Internet DRAFT - draft-duan-smtp-receiver-driven

draft-duan-smtp-receiver-driven






Network Working Group                                            Z. Duan
Internet-Draft                                                K. Gopalan
Expires: January 5, 2007                        Florida State University
                                                                 Y. Dong
                                                    University of Hawaii
                                                            July 4, 2006


                   Receiver-Driven Extensions to SMTP
                 draft-duan-smtp-receiver-driven-03.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on January 5, 2007.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   The Differentiated Mail Transfer Protocol (DMTP) provides simple
   extensions to the Simple Mail Transfer Protocol (SMTP) that enable
   receivers to exercise greater control over the email delivery
   process.  The current SMTP-based email delivery architecture is
   fundamentally sender-driven and distinctly lacks receiver control
   over the message delivery mechanisms.  This document describes DMTP



Duan, et al.             Expires January 5, 2007                [Page 1]

Internet-Draft     Receiver-Driven Extensions to SMTP          July 2006


   that enables receivers to classify senders into three categories --
   allowed, denied, and unclassified -- and process the delivery of
   messages from each category independently.  As is the current
   practice, receivers may directly accept messages from senders in the
   allowed category and decline senders in the denied category.  In
   addition, DMTP receivers require senders in the unclassified category
   to store messages on the senders' own mail servers.  Such messages
   are retrieved only if and when the end receivers wish to do so.  By
   granting  greater control over message  delivery to receivers and
   imposing greater message storage and maintenance overhead on senders,
   DMTP provides  significant  advantages in  controlling spam.  DMTP
   also easily operates in conjunction  with (but does not require) many
   currently deployed anti-spam techniques.

Table of Contents

   1.   Introduction . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.   Terminology  . . . . . . . . . . . . . . . . . . . . . . . .   5
   3.   Extending  SMTP to Support Differentiated Message Delivery .   6
     3.1  Receiver-Defined SMTA Classification . . . . . . . . . . .   6
     3.2  Receiver-Driven Differentiated Message Delivery  . . . . .   6
     3.3  New Commands in DMTP . . . . . . . . . . . . . . . . . . .   7
     3.4  Extending SMTP to Support New Commands . . . . . . . . . .   8
     3.5  Message Transmission and Retrieval using DMTP  . . . . . .   8
     3.6  Constructing Message IDs . . . . . . . . . . . . . . . . .  10
     3.7  Populating Sender Classifiers  . . . . . . . . . . . . . .  11
     3.8  Incremental Deployment . . . . . . . . . . . . . . . . . .  12
     3.9  Considerations for Supporting Mailing lists  . . . . . . .  13
     3.10   Handling Mail Relay Servers  . . . . . . . . . . . . . .  14
   4.   Security Considerations  . . . . . . . . . . . . . . . . . .  16
   5.   References . . . . . . . . . . . . . . . . . . . . . . . . .  16
        Authors' Addresses . . . . . . . . . . . . . . . . . . . . .  17
        Intellectual Property and Copyright Statements . . . . . . .  18


















Duan, et al.             Expires January 5, 2007                [Page 2]

Internet-Draft     Receiver-Driven Extensions to SMTP          July 2006


1.  Introduction

   The objective of Differentiated Mail Transfer Protocol (DMTP) is to
   define simple extensions to the Simple Mail Transfer Protocol (SMTP)
   [RFC2821] that provide greater control to receivers over the email
   delivery process.  The current SMTP based email delivery architecture
   is essentially sender-driven, in which any sender can push an email
   message to any receiver at will, regardless of whether or not the
   receiver is interested in receiving the message.  It is only after
   receiving the entire message that the receiver has the opportunity to
   examine the message header and contents and either accept or discard
   it.

   This document describes DMTP -- a receiver-driven differentiated
   message   delivery  protocol   [SRUTI05] [NET2006] that complements
   the current sender-driven SMTP protocol with two new commands.  DMTP
   enables receivers to classify senders into three categories --
   allowed, denied, and unclassified -- and process the message delivery
   from each category independently.  Messages from allowed senders are
   handled in the same manner as in the  current SMTP architecture and
   messages from denied senders are summarily declined.  Senders who are
   neither allowed nor denied fall under the unclassified category by
   default.  Such unclassified senders are permitted by DMTP receivers
   to convey an intent to send an email in place of sending the entire
   email.  The email itself needs to be stored at the unclassified
   sender's mail server till the intended recipient expresses interest
   in receiving the entire email message.

   Unlike the current  SMTP architecture,  DMTP grants greater control
   over message delivery to receivers, which provides us with several
   important advantages in controlling spam [DMTP-TR].  First, the
   delivery rate of spam is determined by the spam retrieval behavior of
   receivers instead of being controlled by spammers, which helps
   eradicate the economy of scale that spammers rely on.  Second,
   spammers are forced to stay online for longer periods of time
   (because the sending rate of spam is regulated by the spam retrieval
   rate of receivers), which can significantly improve the performance
   of real-time blacklists (RBLs).  Third, regular correspondents of a
   receiver do not need to make any extra effort to communicate with the
   receiver---correspondence from regular contacts is handled in the
   same manner as in the current SMTP-based email system.  In addition,
   DMTP can be easily deployed on the Internet incrementally.

   DMTP also easily operates in conjunction with currently deployed
   anti-spam   techniques  such   as   content-based  filters   and
   sender-authentication schemes.  However, DMTP is orthogonal to these
   techniques and does not require any of them to operate correctly.
   The  rest of this document describes the details of the DMTP



Duan, et al.             Expires January 5, 2007                [Page 3]

Internet-Draft     Receiver-Driven Extensions to SMTP          July 2006


   extensions to the SMTP architecture.


















































Duan, et al.             Expires January 5, 2007                [Page 4]

Internet-Draft     Receiver-Driven Extensions to SMTP          July 2006


2.  Terminology

   o  Sender: An end-user sending an email message.

   o  Receiver: An end-user intended to receive an email message.

   o  MUA: Mail User Agent -- A  tool used by the end-user for sending
      and receiving messages.

   o  RMUA: Receiving Mail User Agent -- an MUA receiving an email
      message.

   o  SMUA: Sending Mail User Agent -- an MUA sending an email message.

   o  MTA:  Mail Transfer  Agent -- An  email server that  transfers
      email messages from one  MUA to another, possibly in  coordination
      with other MTAs.

   o  RMTA: Receiving Mail Transfer Agent -- an MTA that accepts an
      email from a Sending MTA (SMTA) and delivers it to an RMUA.

   o  SMTA: Sending Mail Transfer Agent -- an MTA that accepts an email
      from an SMUA and delivers it to an RMTA.




























Duan, et al.             Expires January 5, 2007                [Page 5]

Internet-Draft     Receiver-Driven Extensions to SMTP          July 2006


3.  Extending  SMTP to Support Differentiated Message Delivery

3.1  Receiver-Defined SMTA Classification

   In order to differentiate the delivery of messages from different
   senders, the RMTAs classify SMTAs into following three categories,
   called SMTA classifiers, depending  on how  well the RMTA trusts the
   SMTA.

   o  Allowed (or trusted) MTAs : This class contains the IP addresses
      or the domain names of the SMTAs whom the RMTA trusts and from
      whom it is willing to directly accept entire email messages using
      the sender-driven model of SMTP.

   o  Denied (or black-listed) MTAs: This class contains the IP
      addresses or the domain names of the SMTAs with whom the RMTA does
      not wish to communicate.  This class may contain well-known
      spammers, or the SMTAs whose messages the RMTA wants to block.

   o  Unclassified  (or untrusted) MTAs: This class includes all SMTAs
      that do not belong to either allowed or denied category, but who
      may possibly be legitimate SMTAs.  This is the default category
      for any SMTA unless it is explicitly listed in the allowed or
      denied category.  Note that, unlike allowed and denied categories,
      this category does not require explicit enumeration of MTAs.

   The classifiers at RMTA can potentially be defined at two levels:
   MTA-level (as in the above description) and email-address-level.  An
   MTA-level classifier contains IP addresses and/or domain  names of
   the SMTAs.  MTA-level classifiers are equivalent to the IP and domain
   level black lists employed in many of today's MTAs.  In contrast, an
   email-address-level classifier includes end-user email addresses.
   This document focuses on using only MTA-level classifiers because
   these are both simple and sufficient for the operation of DMTP.
   [DMTP-TR] describes in further detail how email-address-level
   classifiers could also be incorporated to further improve the
   effectiveness of DMTP in controlling spam.

   MTA-level classifiers support coarse-grained sender differentiation
   at the level of IP-addresses or network domains of the SMTAs.  They
   do not require (but can operate in conjunction with) any other sender
   authentication mechanisms because they simply rely on IP addresses
   and/or domain names of the SMTAs.

3.2  Receiver-Driven Differentiated Message Delivery

   RMTAs apply different handling strategies for messages from the three
   different SMTA categories.  Whereas it is relatively straightforward



Duan, et al.             Expires January 5, 2007                [Page 6]

Internet-Draft     Receiver-Driven Extensions to SMTP          July 2006


   to handle messages from allowed and denied SMTAs, the principal
   challenge lies in handling the interaction with unclassified SMTAs.

   An RMTA accepts messages from allowed SMTAs in the same manner as in
   the current SMTP architecture.  Specifically, the complete messages
   that include both headers and bodies can be pushed directly from the
   SMTA to RMTA.  On the other hand, an RMTA will decline any messages
   from denied SMTAs, which typically includes well-known MTAs used by
   spammers.

   Unlike messages from allowed and denied SMTAs, the messages from
   unclassified  SMTAs can  be either legitimate or spam messages.  The
   goal here is not to permit malicious unclassified SMTAs from pushing
   spam messages and, at the same time, enable legitimate unclassified
   SMTAs to express their intent to communicate.  Hence this is the most
   critical category that a DMTP-compliant RMTA needs to manage.

   To balance these two considerations, RMTA only accepts the envelopes
   of messages from unclassified SMTAs.  The complete messages need to
   be stored at the SMTAs.  An RMUA that wishes to read such messages at
   a later convenient time can instruct its RMTA to retrieve (or pull)
   the messages from the SMTA.

3.3  New Commands in DMTP

   If  an SMTA  cannot  directly deliver  an  entire message  to the
   RMTA, because  it  is  in  the  unclassified  class of  the  RMTA
   (Section 3.4), the SMTA stores the message locally at  the sender
   side and generates a reference message identifier (Section 3.6).
   This message identifier is then sent to the RMTA using a new command
   MSID (see below, using format defined in [RFC2234]).  The MSID
   command conveys the sender's intent to send a complete message to the
   receiver.

   MSID <SP> msid [ <SP>  Subject] <CRLF>

   where  msid is the  message identifier, and the optional Subject is a
   a brief string that is simply the original subject line of the email
   message or an auto-generated summary text of the message.  DMTP
   requires that the MSID  command line cannot exceed a maximum length
   of 32 bytes.

   The RMTA conveys this intent to the receiver's MUA (possibly through
   a POP3 [RFC1939] or IMAP [RFC3501] server) in place of the entire
   message.  If and when the actual receiver wishes to read the
   message, the RMTA retrieves the message from SMTA using a new command
   GTML which has the following syntax:




Duan, et al.             Expires January 5, 2007                [Page 7]

Internet-Draft     Receiver-Driven Extensions to SMTP          July 2006


   GTML <SP> msid <SP> Receiver <CRLF>

   where  msid  is the  identifier  of the  message  to  be retrieved,
   and Receiver is the email address of the receiver.  When the SMTA
   receives the GTML command, it first verifies that the  corresponding
   message is  intended for the receiver  listed in the command.  More
   importantly the SMTA verifies that the requesting RMTA is indeed  the
   mail  server responsible for  the receiver, i.e.,  the one which was
   originally contacted  by the SMTA  for message  delivery.

   Note  above  that we  assume  that  the  RMUA cannot  directly
   retrieve messages from SMTA.  Rather it relies on its RMTA to perform
   this function.  We  make   this   design  choice   based  on
   security considerations  (see  the  "Security Considerations"
   section),  limited resources on user machines (for  example, MTA
   servers normally have more powerful  spam filters than  user PCs),
   and the  reality that  some user email clients  (such as cell phones
   and other wireless  PDA devices) can only contact their own email
   servers.

3.4  Extending SMTP to Support New Commands

   A  DMTP-compliant SMTA  includes the  keyword  "DMTP" in  the MAIL
   FROM command to inform an RMTA that it supports the DMTP service
   extensions.  Note that  it is not necessary  for an RMTA  to inform
   an SMTA  that the RMTA  supports  the  service  extensions,  unless
   the  SMTA  is  in  the unclassified class  of the RMTA.  For  such
   SMTAs, the  RMTA will include the new commands MSID and GTML in  the
   reply code  250 to  the EHLO command from the SMTAs.  When  an SMTA
   receives reply  code 250 with the  MSID command, it implicitly
   indicates that the SMTA has to issue the MSID command instead of the
   DATA command.

3.5  Message Transmission and Retrieval using DMTP

   In the  following description, we discuss the  interaction between
   SMTA, RMTA, POP3 server, and RMUA  for retrieving a message  from an
   unclassified  source in greater detail (POP3 is considered here as
   only one example of an incoming mail access protocol used by MUA.
   Other incoming mail access protocols, such as IMAP, can also be used
   without any changes to the description below).

   When an RMTA receives an intent to send email from an SMTA, it first
   computes a hash value H based on the msid of the intent message
   received from SMTA and the receiver email address.  (H may be
   computed in the same manner as msid  in Section 3.6.)  The RMTA then
   composes a new short "intent message" whose  Subject line  is the
   hash  value H,  and the body conveys the intent of the sender to send



Duan, et al.             Expires January 5, 2007                [Page 8]

Internet-Draft     Receiver-Driven Extensions to SMTP          July 2006


   an email message.  This intent message is delivered to the receiver's
   incoming message folder from a special account on the  RMTA.  This
   account is only used  for handling  the delivery of intent messages
   to receivers (and the retrieval of the complete messages from the
   SMTAs when the receivers instruct to do so).

   An RMUA retrieves the intent message through its  POP3 server (just
   as it would retrieve complete messages) and then the receiver decides
   whether or not to retrieve the entire  message.  If the receiver
   decides to read the entire message, the receiver will simply reply to
   the intent message, which is delivered to the RMTA.  When the RMTA
   receives the reply, it will first re-compute the hash value H and
   verify that it matches the hash value in the Subject line.  If they
   do not match, the RMTA will simply discard the reply message.

   If they  do match, the RMTA then  issues the GTML command  to the
   remote SMTA to  retrieve the  complete email message.  After RMTA
   receives the complete message, it  stores the message in the
   incoming message folder of the receiver, which is then  retrieved by
   the RMUA via, say, its POP3 server.

   The  following algorithm  summarizes the message  delivery mechanism
   that uses only MTA-level classifiers.

     /* Message sequence between DMTP-compliant SMTA and RMTA*/
     0. SMTA: Open TCP connection to RMTA port 25;
     1. RMTA: ip = SMTA's IP address;
     2. RMTA: dn = SMTA's domain name;
     3. RMTA: if { (ip OR dn) is denied } /* messages to be blocked */
     4. RMTA:   reply with "554 DENIED";
     6. RMTA: else if { (ip OR dn) is allowed } /* good citizens */
     7. RMTA:   reply with "220 OK";
     8. RMTA:   proceed using original SMTP;
     9. RMTA: else /* unclassified sources */
    10. RMTA:   reply with "220 OK";
    11. SMTA:   send "EHLO domain_name";
    12. RMTA:   reply with "250-MSID";
    13  RMTA:   reply with "250 GTML";
    14. SMTA:   send "MAIL FROM: sender_email DMTP";
    15. RMTA:   reply "250 OK";
    16. SMTA:   send "RCPT TO: receiver_email";
    17. RMTA:   reply "250 OK";
    18. SMTA:   send "MSID message_id [subject];
    19. RMTA:   reply "250 OK";
    20. RMTA:   reject any attempt from SMTA to send DATA command;
    21. RMTA:   Compute an internal hash H for the intent message;
    22. RMTA:   Compose a short intent message
    23. RMTA:     /* with H as the Subject, intent as the body



Duan, et al.             Expires January 5, 2007                [Page 9]

Internet-Draft     Receiver-Driven Extensions to SMTP          July 2006


    24. RMTA:        and sender being a special account on RMTA */
    25. RMTA:   Store intent message in receiver's incoming folder;
    26. RMTA: end if

     0. /* Procedure to retrieve complete message from intent message */
     1. RMUA: Reply to the intent message;
     2. RMTA: Recompute hash value H for intent message;
     3. RMTA: If { Recomputed hash == hash in intent message }
     4. RMTA:    /* retrieve the message from the SMTA */
     5. RMTA:    open TCP connections to SMTA at port 25;
     6. SMTA:    ip = RMTA's IP address;
     7. SMTA:    dn = RMTA's domain name;
     8. SMTA:    if { (ip OR dn) is denied } /* msgs to be blocked */
     9. SMTA:       reply with "554 DENIED";
    10. SMTA:    else if { (ip OR dn) is allowed } /* good citizens */
    11. SMTA:       reply with "220 OK";
    12. RMTA:       send "EHLO domain name";
    13. SMTA:       reply "250 OK";
    14. SMTA:    else /* unclassified sources */
    15. SMTA:       reply with "220 OK";
    16. RMTA:       send "EHLO domain name";
    17. SMTA:       reply "250-MSID";
    18. SMTA:       reply "250 GTML";
    19. SMTA:    end if
    20. RMTA:    send "GTML message_id receiver_email";
    21. SMTA:    send DATA command followed by the message;
    22. SMTA:    close TCP connection with RMTA;
    23. RMTA:    store message in receiver's incoming folder;
    24. RMTA: else
    25. RMTA:     discard the short message;
    26. RMTA: end if
    27. RMUA: Retrieve new messages from POP3;



3.6  Constructing Message IDs

   A   sender   uses  an   SMUA   to   compose   outgoing  messages
   [RFC2821] .  After a  message is composed  by the  sender, the SMUA
   delivers the message to the SMTA.  The SMTA stores the sender's
   messages that have not been delivered and have not been deleted.  An
   SMTA will delete a  message on behalf of a sender after  the message
   has been delivered to all the intended  receivers or after a certain
   configurable expiry time (It is also possible to augment MUAs to
   allow individual senders to specify  the message-specific expiry
   times via a new  message  header.  This is a possible future
   extension and is beyond the scope of this document.)




Duan, et al.             Expires January 5, 2007               [Page 10]

Internet-Draft     Receiver-Driven Extensions to SMTP          July 2006


   As discussed above, if an RMTA only accepts the header of the message
   from an unclassified SMTA, a message identifier (msid) needs to be
   generated by the SMTA for that message and sent to the receiver via
   the RMTA so that the receiver can retrieve the message at a later
   time.  An msid is defined as a fixed length string with a maximum
   length of 256 bits.  When a receiver wants to retrieve the entire
   message, the RMTA uses this msid to request the message body from the
   SMTA.

   This msid can be generated  using different techniques, and each MTA
   can choose  a  scheme  according  to  the  local  preference.
   However,  the following properties are  suggested for the resulting
   msid  of a chosen scheme.

   o  The msid should not be guessable by a third party using commonly
      available information, such as sender or receiver's email address,
      or the IP address of SMTA and RMTA.

   o  The msid should be of a form that enables SMTA to quickly search
      for a message once the RMTA sends the GTML command.


3.7  Populating Sender Classifiers

   MTA-level sender classifiers are  managed by mail server
   administrators.  However, often it might be desirable for receivers
   to supply their RMTAs with the information about which senders belong
   to allowed and denied categories.  There are many possible mechanisms
   for populating sender classifiers and this document does not
   recommend one technique over another.  Below we outline one such
   mechanism as an example to illustrate the ease with which sender
   classifiers can be automatically populated by receivers.

   RMTAs can maintain a special "classifier-config" email account used
   for populating the sender classifiers.  (This account is in addition
   to another special  account for handling short intent messages that
   was described earlier.)  SMTAs can be added or removed from different
   categories by sending commands via email to this special account.  To
   add an SMTA to the allowed category, an end-user emails the
   "classifier-config" account at its RMTA with the command "add allowed
   sender-email" in the body of the email message, where sender-email is
   the email address of the allowed sender.  The RMTA will translate the
   email address to the corresponding SMTA's domain name or IP address.
   To remove an SMTA from the allowed category, the end-user emails the
   command "remove allowed sender-email".  Manipulation of other
   categories can be handled in a similar manner.  Note that from a
   security standpoint, emails to the "classifier-config" account would
   somehow need to be authenticated, so that only legitimate users can



Duan, et al.             Expires January 5, 2007               [Page 11]

Internet-Draft     Receiver-Driven Extensions to SMTP          July 2006


   request classifier modifications.

   Alternatively, one can also have a web-based mechanism where
   authenticated users can log in and submit requests for classifier
   modifications.  Also, DMTP-compliant RMTAs can make use of publicly/
   commercially available whitelist or blacklist of SMTAs and place the
   remaining SMTAs in the unclassified category.

3.8  Incremental Deployment

   This section outlines one possible incremental deployment path for
   DMTP.  DMTP does not require one uniform incremental deployment path
   across the Internet.  Network administrators may choose an
   incremental deployment path depending on their perceived
   requirements.

   There are two basic objectives for incremental deployment strategy.
   The first objective is to enable legitimate non-DMTP-compliant
   unclassified SMTAs to communicate with DMTP-compliant RMTAs.  Note
   that the converse communication, namely DMTP-compliant SMTAs
   communicating with legacy non-DMTP-compliant RMTAs, is not an issue
   because the latter accept the entire message by default.

   The second objective is to incorporate one or more forms of sender-
   discouragement schemes at DMTP-compliant RMTAs so that spammers do
   not use the incremental deployment path as a loophole to deliver spam
   messages.  However, unlike existing sender-discouragement schemes,
   DMTP requires only the subset of unclassified non-DMTP-compliant
   SMTAs to bear any extra  overhead in  sending a message.  DMTP-
   compliant SMTAs  in the allowed category do not need to shoulder the
   additional overhead because their message delivery mechanism is the
   same as in the current SMTP architecture.

   The following figure illustrates the message acceptance algorithm
   executed at a DMTP-compliant RMTA to support incremental deployment
   of DMTP.















Duan, et al.             Expires January 5, 2007               [Page 12]

Internet-Draft     Receiver-Driven Extensions to SMTP          July 2006


     /* Message sequence between DMTP-compliant RMTA and
        non-DMTP-compliant SMTA*/
     0. SMTA: Open TCP connection to RMTA port 25;
     1. RMTA: ip = SMTA's IP address;
     2. RMTA: dn = SMTA's domain name;
     3. RMTA: if { (ip OR dn) is denied } /* messages to be blocked */
     4. RMTA:   reply with "554 DENIED";
     5. RMTA: else if { (ip OR dn) is allowed } /* good citizens */
     6. RMTA:   reply with "220 OK";
     7. RMTA:   proceed using original SMTP;
     8. RMTA: else /* unclassified sources */
     9. RMTA:      reply with "220 OK";
    10. SMTA:      send "EHLO domain_name";
    11. RMTA:      reply with "250-MSID";
    12. RMTA:      reply with "250 GTML";
    13. SMTA:      if( SMTA supports DMTP)
    14. SMTA:         send "MAIL FROM: sender_email DMTP";
    15. RMTA:         proceed according to DMTP;
    16. SMTA:      else /* SMTA does not support DMTP */
    17. SMTA:         send "MAIL FROM: sender_email";
    18. RMTA:         apply sender-discouragement (such as greylisting)
    19. RMTA:         if(SMTA passes sender discouragement)
    20. RMTA:            reply "250 OK";
    21. SMTA:            send "RCPT TO: receiver_email";
    22. RMTA:            reply "250 OK";
    23. SMTA:            send "DATA";
    24. RMTA:            reply with "354";
    25. SMTA:            send entire message;
    26. RMTA:            reply "250 OK";
    27. RMTA:            store message in receiver's incoming folder
    28. RMTA:          end if
    29. SMTA:       end if
    30. RMTA: end if


3.9  Considerations for Supporting Mailing lists

   Operation of mailing lists requires careful consideration in the
   pull-based model of DMTP.  A user who joins a mailing list already
   expresses an interest in receiving all messages from the mailing
   list.  Therefore, in principle, a mailing list member should not be
   required to expend additional effort in receiving each and every
   message posted to the mailing list.  At the same time, the SMTA of a
   mailing list should not face additional overhead in delivering a
   message to a potentially large number of members on the list.

   Based on the above two considerations, this document recommends that
   the following actions should be carried out by mailing list members



Duan, et al.             Expires January 5, 2007               [Page 13]

Internet-Draft     Receiver-Driven Extensions to SMTP          July 2006


   and the SMTAs for mailing lists.  A user who joins a mailing  list
   should request his/her RMTA to add the SMTA of the mailing list into
   the allowed category.  For instance, this could be done semi-
   automatically by sending an  email message to the "classifier-config"
   account at the local RMTA as described earlier.

   It is also possible that a user may not necessarily remember to
   request his/her DMTP-compliant RMTA to add the SMTA of the mailing
   list to the allowed category.  In such a case, when the RMTA receives
   a message delivery request from a mailing list for its local user,
   there are two possible responses from RMTA.  First, if the mailing
   list SMTA is DMTP-compliant, the RMTA will request an intent message
   instead of the complete message.  Second, if the mailing list SMTA is
   non-DMTP-compliant,    the    RMTA    will   apply    a    certain
   sender-discouragement scheme to the sender of the message, which
   might simply be the email address of mailing list.

   In either case, this document recommends that the SMTA of the mailing
   list simply terminates its effort to deliver the  message intended
   receiver.  That  is, if the  DMTP-compliant SMTA receives reply  code
   250 with MSID included, it immediately closes the corresponding TCP
   connection and if the non-DMTP-compliant SMTA encounters certain
   sender-discouragement imposed by  the RMTA, it simply  ignores the
   discouragement  and give up the effort to deliver the related
   message.  In summary, only mailing list members who have included the
   SMTA of a mailing  list in the allowed category of their RMTA can
   receive messages from the mailing list.

   The practical rationale behind this recommendation is three-fold. (1)
   Mailing-list members served by DMTP-compliant RMTAs would prefer not
   having to respond to a large number intent messages generated from a
   highly active mailing list. (2) DMTP-compliant SMTAs of mailing lists
   would be better off not having to manage and track messages and their
   intents for potentially large number of postings. (3) Non-DMTP-
   compliant SMTAs of mailing lists would rather not deal with the
   discouragement for every posting.  The net effect of this policy is
   to insist that a mailing list member request its RMTA to white-list
   the SMTA of the mailing list.

3.10  Handling Mail Relay Servers

   A potential issue is the use of DMTP with mail relay servers,
   especially within large organizations.  In such a case, only the
   relay server located at the interface to the external world, which we
   call the border relay, needs to be DMTP-compliant.  In addition, the
   border relay will store the outgoing emails (that are waiting to be
   pulled by receivers) on behalf of all internal mail servers.  All the
   internal mail servers are included in the border relay's allowed SMTA



Duan, et al.             Expires January 5, 2007               [Page 14]

Internet-Draft     Receiver-Driven Extensions to SMTP          July 2006


   category.  This permits the border relay to communicate using SMTP
   with the internal mail servers and using DMTP with rest of the world.

















































Duan, et al.             Expires January 5, 2007               [Page 15]

Internet-Draft     Receiver-Driven Extensions to SMTP          July 2006


4.  Security Considerations

   Retrieving  messages from  SMTAs  using GTML  command  may raise  the
   security concern regarding a malicious third party using stolen msids
   to retrieve  others'  messages.  However,  note  that  the  RMTA
   fetches  a message using  TCP.  In addition, this document recommends
   that the SMTA should use the  RMTA's IP address as one of the inputs
   to its hash function.  Hence,  even if a malicious third party  has a
   sniffed or stolen msid, it would be very difficult for him/her to
   perform a Mitnick attack to  spoof the  IP address  of the RMTA.
   Also, as  a consequence, individual receivers  cannot retrieve  their
   messages directly  from the SMTA.  Instead they need to rely on their
   corresponding RMTAs to retrieve messages.  These RMTAs can be
   authenticated by SMTAs using the MX records in the DNS servers.
   Therefore, the proposed DMTP architecture provides a level  of
   security  that is  at least  comparable to  the  current Email
   architecture.

5.  References

   [DMTP-TR]  Duan, Z., Gopalan, K., and Y. Dong, "DMTP: Controlling
              Spam Through Message Delivery Differentiation", Technical
              Report  TR-041025, Department  of Computer Science,
              Florida State University, October 2004,
              <http://www.cs.fsu.edu/~duan/projects/dmtp/dmtp.htm>.

   [NET2006]  Duan, Z., Dong, Y., and K. Gopalan, "DMTP: Controlling
              Spam Through Message Delivery Differentiation", Proc.
              Networking 2006, Coimbra, Portugal, May 2006,
              <http://www.cs.fsu.edu/~duan/projects/dmtp/dmtp.htm>.

   [RFC1869]  Klensin, J., Freed, N., Rose, M., Stefferud, E., and D.
              Crocker, "SMTP Service Extensions", RFC 1869,
              November 1995.

   [RFC1939]  Myers, J. and M. Rose, "Post Office Protocol - Version 3",
              STD 53, RFC 1939, May 1996.

   [RFC2234]  Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
              Specifications: ABNF", RFC 2234, November 1997.

   [RFC2821]  Klensin, J., "Simple Mail Transfer Protocol", RFC 2821,
              April 2001.

   [RFC3501]  Crispin, M., "INTERNET MESSAGE ACCESS PROTOCOL - VERSION
              4rev1", RFC 3501, March 2003.

   [SRUTI05]  Duan, Z., Gopalan, K., and Y. Dong, "Push vs. Pull:



Duan, et al.             Expires January 5, 2007               [Page 16]

Internet-Draft     Receiver-Driven Extensions to SMTP          July 2006


              Implications of Protocol Design on Controlling Unwanted
              Traffic", Usenix SRUTI 2005 Workshop, Cambridge, MA,
              July 2005,
              <http://www.cs.fsu.edu/~duan/projects/dmtp/dmtp.htm>.


Authors' Addresses

   Zhenhai Duan
   Florida State University
   Department of Computer Science
   Tallahassee, FL  32306

   Phone: +1 850 645 1561
   Email: duan@cs.fsu.edu
   URI:   http://www.cs.fsu.edu/~duan


   Kartik Gopalan
   Florida State University
   Department of Computer Science
   Tallahassee, FL  32306

   Phone: +1 850 644 1685
   Email: kartik@cs.fsu.edu
   URI:   http://www.cs.fsu.edu/~kartik


   Yingfei Dong
   University of Hawaii
   Department of Electrical Engineering
   Honolulu, HI  96822

   Phone: +1 808 956 3448
   Email: yingfei@hawaii.edu
   URI:   http://www.ee.hawaii.edu/~dong/















Duan, et al.             Expires January 5, 2007               [Page 17]

Internet-Draft     Receiver-Driven Extensions to SMTP          July 2006


Intellectual Property Statement

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.


Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.


Copyright Statement

   Copyright (C) The Internet Society (2006).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.


Acknowledgment

   Funding for the RFC Editor function is currently provided by the
   Internet Society.




Duan, et al.             Expires January 5, 2007               [Page 18]