A Registry for SMTP Enhanced Mail System Status Codes
draft-hansen-4468upd-mailesc-registry-02

Status of this Memo

By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress.”

The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html.

This Internet-Draft will expire on January 10, 2008.

Abstract

This document establishes an IANA registry for SMTP Enhanced Status Codes.

Table of Contents

1.  Introduction
2.  IANA Considerations
3.  Security Considerations
4.  Acknowledgements
5.  References
    5.1.  Normative References
    5.2.  Informative References
§  Authors' Addresses
§  Intellectual Property and Copyright Statements

1.  Introduction

Enhanced Status Codes for SMTP were first defined in [RFC1893] (Vaudreuil, G., “Enhanced Mail System Status Codes,” January 1996.), subsequently replaced by [RFC3463] (Vaudreuil, G., “Enhanced Mail System Status Codes,” January 2003.). Since that time, various RFCs have been published and internet drafts proposed that define further status codes. However, no IANA registry was defined for the status codes and conflicts in definitions have begun to appear. This RFC defines such an IANA registry and was written to help prevent further conflicts from appearing in the future.

This document is being discussed on the SMTP mailing list, ietf-smtp@imc.org.

2.  IANA Considerations

IANA is directed to create the registry Mail Enhanced Status Codes. In the terms of [RFC2434] (Narten, T. and H. Alvestrand, “Guidelines for Writing an IANA Considerations Section in RFCs,” October 1998.), values of Enhanced Status Codes must be registered with IANA under the IETF Review (formerly known as the IETF Consensus) method. (Specifically, new values are assigned only through RFCs that have been shepherded through the IESG as IETF (AD-Sponsored or WG) documents.)

The Mail Enhanced Status Codes registry will have three tables:

• class sub-code,
• subject sub-code, and
• enumerated status codes, which include both a subject sub-code and a detail sub-code.

Each entry in the tables will include:

1. The sub-code or enumerated status code, which will be a numeric code consisting of three components, as specified in RFC 3463.
2. Text expected to be associated with the code.
3. A short description of the code, including the basic reply code of RFC 2821 [RFC2821] (Klensin, J., “Simple Mail Transfer Protocol,” April 2001.) with which it is associated.
4. A reference to the document in which the code is defined. This reference should note whether the relevant specification is standards-track or not.
5. The identity of the submitter or registrant ("IESG" in the case of IETF-produced documents).

An example of an entry in the enumerated status code table would be:

X.0.0 Other undefined Status

Other undefined status is the only undefined error code.
X.0.0 should be used for all errors for which only the class of the error is known.

Defined in RFC 3463.

Registered by IESG.

The initial values for the class and subject sub-code tables is to be populated from section 2 of [RFC3463] (Vaudreuil, G., “Enhanced Mail System Status Codes,” January 2003.). Specifically, these are the values for 2.XXX.XXX, 4.XXX.XXX and 5.XXX.XXX for the class sub-code table, and the values X.0.XXX, X.1.XXX, X.2.XXX, X.3.XXX, X.4.XXX, X.5.XXX, X.6.XXX and X.7.XXX for the subject sub-code table. Each entry is to be designated as defined in RFC 3463 and registered by IESG.

The initial values for the enumerated status code table is to be populated from sections 3.1 through 3.8 of [RFC3463] (Vaudreuil, G., “Enhanced Mail System Status Codes,” January 2003.), (X.0.0, X.1.0 through X.1.8, X.2.0 through X.2.4, X.3.0 through X.3.5, X.4.0 through X.4.7, X.5.0 through X.5.5, X.6.0 through X.6.5, and X.7.0 through X.7.7) section 3.3.4 of [RFC3886] (Allman, E., “An Extensible Message Format for Message Tracking Responses,” September 2004.) (X.1.9), and the definition of X.6.6 found in section 5 of [RFC4468] (Newman, C., “Message Submission BURL Extension,” May 2006.). Each entry is to be designated as defined in the corresponding RFC and registered by IESG.

The following additional definitions are to be registered in the enumerated status code table.

X.5.6 Authentication Exchange line is too long

This enhanced status code SHOULD be returned when the server fails the AUTH command due to the client sending a response which is longer than the maximum buffer size available for the currently selected SASL mechanism.
Defined by RFC XXXX. Registered by IESG.

X.7.8 Trust relationship required or Authentication credentials invalid

Because of conflicting definitions in different documents, this value should no longer be used.
Defined by RFC XXXX. Registered by IESG.

X.7.9 Authentication mechanism is too weak

This response to the AUTH command indicates that the selected authentication mechanism is weaker than server policy permits for that user. The client SHOULD retry with a new authentication mechanism.
Defined by RFC XXXX. Registered by IESG.

X.7.10 Encryption Needed

This indicates that external strong privacy layer is needed in order to use the requested authentication mechanism. This is primarily intended for use with clear text authentication mechanisms. A client which receives this may activate a security layer such as TLS prior to authenticating, or attempt to use a stronger mechanism.
Defined by RFC XXXX. Registered by IESG.

X.7.11 Encryption required for requested authentication mechanism

This indicates the user's passphrase or passphrase has expired and needs to be changed. Many sites have a policy which forbids a passphrase or passphrase from being used too long. These sites will set a time period after which passphrases must be changed. Some sites also pre-expire passphrases set by a system administrator, such that a user must change their passphrase prior to using their account. A client which receives this error code can treat it as a user request to change her passphrase.
Defined by RFC XXXX. Registered by IESG.

X.7.12 A password transition is needed

This response to the AUTH command indicates that the user needs to transition to the selected authentication mechanism. This is typically done by authenticating once using the [PLAIN] authentication mechanism. The selected mechanism SHOULD then work for authentications in subsequent sessions.
Defined by RFC XXXX. Registered by IESG.

X.7.13 User Account Disabled

Sometimes a system administrator will have to disable a user's account (e.g., due to lack of payment, abuse, evidence of a break-in attempt, etc). This error code occurs after a successful authentication to a disabled account. This informs the client that the failure is permanent until the user contacts their system administrator to get the account re- enabled. It differs from a generic authentication failure where the client's best option is to present the passphrase entry dialog in case the user simply mistyped their passphrase.
Defined by RFC XXXX. Registered by IESG.

X.7.14 Trust relationship required

The submission server requires a configured trust relationship with a third-party server in order to access the message content. This value replaces the prior use of X.7.8 for this error condition.
Defined by RFC XXXX. Registered by IESG.

X.7.15 Authentication credentials invalid

Authentication failed due to invalid or insufficient authentication credentials. This value replaces the prior use of X.7.8 for this error condition, thereby updating [RFC4468] (Newman, C., “Message Submission BURL Extension,” May 2006.).
Defined by RFC XXXX. Registered by IESG.

3.  Security Considerations

As stated in [RFC1893] (Vaudreuil, G., “Enhanced Mail System Status Codes,” January 1996.), use of enhanced status codes may disclose additional information about how an internal mail system is implemented beyond that available through the SMTP status codes.

Many proposed additions to the response code list are security related. Having these registered in one place to prevent collisions will improve their value. Security error responses can leak information to active attackers (e.g., the distinction between "user not found" and "bad password" during authentication). Documents defining security error codes should make it clear when this is the case so SMTP server software subject to such threats can provide appropriate controls to restrict exposure.

4.  Acknowledgements

Thanks go to the members of the ietf-smtp@imc.org mailing list.

5.  References

5.1. Normative References

5.2. Informative References

Authors' Addresses

Full Copyright Statement

Copyright © The IETF Trust (2007).

This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.

This document and the information contained herein are provided on an “AS IS” basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.