One document matched: draft-ietf-marid-submitter-00.txt
MARID Working Group E. Allman
Internet Draft Sendmail, Inc
Document: draft-ietf-marid-submitter-00.txt H. Katz
Microsoft Corp
Expires: November 2004 May 2004
SMTP Service Extension for
Indicating the Responsible Submitter of an E-mail Message
Status of this Memo
This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026 [STD].
Internet-Drafts are working documents of Task Force (IETF), its
areas, and its working groups. Note that other groups may also
distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Copyright Notice
Copyright (C) The Internet Society (2004). All Rights Reserved.
Abstract
This memo defines an extension to the Simple Mail Transfer Protocol
SMTP) service, which allows an SMTP client to specify the responsible
submitter of an e-mail message. The responsible submitter is the e-
mail address of the entity most recently responsible for introducing
a message into the transport stream. This extension helps receiving
e-mail servers efficiently determine whether the SMTP client is
authorized to transmit mail on behalf of the responsible submitter's
domain.
Conventions Used in This Document
In examples, "C:" and "S:" indicate lines sent by the client and
server respectively.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC-2119 [KEYWORDS].
<< Text contained in double angle brackets describes actions that are
yet to be taken and decisions that are yet to be made. No such text
should survive in the final version of this draft. >>
Table of Contents
1. Introduction...................................................2
2. The SUBMITTER Service Extension................................3
3. The SUBMITTER Keyword of the EHLO Command......................4
4. The SUBMITTER Parameter of the MAIL Command....................4
4.1 Setting the SUBMITTER Parameter Value......................4
4.2 Processing the SUBMITTER Parameter.........................5
4.3 Transmitting to a Non-SUBMITTER Aware SMTP Server..........6
5. Examples.......................................................6
5.1 Mail Submission............................................6
5.2 Mail Forwarding............................................7
5.3 Mobile User................................................8
5.4 Guest E-mail Service.......................................8
6. Security Considerations........................................9
7. References.....................................................9
7.1 Normative References.......................................9
7.2 Informative References....................................10
8. Acknowledgments...............................................10
9. Authors' Addresses............................................10
10. Full Copyright Statement.....................................12
1. Introduction
The practice of falsifying the identity of the sender of an e-mail
message, commonly called "spoofing", is a prevalent tactic used by
senders of unsolicited commercial e-mail or "spam". A number of
proposals have been put forward to address the spoofing problem.
Notable among them are [RMX], [SPF], [LMAP] and [CALLERID].
These proposals have many key elements in common. In particular,
they all describe a mechanism by which receiving e-mail servers can
validate whether the client MTA is authorized to transmit e-mail
messages on behalf of the sender's domain.
They differ in their choice of the identity used as a basis for the
validation, that is, in their determination of the "sender" of the
message. In this specification, this identity will be referred to as
the "purported responsible address" of the message, that is, the
Internet address from which the message purports to originate. The
purported responsible domain is the domain portion of that address.
[RMX], [SPF] and [LMAP] use the domain part of the e-mail address
used on the RFC 2821 MAIL FROM command, and in some cases the EHLO
command, as the purported responsible domain. [CALLERID] derives the
purported responsible domain by examining certain RFC 2822 headers
specified in the body of the message.
Each approach has certain advantages and disadvantages.
Deriving the purported responsible domain from RFC 2821 data has the
advantage that validation can be performed before the SMTP client has
transmitted the message body. If spoofing is detected, then the SMTP
server has the opportunity, depending upon local policy, to reject
the message before it is ever transmitted. The disadvantage of this
approach is the risk of false positives, that is, incorrectly
concluding that the sender's e-mail address has been spoofed. There
are today legitimate reasons why the Internet domain names used in
RFC 2821 commands may be different from that of the sender of an e-
mail message.
Deriving the purported responsible domain from RFC 2822 headers has
the advantage of basing the sender validation on an identity that is
usually visible to the end recipient of the message. This aids in
detection of a particularly noxious form of spoofing known as
"phishing" in which a malicious sender attempts to fool a recipient
into believing that a message originates from a firm well known to
the recipient. This approach carries a lower risk of false positives
since there are fewer legitimate reasons for RFC 2822 headers to
differ from the true sender of the message. The disadvantage of this
approach is that it does require parsing and analysis of message
headers. In practice, much if not all the message body is also
transmitted since the SMTP protocol described in RFC 2821 provides no
mechanism to interrupt message transmission after the DATA command
has been issued.
It is desirable to unify these two approaches in a way that combines
the benefits of both while minimizing their respective disadvantages.
This memo describes just such a unified approach. It uses the
mechanism described in [SMTP] to describe an extension to the SMTP
protocol. Using this extension, an SMTP client can specify the e-
mail address of the entity responsible for submitting the message to
the SMTP client in a new SUBMITTER parameter of the SMTP MAIL
command. SMTP servers can use this information to validate that the
SMTP client is authorized to transmit e-mail on behalf of the
Internet domain contained in the SUBMITTER parameter.
2. The SUBMITTER Service Extension
The following SMTP service extension is hereby defined:
(1) The name of this SMTP service extension is "Responsible
Submitter";
(2) The EHLO keyword value associated with this extension is
"SUBMITTER";
(3) The SUBMITTER keyword has no parameters;
(4) No additional SMTP verbs are defined by this extension;
(5) An optional parameter is added to the MAIL command using the
esmtp-keyword "SUBMITTER", and is used to specify the e-mail
address of the entity responsible for submitting the message to
the SMTP client;
(6) This extension is appropriate for the submission protocol
[SUBMIT].
3. The SUBMITTER Keyword of the EHLO Command
An SMTP server includes the SUBMITTER keyword in its EHLO response to
tell the SMTP client that the SUBMITTER service extension is
supported.
The SUBMITTER keyword has no parameters.
4. The SUBMITTER Parameter of the MAIL Command
If the SMTP server supports the SUBMITTER extension, then the SMTP
client MAY include the SUBMITTER parameter in MAIL commands issued
during the SMTP session.
The syntax of the SUBMITTER parameter is:
"SUBMITTER=" Mailbox
where Mailbox is the ABNF [ABNF] production defined in Section 4.1.2
of [SMTP]. Characters such as SP and "=" which may occur in Mailbox
but are not permitted in ESMTP parameter values MUST be encoded as
"xtest" as described in section 4 of [DSN].
4.1 Setting the SUBMITTER Parameter Value
The purpose of the SUBMITTER parameter is to allow the SMTP client to
indicate to the server the purported responsible address of the
message directly in the RFC 2821 protocol.
Therefore, SMTP clients who support the Responsible Submitter
extension SHOULD include the SUMBITTER parameter on all messages
where the purported responsible address, as defined in section 4 of
<<MARID Core Spec>> differs from the MAIL FROM address.
At some future time, it is likely that use of the SUBMITTER parameter
will be made MANDATORY whenever the purported responsible address
differs from the MAIL FROM address.
Furthermore, clients MUST, if necessary, insert such RFC 2822 headers
as defined in section 4 of [MARID-CORE] in order to ensure that the
purported responsible address determined from the RFC 2822 headers
matches the SUBMITTER address. In other words, SUBMIT servers
supporting SUBMITTER MUST scan the RFC 2822 header for a purported
responsible address to be included in subsequent SUBMITTER
parameters, unless the MUA includes the parameter itself.
However, when an MTA receives a message in a transaction that does
not use SUBMITTER, and that MTA does not modify any of the RFC 2822
headers, the MTA MAY send the message onward without using the
SUBMITTER extension, even when the purported responsible address
differs from the MAIL FROM address. In other words, MTAs are not
required to scan the RFC 2822 header in this situation.
A common model will be for the Mail User Agent (MUA) to transmit a
message to the SUBMIT server [SUBMIT] without a SUBMITTER parameter.
The SUBMIT server will then validate that the MUA is allowed to
submit a message using the purported Responsible Submitter address
through some external scheme, perhaps SMTP Authentication [SMTPAUTH].
The SUBMIT server, acting as an SMTP client, will then add a
SUBMITTER parameter for further transmission.
Any MTA supporting the Responsible Submitter extension that redirects
a message from the address listed in the RFC 2821 RCPT TO command
MUST modify the header of the message by:
(a) Determining a new purported responsible address for the
message that can verifiably claim to be under the control of
the forwarding MTA's domain. For example, the new purported
responsible address could be the name of the forwarded
address, the name of the forwarding mailing list, or a fixed
name at that domain.
(b) If necessary, pre-pending a Resent-From or Resent-Sender
header field to the message header containing the new
purported responsible address.
(c) Replacing the SUBMITTER parameter with the new purported
responsible address.
4.2 Processing the SUBMITTER Parameter
Receivers of e-mail messages sent with the SUBMITTER parameter SHOULD
select the domain part of the SUBMITTER address value as the
purported responsible domain of the message, and SHOULD perform such
tests, including those defined in <<MARID Core Spec>>, as are deemed
necessary to determine whether the connecting SMTP client is
authorized to transmit e-mail messages on behalf of that domain.
When, at some future time, use of the SUBMITTER parameter becomes
MANDATORY, SMTP servers MAY use the MAIL FROM address as the
purported responsible domain in the absence of the SUBMITTER
parameter.
If the above tests indicate that the connecting SMTP client is not
authorized to transmit e-mail messages on behalf of the SUBMITTER
domain, the receiving SMTP server MAY reject the message using "550
5.7.1 Submitter not allowed." The receiving SMTP server MAY
alternatively proceed to read the message and apply local policy.
If the receiving SMTP server allows the connecting SMTP client to
transmit message data, then the server SHOULD determine the purported
responsible domain of the message by examining the RFC 2822 message
headers as described in <<MARID Core Spec>>. If this purported
responsible domain does not match the domain part of the address
appearing in the SUBMITTER parameter, the receiving SMTP server MUST
reject the message using "550 5.7.1 Submitter does not match header."
If no address headers meeting these criteria is found, the SMTP
server SHOULD reject the message using "554 5.7.7 Cannot verify
submitter address."
Verifying MTAs are strongly urged to validate the SUBMITTER parameter
against the header; otherwise, an attacker can trivially defeat the
algorithm.
4.3 Transmitting to a Non-SUBMITTER Aware SMTP Server
When an MTA receives a message with a SUBMITTER parameter and must
forward it to another MTA that does not support the SUBMITTER
extension, the forwarding MTA SHOULD transmit the message without the
SUBMITTER parameter. This should involve no information loss, since
the SUBMITTER parameter is required to contain information from the
message header.
5. Examples
This section provides examples of how the SUBMITTER parameter would
be used. The following dramatis personae appear in the examples:
alice@example.com “ the original sender of each e-mail message
bob@woodgrove.example “ the final recipient of each e-mail
bob@alumni.almamater.edu “ an email address used by Bob which he has
configured to forward mail to his office account
bob@woodgrove.example
alice@consolidatedmessenger.net “ an e-mail account provided to Alice
by her mobile e-mail network carrier.
<< Need to rework these examples to each start with the message
headers and then describe what the subsequent SMTP transaction looks
like. >>
5.1 Mail Submission
Under normal circumstances, Alice would configure her MUA to submit
her message to the mail system using the SUBMIT protocol [SUBMIT].
Under most circumstances this would look like a normal, authenticated
SMTP transaction. The SUBMIT server will extract her name from the
header for use in downstream SUBMITTER parameters.
5.2 Mail Forwarding
When Alice sends a message to Bob at his alumni.almamater.edu
account, the SMTP session from her SUBMIT server might look something
like this:
S: 220 alumni.almamater.edu ESMTP server ready
C: EHLO example.com
S: 250-alumni.almamater.edu
S: 250-DSN
S: 250-AUTH
S: 250-SUBMITTER
S: 250 SIZE
C: MAIL FROM:<alice@example.com> SUBMITTER=alice@example.com
S: 250 <alice@example.com> sender ok
C: RCPT TO:<bob@alumni.almamater.edu>
S: 250 <bob@alumni.almamater.edu> recipient ok
C: DATA
S: 354 okay, send message
C: (message body goes here)
C: .
S: 250 message accepted
C: QUIT
S: 221 goodbye
The SUBMITTER parameter is optional in this first example because
alice@example.com is the original sender of the message.
The alumni.almamater.edu MTA must now forward this message to
bob@woodgrove.example. Since the original sender of the message is
alice@example.com, the alumni.almamater.edu MTA adds the SUBMITTER
parameter to indicate the forwarding address that is authorized to
transmit mail via that client.
S: 220 woodgrove.example ESMTP server ready
C: EHLO alumni.almamater.edu
S: 250-woodgrove.example
S: 250-DSN
S: 250-AUTH
S: 250-SUBMITTER
S: 250 SIZE
C: MAIL FROM:<alice@example.com>
SUBMITTER=bob@alumni.almamater.edu
S: 250 <alice@example.com> sender ok
C: RCPT TO:<bob@woodgrove.example>
S: 250 <bob@woodgrove.example> recipient ok
C: DATA
S: 354 okay, send message
C: Resent-From: bob@alumni.almamater.edu
C: Received By: ...
C: (message body goes here)
C: .
S: 250 message accepted
C: QUIT
S: 221 goodbye
Note that alumni.almamater.edu uses the SUBMITTER parameter on the
MAIL command and also inserts a Resent-From header in the message
body to ensure consistency of the purported responsible domain
derived from the RFC 2822 headers with the SUBMITTER domain.
5.3 Mobile User
Alice is at the airport and uses her mobile e-mail devise to send a
message to Bob. The message travels through the carrier network
provided by consolidatedmessenger.net, but Alice uses her example.com
address on the From line of all her messages so that replies go to
her office mailbox.
Here is an example of the SMTP session between the MTAs at
consolidatedmessanger.net and alumni.almamater.edu.
S: 220 alumni.almamater.edu ESMTP server ready
C: EHLO consolidatedmessenger.net
S: 250-alumni.almamater.edu
S: 250-DSN
S: 250-AUTH
S: 250-SUBMITTER
S: 250 SIZE
C: MAIL FROM:<alice@example.com>
SUBMITTER=alice@consolidatedmessenger.net
S: 250 <alice@example.com> sender ok
C: RCPT TO:<bob@alumni.almamater.edu>
S: 250 <bob@alumni.almamater.edu> recipient ok
C: DATA
S: 354 okay, send message
C: Sender: alice@consolidatedmessenger.net
C: Received By: ...
C: (message body goes here)
C: .
S: 250 message accepted
C: QUIT
S: 221 goodbye
Note that consolidatedmessenger.net uses the SUBMITTER parameter to
designate alice@consolidatedmessenger.net as the responsible from
address for this message. Further this client also inserts a Sender
header to ensure consistency of the purported responsible domain
derived from the RFC 2822 headers with the SUBMITTER domain.
5.4 Guest E-mail Service
While on a business trip, Alice uses the broadband access facilities
provided by the Exemplar Hotel to connect to the Internet and send e-
mail. The hotel routes all outbound e-mail through its own SMTP
server, email.exemplarhotel.com.
The SMTP session for Alice's message to Bob from the Exemplar Hotel
would look like this:
S: 220 alumni.almamater.edu ESMTP server ready
C: EHLO email.exemplarhotel.com
S: 250-alumni.almamater.edu
S: 250-DSN
S: 250-AUTH
S: 250-SUBMITTER
S: 250 SIZE
C: MAIL FROM:<alice@example.com>
SUBMITTER=guest.services@email.exemplarhotel.com
S: 250 <alice@example.com> sender ok
C: RCPT TO:<bob@alumni.almamater.edu>
S: 250 <bob@alumni.almamater.edu> recipient ok
C: DATA
S: 354 okay, send message
C: Resent-From: guest.services@email.exemplarhotel.com
C: Received By: ...
C: (message body goes here)
C: .
S: 250 message accepted
C: QUIT
S: 221 goodbye
Note that email.exemplarhotel.com uses the SUBMITTER parameter to
designate a generic account guest.services@email.exemplarhotel.com as
the responsible submitter address for this message. A generic
account is used since Alice herself does not have an account at that
domain. Further this client also inserts a Resent-From header to
ensure consistency of the purported responsible domain derived from
the RFC 2822 headers with the SUBMITTER domain.
6. Security Considerations
<< To be completed. >>
7. References
7.1 Normative References
[ABNF] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", RFC 2234, November 1997.
[DSN] Moore, K., "Simple Mail Transfer Protocol (SMTP)
Service Extension for Delivery Status Notifications
(DSNs)", RFC 3461, January 2003.
[KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[MARID-CORE] Lyon, J., "MTA Authentication Records in DNS",
draft-ietf-marid-core-00, May 2004.
[MSG-FORMAT] Resnick, P., Ed., "Internet Message Format", RFC
2822, April 2001.
[SUBMIT] Gellens, R. and J. Klensin, "Message Submission", RFC
2476, December 1998.
[SMTP] Klensin, J., "Simple Mail Transfer Protocol", RFC
2821, April 2001.
[SMTPAUTH] Meyers, J., "SMTP Service Extension for
Authentication", RFC 2554, March 1999.
7.2 Informative References
[CALLERID] Atkinson, B, Caller ID for E-mail, May 20, 2004,
draft-atkinson-callerid-00.
[LMAP] DeKok, A. (Ed.), Lightweight MTA Authentication
Protocol (LMAP) Discussion and Applicability,
November 3, 2003, draft-irtf-asrg-lmap-discussion-00.
[RMX] Danisch, Hadmut, The RMX DNS RR and method for SMTP
Sender Authorization, draft-danisch-dns-rr-smtp-03.
[SPF] Wong, Meng Weng, Mark Lentczner, Sender Permitted
From, draft-mengwong-spf-01.
8. Acknowledgments
The author would like to thank the following for their comments and
suggestions, which greatly improved this document:
Robert Atkinson, Simon Attwell, Jim Lyon, Bruce McMillan,
Sam Neely, Pete Resnick, Nick Shelness, Meng Wong
9. Authors' Addresses
Eric Allman
Sendmail, Inc.
6425 Christie Ave, Suite 400
Emeryville, CA 94608
USA
E-mail: eric@sendmail.com
Harry Katz
Microsoft Corp.
1 Microsoft Way
Redmond, WA 98052
USA
E-mail: hkatz@microsoft.com
10. Full Copyright Statement
Copyright (C) The Internet Society (2004). This document is subject
to the rights, licenses and restrictions contained in BCP 78 and
except as set forth therein, the authors retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed
to pertain to the implementation or use of the technology described
in this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at ietf-
ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
| PAFTECH AB 2003-2026 | 2026-04-23 09:13:14 |