]> Fastmail US LLC

1429 Walnut Street, Suite 1201 Philadelphia PA 19102 United States of America murch@fastmailteam.com

Fastmail US LLC

1429 Walnut Street, Suite 1201 Philadelphia PA 19102 United States of America rjbs@fastmailteam.com

Fastmail US LLC

1429 Walnut Street, Suite 1201 Philadelphia PA 19102 United States of America alh@fastmailteam.com

ART extra Sieve This document describes the "processcalendar" extension to the Sieve email filtering language. The "processcalendar" extension gives Sieve the ability to process machine-readable calendar data that is encapsulated in an email message using Multipurpose Internet Mail Extensions (MIME).

Introduction Users frequently receive invites, replies, and cancellations for events, tasks, etc. via Internet mail messages. It is sometimes desirable to have such messages automatically parsed and the enclosed calendar data added to, updated on, or deleted from the user's calendars. Typically, such messages are based on the iCalendar Message-Based Interoperability Protocol (iMIP) . However, sometimes the enclosed iCalendar data does not include an iCalendar Transport-Independent Interoperability Protocol (iTIP) method property (see ), or the enclosed data may be in some other machine-readable format (e.g., JSCalendar ). This document defines an extension to the Sieve language that enables scripts to process machine-readable calendar data that is encapsulated in an email message using MIME . Specifically, this extension provides the ability to alter items on a user's calendars that are referenced in the encapsulated calendar data.

Conventions Used in This Document Conventions for notations are as in , including use of the "Usage:" label for the definition of action and tagged arguments syntax. This document uses terminology and concepts from iCalendar and iTIP to describe the processing of calendar data, but this extension can be used with any machine-readable calendar data format that can express similar concepts. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Capability Identifier Sieve interpreters that implement this extension MUST have an identifier of "processcalendar" for use with the capability mechanism.

Process Calendar Action ] [ :updatesonly / :calendarid ] [ :deletecancelled ] [ :organizers ] [ :outcome ] [ :reason ] ]]> The "processcalendar" action is used to parse encapsulated calendar data and perform the appropriate action based on the content. If the calendar data is malformed in any way, it MUST be ignored and no action is taken. Otherwise, calendar objects may be created, updated, or deleted from a given calendar. This action can be used with or without the "extlists" extension . When the "extlists" extension is enabled in a script using <require "extlists">, the script can use the :organizers argument () in the "processcalendar" action as described below. When the "extlists" extension is not enabled, the :organizers argument MUST NOT be used and MUST cause an error according to . This action can be used with or without the "variables" extension . When the "variables" extension is enabled in a script using <require "variables">, the script can use the :outcome () and :reason () arguments in the "processcalendar" action as described below. When the "variables" extension is not enabled, the :outcome and :reason arguments MUST NOT be used and MUST cause an error according to . If a mail message contains calendar data in multiple MIME parts, this action MUST verify that the calendar data in each part are semantically equivalent to one another. If the data is found to be semantically different, the action MUST NOT process the message. Otherwise, the action MUST only process one representation of the data. This action MUST NOT make any changes to the participant status of the recipient when processing the calendar data. The mechanism for a recipient to change their participant status to an event is out of scope for this document. This action SHOULD remove alarms from calendar data before applying it to a calendar. Failure to do so could result in unwelcome notifications being triggered for the recipient.

Allow Public Argument The optional :allowpublic argument is used to tell the implementation that it can process calendar data that does not contain any ATTENDEE properties, such as iTIP messages where the METHOD is PUBLISH or non-iTIP messages where the calendar data does not contain METHOD and/or ORGANIZER properties. If used in conjunction with the :organizers argument (), the implementation MUST NOT process non-iTIP messages. If :allowpublic is omitted, the implementation MUST NOT process calendar data unless is it is a well-formed iTIP message and one of the recipient user's email addresses matches the Calendar User Address (see ) of the intended target of the message, as determined by the iTIP method (see ) of the message:

• "REPLY": Value of the ORGANIZER property (see )
• "REQUEST", "CANCEL", "ADD": Value of one of the ATTENDEE properties (see )

The recipient user's email address matches the Calendar User Address of the target if the Calendar User Address is in the form of a mailto URI and the email address matches the "addr-spec" of the URI. An email address is considered to belong to the recipient if it is one of the following:

• an email address known by the implementation to be associated with the recipient,
• the final envelope recipient address if it's available to the implementation, or
• an address specified by the script writer via the :addresses argument ().

Addresses Argument The optional :addresses argument is used to specify email addresses that belong to the recipient in addition to the addresses known to the implementation.

Updates Only Argument The optional :updatesonly argument is used to limit the messages processed to those targeting existing calendar objects only. If the message contains a new calendar object (its unique identifier does not exist on any of the user's calendars), the implementation MUST NOT add the object to a calendar. If :updatesonly is omitted, new calendar objects may be added to one of the user's calendars. The :updatesonly and :calendarid () arguments are incompatible with each other. It is an error if both arguments are used in the same "processcalendar" action.

Calendar ID Argument The optional :calendarid argument specifies the identifier of the calendar onto which new calendar objects should be placed. If :calendarid is omitted, new calendar objects will be placed on the user's "default" calendar as determined by the implementation. The :updatesonly () and :calendarid arguments are incompatible with each other. It is an error if both arguments are used in the same "processcalendar" action.

Delete Cancelled Argument The optional :deletecancelled argument is used to tell the implementation that if it receives a cancellation message, it SHOULD remove the associated calendar object from the calendar. If :deletecancelled is omitted, the status of the associated calendar object will be set to cancelled and will remain on the calendar.

Organizers Argument The optional :organizers argument is used to specify an external list of email addresses from which the recipient is willing to accept public events, invites, updates, and cancellations. Implementations MUST NOT process calendar data unless is it is a well-formed iTIP message and one of the addresses in the external list matches the Calendar User Address of the ORGANIZER property. An email address in the external list matches the Calendar User Address of the ORGANIZER property if it is in the form of a mailto URI and the email address matches the "addr-spec" of the URI. If :organizers is omitted, no validation of the ORGANIZER property is performed.

Outcome Argument The optional :outcome argument specifies the name of a variable into which one of the following strings specifying the outcome of the action will be stored:

"no_action":

No action was performed (e.g., the message didn't contain calendar data, or the set of provided options prevented the message from being processed).

"added":

A new calendar object was added to a calendar.

"updated":

A calendar object was updated, cancelled, or removed from the calendar.

"error":

The message would have been processed but encountered an error in doing so.

Reason Argument The optional :reason argument specifies the name of a variable into which a string describing the reason for the outcome will be stored. If no reason for the outcome is available, implementations MUST set the variable to the empty string. For example, an outcome of "no_action" may have a reason of "only processing updates", or an outcome of "error" may have a reason of "missing unique identifier".

Interaction with Other Sieve Actions The "processcalendar" action does not cancel Sieve's implicit keep action. The "processcalendar" action can only be executed once per script. A script MUST fail with an appropriate error if it attempts to execute two or more "processcalendar" actions. The "processcalendar" action is incompatible with the Sieve "reject" and "ereject" actions .

Examples The following example specifies email addresses belonging to the user and the identifier of the calendar onto which to place new calendar objects: The following example tells the interpreter to process flight itineraries from a particular airline: The following example adds headers to the message if calendar data isn't processed :

Security Considerations This document describes a method for altering an electronic calendar without user interaction. As such, unless proper precautions are undertaken, it can be used as a vector for calendar abuse. It is critical that implementations correctly implement the behavior and restrictions described throughout this document. Security issues associated with processing unsolicited calendar data and methods for mitigating them are discussed in . Specifically:

• The "processcalendar" extension MUST NOT process any calendar data enclosed in a message flagged as spam and/or malicious. The "spamtest" and "virustest" extensions (or the header test if messages are scanned outside of the Sieve interpreter) can be used to make "processcalendar" conditional on "safe" content.
• The "processcalendar" extension SHOULD NOT process calendar data received from a potentially malicious sender. The address and envelope tests (optionally along with the "extlists" extension ) can be used to create a "deny list" and make "processcalendar" conditional on the sender not being a member of that list.
• Similarly, the "processcalendar" extension SHOULD only process calendar data received from a known sender. The address and envelope tests (optionally along with the "extlists" extension ) can be used to create an "allow list" and make "processcalendar" conditional on the sender being a member of that list.
• The "processcalendar" extension SHOULD NOT process calendar data received from an untrustworthy sender. Trustworthiness may depend on whether the message has a valid signature (see ) and/or on whether one or more of the following passes or fails on the message: Sender Policy Framework (SPF) , DomainKeys Identified Mail (DKIM) Signatures , and Domain-based Message Authentication, Reporting, and Conformance (DMARC) . The mechanism by which a Sieve interpreter accesses the results of such checks is outside the scope of this document, but if the results are available in the message's header fields, the header test can be used to make "processcalendar" conditional on the sender being trustworthy.

Additionally, if the calendar data has embedded (a.k.a. inline) attachments, implementations SHOULD:

• Decode the embedded attachment, if necessary.
• Scan the (decoded) attachment for malicious content.

If an attachment is found to be malicious, "processcalendar" MUST NOT process the calendar data.

Privacy Considerations It is believed that this extension doesn't introduce any privacy considerations beyond those in .

IANA Considerations

Registration of Sieve Extension This document defines the following new Sieve extension, which IANA has added to the "Sieve Extensions" registry. The registry is defined in .

Capability name:

processcalendar

Description:

Adds the "processcalendar" action command to add and update items on a user's calendars.

RFC number:

RFC 9671

Contact address:

Sieve discussion list <sieve@ietf.org>

Registration of Sieve Action This document defines the following new Sieve action, which IANA has added to the "Sieve Actions" registry . The registry is defined in .

Name:

processcalendar

Description:

Add and update items on a user's calendars

References:

RFC 9671

Capabilities:

"processcalendar", "variables", "extlists"

Action Interactions:

This action is incompatible with the "reject" and "ereject" actions.

Cancels Implicit Keep?

No

Can Use with IMAP Events?

No

References Normative References The Calendaring and Scheduling Consortium Informative References

Acknowledgments The authors would like to thank the following individuals for contributing their ideas and support for writing this specification: and .