I've just posted a final version of draft-ietf-sieve-notify-mailto. It resolves
all the last-call and IESG issues, including Cullen's DISCUSS position, which he
should be clearing when he reviews this version.
There are some editorial changes to fix some nits and some old references.
The substantive changes are these:
Changed in "2.7.1. The Auto-Submitted header field":
The auto-notified Auto-Submitted field MUST include one or both of
the following parameters:
This makes at least one of the "owner-*" parameters required, so that we can be
sure that an accidental recipient of notification messages will have a way to
contact the sending domain and get the problem fixed.
Added to "5. Security Considerations":
Email addresses specified as recipients of notifications might not be
owned by the entity that owns the Sieve script. As a result, a
notification recipient could wind up as the target of unwanted
notifications, either through intent (using scripts to mount a mail-
bomb attack) or by accident (an address was mistyped or has been
reassigned). The situation is arguably no worse than any other in
which a recipient gets unwanted email, and some of the same
mechanisms can be used in this case. But those deploying this
extension have to be aware of the potential extra problems here,
where scripts might be created through means that do not adequately
validate email addresses, and such scripts might then be forgotten
and left to run indefinitely.
In particular, note that the Auto-Submitted header field is required
to include a value that a recipient can use when contacting the
source domain of the notification message (see Section 2.7.1). That
value will allow the domain to track down the script's owner and have
the script corrected or disabled. Domains that enable this extension
MUST be prepared to respond to such complaints, in order to limit the
damage caused by a faulty script.
Problems can also show up if notification messages are sent to a
gateway into another service, such as SMS. Information from the
email message is often lost in the gateway translation, and in this
case critical information needed to avoid loops, to contact the
script owner, and to resolve other problems might be lost.
Developers of email gateways should consider these issues, and try to
preseve as much information as possible, including what appears in
email trace headers and Auto-Submitted.
Please comment quickly if you have a problem with any of this. Otherwise, the
new draft will go through with these changes.