IETF Logo Mail Archive

Re: [Extra] Sieve REJECT and :fcc [was Re: Meeting minutes and notes from today]

Ned Freed <ned.freed@mrochek.com> Mon, 08 January 2018 00:53 UTC

Return-Path: <ned.freed@mrochek.com>
X-Original-To: extra@ietfa.amsl.com
Delivered-To: extra@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEBB11242F7 for <extra@ietfa.amsl.com>; Sun, 7 Jan 2018 16:53:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.011
X-Spam-Level:
X-Spam-Status: No, score=-2.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mrochek.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4bNZQeMUk-lL for <extra@ietfa.amsl.com>; Sun, 7 Jan 2018 16:53:38 -0800 (PST)
Received: from mauve.mrochek.com (mauve.mrochek.com [68.183.62.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D1DED1200B9 for <extra@ietf.org>; Sun, 7 Jan 2018 16:53:38 -0800 (PST)
Received: from dkim-sign.mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01QNKNXF9OMO001XAM@mauve.mrochek.com> for extra@ietf.org; Sun, 7 Jan 2018 16:48:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=mrochek.com; s=201712; t=1515372514; bh=xDY7hRSxg//37x4ehQjnzGNyt9K6WzRzLxylwbTl40E=; h=Cc:Date:From:Subject:In-reply-to:References:To:From; b=ASR7h8/7ceTzUiHGg2AQOWq1t2bYEnoEqXP6wEeBHd4hToOinLa7UzaGf1KDKwlAk vcyxnjUQvSDTEoNh2H+0KjEkc3GZ1KNpauCzildhua2JXkZT2+yDkosJWyuDCXVfsG Vu7VkZD80429YkvmzjRzE06WRfoKD+k02QMR7Vxc=
MIME-version: 1.0
Content-transfer-encoding: 7bit
Content-type: TEXT/PLAIN; CHARSET="US-ASCII"
Received: from mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01QNFVO5W1CW000051@mauve.mrochek.com>; Sun, 07 Jan 2018 16:48:32 -0800 (PST)
Cc: extra@ietf.org
Message-id: <01QNKNXDT7B0000051@mauve.mrochek.com>
Date: Sun, 07 Jan 2018 16:15:52 -0800
From: Ned Freed <ned.freed@mrochek.com>
In-reply-to: "Your message dated Sun, 07 Jan 2018 17:57:34 -0500" <FD410429-A7E6-411F-AF01-FD39AADBC4D5@glyphein.mailforce.net>
References: <1510734636.1704307.1173072248.27572238@webmail.messagingengine.com> <C0D8D552-4B1C-49D9-8CCC-E6F57F225C1A@glyphein.mailforce.net> <1515028094.3135331.1223576440.053F86DC@webmail.messagingengine.com> <01QNFXVO7LVS000051@mauve.mrochek.com> <BE46D703-89FF-4250-BFF8-EB194729D4CF@glyphein.mailforce.net> <01QNK22FBJC0000051@mauve.mrochek.com> <FD410429-A7E6-411F-AF01-FD39AADBC4D5@glyphein.mailforce.net>
To: Stan Kalisch <stan@glyphein.mailforce.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/extra/OvJXHKQZoXeuCOYXPmzBaEI6yAk>
Subject: Re: [Extra] Sieve REJECT and :fcc [was Re: Meeting minutes and notes from today]
X-BeenThere: extra@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Email mailstore and eXtensions To Revise or Amend <extra.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/extra>, <mailto:extra-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/extra/>
List-Post: <mailto:extra@ietf.org>
List-Help: <mailto:extra-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/extra>, <mailto:extra-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jan 2018 00:53:41 -0000

> On Jan 7, 2018, at 8:42 AM, Ned Freed <ned.freed@mrochek.com> wrote:

> >>> Making service-level copies of messages is
> >>> one thing, giving users a direct way to conveniently say "I didn't get this
> >>> message" when they actually did is quite another.
> >
> >> Perhaps, but, after all, reject already provides that facility.  But that's not the central point of my argument in favor of allowing reject to invoke :fcc.
> >
> >> Some users have arguably (at least, certainly morally) legitimate reasons to
> >> lie about the delivery of mail.  The users who first come to my mind are
> >> survivors of domestic violence and/or sexual assault.
> >
> > I object even more strongly to this justification for adding such a feature.
> >
> > There are at least two problems here: We haven't even attempted to work through
> > all the security implications of trying to hide delivery of email. (Rejection
> > after delivery is another matter entirely, but we're not talking about that
> > here.)

> Actually, I'm talking about both.

I'm not. The situation after delivery is entirely different. Once something
is delivered to a user's mailbox the transport system is no longer involved.

Everything about MDNs is discretionary: generation, content, everything.  Users
and their agents are free to say or do whatever they want. They can send a
"deleted" MDN and keep the message, or send a "dispatched" MDN when in fact
they simply deleted the message.
 
> Users can in fact lie about the reason a message triggers, say, a MDN.

Absolutely. This is expected to be the case. Of course senders can elect to
trust a sender, but if they do this is an arrangement that lies outside the
service architecture the mail system provides.

The transport infrastructure is a different story. We all have to trust it,
and there are enough issues with that already; we should not be adding more.

> Given that Sieve was designed to act on messages upon delivery,

Sorry, that's incorrect. Sieve was designed to operate at some point
around the time of delivery. There are implementations that operate
before, during, or after delivery.

In the specific case of reject, a user agent needs to use MDNs since the
time for the generation of DSNs is past. Something operating at the SMTP
server level should use SMTP status codes if at all possible - and the
specification goes to considerable trouble to make that possible.

This is further complicated by there being two verbs (reject/ereject),
which further complicates matters.

> if enough
> implementors here in the WG aren't interested in the idea of even pursuing
> anything linking Sieve to DSNs, then it's not of the greatest concern to me if
> the MDN for :fcc on reject is made mandatory.

FWIW, our implementation operates at the SMTP server level and uses SMTP
status codes whenever possible. 

> >> Granted, backscatter, MDN, DSN, etc., of course, aren't even peripheral
> >> considerations in rolling out something like that for phone calls.  But, again,
> >> we're only talking about :fcc; reject's ship has already sailed.
> >
> > I have no idea what this means.

> Again, it's about the fact that reject can accommodate the ability to be used
> with fileinto, etc, case.

First, such usage is NOT RECOMMENDED, meaning it should only be done if there's
a really good reason. Second, as the RFC points out, doing this at the SMTP
level is a direct violation of RFC 5321. Call me a stickler if you like, but I
don't think that's a good thing.

Third, it seems clear that the presence of all this text in the RFC is in a
misguided attempt to try and make sieve actions like keep and fileinto somewhat
compatible with legal intercept applications. Unfortunately the entire cant of
Sieve is such that this is basically a fool's journey in user-space sieves, and
as I have pointed out previously, system sieves are beyond the scope of what's
covered in the RFCs.

>  and that reject essentially carries a minimal ability to
> lie about why a message's disposition has ended up the way it has.

This is a result of the range of places where Sieve can be applied. What's
appropriate prior to delivery is different from what's appropriate after
delivery.

				Ned

v2.23.0 | Report a Bug | By Email