JMAP for Sieve Scripts

JMAP for Sieve Scripts Fastmail US LLC

1429 Walnut Street - Suite 1201 Philadelphia PA 19102 USA murch@fastmailteam.com

ART JMAP JMAP JSON Sieve This document specifies a data model for managing Sieve scripts on a server using the JSON Meta Application Protocol (JMAP). Clients can use this protocol to efficiently search, access, organize, and validate Sieve scripts.

Introduction JMAP (JSON Meta Application Protocol) is a generic protocol for synchronizing data, such as mail, calendars or contacts, between a client and a server. It is optimized for mobile and web environments, and aims to provide a consistent interface to different data types. This specification defines a data model for managing Sieve scripts on a server using JMAP. The data model is designed to allow a server to provide consistent access to the same scripts via ManageSieve as well as JMAP.

Notational Conventions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. Type signatures, examples, and property descriptions in this document follow the conventions established in . This document also uses data types and terminology established in Sections - of . The term SieveScript (with this specific capitalization) is used to refer to the data type defined in this document and instances of those data types. Servers MUST support all properties specified for the data type defined in this document. For brevity, JMAP API (see ) examples only show the "methodCalls" property of the Request object, and the "methodResponses" property of the Response object. All other examples are shown using the HTTP 1.1 protocol.

Addition to the Capabilities Object The capabilities object is returned as part of the JMAP Session object; see . This document defines one additional capability URI.

urn:ietf:params:jmap:sieve The urn:ietf:params:jmap:sieve URI represents support for the SieveScript data type and associated API methods. The value of this property in the JMAP Session capabilities property is an object that MUST contain the following information on server capabilities:

implementation: String The name and version of the Sieve implementation.

The value of this property in an account's accountCapabilities property is an object that MUST contain the following information on per-account server capabilities:

maxSizeScriptName: UnsignedInt The maximum length, in octets, allowed for the name of a SieveScript. For compatibility with ManageSieve, this MUST be at least 512 (up to 128 Unicode characters).
maxSizeScript: UnsignedInt|null The maximum size (in octets) of a Sieve script the server is willing to store for the user, or null for no limit.
maxNumberScripts: UnsignedInt|null The maximum number of Sieve scripts the server is willing to store for the user, or null for no limit.
maxNumberRedirects: UnsignedInt|null The maximum number of Sieve "redirect" actions a script can perform during a single evaluation or null for no limit. Note that this is different from the total number of "redirect" actions a script can contain.
sieveExtensions: String[] A list of case-sensitive Sieve capability strings (as listed in Sieve "require" action; see ) indicating the extensions supported by the Sieve engine.
notificationMethods: String[]|null A list of URI schema parts for notification methods supported by the Sieve "enotify" extension, or null if the extension is not supported by the Sieve engine.
externalLists: String[]|null A list of URI schema parts for externally stored list types supported by the Sieve "extlists" extension, or null if the extension is not supported by the Sieve engine.

Example A JMAP Session object showing a user that has access to their own Sieve scripts with support for a few Sieve extensions:

Sieve Scripts A SieveScript object represents a single Sieve script for filtering email messages at time of final delivery.

Sieve Script Properties A SieveScript object has the following properties:

id: Id (immutable; server-set) The id of the script.
name: String|null (optional; default is server-dependent) User-visible name for the SieveScript. If non-null, this MUST be a Net-Unicode string of at least 1 character in length, subject to the maximum size given in the capability object. For compatibility with ManageSieve, servers MUST reject names that contain any of the following Unicode characters: U+0000 - U+001F, U+007F - U+009F, U+2028, U+2029. Servers MAY reject names that violate server policy (e.g., names containing slash (/)). The name MUST be unique among all SieveScripts within an account.
blobId: Id The id of the blob containing the raw octets of the script.
isActive: Boolean (server-set; default: false) Indicator that the SieveScript is actively filtering incoming messages. A user may have at most one active script. The SieveScript/set method is used for changing the active script or disabling Sieve processing.

Sieve Script Content A script MUST be UTF-8 content of at least 1 character in length, subject to the syntax of Sieve. A script MUST NOT contain any "require" statement(s) mentioning Sieve capability strings not present in the capability object. Note that if the Sieve "ihave" capability string is present in the capability object, the script MAY mention unrecognized/unsupported extensions in the "ihave" test. Script content is treated as a binary blob and uploaded/downloaded via the mechanisms in Sections / respectively and/or via the JMAP Blob management methods in Sections / respectively. Downloading script content via the JMAP downloadUrl or the Blob/get method provides equivalent functionality to the GETSCRIPT command in .

SieveScript/get This is a standard "/get" method as described in . The ids argument may be null to fetch all scripts at once. This method provides equivalent functionality to the LISTSCRIPTS command in .

Examples List all scripts: Download the script content via the JMAP downloadUrl as advertised in : Fetch script properties and content in a single JMAP API request using the JMAP Blob management extension:

SieveScript/set This is a standard "/set" method as described in but with the following additional optional request arguments:

onSuccessActivateScript: Id The id of the SieveScript to activate if and only if all of the creations, modifications, and destructions (if any) succeed. (For references to SieveScript creations, this is equivalent to a creation-reference, so the id will be the creation id prefixed with a "#".) The currently active SieveScript (if any) will be deactivated before activating the specified SieveScript. If omitted, or if the id is either invalid or nonexistent, it MUST be ignored and the currently active SieveScript (if any) will remain as such. The id of any activated SieveScript MUST be reported in either the "created" or "updated" argument in the response as appropriate, including a value of "true" for the "isActive" property. The id of any deactivated SieveScript MUST be reported in the "updated" argument in the response, including a value of "false" for the "isActive" property.
onSuccessDeactivateScript: Boolean If true, the currently active SieveScript (if any) will be deactivated if and only if all of the creations, modifications, and destructions (if any) succeed. If false or omitted, the currently active SieveScript (if any) will remain as such. The id of any deactivated SieveScript MUST be reported in the "updated" argument in the response, including a value of "false" for the "isActive" property.

If both the onSuccessActivateScript and onSuccessDeactivateScript arguments are present in the request, then onSuccessDeactivateScript MUST be processed first. If neither argument is present in the request, the currently active SieveScript (if any) will remain as such. This method provides equivalent functionality to the PUTSCRIPT, DELETESCRIPT, RENAMESCRIPT, and SETACTIVE commands in . Script content must first be uploaded as per prior to referencing it in a SieveScript/set call. If the SieveScript can not be created or updated because it would result in two SieveScripts with the same name, the server MUST reject the request with an "alreadyExists" SetError. An "existingId" property of type "Id" MUST be included on the SetError object with the id of the existing SieveScript. If the SieveScript can not be created or updated because its size exceeds the "maxSizeScript" limit, the server MUST reject the request with a "tooLarge" SetError. If the SieveScript can not be created because it would exceed the "maxNumberScripts" limit or would exceed a server-imposed storage limit, the server MUST reject the request with an "overQuota" SetError. The active SieveScript MUST NOT be destroyed unless it is first deactivated in a separate SieveScript/set method call. The following extra SetError types are defined: For "create" and "update":

invalidSieve: The SieveScript content violates the Sieve grammar and/or one or more extensions mentioned in the script's "require" statement(s) are not supported by the Sieve interpreter. The description property on the SetError object SHOULD contain a specific error message giving at least the line number of the first error.

For "destroy":

sieveIsActive: The SieveScript is active.

Examples Upload a script requiring the Imap4Flags Extension using the JMAP uploadUrl as advertised in : Create and activate a script using the uploaded blob. Note that the response shows that an existing active script has been deactivated in lieu of the newly created script being activated. Update the script content using the JMAP Blob management extension: Update the script name and deactivate it: Reactivate the script: Deactivate and destroy the active script:

SieveScript/query This is a standard "/query" method as described in . A FilterCondition object has the following properties, either of which may be omitted:

name: String The SieveScript "name" property contains the given string.
isActive: Boolean The "isActive" property of the SieveScript must be identical to the value given to match the condition.

The following SieveScript properties MUST be supported for sorting:

name
isActive

SieveScript/validate This method is used by the client to verify Sieve script validity without storing the script on the server, providing equivalent functionality to the CHECKSCRIPT command in . The method takes the following arguments:

accountId: Id The id of the account to use.
blobId: Id The id of the blob containing the raw octets of the script to validate, subject to the same requirements in .

The response has the following arguments:

accountId: Id The id of the account used for this call.
error: SetError|null An "invalidSieve" SetError object if the script content is invalid (see ), or null if the script content is valid.

As with the SieveScript/set method, script content must first be uploaded as a blob using either the standard upload mechanism (see ) or the JMAP Blob management extension (see ).

Quotas Servers SHOULD impose quotas on Sieve scripts to prevent malicious users from exceeding available storage. Administration of such quotas is outside of the scope of this specification, however defines a data model for users to obtain quota details over JMAP. The mechanism for handling SieveScript requests that would place a user over a quota setting is discussed in .

Compatibility with JMAP Vacation Response defines a VacationResponse object to represent an autoresponder to incoming email messages. Servers that implement the VacationResponse as a Sieve script that resides amongst other user scripts are subject to the following requirements:

MUST allow the VacationResponse Sieve script to be fetched by the SieveScript/get method.
MUST allow the VacationResponse Sieve script to be [de]activated via the "onSuccessActivateScript" argument to the SieveScript/set method.
MUST NOT allow the VacationResponse Sieve script to be destroyed or have its content updated by the SieveScript/set method. Any such request MUST be rejected with a "forbidden" SetError. A "description" property MAY be present with an explanation that the script can only be modified by a VacationResponse/set method.

Security Considerations All security considerations of JMAP and Sieve apply to this specification. Additionally, implementations MUST treat Sieve script content as untrusted data. As such, script parsers MUST fail gracefully in the face of syntactically invalid or malicious content and MUST be prepared to deal with resource exhaustion (E.g., allocation of enormous strings, lists, or command blocks).

IANA Considerations

JMAP Capability Registration for "sieve" IANA will register the "sieve" JMAP Capability as follows: Capability Name: urn:ietf:params:jmap:sieve Specification document: this document Intended use: common Change Controller: IETF Security and privacy considerations: this document,

JMAP Data Type Registration for "SieveScript" IANA will register the "SieveScript" JMAP Data Type as follows: Type Name: SieveScript Can Reference Blobs: yes Can Use for State Change: yes Capability: urn:ietf:params:jmap:sieve Specification document: this document

JMAP Error Codes Registry The following sub-sections register two new error codes in the JMAP Error Codes registry, as defined in .

invalidSieve JMAP Error Code: invalidSieve Intended use: common Change controller: IETF Reference: This document, Description: The SieveScript violates the Sieve grammar and/or one or more extensions mentioned in the script's "require" statement(s) are not supported by the Sieve interpreter.

sieveIsActive JMAP Error Code: sieveIsActive Intended use: common Change controller: IETF Reference: This document, Description: The client tried to destroy the active SieveScript.

Acknowledgments The concepts in this document are based largely on those in . The author would like to thank the authors of that document for providing both inspiration and some borrowed text for this document. The author would also like to thank the following individuals for contributing their ideas and support for writing this specification: Joris Baum, Mauro De Gennaro, Bron Gondwana, Neil Jenkins, Alexey Melnikov, and Ricardo Signes.

References Normative References Informative References

Change History (To be removed by RFC Editor before publication) Changes since ietf-20:

Listed Unicode characters prohibited in script names.
Cleaned up the language of the optional /set arguments.
Added security considerations about parsing Sieve script content.
Miscellaneous editorial changes.

Changes since ietf-19:

Tweaked the example captions.

Changes since ietf-18:

Edited JMAP API examples for brevity to match other JMAP specs, and added explanatory text to 1.1.
Updated <xref> elements to to use "section" and "sectionFormat" attributes.

Changes since ietf-17:

Several editorial changes resulting from IESG review comments.
Added a section discussuing quotas.

Changes since ietf-16:

Renamed the "invalidScript" and "scriptIsActive" SetErrors to "invalidSieve" and "sieveIsActive" respectively.

Changes since ietf-15:

Added registration for SieveScript JMAP Data Type.
Miscellaneous editorial changes.

Changes since ietf-14:

Updated reference for JMAP Blobs.

Changes since ietf-13:

Added implementation argument to capabilities.
Miscellaneous editorial changes.

Changes since ietf-12:

Added onSuccessDeactivateScipt argument to /set method.
Clarified that the "isActive" property must be included in the created/uodated/destroyed arguments in a response of the active script is changed and/or deactivated.
Miscellaneous editorial changes.

Changes since ietf-11:

Fixed examples to be proper JSON and JMAP.

Changes since ietf-10:

Fixed SieveScript/set response deactivating script example.
Fixed line line nit in Blob/get request.
Removed unused references.

Changes since ietf-09:

Fixed Blob/upload request in example.

Changes since ietf-08:

Fixed Blob/upload response in example.
Removed SieveScript/test method (to be written as an extension document).

Changes since ietf-07:

Updated example to use Blob/upload rather than Blob/set.

Changes since ietf-06:

None (refreshed to avoid expiration).

Changes since ietf-05:

Converted source from xml2rfc v2 to v3.
Added examples for SieveScript/get.
Miscellaneous editorial changes.

Changes since ietf-04:

SieveScript/test: Switched from using a JSON array for each completed action and its args to a JSON object.
Switched to referencing draft-ietf-jmap-blob.
Miscellaneous editorial changes.

Changes since ietf-03:

SieveScript/test: Moved positional arguments into their own array (because the specfications don't use a consistent method for defining the action syntax or naming of positional arguments).

Changes since ietf-02:

Removed open issues.
Reverted back to using only blob ids for script content.
Added "rateLimit" and "requestTooLarge" to the list of possible error codes for /set method.
Added Compatibility with JMAP Vacation Response section.
Added RFC5228 to Security Considerations.
Miscellaneous editorial changes.

Changes since ietf-01:

Removed normative references to ManageSieve (RFC 5804).
Added the 'maxSizeScriptName' capability.
Made the 'name' property in the SieveScript object optional.
Added requirements for the 'name' property in the SieveScript object.
Removed the 'blobId' property from the SieveScript object.
Removed the 'replaceOnCreate' argument from the /set method.
Removed the 'blobId' argument from the /validate method.
Removed the 'scriptBlobId' argument from, and added the 'scriptContent' argument to, the /test method.
Editorial fixes from Neil Jenkins and Ricardo Signes.
Other miscellaneous text reorganization and editorial fixes.

Changes since ietf-00:

Specified that changes made by onSuccessActivateScript MUST be reported in the /set response as created and/or updated as appropriate.
Reworked and specified more of the /test response based on implementation experience.

Changes since murchison-01:

Explicitly stated that Sieve capability strings are case-sensitive.
errorDescription is now String|null.
Added /query method.
Added /test method.

Changes since murchison-00:

Added IANA registration for "scriptIsActive" JMAP error code.
Added open issue about /set{create} with an existing script name.