitext form can be used anywhere where
the utf-8-address form is allowed.
When using in the ORCPT parameter, the UTF-8 address type requires
that US-ASCII CTLs, SP, \, + and = be encoded using xtext encoding as
described in [RFC3461]. This is described by the utf-8-addr-xtext
form in the ABNF below. Unicode characters MAY be included in a
UTF-8 address type using a "\x{HEXPOINT}" syntax
(EmbeddedUnicodeChar), where HEXPOINT is 2 to 6 hexadecimal digits.
When sending data to a UTF8SMTP capable server, native UTF-8
characters SHOULD be used instead of the EmbeddedUnicodeChar syntax
described in details below. When sending data to an SMTP server
which does not advertise UTF8SMTP, then the EmbeddedUnicodeChar
syntax MUST be used instead of UTF-8.
When the ORCPT parameter is placed in a message/
global-delivery-status Original-Recipient field, the utf-8-addr-xtext
form of the UTF-8 address type SHOULD be converted to the 'utf-8-
address' form (see the ABNF below) by removing all xtext encoding
first (which will result in the 'utf-8-addr-unitext' form), followed
by removal of the 'unitext' encoding. However, if an address is
labeled with the UTF-8 address type but does not conform to utf-8
syntax, then it MUST be copied into the message/
global-delivery-status field without alteration.
The ability to encode characters with the EmbeddedUnicodeChar
encodings should be viewed as a transitional mechanism. It is hoped
that as systems lacking support for UTF8SMTP become less common over
time, these encodings can eventually be phased out.
Newman & Melnikov Expires May 19, 2008 [Page 4]
Internet-Draft International Message Notifications November 2007
utf-8-type-addr = "utf-8;" utf-8-enc-addr
utf-8-address = uMailbox [ 1*WSP "<" Mailbox ">" ]
; 'uMailbox' is defined in [I-D.ietf-eai-smtpext].
; 'Mailbox' is defined in [RFC2821].
utf-8-enc-addr = utf-8-addr-xtext /
utf-8-addr-unitext /
utf-8-address
utf-8-addr-xtext = xtext
; xtext is defined in [RFC3461].
; When xtext encoding is removed,
; the syntax MUST conform to
; 'utf-8-addr-unitext'.
utf-8-addr-unitext = 1*(QUCHAR / EmbeddedUnicodeChar)
; MUST follow 'utf-8-address' ABNF when
; dequoted
QUCHAR = %x21-2a / %x2c-3c / %x3e-5b / %x5d-7e /
UTF8-2 / UTF8-3 / UTF8-4
; US-ASCII printable characters except
; CTLs, SP, '\', '+' and '=', plus
; other Unicode characters in UTF-8
EmbeddedUnicodeChar = %x5C.78 "{" HEXPOINT "}"
; starts with "\x"
HEXPOINT = "5C" / (HEXDIG8 HEXDIG) / ; 2 digit forms
( NZHEXDIG 2(HEXDIG) ) / ; 3 digit forms
( NZDHEXDIG 3(HEXDIG) ) /
( "D" %x30-37 2(HEXDIG) ) /
; 4 digit forms excluding surrogate
( NZHEXDIG 4(HEXDIG) ) / ; 5 digit forms
( "10" 4*HEXDIG ) ; 6 digit forms
; represents either "\" or a Unicode code point outside the
; US-ASCII repertoire
HEXDIG8 = %x38-39 / "A" / "B" / "C" / "D" / "E" / "F"
; HEXDIG excluding 0-7
NZHEXDIG = %x31-39 / "A" / "B" / "C" / "D" / "E" / "F"
; HEXDIG excluding "0"
NZDHEXDIG = %x31-39 / "A" / "B" / "C" / "E" / "F"
; HEXDIG excluding "0" and "D"
Newman & Melnikov Expires May 19, 2008 [Page 5]
Internet-Draft International Message Notifications November 2007
4. UTF-8 Delivery Status Notifications
A traditional delivery status notification [RFC3464] comes in a
three-part multipart/report [RFC3462] container, where the first part
is human readable text describing the error, the second part is a
7-bit-only message/delivery-status and the optional third part is
used for content (message/rfc822) or header (text/rfc822-headers)
return. As the present DSN format does not permit returning of
undeliverable UTF8SMTP messages, three new media types are needed.
The first type, message/global-delivery-status has the syntax of
message/delivery-status with three modifications. First, the charset
for message/global-delivery-status is UTF-8 and thus any field MAY
contain UTF-8 characters when appropriate (see the ABNF below). In
particular, the Diagnostic-Code field MAY contain UTF-8 as described
in UTF8SMTP [I-D.ietf-eai-smtpext]; the Diagnostic-Code field SHOULD
be in i-default language [DEFAULTLANG]. Second, systems generating a
message/global-delivery-status body part SHOULD use the utf-8-address
form of the UTF-8 address type for all addresses containing
characters outside the US-ASCII repertoire. These systems SHOULD up-
convert the utf-8-addr-xtext or the utf-8-addr-unitext form of a
UTF-8 address type in the ORCPT parameter to the utf-8-address form
of a UTF-8 address type in the Original-Recipient field. Third, a
new optional field called Localized-Diagnostic is added. Each
instance includes a language tag [LANGTAGS] and contains text in the
specified language. This is equivalent to the text part of the
Diagnostic-Code field. All instances of Localized-Diagnostic MUST
use different language tags. The ABNF for message/
global-delivery-status is specified below:
Newman & Melnikov Expires May 19, 2008 [Page 6]
Internet-Draft International Message Notifications November 2007
utf-8-delivery-status-content = per-message-fields
1*( CRLF utf-8-per-recipient-fields )
; "per-message-fields" remains unchanged from the definition
; in RFC 3464, except for the "extension-field"
; which is updated below.
utf-8-per-recipient-fields =
[ original-recipient-field CRLF ]
final-recipient-field CRLF
action-field CRLF
status-field CRLF
[ remote-mta-field CRLF ]
[ diagnostic-code-field CRLF
*(localized-diagnostic-text-field CRLF) ]
[ last-attempt-date-field CRLF ]
[ will-retry-until-field CRLF ]
*( extension-field CRLF )
; All fields except for "original-recipient-field",
; "final-recipient-field", "diagnostic-code-field"
; and "extension-field" remain unchanged from
; the definition in RFC 3464.
generic-address =/ utf-8-enc-addr
; Only allowed with the "utf-8" address-type.
;
; This indirectly updates "original-recipient-field"
; and "final-recipient-field"
diagnostic-code-field =
"Diagnostic-Code" ":" diagnostic-type ";" *text
localized-diagnostic-text-field =
"Localized-Diagnostic" ":" Language-Tag ";" *utf8-text
; "Language-Tag" is a language tag as defined in [LANGTAGS].
extension-field =/ extension-field-name ":" *utf8-text
text-fixed = %d1-9 / ; Any Unicode character except for NUL,
%d11 / ; CR and LF, encoded in UTF-8
%d12 /
%d14-127
; Same as <text> from RFC 2822, but without <obs-text>.
; If/when RFC 2822 to disallow <obs-text>, this should become
; just <text>
utf8-text = text-fixed / UTF8-non-ascii
UTF8-non-ascii = UTF2 / UTF3 / UTF4
Newman & Melnikov Expires May 19, 2008 [Page 7]
Internet-Draft International Message Notifications November 2007
The second type, used for returning the content, is message/global
which is similar to message/rfc822, except it contains a message with
UTF-8 headers. This media type is described in
[I-D.ietf-eai-utf8headers].
The third type, used for returning the headers, is message/
global-headers and contains only the UTF-8 header fields of a message
(all lines prior to the first blank line in a UTF8SMTP message).
Unlike message/global, this body part provides no difficulties for
present infrastructure.
Note, that as far as multipart/report [RFC3462] container is
concerned, message/global-delivery-status, message/global and
message/global-headers MUST be treated as equivalent to message/
delivery-status, message/rfc822 and text/rfc822-headers. I.e.
implementations processing multipart/report MUST expect any
combinations of the 6 MIME types mentioned above inside a multipart/
report MIME type.
All three new types will typically use the "8bit" Content-Transfer-
Encoding. (In the event all content is 7-bit, the equivalent
traditional types for delivery status notifications MAY be used. For
example, if information in message/global-delivery-status part can be
represented without any loss of information as message/
delivery-status, then the message/delivery-status body part may be
used.) Note that [I-D.ietf-eai-utf8headers] relaxed restriction from
MIME [RFC2046] regarding use of Content-Transfer-Encoding in new
"message" subtypes. This specification explicitly allows use of
Content-Transfer-Encoding in message/global-headers and message/
global-delivery-status. This is not believed to be problematic as
these new MIME types are intended primarily for use by newer systems
with full support for 8-bit MIME and UTF-8 headers.
4.1. Additional requirements on SMTP servers
If an SMTP server which advertises both UTF8SMTP and DSN needs to
return an undeliverable UTF8SMTP message, then it MUST NOT downgrade
[I-D.ietf-eai-downgrade] the UTF8SMTP message when generating the
corresponding multipart/report. If the return path SMTP server does
not support UTF8SMTP, then the undeliverable body part and headers
MUST be encoded using a 7 bit Content-Transfer-Encoding such as
base64 or quoted-printable [RFC2045], as detailed in Section 4.
Otherwise 8bit Content-Transfer-Encoding can be used.
5. UTF-8 Message Disposition Notifications
Message Disposition Notifications [RFC3798] have a similar design and
Newman & Melnikov Expires May 19, 2008 [Page 8]
Internet-Draft International Message Notifications November 2007
structure to DSNs. As a result, they use the same basic return
format. When generating a MDN for a UTF-8 header message, the third
part of the multipart/report contains the returned content (message/
global) or header (message/global-headers), same as for DSNs. The
second part of the multipart/report uses a new media type, message/
global-disposition-notification, which has the syntax of message/
disposition-notification with two modifications. First, the charset
for message/global-disposition-notification is UTF-8 and thus any
field MAY contain UTF-8 characters when appropriate (see the ABNF
below). (In particular, the failure-field, the error-field and the
warning-field MAY contain UTF-8. These fields SHOULD be in i-default
language [DEFAULTLANG].) Second, systems generating a message/
global-disposition-notification body part (typically a mail user
agent) SHOULD use the UTF-8 address type for all addresses containing
characters outside the US-ASCII repertoire.
The MDN specification also defines the Original-Recipient header
field which is added with a copy of the contents of ORCPT at delivery
time. When generating an Original-Recipient header field, a delivery
agent writing a UTF-8 header message in native format SHOULD convert
the utf-8-addr-xtext or the utf-8-addr-unitext form of a UTF-8
address type in the ORCPT parameter to the corresponding utf-8-
address form.
The MDN specification also defines the Disposition-Notification-To
header which is an address header and thus follows the same 8-bit
rules as other address headers such as "From" and "To" when used in a
UTF-8 header message.
; ABNF for "original-recipient-header", "original-recipient-field"
; and "final-recipient-field" from RFC 3798 is implicitly updated
; as they use the updated "generic-address" as defined in
; section 4 of this document.
failure-field = "Failure" ":" *utf8-text
; "utf8-text" is defined in section 4 of this document.
error-field = "Error" ":" *utf8-text
; "utf8-text" is defined in section 4 of this document.
warning-field = "Warning" ":" *utf8-text
; "utf8-text" is defined in section 4 of this document.
Newman & Melnikov Expires May 19, 2008 [Page 9]
Internet-Draft International Message Notifications November 2007
6. IANA Considerations
This specification does not create any new IANA registries. However
the following items are registered as a result of this document:
6.1. UTF-8 Mail Address Type Registration
The mail address type registry was created by RFC 3464. The
registration template response follows:
(a) The proposed address-type name.
UTF-8
(b) The syntax for mailbox addresses of this type, specified using
BNF, regular expressions, ASN.1, or other non-ambiguous language.
See Section 3.
(c) If addresses of this type are not composed entirely of graphic
characters from the US-ASCII repertoire, a specification for how they
are to be encoded as graphic US-ASCII characters in a DSN Original-
Recipient or Final-Recipient DSN field.
This address type has 3 forms (as defined in Section 3): utf-8-addr-
xtext, utf-8-addr-unitext and utf-8-address. The first 2 forms are
7-bit safe.
The utf-8-address form MUST NOT be used
1. in the ORCPT parameter when the SMTP server doesn't advertise
support for UTF8SMTP
2. or the SMTP server supports UTF8SMTP, but the address contains
US-ASCII characters not permitted in the ORCPT parameter (e.g.
the ORCPT parameter forbids SP and the = characters);
3. or in a 7-bit transport environment including a message/
delivery-status Original-Recipient or Final-Recipient field.
The utf-8-addr-xtext form MUST be used instead in the first case, the
utf-8-addr-unitext form MUST be used in the other two cases. The
utf-8-address form MAY be used in the ORCPT parameter when the SMTP
server also advertises support for UTF8SMTP and the address doesn't
contain any US-ASCII characters not permitted in the ORCPT parameter;
in a message/global-delivery-status Original-Recipient or Final-
Recipient DSN field; or in an Original-Recipient header field
[RFC3798] if the message is a UTF8SMTP message.
Newman & Melnikov Expires May 19, 2008 [Page 10]
Internet-Draft International Message Notifications November 2007
In addition, the utf-8-addr-unitext form can be used anywhere where
the utf-8-address form is allowed.
6.2. Update to 'smtp' Diagnostic Type Registration
The mail diagnostic type registry was created by RFC 3464. The
registration for the 'smtp' diagnostic type should be updated to
reference RFC XXXX in addition to RFC 3464.
When the 'smtp' diagnostic type is used in the context of a message/
delivery-status body part, it remains as presently defined. When the
'smtp' diagnostic type is used in the context of a message/
global-delivery-status body part, the codes remain the same, but the
text portion MAY contain UTF-8 characters.
6.3. message/global-headers
Type name: message
Subtype name: global-headers
Required parameters: none
Optional parameters: none
Encoding considerations: This media type contains Internationalized
Email Headers [I-D.ietf-eai-utf8headers] with no message body.
Whenever possible, the 8-bit content transfer encoding SHOULD be
used. When this media type passes through a 7-bit-only SMTP
infrastructure it MAY be encoded with the base64 or quoted-
printable content transfer encoding.
Security considerations: See Section 7
Interoperability considerations: It is important this media type is
not converted to a charset other than UTF-8. As a result,
implementations MUST NOT include a charset parameter with this
media type. Although it might be possible to downconvert this
media type to the text/rfc822-header media type, such conversion
is discouraged as it loses information.
Published specification: RFC XXXX
Applications that use this media type: UTF8SMTP servers and email
clients that support multipart/report generation or parsing.
Newman & Melnikov Expires May 19, 2008 [Page 11]
Internet-Draft International Message Notifications November 2007
Additional information:
Magic number(s): none
File extension(s): In the event this is saved to a file, the
extension ".u8hdr" is suggested.
Macintosh file type code(s): The 'TEXT' type code is suggested as
files of this type are typically used for diagnostic purposes and
suitable for analysis in a UTF-8 aware text editor. A uniform
type identifier (UTI) of "public.utf8-email-message-header" is
suggested. This type conforms to "public.utf8-plain-text" and
"public.plain-text".
Person & email address to contact for further information: See the
Author's address section of this document.
Intended usage: COMMON
Restrictions on usage: This media type contains textual data in the
UTF-8 charset. It typically contains octets with the 8th bit set.
As a result a transfer encoding is required when a 7-bit transport
is used.
Author: See Author's Address section of this document.
Change controller: IETF Standards Process
6.4. message/global-delivery-status
Type name: message
Subtype name: global-delivery-status
Required parameters: none
Optional parameters: none
Encoding considerations: This media type contains delivery status
notification attributes in the UTF-8 charset. The 8-bit content
transfer encoding MUST be used with this content-type, unless it
is sent over a 7-bit transport environment in which case quoted-
printable or base64 may be necessary.
Security considerations: See Section 7
Newman & Melnikov Expires May 19, 2008 [Page 12]
Internet-Draft International Message Notifications November 2007
Interoperability considerations: This media type provides
functionality similar to the message/delivery-status content type
for email message return information. Clients of the previous
format will need to be upgraded to interpret the new format,
however the new media type makes it simple to identify the
difference.
Published specification: RFC XXXX
Applications that use this media type: SMTP servers and email
clients that support delivery status notification generation or
parsing.
Additional information:
Magic number(s): none
File extension(s): The extension ".u8dsn" is suggested.
Macintosh file type code(s): A uniform type identifier (UTI) of
"public.utf8-email-message-delivery-status" is suggested. This
type conforms to "public.utf8-plain-text".
Person & email address to contact for further information: See the
Author's address section of this document.
Intended usage: COMMON
Restrictions on usage: This is expected to be the second part of a
multipart/report.
Author: See Author's Address section of this document.
Change controller: IETF Standards Process
6.5. message/global-disposition-notification
Type name: message
Subtype name: global-disposition-notification
Required parameters: none
Optional parameters: none
Newman & Melnikov Expires May 19, 2008 [Page 13]
Internet-Draft International Message Notifications November 2007
Encoding considerations: This media type contains disposition
notification attributes in the UTF-8 charset. The 8-bit content
transfer encoding MUST be used with this content-type, unless it
is sent over a 7-bit transport environment in which case quoted-
printable or base64 may be necessary.
Security considerations: See Section 7
Interoperability considerations: This media type provides
functionality similar to the message/disposition-notification
content type for email message disposition information. Clients
of the previous format will need to be upgraded to interpret the
new format, however the new media type makes it simple to identify
the difference.
Published specification: RFC XXXX
Applications that use this media type: Email clients or servers that
support message disposition notification generation or parsing.
Additional information:
Magic number(s): none
File extension(s): The extension ".u8mdn" is suggested.
Macintosh file type code(s): A uniform type identifier (UTI) of
"public.utf8-email-message-disposition-notification" is suggested.
This type conforms to "public.utf8-plain-text".
Person & email address to contact for further information: See the
Author's address section of this document.
Intended usage: COMMON
Restrictions on usage: This is expected to be the second part of a
multipart/report.
Author: See Author's Address section of this document.
Change controller: IETF Standards Process
7. Security Considerations
Automated use of report types without authentication presents several
security issues. Forging negative reports presents the opportunity
for denial-of-service attacks when the reports are used for automated
Newman & Melnikov Expires May 19, 2008 [Page 14]
Internet-Draft International Message Notifications November 2007
maintenance of directories or mailing lists. Forging positive
reports may cause the sender to incorrectly believe a message was
delivered when it was not.
Malicious users can generate report structures designed to trigger
coding flaws in report parsers. Report parsers need to use secure
coding techniques to avoid the risk of buffer overflow or denial-of-
service attacks against parser coding mistakes. Code reviews of such
parsers are also recommended.
Malicious users of the email system regularly send messages with
forged envelope return paths and these messages trigger delivery
status reports that result in a large amount of unwanted traffic on
the Internet. Many users choose to ignore delivery status
notifications because they are usually the result of "blowback" from
forged messages and thus never notice when messages they sent go
undelivered. As a result, support for correlation of delivery status
and message disposition notification messages with sent-messages has
become a critical feature of mail clients and possibly mail stores if
the email infrastructure is to remain reliable. In the short term,
simply correlating message-IDs may be sufficient to distinguish true
status notifications from those resulting from forged originator
addresses. But in the longer term, including cryptographic signature
material that can securely associate the status notification with the
original message is advisable.
As this specification permits UTF-8 in additional fields, the
security considerations of UTF-8 [RFC3629] apply.
8. References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2821] Klensin, J., "Simple Mail Transfer Protocol", RFC 2821,
April 2001.
[RFC3461] Moore, K., "Simple Mail Transfer Protocol (SMTP) Service
Extension for Delivery Status Notifications (DSNs)",
RFC 3461, January 2003.
[RFC3462] Vaudreuil, G., "The Multipart/Report Content Type for the
Reporting of Mail System Administrative Messages",
RFC 3462, January 2003.
Newman & Melnikov Expires May 19, 2008 [Page 15]
Internet-Draft International Message Notifications November 2007
[RFC3464] Moore, K. and G. Vaudreuil, "An Extensible Message Format
for Delivery Status Notifications", RFC 3464,
January 2003.
[RFC3629] Yergeau, F., "UTF-8, a transformation format of ISO
10646", STD 63, RFC 3629, November 2003.
[RFC3798] Hansen, T. and G. Vaudreuil, "Message Disposition
Notification", RFC 3798, May 2004.
[RFC4234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", RFC 4234, October 2005.
[]
Yang, A., "Internationalized Email Headers",
draft-ietf-eai-utf8headers-07 (work in progress),
April 2007.
[I-D.ietf-eai-smtpext]
Yao, J. and W. Mao, "SMTP extension for internationalized
email address", draft-ietf-eai-smtpext-09 (work in
progress), November 2007.
[LANGTAGS]
Phillips, A. and M. Davis, "Tags for Identifying
Languages", RFC 4646, September 2006.
[DEFAULTLANG]
Alvestrand, H., "IETF Policy on Character Sets and
Languages", RFC 2277, January 1998.
8.2. Informative References
[RFC2045] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
Extensions (MIME) Part One: Format of Internet Message
Bodies", RFC 2045, November 1996.
[RFC2046] Freed, N. and N. Borenstein, "Multipurpose Internet Mail
Extensions (MIME) Part Two: Media Types", RFC 2046,
November 1996.
[I-D.ietf-eai-downgrade]
Yoneya, Y. and K. Fujiwara, "Downgrading mechanism for
Email Address Internationalization (EAI)",
draft-ietf-eai-downgrade-04 (work in progress), Mar 2007.
Newman & Melnikov Expires May 19, 2008 [Page 16]
Internet-Draft International Message Notifications November 2007
Appendix A. Acknowledgements
Many thanks for input provided by Pete Resnick, James Galvin, Ned
Freed, John Klensin, Harald Alvestrand, Frank Ellermann and members
of the EAI WG to help solidify this proposal.
Appendix B. Changes from -04
Restructured <utf8-text> to be more clear about how it relates to RFC
2822 <text>.
Appendix C. Changes from -03
Addressed editorial comments from Frank Ellermann and
sm+ietf@elandsys.com.
Moved EAI-downgrade to the Informative References.
Updated references.
Deleted the list of open issues.
Fixed IDnits.
Appendix D. Changes from -02
Make the space between UTF-8 and ASCII address mandatory.
Changed all MIME types to be message/global-*.
Clarified that new message/global-* MIME types are semantically
equivalent to the corresponding RFC 3464 MIME types.
Added a requirement not to downgrade non-delivery reports.
Deleted unused RFC 3501 reference and updated other references.
Appendix E. Changes from -01
Cleaned up and tightened ABNF, in particular HEXPOINT.
Extended DSN report syntax to allow for localized version of
diagnostic-code-field.
Newman & Melnikov Expires May 19, 2008 [Page 17]
Internet-Draft International Message Notifications November 2007
Added ABNF for the EAI DSN and EAI MDN.
Appendix F. Changes from -00
Added paragraph about use of 8bit Content-Transfer-Encoding for new
message sub-types.
Updated the list of open issues.
Clarified that this document is targeted to become an Experimental
RFC.
Made the EAI downgrade document a normative reference.
Updated ABNF for utf-8-address.
Authors' Addresses
Chris Newman
Sun Microsystems
3401 Centrelake Dr., Suite 410
Ontario, CA 91761
US
Email: chris.newman@sun.com
Alexey Melnikov (editor)
Isode Ltd
5 Castle Business Village
36 Station Road
Hampton, Middlesex TW12 2BX
UK
Email: Alexey.Melnikov@isode.com
Newman & Melnikov Expires May 19, 2008 [Page 18]
Internet-Draft International Message Notifications November 2007
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Newman & Melnikov Expires May 19, 2008 [Page 19]