EAI Working Group | B. Leiba |
Internet-Draft | Huawei Technologies |
Updates: 5322 (if approved) | November 06, 2012 |
Intended status: Standards Track | |
Expires: May 10, 2013 |
Update to Internet Message Format to Allow Group Syntax in the "From:" and "Sender:" Header Fields
draft-leiba-5322upd-from-group-07
The Internet Message Format (RFC 5322) allows "group" syntax in some email header fields, such as "To:" and "CC:", but not in "From:" nor "Sender:". This document updates RFC 5322 to relax that restriction, allowing group syntax in those latter fields, as well as in "Resent-From:" and "Resent-Sender:", in certain situations.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http:/⁠/⁠datatracker.ietf.org/⁠drafts/⁠current/⁠.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 10, 2013.
Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http:/⁠/⁠trustee.ietf.org/⁠license-⁠info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
The Internet Message Format [RFC5322] allows "group" syntax in some email header fields, such as "To:" and "CC:", but not in "From:" nor "Sender:". As use cases for group syntax evolve, particularly with respect to email address internationalization issues, it is becoming clear that there is little value in forbidding that usage completely, and significant value in allowing it in certain situations:
The requirement to represent these identities as replyable mailboxes has thus become unnecessarily restrictive, and this document updates RFC 5322 to relax that restriction, allowing group syntax in "From:", "Sender:", "Resent-From:", and "Resent-Sender:" for limited use (see Section 3).
The notational conventions here are the same as those in RFC 5322, and the following two subsections are copied directly from that document.
This document occasionally uses terms that appear in capital letters. When the terms "MUST", "SHOULD", "RECOMMENDED", "MUST NOT", "SHOULD NOT", and "MAY" appear capitalized, they are being used to indicate particular requirements of this specification. A discussion of the meanings of these terms appears in [RFC2119].
This specification uses the Augmented Backus-Naur Form (ABNF) [RFC5234] notation for the formal definitions of the syntax of messages. Characters will be specified either by a decimal value (e.g., the value %d65 for uppercase A and %d97 for lowercase A) or by a case-insensitive literal value enclosed in quotation marks (e.g., "A" for either uppercase or lowercase A).
Section 3.6.2 of RFC 5322 defines the "From:" header field as containing a <mailbox-list> syntax element. This changes that definition to use the <address-list> syntax element, as is used in other fields, such as "To:", "CC:", and "Reply-To:". This also changes the definition of the "Sender:" header field from the <mailbox> syntax element to the <address> syntax element. While the <address> element includes the <mailbox> element already, we have chosen to specify both in the updated syntax as a way of highlighting the limited use intended for the change (see Section 3).
Section 2.1 below is a full replacement for Section 3.6.2 of RFC 5322, containing the new syntax as well as a new description of the semantics for the "From:" and "Sender:" fields. Section 2.2 below is a replacement of only the ABNF syntax for the "Resent-From:" and "Resent-Sender:" fields in section 3.6.6 of RFC 5322; the rest of the syntax as well as the descriptive text of section 3.6.6 of RFC 5322 remains unchanged.
In version -00, this section is unchanged from RFC 5322, to make it easier to use DIFF to see the actual changes that this version contains. Compare this version with version -00.
The originator fields of a message consist of the from field, the sender field (when applicable), and optionally the reply-to field. The from field consists of the field name "From" and a comma-separated list of one or more addresses (either mailbox or group syntax). If the from field contains more than one mailbox specification (including all mailboxes included in any groups), then the sender field, containing the field name "Sender" and a single address, MUST appear in the message. The from field and the sender field SHOULD NOT use group syntax; rather, the from field SHOULD use only the mailbox-list syntax and the sender field SHOULD use only mailbox syntax (see Section 3). If the sender field uses group syntax, the group MUST NOT contain more than one mailbox. In either case, an optional reply-to field MAY also be included, which contains the field name "Reply-To" and a comma-separated list of one or more addresses.
from = "From:" (mailbox-list / address-list) CRLF
sender = "Sender:" (mailbox / address) CRLF
reply-to = "Reply-To:" address-list CRLF
The originator fields indicate the mailbox(es) of the source of the message. The "From:" field specifies the author(s) of the message, that is, the mailbox(es) of the person(s) or system(s) responsible for the writing of the message. The "Sender:" field specifies the mailbox of the agent responsible for the actual transmission of the message. For example, if a secretary were to send a message for another person, the mailbox of the secretary would appear in the "Sender:" field and the mailbox of the actual author would appear in the "From:" field. If the originator of the message can be indicated by a single mailbox and the author and transmitter are identical, the "Sender:" field SHOULD NOT be used. Otherwise, both fields SHOULD appear.
The originator fields also provide the information required when replying to a message. When the "Reply-To:" field is present, it indicates the address(es) to which the author of the message suggests that replies be sent. In the absence of the "Reply-To:" field, replies SHOULD by default be sent to the mailbox(es) specified in the "From:" field unless otherwise specified by the person composing the reply.
In all cases, the "From:" field SHOULD NOT contain any mailbox that does not belong to the author(s) of the message. See also [RFC5322] Section 3.6.3 for more information on forming the destination addresses for a reply.
This updates RFC 5322, Section 3.6.6, to allow groups (via the address-list ABNF production) in the "Resent-From:" and "Resent-Sender:" fields, to parallel the change to "From:" and "Sender:" above. The ABNF for those fields is changed as follows:
resent-from = "Resent-From:" (mailbox-list / address-list) CRLF
resent-sender = "Resent-Sender:" (mailbox / address) CRLF
Mailbox syntax is the normal use in the "From:" and "Sender:" header fields; the address syntax defined in Section 2.1, which allows the specification of a group, is only for Limited Use (see [RFC2026], Section 3.3, item (d)) for the reasons described below.
Very many Internet email procedures and software assume that the addresses in "From:" and "Sender:" fields can be replied to and are suitable for use in mail organizing and filtering. The use of groups instead of mailboxes can disrupt those uses. Consequently, while this specification legitimizes the use of groups, it does so only to enable circumstances when that use is necessary, and it is important that its use be limited to those circumstances and that it be used with caution. In particular, user agents SHOULD NOT permit the use of groups in those fields in outgoing messages.
See the Internet Message Format specification [RFC5322] for general discussion of security considerations related to the formatting of email messages.
The "From:" address is special, in that most user agents display that address, or the "friendly" text associated with it, to the end user, and label that so as to identify it as the origin of the message (as implied in Section 3.6.2 of RFC 5322). Group syntax in the "From:" header field can be used to hide the identity of the message originator. It is as easy to use a fabricated "From:" address to accomplish the same thing, so allowing groups there does not exacerbate the security problem.
Some protocols attempt to validate the originator address by matching the "From:" address to a particular verified domain (see Author Domain Signing Practices (ADSP) [RFC5617] for one such protocol). Such protocols will not be applicable to messages that lack an actual email address (whether real or fake) in the "From:" field. Local policy will determine how such messages are handled, and senders, therefore, need to be aware that using groups in the "From:" might adversely affect deliverability of the message.
Because groups have previously not been allowed in the "From:" and "Sender:" header fields, it is possible that some implementations that conform to RFC 5322 might not be prepared to handle that syntax, and, indeed, might not even recognize that group syntax is being used. Of those implementations, some subset might, when presented with group syntax in those header fields, behave in a way that is exploitable by an attacker. It is deemed unlikely that this will be a serious problem in practice: address field parsing is generally an integral component of implementations, and address field parsers are required to understand group syntax. In addition, if any implementations should be exploitable through this mechanism, it is already possible for attackers to do it by violating RFC 5322, and other RFC 5322 violations are commonly used by malefactors.
OLD +----------------+--------+------------+--------------------------+ | From | mail | standard | [RFC5322] | +----------------+--------+------------+--------------------------+ +----------------+--------+------------+--------------------------+ | Sender | mail | standard | [RFC5322] | +----------------+--------+------------+--------------------------+ +----------------+--------+------------+--------------------------+ | Resent-From | mail | standard | [RFC5322] | +----------------+--------+------------+--------------------------+ +----------------+--------+------------+--------------------------+ | Resent-Sender | mail | standard | [RFC5322] | +----------------+--------+------------+--------------------------+ NEW +----------------+--------+------------+--------------------------+ | From | mail | standard | [RFC5322] [[this RFC]] | +----------------+--------+------------+--------------------------+ +----------------+--------+------------+--------------------------+ | Sender | mail | standard | [RFC5322] [[this RFC]] | +----------------+--------+------------+--------------------------+ +----------------+--------+------------+--------------------------+ | Resent-From | mail | standard | [RFC5322] [[this RFC]] | +----------------+--------+------------+--------------------------+ +----------------+--------+------------+--------------------------+ | Resent-Sender | mail | standard | [RFC5322] [[this RFC]] | +----------------+--------+------------+--------------------------+
IANA is asked to update the Permanent Message Header Field Names registry ( http://www.iana.org/assignments/message-headers/perm-headers.html ) as follows:
[RFC2026] | Bradner, S., "The Internet Standards Process -- Revision 3", BCP 9, RFC 2026, October 1996. |
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. |
[RFC5234] | Crocker, D. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, January 2008. |
[RFC5322] | Resnick, P., "Internet Message Format", RFC 5322, October 2008. |
[RFC5617] | Allman, E., Fenton, J., Delany, M. and J. Levine, "DomainKeys Identified Mail (DKIM) Author Domain Signing Practices (ADSP)", RFC 5617, August 2009. |