Re: X-headers

John C Klensin <> Sun, 06 April 2008 15:57 UTC

Return-Path: <>
Received: from (localhost []) by (Postfix) with ESMTP id 9E5AD3A6CC1; Sun, 6 Apr 2008 08:57:58 -0700 (PDT)
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3CDB33A6CC1 for <>; Sun, 6 Apr 2008 08:57:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.037
X-Spam-Status: No, score=-2.037 tagged_above=-999 required=5 tests=[AWL=0.562, BAYES_00=-2.599]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id jeGbqwhEoFgq for <>; Sun, 6 Apr 2008 08:57:55 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 8F3F73A6C11 for <>; Sun, 6 Apr 2008 08:57:55 -0700 (PDT)
Received: from [] (helo=p3.JCK.COM) by with esmtp (Exim 4.34) id 1JiXFq-000N6k-CZ; Sun, 06 Apr 2008 11:58:05 -0400
Date: Sun, 06 Apr 2008 11:58:00 -0400
From: John C Klensin <>
To: Dave Aronson <>,
Subject: Re: X-headers
Message-ID: <67C120C7BBCEE80ED3C4DB34@p3.JCK.COM>
In-Reply-To: <>
References: <> <><ft57m4$csu$> <8BB8410A1437A8973C333DCE@p3.JCK.COM> <> <ft85nn$sga$> <1C6AF6C07BA71958E4092D98@p3.JCK.COM> <>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Disposition: inline
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF Discussion <>
List-Unsubscribe: <>, <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

--On Sunday, 06 April, 2008 11:40 -0400 Dave Aronson
<> wrote:

> Some (though admittedly not all) of the problem could be
> mitigated if software authors were encouraged (not forced!) to
> have their programs:
>   1) accept new X-headers both with and without the X-, and
>   2) be configurable to send either, defaulting to "with".
> If a given header gets approved, and registered without the
> X-, the software need not be changed and redeployed, or even
> reconfigured, to *accept* the new version.  Having it *send*
> the new version, would be a matter of configuration, hopefully
> simple.
> As new versions of the software are written, support for the
> X-version could even be removed, preferably after some
> agreeable fairly long amount of time.  (A "deprecated"
> registry would certainly help there. That could be cluttered
> if ALL abandoned X-headers are listed, but it could be
> restricted to those that have been deprecated in favor of
> things that became official.)
> The main problem I see is site admins too far behind the times
> to bother flipping the switch to send without an X-, nor
> upgrade to versions that don't support sending the X-.  Their
> users may send to sites that have upgraded to versions that no
> longer accept the X- version.  In this case, the header will
> not be recognized.
> One could take at least approaches here.  First, one could
> simply say "X-headers are experimental, not to be relied upon,
> so who cares, tough luck, if it's that important to you, get
> your admin to flip the switch."   Second, it could be
> mitigated by simply having the software continue to accept the
> X- version, rather than deliberately removing X- support.
> Your thoughts?

Interesting, probably impractical, almost certainly irrelevant
to the text that goes into 2822bis because this would constitute
a new processing requirement (although one might get it through
by insisting that it is just a clarifying suggestion).  The
problem of how to turn "experimental" command verbs, header
lines, etc., has been with us for a very long time.  We have
never figured out how to get it right.  The discussion in RFC
1123 Section about something that the authors though had
been fixed in RFC 959 (four years earlier) is a symptom of the
problem, but by no means the earliest case.

My belief that your idea is impractical is reinforced by the
knowledge that many "firewall" SMTP implementations will simply
remove any X- header and any other header that they do not
recognize on the assumption that it is either private-use and
hence doesn't belong there or that it is a potential vector for
attack or hidden information disclosure.

In my view, RFC 2822 adopted an innovative solution to the
problem, which was to abolish all distinctions and pretend that
there was no history that would lead software to assumptions
about anything that started in an "X-".   My view (I think
consistent with Brian's) is that the 2822 approach has
demonstrably failed and therefore that, for the private-use
cases as least, we need to move the text toward a clear
restatement of the intent of the 822 text. 


IETF mailing list