doc/rfc/spec-bosch-sieve-extprograms.txt
author Stephan Bosch <stephan@rename-it.nl>
Fri Jan 08 22:27:34 2016 +0100 (14 months ago)
changeset 2218 801b4b6ba339
permissions -rw-r--r--
lib-sieve: imap4flags extension: Forgot to check for empty flag/keyword in new flag checking function.
     1 Pigeonhole Project                                              S. Bosch
     2                                                         October 12, 2012
     3 
     4 
     5            Sieve Email Filtering: Invoking External Programs
     6 
     7 Abstract
     8 
     9    The Sieve filtering language (RFC 5228) is explicitly designed to be
    10    powerful enough to be useful yet limited in order to allow for a safe
    11    filtering system.  The base specification of the language makes it
    12    impossible for users to do anything more complex (and dangerous) than
    13    write simple mail filters.  One of the consequences of this security-
    14    minded design is that users cannot execute programs external to the
    15    Sieve filter.  However, this can be a very useful and flexible
    16    feature for situations where Sieve cannot provide some uncommon
    17    functionality by itself.  This document updates the Sieve filtering
    18    language with extensions that add support for invoking a predefined
    19    set of external programs.  Messages can be piped to or filtered
    20    through those programs and string data can be input to and retrieved
    21    from those programs.
    22 
    23 
    24 
    25 
    26 
    27 
    28 
    29 
    30 
    31 
    32 
    33 
    34 
    35 
    36 
    37 
    38 
    39 
    40 
    41 
    42 
    43 
    44 
    45 
    46 
    47 
    48 
    49 
    50 
    51 
    52 Bosch                                                           [Page 1]
    53 
    54                          Sieve External Programs            October 2012
    55 
    56 
    57 Table of Contents
    58 
    59    1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
    60    2.  Conventions Used in This Document  . . . . . . . . . . . . . .  3
    61    3.  Naming of External Programs  . . . . . . . . . . . . . . . . .  3
    62    4.  Arguments for External Programs  . . . . . . . . . . . . . . .  4
    63    5.  Action "pipe"  . . . . . . . . . . . . . . . . . . . . . . . .  5
    64      5.1.  Interactions with Other Sieve Actions  . . . . . . . . . .  5
    65      5.2.  Interaction with the Sieve "copy" Extension  . . . . . . .  6
    66    6.  Action "filter"  . . . . . . . . . . . . . . . . . . . . . . .  6
    67      6.1.  Interaction with Other Tests and Actions . . . . . . . . .  7
    68    7.  Action "execute" . . . . . . . . . . . . . . . . . . . . . . .  7
    69    8.  Actions "filter" and "execute" as Tests  . . . . . . . . . . .  8
    70    9.  Sieve Capability Strings . . . . . . . . . . . . . . . . . . .  9
    71    10. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . .  9
    72      10.1. Example 1  . . . . . . . . . . . . . . . . . . . . . . . .  9
    73      10.2. Example 2  . . . . . . . . . . . . . . . . . . . . . . . . 10
    74      10.3. Example 3  . . . . . . . . . . . . . . . . . . . . . . . . 10
    75      10.4. Example 4  . . . . . . . . . . . . . . . . . . . . . . . . 11
    76    11. Security Considerations  . . . . . . . . . . . . . . . . . . . 12
    77    12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12
    78      12.1. Normative References . . . . . . . . . . . . . . . . . . . 12
    79      12.2. Informative References . . . . . . . . . . . . . . . . . . 13
    80    Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 13
    81 
    82 
    83 
    84 
    85 
    86 
    87 
    88 
    89 
    90 
    91 
    92 
    93 
    94 
    95 
    96 
    97 
    98 
    99 
   100 
   101 
   102 
   103 
   104 
   105 
   106 
   107 
   108 Bosch                                                           [Page 2]
   109 
   110                          Sieve External Programs            October 2012
   111 
   112 
   113 1.  Introduction
   114 
   115    This is an extension to the Sieve filtering language defined by RFC
   116    5228 [SIEVE].  It adds commands for invoking a predefined set of
   117    external programs.  Messages can be piped to or filtered through
   118    those programs and, alternatively, string data can be passed to and
   119    retrieved from those programs.
   120 
   121    The Sieve language is explicitly designed to be powerful enough to be
   122    useful yet limited in order to allow for a safe server-side filtering
   123    system.  Therefore, the base specification of the language makes it
   124    impossible for users to do anything more complex (and dangerous) than
   125    write simple mail filters.  One of the consequences of this security-
   126    minded design is that users cannot execute external programs from
   127    their Sieve script.  Particularly for server-side filtering setups in
   128    which mail accounts have no corresponding system account, allowing
   129    the execution of arbitrary programs from the mail filter can be a
   130    significant security risk.  However, such functionality can also be
   131    very useful, for instance to easily implement a custom action or
   132    external effect that Sieve normally cannot provide.
   133 
   134    This document updates the Sieve filtering language with an extension
   135    to support invoking a predefined set of external programs using a set
   136    of new commands.  To mitigate the security concerns, the external
   137    programs cannot be chosen arbitrarily; the available programs are
   138    restricted through administrator configuration.
   139 
   140    This extension is specific to the Pigeonhole Sieve implementation for
   141    the Dovecot Secure IMAP server.  It will therefore most likely not be
   142    supported by web interfaces and GUI-based Sieve editors.  This
   143    extension is primarily meant for use in small setups or global
   144    scripts that are managed by the system's administrator.
   145 
   146 
   147 2.  Conventions Used in This Document
   148 
   149    The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   150    "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   151    document are to be interpreted as described in [KEYWORDS].
   152 
   153    Conventions for notations are as in [SIEVE] Section 1.1, including
   154    use of the "Usage:" label for the definition of action and tagged
   155    arguments syntax.
   156 
   157 
   158 3.  Naming of External Programs
   159 
   160    An external program is identified by a name.  This MUST not
   161 
   162 
   163 
   164 Bosch                                                           [Page 3]
   165 
   166                          Sieve External Programs            October 2012
   167 
   168 
   169    correspond to a file system path or otherwise have the ability to
   170    point to arbitrary programs on the system.  The list of valid program
   171    names MUST be limited, subject to administrator configuration.
   172 
   173    A program name is a sequence of Unicode characters encoded in UTF-8
   174    [UTF-8].  A program name MUST comply with Net-Unicode Definition
   175    (Section 2 of [NET-UNICODE]), with the additional restriction of
   176    prohibiting the following Unicode characters:
   177 
   178    o  0000-001F; [CONTROL CHARACTERS]
   179 
   180    o  002F; SLASH
   181 
   182    o  007F; DELETE
   183 
   184    o  0080-009F; [CONTROL CHARACTERS]
   185 
   186    o  2028; LINE SEPARATOR
   187 
   188    o  2029; PARAGRAPH SEPARATOR
   189 
   190    Program names MUST be at least one octet (and hence Unicode
   191    character) long.  Implementations MUST allow names of up to 128
   192    Unicode characters in length (which can take up to 512 octets when
   193    encoded in UTF-8, not counting the terminating NUL), and MAY allow
   194    longer names.  A server that receives a program name longer than its
   195    internal limit MUST reject the corresponding operation, in particular
   196    it MUST NOT truncate the program name.
   197 
   198    Implementations MUST NOT allow variables to be expanded into the
   199    program names; in other words, the "program-name" value MUST be a
   200    constant string as defined in [VARIABLES], Section 3.
   201 
   202 
   203 4.  Arguments for External Programs
   204 
   205    Optionally, arguments can be passed to an external program.  The
   206    arguments are specified as a Sieve string list and are passed to the
   207    external program in sequence.  Implementations SHOULD NOT impose any
   208    structure for these arguments; validity checks are the responsibility
   209    of the external program.
   210 
   211    However, implementations SHOULD limit the maximum number of arguments
   212    and the length of each argument.  Implementations MUST accept at
   213    least 16 arguments with a length of at least 1024 octets each, and
   214    MAY allow more and longer arguments.  Additionally, implementations
   215    MAY restrict the use of certain control characters such as CR and LF,
   216    if these can cause unexpected behavior or raise security concerns.
   217 
   218 
   219 
   220 Bosch                                                           [Page 4]
   221 
   222                          Sieve External Programs            October 2012
   223 
   224 
   225    Note that implementations MAY also implicitly pass other data, such
   226    as the message envelope, to all executed programs avoiding the need
   227    to pass this information explicitly through program arguments.
   228 
   229 
   230 5.  Action "pipe"
   231 
   232    Usage: "pipe" [":try"] <program-name: string>
   233                  [<arguments: string-list>]
   234 
   235    The "pipe" action executes the external program identified by the
   236    "program-name" argument and pipes the message to it.  Much like the
   237    "fileinto" and "redirect" actions [SIEVE], this action is a
   238    disposition-type action (it is intended to deliver the message) and
   239    therefore it cancels Sieve's implicit keep (see Section 2.10.2 of
   240    [SIEVE]) by default.
   241 
   242    The specified "program-name" argument MUST conform to the syntax and
   243    restrictions defined in Section 3.  A script MUST fail with an
   244    appropriate error if it attempts to use the "filter" action with an
   245    invalid, restricted or unknown program name.  The optional
   246    "arguments" argument lists the arguments that are passed to the
   247    external program, as explained in Section 4.
   248 
   249    If the external program invoked by the "pipe" action fails to execute
   250    or finishes execution with an error, script execution MUST fail with
   251    an appropriate error (causing an implicit "keep" action to be
   252    executed), unless the ":try" tag is specified.
   253 
   254    When the ":try" tag is specified, the "pipe" instruction will attempt
   255    execution of the external program, but failure will not cause the
   256    whole Sieve script execution to fail with an error.  Instead, the
   257    Sieve processing continues as if the "pipe" action was never
   258    triggered.
   259 
   260    If the execution of the external program is unsuccessful, the "pipe"
   261    action MUST NOT cancel the implicit keep.
   262 
   263 5.1.  Interactions with Other Sieve Actions
   264 
   265    By default, the "pipe" action cancels the implicit keep, thereby
   266    handing the responsibility for the message over to the external
   267    program.  This behavior can be overridden using the Sieve "copy"
   268    extension [RFC3894] as described in Section 5.2.
   269 
   270    The "pipe" action can only be executed once per script for a
   271    particular external program.  A script MUST fail with an appropriate
   272    error if it attempts to "pipe" messages to the same program multiple
   273 
   274 
   275 
   276 Bosch                                                           [Page 5]
   277 
   278                          Sieve External Programs            October 2012
   279 
   280 
   281    times.
   282 
   283    The "pipe" action is incompatible with the Sieve "reject" and
   284    "ereject" actions [RFC5429].
   285 
   286 5.2.  Interaction with the Sieve "copy" Extension
   287 
   288    The Sieve "copy" extension [RFC3894] adds an optional ":copy" tagged
   289    argument to the "fileinto" and "redirect" action commands.  When this
   290    tag is specified, these commands do not cancel the implicit "keep".
   291    Instead, the requested action is performed in addition to whatever
   292    else is happening to the message.
   293 
   294    When the "vnd.dovecot.pipe" extension is active, the "copy" extension
   295    also adds the optional ":copy" tag to the "pipe" action command.
   296    This has the familiar effect that when the ":copy" tag is specified,
   297    the implicit "keep" will not be canceled by the "pipe" action.  When
   298    the "copy" extension is active, the syntax of the "pipe" action is
   299    represented as follows:
   300 
   301    Usage: "pipe" [":copy"] [":try"] <program-name: string>
   302                  [<arguments: string-list>]
   303 
   304 
   305 6.  Action "filter"
   306 
   307    Usage: "filter" <program-name: string> [<arguments: string-list>]
   308 
   309    The "filter" action executes the external program identified by the
   310    "program-name" argument and filters the message through it.  This
   311    means that the message is provided as input to the external program
   312    and that the output of the external program is used as the new
   313    message.  This way, the entire message can be altered using the
   314    external program.  The "filter" action does not affect Sieve's
   315    implicit keep.
   316 
   317    The specified "program-name" argument MUST conform to the syntax and
   318    restrictions defined in Section 3.  A script MUST fail with an
   319    appropriate error if it attempts to use the "filter" action with an
   320    invalid, restricted or unknown program name.  The optional
   321    "arguments" argument lists the arguments that are passed to the
   322    external program, as explained in Section 4.
   323 
   324    If the external program fails to execute, finishes execution with an
   325    error, or fails to provide message output, the "filter" action MUST
   326    terminate and leave the message unchanged.  No error condition is
   327    raised, script processing continues, and prior or subsequent "filter"
   328    actions are not affected.
   329 
   330 
   331 
   332 Bosch                                                           [Page 6]
   333 
   334                          Sieve External Programs            October 2012
   335 
   336 
   337 6.1.  Interaction with Other Tests and Actions
   338 
   339    A successful "filter" action effectively changes the message,
   340    potentially substituting the message in its entirety with a new
   341    version.  However, actions such as "reject" and "vacation" that
   342    generate [MDN], [DSN], or similar disposition messages MUST do so
   343    using the original, unmodified message.  Similarly, if an error
   344    terminates processing of the script, the original message MUST be
   345    used when doing the implicit keep required by Section 2.10.6 of
   346    [SIEVE].  All other actions that store, send, or alter the message
   347    MUST do so with the current version of the message.  This includes
   348    the "filter" action itself.
   349 
   350    When a disposition-type action, such as "fileinto", "redirect" or
   351    "pipe", is encountered, the current version of the message is "locked
   352    in" for that disposition-type action.  Whether the implementation
   353    performs the action at that point or batches it for later, it MUST
   354    perform the action on the message as it stood at the time, and MUST
   355    NOT include subsequent changes encountered later in the script
   356    processing.
   357 
   358    In addition, any tests done on the message and its parts will test
   359    the message after all prior "filter" actions have been performed.
   360    Because the implicit keep, if it is in effect, acts on the final
   361    state of the message, all "filter" actions are performed before any
   362    implicit keep.
   363 
   364    The "filter" action does not affect the applicability of other
   365    actions; any action that was applicable before the "filter"
   366    invocation is equally applicable to the changed message afterward.
   367 
   368 
   369 7.  Action "execute"
   370 
   371    Usage: "execute" [":input" <input-data: string> / ":pipe"]
   372                     [":output" <varname: string>]
   373                     <program-name: string> [<arguments: string-list>]
   374 
   375    The "execute" action executes the external program identified by the
   376    "program-name" argument.  Input to the program can be provided using
   377    the ":input" or ":pipe" tags.  If used in combination with the
   378    "variables" extension [VARIABLES], the "execute" action can redirect
   379    output from the program to the variable specified using the ":output"
   380    tag.  This way, string data can be passed to and retrieved from an
   381    external program.  The "execute" action does not change the message
   382    in any way and it never affects Sieve's implicit keep.
   383 
   384    The specified "program-name" argument MUST conform to the syntax and
   385 
   386 
   387 
   388 Bosch                                                           [Page 7]
   389 
   390                          Sieve External Programs            October 2012
   391 
   392 
   393    restrictions defined in Section 3.  A script MUST fail with an
   394    appropriate error if it attempts to use the "execute" action with an
   395    invalid, restricted or unknown program name.  The optional
   396    "arguments" argument lists the arguments that are passed to the
   397    external program, as explained in Section 4.
   398 
   399    The ":input" and ":pipe" tags are mutually exclusive, because these
   400    both specify input that is passed to the external program.
   401    Specifying both for a single "execute" command MUST trigger a compile
   402    error.  The ":input" tag specifies a string that is passed to the
   403    external script as input.  This string may also contain variable
   404    substitutions when the "variables" extension is active.  If instead
   405    the ":pipe" tag is specified, the current version of the message
   406    itself is passed to the external program.  If the ":input" and
   407    ":pipe" tags are both omitted, no input is provided to the external
   408    program.
   409 
   410    The ":output" tag specifies the variable to which the output of the
   411    external program is to be redirected.  If the ":output" tag is
   412    omitted, any output from the external program is discarded.  The
   413    ":output" tag requires the "variables" [VARIABLES] extension to be
   414    active.  The use of the ":output" tag for the "execute" action
   415    without the "variables" extension in the require line MUST trigger a
   416    compile error.
   417 
   418    The "varname" parameter of the ":output" tag specifies the name of
   419    the variable.  It MUST be a constant string and it MUST conform to
   420    the syntax of "variable-name" as defined in [VARIABLES], Section 3.
   421    An invalid name MUST be detected as a syntax error.  The referenced
   422    variable MUST be compatible with the "set" command as described in
   423    [VARIABLES], Section 4.  This means that match variables cannot be
   424    specified and that variable namespaces are only allowed when their
   425    specification explicitly indicates compatibility with the "set"
   426    command.  Use of an incompatible variable MUST trigger a compile
   427    error.
   428 
   429    The data actually stored in the variable MAY be truncated to conform
   430    to an implementation-specific limit on variable length.  If the
   431    execution of the external program fails, the contents of the variable
   432    referenced with ":output" MUST remain unchanged.
   433 
   434 
   435 8.  Actions "filter" and "execute" as Tests
   436 
   437    To simplify checking the successful invocation of the external
   438    program, the "filter" and "execute" actions can also be used as
   439    tests.  As such, these will attempt to execute the requested external
   440    program, and will evaluate to "true" if the program executed
   441 
   442 
   443 
   444 Bosch                                                           [Page 8]
   445 
   446                          Sieve External Programs            October 2012
   447 
   448 
   449    successfully and, if applicable, output was retrieved from it
   450    successfully.  The usage as a test is exactly the same as the usage
   451    as an action: as a test it doubles as an action and a test of the
   452    action's result at the same time.
   453 
   454    For the "execute" test, a "false" result is not necessarily equal to
   455    actual failure: it may just mean that the executed program returned a
   456    "false" result, e.g. an exit code higher than zero on Unix systems.
   457    Note that any output from the external program is discarded when it
   458    yields a "false" result.  Similarly, for the "filter" test, programs
   459    may return a "false" result to indicate that the message was not
   460    changed.  In that case the Sieve interpreter will not replace the
   461    active message with an identical one, which is beneficial for
   462    efficiency.  The exact semantics of these tests thus partly depends
   463    on the program being executed.
   464 
   465    To handle missing programs gracefully, implementations MAY let the
   466    "filter" and "execute" tests evaluate to "false" if an unknown
   467    program name is specified, instead of failing the script with an
   468    error as would happen if used as an action.  In any other case and
   469    irrespective of whether the command is used as an action or a test,
   470    passing invalid arguments to the "filter" or "execute" commands, such
   471    as a syntactically invalid or restricted program name, MUST always
   472    cause the script to fail with an appropriate error.
   473 
   474 
   475 9.  Sieve Capability Strings
   476 
   477    A Sieve implementation that defines the "pipe" action command will
   478    advertise the capability string "vnd.dovecot.pipe".
   479 
   480    A Sieve implementation that defines the "filter" action command will
   481    advertise the capability string "vnd.dovecot.filter".
   482 
   483    A Sieve implementation that defines the "execute" command will
   484    advertise the capability string "vnd.dovecot.execute".
   485 
   486 
   487 10.  Examples
   488 
   489    The examples outlined in this section all refer to some external
   490    program.  These programs are imaginary and are only available when
   491    the administrator would provide them.
   492 
   493 10.1.  Example 1
   494 
   495    The following example passes messages directed to a
   496    "user-request@example.com" address to an external program called
   497 
   498 
   499 
   500 Bosch                                                           [Page 9]
   501 
   502                          Sieve External Programs            October 2012
   503 
   504 
   505    "request-handler".  The "-request" part of the recipient address is
   506    identified using the "subaddress" extension [SUBADDRESS].  If the
   507    program is executed successfully, the message is considered delivered
   508    and does not end up in the user's inbox.
   509 
   510    require [ "vnd.dovecot.pipe", "subaddress", "envelope" ];
   511 
   512    if envelope :detail "to" "request"
   513    {
   514      pipe "request-handler";
   515    }
   516 
   517 10.2.  Example 2
   518 
   519    The following example copies messages addressed to a particular
   520    recipient to a program called "printer".  This program sends the
   521    message to some printer.  In this case it is configured for "A4" page
   522    format and "draft" quality using the two arguments.  Irrespective of
   523    whether the message is printed or not, it is also always stored in
   524    the user's inbox through Sieve's implicit keep action (which is not
   525    canceled due to the specified :copy tag).
   526 
   527    require [ "vnd.dovecot.pipe", "copy" ];
   528 
   529    if address "to" "snailmail@example.com"
   530    {
   531      pipe :copy "printer" ["A4", "draft"];
   532    }
   533 
   534 10.3.  Example 3
   535 
   536    The following example translates a message from Dutch to English if
   537    appropriate.  If the message's content language is indicated to be
   538    Dutch, the message is filtered through an external program called
   539    "translator" with arguments that request Dutch to English
   540    translation.  Dutch messages are translated and filed into a special
   541    folder called "Translated".  Other messages are delivered to the
   542    user's inbox.
   543 
   544    require [ "vnd.dovecot.filter", "fileinto" ];
   545 
   546    if header "content-language" "nl"
   547    {
   548      filter "translator" ["nl", "en"];
   549      fileinto "Translated";
   550      stop;
   551    }
   552 
   553 
   554 
   555 
   556 Bosch                                                          [Page 10]
   557 
   558                          Sieve External Programs            October 2012
   559 
   560 
   561    Note that (formerly) Dutch messages are filed into the "Translated"
   562    folder, even when the "translator" program fails.  In the following
   563    modified example this is prevented by using the filter action as a
   564    test:
   565 
   566    require [ "vnd.dovecot.filter", "fileinto" ];
   567 
   568    if header "content-language" "nl"
   569    {
   570      if filter "translator" ["nl", "en"]
   571      {
   572        fileinto "Translated";
   573        stop;
   574      }
   575    }
   576 
   577    This way, messages only end up in the "Translated" folder when
   578    translation was actually successful.
   579 
   580 10.4.  Example 4
   581 
   582    The following example determines whether the user is on vacation by
   583    querying an external source.  The vacation message is obtained from
   584    the external source as well.  The program that queries the external
   585    source is called "onvacation" and it has one argument: the localpart
   586    of the recipient address.  The execute action is used as a test,
   587    which will evaluate to "true" when the user is determined to be on
   588    vacation.  This means that the external program "onvacation" exits
   589    with a failure when the user is not on vacation.  Of course, a
   590    vacation response is also not sent when the "onvacation" program
   591    truly fails somehow.
   592 
   593    require [ "vnd.dovecot.execute", "vacation", "variables",
   594              "envelope" ];
   595 
   596    if envelope :localpart :matches "to" "*"
   597    {
   598      set "recipient" "${1}";
   599    }
   600 
   601    if execute :output "vacation_message" "onvacation" "${recipient}"
   602    {
   603      vacation "${vacation_message}";
   604    }
   605 
   606 
   607 
   608 
   609 
   610 
   611 
   612 Bosch                                                          [Page 11]
   613 
   614                          Sieve External Programs            October 2012
   615 
   616 
   617 11.  Security Considerations
   618 
   619    Allowing users to execute programs external to the Sieve filter can
   620    be a significant security risk, therefore the extensions presented in
   621    this specification must be implemented with great care.  The external
   622    programs should execute with no more privileges than needed.
   623 
   624    Particularly the arguments passed to the external programs (see
   625    Section 4) need to be handled with scrutiny.  The external programs
   626    need to check the arguments for validity and SHOULD NOT pass these to
   627    system tools directly, as this may introduce the possibility of
   628    various kinds of insertion attacks.  External programs that work with
   629    message content or string input from the Sieve script may have
   630    similar security concerns.
   631 
   632    Unlike the Sieve interpreter itself, an external program can easily
   633    consume a large amount of resources if not implemented carefully.
   634    This can be triggered by coincidence or intentionally by an attacker.
   635    Therefore, amount of resources available to the external programs
   636    SHOULD be limited appropriately.  For one, external programs MUST NOT
   637    be allowed to execute indefinitely.
   638 
   639    For improved security, implementations MAY restrict the use of this
   640    extension to administrator-controlled global Sieve scripts.  In such
   641    setups, the external programs are never called directly from the
   642    user's personal script.  For example, using the "include" extension
   643    [INCLUDE], the user's personal script can include global scripts that
   644    contain the actual external program invocations.  This both abstracts
   645    the details of external program invocation from the user's view and
   646    it limits access to external programs to whatever the administrator
   647    defines.
   648 
   649 
   650 12.  References
   651 
   652 12.1.  Normative References
   653 
   654    [KEYWORDS]
   655               Bradner, S., "Key words for use in RFCs to Indicate
   656               Requirement Levels", BCP 14, RFC 2119, March 1997.
   657 
   658    [NET-UNICODE]
   659               Klensin, J. and M. Padlipsky, "Unicode Format for Network
   660               Interchange", RFC 5198, March 2008.
   661 
   662    [RFC3894]  Degener, J., "Sieve Extension: Copying Without Side
   663               Effects", RFC 3894, October 2004.
   664 
   665 
   666 
   667 
   668 Bosch                                                          [Page 12]
   669 
   670                          Sieve External Programs            October 2012
   671 
   672 
   673    [SIEVE]    Guenther, P. and T. Showalter, "Sieve: An Email Filtering
   674               Language", RFC 5228, January 2008.
   675 
   676    [UTF-8]    Yergeau, F., "UTF-8, a transformation format of ISO
   677               10646", STD 63, RFC 3629, November 2003.
   678 
   679    [VARIABLES]
   680               Homme, K., "Sieve Email Filtering: Variables Extension",
   681               RFC 5229, January 2008.
   682 
   683 12.2.  Informative References
   684 
   685    [DSN]      Moore, K. and G. Vaudreuil, "An Extensible Message Format
   686               for Delivery Status Notifications", RFC 3464,
   687               January 2003.
   688 
   689    [INCLUDE]  Daboo, C. and A. Stone, "Sieve Email Filtering: Include
   690               Extension", RFC 6609, May 2012.
   691 
   692    [MDN]      Hansen, T. and G. Vaudreuil, "Message Disposition
   693               Notification", RFC 3798, May 2004.
   694 
   695    [RFC5429]  Stone, A., "Sieve Email Filtering: Reject and Extended
   696               Reject Extensions", RFC 5429, March 2009.
   697 
   698    [SUBADDRESS]
   699               Murchison, K., "Sieve Email Filtering -- Subaddress
   700               Extension", RFC 3598, September 2003.
   701 
   702 
   703 Author's Address
   704 
   705    Stephan Bosch
   706    Enschede
   707    NL
   708 
   709    Email: stephan@rename-it.nl
   710 
   711 
   712 
   713 
   714 
   715 
   716 
   717 
   718 
   719 
   720 
   721 
   722 
   723 
   724 Bosch                                                          [Page 13]
   725 
   726 
   727