--- 1/draft-ietf-extra-sieve-special-use-01.txt 2018-03-05 11:15:01.089582992 -0800 +++ 2/draft-ietf-extra-sieve-special-use-02.txt 2018-03-05 11:15:01.113583556 -0800 @@ -1,18 +1,18 @@ EXTRA S. Bosch Internet-Draft Dovecot Oy -Intended status: Standards Track January 7, 2018 -Expires: July 11, 2018 +Intended status: Standards Track March 5, 2018 +Expires: September 6, 2018 Sieve Email Filtering: Delivering to Special-Use Mailboxes - draft-ietf-extra-sieve-special-use-01 + draft-ietf-extra-sieve-special-use-02 Abstract The SPECIAL-USE capability of the IMAP protocol (RFC 6154) allows clients to identify special-use mailboxes; e.g., where draft or sent messages should be put. This simplifies client configuration. In contrast, the Sieve mail filtering language (RFC 5228) currently has no such capability. This memo defines a Sieve extension that fills this gap: it adds a test for checking whether a special-use attribute is assigned for a particular mailbox or any mailbox, and it adds the @@ -27,21 +27,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on July 11, 2018. + This Internet-Draft will expire on September 6, 2018. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents @@ -54,21 +54,21 @@ Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Conventions Used in This Document . . . . . . . . . . . . . . 3 3. Test "specialuse_exists" . . . . . . . . . . . . . . . . . . 3 4. ":specialuse" Argument to "fileinto" Command . . . . . . . . 4 4.1. Interaction with ":create" Argument to "fileinto" Command 5 5. Sieve Capability Strings . . . . . . . . . . . . . . . . . . 5 6. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 5 7. Security Considerations . . . . . . . . . . . . . . . . . . . 6 - 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 + 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 10.1. Normative References . . . . . . . . . . . . . . . . . . 7 10.2. Informative References . . . . . . . . . . . . . . . . . 8 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8 1. Introduction Commonly, several mailboxes in an IMAP message store [IMAP] have a special use; e.g. it is where the user's draft messages are stored, @@ -91,46 +91,47 @@ testing for the presence of a special-use attribute in the "/private/ specialuse" IMAP METADATA [IMAP-METADATA] entry of a mailbox. Still, not all implementers will be willing to add the complexity of the IMAP METADATA capability, just to provide access to special-use attributes to the Sieve interpreter. This document defines an extension to the Sieve mail filtering language that adds the ability to freely access mailbox special-use attributes. It adds a test called "specialuse_exists" that checks whether a special-use attribute is assigned for a particular mailbox - or - if omitted - any mailbox. It also adds the ability to file - messages into an anonymous mailbox that has a particular special-use - attribute assigned using a ":specialuse" argument for the "fileinto" - command [SIEVE]. + or - if omitted - any of the user's personal mailboxes. It also adds + the ability to file messages into an anonymous personal mailbox that + has a particular special-use attribute assigned using a ":specialuse" + argument for the "fileinto" command [SIEVE]. 2. Conventions Used in This Document The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [KEYWORDS]. Conventions for notations are as in [SIEVE] Section 1.1, including use of the "Usage:" label for the definition of action and tagged arguments syntax. 3. Test "specialuse_exists" Usage: specialuse_exists [] If the "mailbox" string argument is omitted, the "specialuse_exists" test yields true if all of the following statements are true for each of the special-use flags listed in the "special-use-flags" argument: - a. at least one mailbox exists in the mail store that has that - particular special-use flag assigned, and + a. at least one mailbox exists in the user's personal namespace + [NAMESPACE] that has that particular special-use flag assigned, + and b. that mailbox allows the user in whose context the Sieve script runs to "deliver" messages into it. If the "mailbox" argument is specified, the "specialuse_exists" test yields true if all of the following statements are true: a. the indicated mailbox exists, b. that mailbox allows the user in whose context the Sieve script @@ -144,57 +145,63 @@ messages into a mailbox is deemed possible. 4. ":specialuse" Argument to "fileinto" Command Usage: fileinto [:specialuse ] Normally, the "fileinto" command delivers the message in the mailbox specified using its positional mailbox argument. However, if the optional ":specialuse" argument is also specified, the "fileinto" - command first checks whether a mailbox exists with the specified - special-use flag assigned to it. If that is the case, that special- - use mailbox is used for delivery instead. If there is no such - mailbox or if the specified special-use flag is unknown to the - implementation in general, the "fileinto" action proceeds as it would - without the ":specialuse" argument. + command first checks whether a mailbox exists in the user's personal + namespace [NAMESPACE] with the specified special-use flag assigned to + it. If that is the case, that special-use mailbox is used for + delivery instead. If there is no such mailbox or if the specified + special-use flag is unknown to the implementation in general, the + "fileinto" action proceeds as it would without the ":specialuse" + argument. Summarizing, if the ":specialuse" argument is specified, the fileinto command deals with two mailboxes that may or may not exist: - o An anonymous special-use mailbox, which has at least the special- - use flag specified with the ":specialuse" argument assigned to it. + o An anonymous special-use mailbox in the user's personal namespace, + which has at least the special-use flag specified with the + ":specialuse" argument assigned to it. o The default mailbox named by the positional string argument of the "fileinto" command, which is used when the special-use mailbox is not found. The special-use flag specified with the ":specialuse" argument MUST conform to the "use-attr" syntax described in Section 6 of RFC6154 [SIEVE-MAILBOX]. Implementations SHOULD handle an invalid special- use flag in the same way as an invalid mailbox name is handled. The string parameter of the ":specialuse" argument is not a constant string, which means that variable substitutions are allowed when the "variables" extension [VARIABLES] is active. In that case, the syntax of the special-use flag is only verified at runtime. If neither the special-use mailbox nor the default mailbox exists, the "fileinto" action MUST proceed exactly as it does in case the ":specialuse" is argument is absent and the mailbox named by its positional argument does not exist. The various options for handling this situation are described in Section 4.1 of RFC5228 [SIEVE]. - More than one mailbox can have a particular special-use flag - assigned. In that case, the mailbox that is chosen for delivery is - implementation-defined. However, implementations MUST ensure that - this choice is made consistently, so that the same mailbox is used - every time. + More than one mailbox in the user's personal namespace can have a + particular special-use flag assigned. In case of such ambiguity, the + mailbox that is chosen for delivery is implementation-defined. + However, while the set of mailboxes to which the involved special-use + flags are assigned remains unchanged, implementations MUST ensure + that the mailbox choice is made consistently, so that the same + mailbox is used every time. Conversely, the chosen mailbox MAY + change once the special-use flag assignments that are relevant for + the mailbox choice are changed (usually by user interaction). If delivery to the special-use mailbox fails for reasons not relating to its existence, the Sieve interpreter MUST NOT subsequently attempt delivery in the indicated default mailbox as a fall-back. Instead, it MUST proceed exactly as it does in case the ":specialuse" argument is absent and delivery to the mailbox named by its positional argument fails. This prevents the situation where messages are unexpectedly spread over two mailboxes in case transient or intermittent delivery failures occur. @@ -267,20 +274,35 @@ specialuse_exists "${mailbox}" "\\Junk") { redirect "spam-report@example.org"; } 7. Security Considerations Security considerations are discussed in [SIEVE], [VARIABLES], and [SPECIAL-USE]. It is believed that this extension does not introduce any additional security concerns. + Note that this specification explicitly restricts the anonymous + special-use mailbox to the user's personal namespace. First, this + avoids the need to search the entire mail storage for mailboxes that + have a particular special-use flag assigned. This could put undue + load on the system, while shared special-use mailboxes are deemed of + limited use with the currently defined special-use flags. Secondly, + it prevents security concerns with shared mailboxes that have + special-use flags assigned that apply to all users. Searching the + entire mail storage for special-use mailboxes could lead to messages + unexpectedly or even maliciously being filed to shared mailboxes. + + This restriction could be lifted for particular future special-use + flags, but such new flags should have a clear application for shared + mailboxes and the security concerns should be considered carefully. + 8. IANA Considerations The following template specifies the IANA registration of the Sieve extension specified in this document: To: iana@iana.org Subject: Registration of new Sieve extension Capability name: special-use Description: adds a test for checking whether an IMAP @@ -309,20 +331,25 @@ [IMAP-METADATA] Daboo, C., "The IMAP METADATA Extension", RFC 5464, DOI 10.17487/RFC5464, February 2009, . [KEYWORDS] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. + [NAMESPACE] + Gahrns, M. and C. Newman, "IMAP4 Namespace", RFC 2342, + DOI 10.17487/RFC2342, May 1998, . + [SIEVE] Guenther, P. and T. Showalter, "Sieve: An Email Filtering Language", RFC 5228, January 2008. [SIEVE-MAILBOX] Melnikov, A., "The Sieve Mail-Filtering Language -- Extensions for Checking Mailbox Status and Accessing Mailbox Metadata", RFC 5490, March 2009. [SPECIAL-USE] Leiba, B. and J. Nicolson, "IMAP LIST Extension for