ARMWARE RFC Archive <- RFC Index (5201..5300)

RFC 5228

Obsoletes RFC 3028
Updated by RFC 5229, RFC 5429, RFC 6785, RFC 9042

Network Working Group                                   P. Guenther, Ed.
Request for Comments: 5228                                Sendmail, Inc.
Obsoletes: 3028                                        T. Showalter, Ed.
Category: Standards Track                                   January 2008

                   Sieve: An Email Filtering Language

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Abstract

   This document describes a language for filtering email messages at
   time of final delivery.  It is designed to be implementable on either
   a mail client or mail server.  It is meant to be extensible, simple,
   and independent of access protocol, mail architecture, and operating
   system.  It is suitable for running on a mail server where users may
   not be allowed to execute arbitrary programs, such as on black box
   Internet Message Access Protocol (IMAP) servers, as the base language
   has no variables, loops, or ability to shell out to external
   programs.

Guenther & Showalter        Standards Track                     [Page 1]



RFC 5228           Sieve: An Email Filtering Language       January 2008

Table of Contents

   1. Introduction ....................................................4
      1.1. Conventions Used in This Document ..........................4
      1.2. Example Mail Messages ......................................5
   2. Design ..........................................................6
      2.1. Form of the Language .......................................6
      2.2. Whitespace .................................................7
      2.3. Comments ...................................................7
      2.4. Literal Data ...............................................7
           2.4.1. Numbers .............................................7
           2.4.2. Strings .............................................8
                  2.4.2.1. String Lists ...............................9
                  2.4.2.2. Headers ....................................9
                  2.4.2.3. Addresses .................................10
                  2.4.2.4. Encoding Characters Using
                           "encoded-character" .......................10
      2.5. Tests .....................................................11
           2.5.1. Test Lists .........................................12
      2.6. Arguments .................................................12
           2.6.1. Positional Arguments ...............................12
           2.6.2. Tagged Arguments ...................................12
           2.6.3. Optional Arguments .................................13
           2.6.4. Types of Arguments .................................13
      2.7. String Comparison .........................................13
           2.7.1. Match Type .........................................14
           2.7.2. Comparisons across Character Sets ..................15
           2.7.3. Comparators ........................................15
           2.7.4. Comparisons against Addresses ......................16
      2.8. Blocks ....................................................17
      2.9. Commands ..................................................17
      2.10. Evaluation ...............................................18
           2.10.1. Action Interaction ................................18
           2.10.2. Implicit Keep .....................................18
           2.10.3. Message Uniqueness in a Mailbox ...................19
           2.10.4. Limits on Numbers of Actions ......................19
           2.10.5. Extensions and Optional Features ..................19
           2.10.6. Errors ............................................20
           2.10.7. Limits on Execution ...............................20
   3. Control Commands ...............................................21
      3.1. Control if ................................................21
      3.2. Control require ...........................................22
      3.3. Control stop ..............................................22
   4. Action Commands ................................................23
      4.1. Action fileinto ...........................................23
      4.2. Action redirect ...........................................23
      4.3. Action keep ...............................................24
      4.4. Action discard ............................................25

Guenther & Showalter        Standards Track                     [Page 2]



RFC 5228           Sieve: An Email Filtering Language       January 2008

   5. Test Commands ..................................................26
      5.1. Test address ..............................................26
      5.2. Test allof ................................................27
      5.3. Test anyof ................................................27
      5.4. Test envelope .............................................27
      5.5. Test exists ...............................................28
      5.6. Test false ................................................28
      5.7. Test header ...............................................29
      5.8. Test not ..................................................29
      5.9. Test size .................................................29
      5.10. Test true ................................................30
   6. Extensibility ..................................................30
      6.1. Capability String .........................................31
      6.2. IANA Considerations .......................................31
           6.2.1. Template for Capability Registrations ..............32
           6.2.2. Handling of Existing Capability Registrations ......32
           6.2.3. Initial Capability Registrations ...................32
      6.3. Capability Transport ......................................33
   7. Transmission ...................................................33
   8. Parsing ........................................................34
      8.1. Lexical Tokens ............................................34
      8.2. Grammar ...................................................36
      8.3. Statement Elements ........................................36
   9. Extended Example ...............................................37
   10. Security Considerations .......................................38
   11. Acknowledgments ...............................................39
   12. Normative References ..........................................39
   13. Informative References ........................................40
   14. Changes from RFC 3028 .........................................41

Guenther & Showalter        Standards Track                     [Page 3]



RFC 5228           Sieve: An Email Filtering Language       January 2008

1.  Introduction

   This memo documents a language that can be used to create filters for
   electronic mail.  It is not tied to any particular operating system
   or mail architecture.  It requires the use of [IMAIL]-compliant
   messages, but should otherwise generalize to many systems.

   The language is powerful enough to be useful but limited in order to
   allow for a safe server-side filtering system.  The intention is to
   make it impossible for users to do anything more complex (and
   dangerous) than write simple mail filters, along with facilitating
   the use of graphical user interfaces (GUIs) for filter creation and
   manipulation.  The base language was not designed to be Turing-
   complete: it does not have a loop control structure or functions.

   Scripts written in Sieve are executed during final delivery, when the
   message is moved to the user-accessible mailbox.  In systems where
   the Mail Transfer Agent (MTA) does final delivery, such as
   traditional Unix mail, it is reasonable to filter when the MTA
   deposits mail into the user's mailbox.

   There are a number of reasons to use a filtering system.  Mail
   traffic for most users has been increasing due to increased usage of
   email, the emergence of unsolicited email as a form of advertising,
   and increased usage of mailing lists.

   Experience at Carnegie Mellon has shown that if a filtering system is
   made available to users, many will make use of it in order to file
   messages from specific users or mailing lists.  However, many others
   did not make use of the Andrew system's FLAMES filtering language
   [FLAMES] due to difficulty in setting it up.

   Because of the expectation that users will make use of filtering if
   it is offered and easy to use, this language has been made simple
   enough to allow many users to make use of it, but rich enough that it
   can be used productively.  However, it is expected that GUI-based
   editors will be the preferred way of editing filters for a large
   number of users.

1.1.  Conventions Used in This Document

   In the sections of this document that discuss the requirements of
   various keywords and operators, the following conventions have been
   adopted.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [KEYWORDS].

Guenther & Showalter        Standards Track                     [Page 4]



RFC 5228           Sieve: An Email Filtering Language       January 2008

   Each section on a command (test, action, or control) has a line
   labeled "Usage:".  This line describes the usage of the command,
   including its name and its arguments.  Required arguments are listed
   inside angle brackets ("<" and ">").  Optional arguments are listed
   inside square brackets ("[" and "]").  Each argument is followed by
   its type, so "<key: string>" represents an argument called "key" that
   is a string.  Literal strings are represented with double-quoted
   strings.  Alternatives are separated with slashes, and parentheses
   are used for grouping, similar to [ABNF].

   In the "Usage:" line, there are three special pieces of syntax that
   are frequently repeated, MATCH-TYPE, COMPARATOR, and ADDRESS-PART.
   These are discussed in sections 2.7.1, 2.7.3, and 2.7.4,
   respectively.

   The formal grammar for these commands is defined in section 8 and is
   the authoritative reference on how to construct commands, but the
   formal grammar does not specify the order, semantics, number or types
   of arguments to commands, or the legal command names.  The intent is
   to allow for extension without changing the grammar.

1.2.  Example Mail Messages

   The following mail messages will be used throughout this document in
   examples.

   Message A
   -----------------------------------------------------------
   Date: Tue, 1 Apr 1997 09:06:31 -0800 (PST)
   From: coyote@desert.example.org
   To: roadrunner@acme.example.com
   Subject: I have a present for you

   Look, I'm sorry about the whole anvil thing, and I really
   didn't mean to try and drop it on you from the top of the
   cliff.  I want to try to make it up to you.  I've got some
   great birdseed over here at my place--top of the line
   stuff--and if you come by, I'll have it all wrapped up
   for you.  I'm really sorry for all the problems I've caused
   for you over the years, but I know we can work this out.
   --
   Wile E. Coyote   "Super Genius"   coyote@desert.example.org
   -----------------------------------------------------------

Guenther & Showalter        Standards Track                     [Page 5]



RFC 5228           Sieve: An Email Filtering Language       January 2008

   Message B
   -----------------------------------------------------------
   From: youcouldberich!@reply-by-postal-mail.invalid
   Sender: b1ff@de.res.example.com
   To: rube@landru.example.com
   Date:  Mon, 31 Mar 1997 18:26:10 -0800
   Subject: $$$ YOU, TOO, CAN BE A MILLIONAIRE! $$$

   YOU MAY HAVE ALREADY WON TEN MILLION DOLLARS, BUT I DOUBT
   IT!  SO JUST POST THIS TO SIX HUNDRED NEWSGROUPS!  IT WILL
   GUARANTEE THAT YOU GET AT LEAST FIVE RESPONSES WITH MONEY!
   MONEY! MONEY! COLD HARD CASH!  YOU WILL RECEIVE OVER
   $20,000 IN LESS THAN TWO MONTHS!  AND IT'S LEGAL!!!!!!!!!
   !!!!!!!!!!!!!!!!!!111111111!!!!!!!11111111111!!1  JUST
   SEND $5 IN SMALL, UNMARKED BILLS TO THE ADDRESSES BELOW!
   -----------------------------------------------------------

2.  Design

2.1.  Form of the Language

   The language consists of a set of commands.  Each command consists of
   a set of tokens delimited by whitespace.  The command identifier is
   the first token and it is followed by zero or more argument tokens.
   Arguments may be literal data, tags, blocks of commands, or test
   commands.

   With the exceptions of strings and comments, the language is limited
   to US-ASCII characters.  Strings and comments may contain octets
   outside the US-ASCII range.  Specifically, they will normally be in
   UTF-8, as specified in [UTF-8].  NUL (US-ASCII 0) is never permitted
   in scripts, while CR and LF can only appear as the CRLF line ending.

      Note: While this specification permits arbitrary octets to appear
      in Sieve scripts inside strings and comments, this has made it
      difficult to robustly handle Sieve scripts in programs that are
      sensitive to the encodings used.  The "encoded-character"
      capability (section 2.4.2.4) provides an alternative means of
      representing such octets in strings using just US-ASCII
      characters.  As such, the use of non-UTF-8 text in scripts should
      be considered a deprecated feature that may be abandoned.

   Tokens other than strings are considered case-insensitive.

Guenther & Showalter        Standards Track                     [Page 6]



RFC 5228           Sieve: An Email Filtering Language       January 2008

2.2.  Whitespace

   Whitespace is used to separate tokens.  Whitespace is made up of
   tabs, newlines (CRLF, never just CR or LF), and the space character.
   The amount of whitespace used is not significant.

2.3.  Comments

   Two types of comments are offered.  Comments are semantically
   equivalent to whitespace and can be used anyplace that whitespace is
   (with one exception in multi-line strings, as described in the
   grammar).

   Hash comments begin with a "#" character that is not contained within
   a string and continue until the next CRLF.

   Example:  if size :over 100k { # this is a comment
                discard;
             }

   Bracketed comments begin with the token "/*" and end with "*/"
   outside of a string.  Bracketed comments may span multiple lines.
   Bracketed comments do not nest.

   Example:  if size :over 100K { /* this is a comment
                this is still a comment */ discard /* this is a comment
                */ ;
             }

2.4.  Literal Data

   Literal data means data that is not executed, merely evaluated "as
   is", to be used as arguments to commands.  Literal data is limited to
   numbers, strings, and string lists.

2.4.1.  Numbers

   Numbers are given as ordinary decimal numbers.  As a shorthand for
   expressing larger values, such as message sizes, a suffix of "K",
   "M", or "G" MAY be appended to indicate a multiple of a power of two.
   To be comparable with the power-of-two-based versions of SI units
   that computers frequently use, "K" specifies kibi-, or 1,024 (2^10)
   times the value of the number; "M" specifies mebi-, or 1,048,576
   (2^20) times the value of the number; and "G" specifies gibi-, or
   1,073,741,824 (2^30) times the value of the number [BINARY-SI].

Guenther & Showalter        Standards Track                     [Page 7]



RFC 5228           Sieve: An Email Filtering Language       January 2008

   Implementations MUST support integer values in the inclusive range
   zero to 2,147,483,647 (2^31 - 1), but MAY support larger values.

   Only non-negative integers are permitted by this specification.

2.4.2.  Strings

   Scripts involve large numbers of string values as they are used for
   pattern matching, addresses, textual bodies, etc.  Typically, short
   quoted strings suffice for most uses, but a more convenient form is
   provided for longer strings such as bodies of messages.

   A quoted string starts and ends with a single double quote (the <">
   character, US-ASCII 34).  A backslash ("\", US-ASCII 92) inside of a
   quoted string is followed by either another backslash or a double
   quote.  These two-character sequences represent a single backslash or
   double quote within the value, respectively.

   Scripts SHOULD NOT escape other characters with a backslash.

   An undefined escape sequence (such as "\a" in a context where "a" has
   no special meaning) is interpreted as if there were no backslash (in
   this case, "\a" is just "a"), though that may be changed by
   extensions.

   Non-printing characters such as tabs, CRLF, and control characters
   are permitted in quoted strings.  Quoted strings MAY span multiple
   lines.  An unencoded NUL (US-ASCII 0) is not allowed in strings; see
   section 2.4.2.4 for how it can be encoded.

   As message header data is converted to [UTF-8] for comparison (see
   section 2.7.2), most string values will use the UTF-8 encoding.
   However, implementations MUST accept all strings that match the
   grammar in section 8.  The ability to use non-UTF-8 encoded strings
   matches existing practice and has proven to be useful both in tests
   for invalid data and in arguments containing raw MIME parts for
   extension actions that generate outgoing messages.

   For entering larger amounts of text, such as an email message, a
   multi-line form is allowed.  It starts with the keyword "text:",
   followed by a CRLF, and ends with the sequence of a CRLF, a single
   period, and another CRLF.  The CRLF before the final period is
   considered part of the value.  In order to allow the message to
   contain lines with a single dot, lines are dot-stuffed.  That is,
   when composing a message body, an extra '.' is added before each line
   that begins with a '.'.  When the server interprets the script, these
   extra dots are removed.  Note that a line that begins with a dot
   followed by a non-dot character is not interpreted as dot-stuffed;

Guenther & Showalter        Standards Track                     [Page 8]



RFC 5228           Sieve: An Email Filtering Language       January 2008

   that is, ".foo" is interpreted as ".foo".  However, because this is
   potentially ambiguous, scripts SHOULD be properly dot-stuffed so such
   lines do not appear.

   Note that a hashed comment or whitespace may occur in between the
   "text:" and the CRLF, but not within the string itself.  Bracketed
   comments are not allowed here.

2.4.2.1.  String Lists

   When matching patterns, it is frequently convenient to match against
   groups of strings instead of single strings.  For this reason, a list
   of strings is allowed in many tests, implying that if the test is
   true using any one of the strings, then the test is true.

   For instance, the test 'header :contains ["To", "Cc"]
   ["me@example.com", "me00@landru.example.com"]' is true if either a To
   header or Cc header of the input message contains either of the email
   addresses "me@example.com" or "me00@landru.example.com".

   Conversely, in any case where a list of strings is appropriate, a
   single string is allowed without being a member of a list: it is
   equivalent to a list with a single member.  This means that the test
   'exists "To"' is equivalent to the test 'exists ["To"]'.

2.4.2.2.  Headers

   Headers are a subset of strings.  In the Internet Message
   Specification [IMAIL], each header line is allowed to have whitespace
   nearly anywhere in the line, including after the field name and
   before the subsequent colon.  Extra spaces between the header name
   and the ":" in a header field are ignored.

   A header name never contains a colon.  The "From" header refers to a
   line beginning "From:" (or "From   :", etc.).  No header will match
   the string "From:" due to the trailing colon.

   Similarly, no header will match a syntactically invalid header name.
   An implementation MUST NOT cause an error for syntactically invalid
   header names in tests.

   Header lines are unfolded as described in [IMAIL] section 2.2.3.
   Interpretation of header data SHOULD be done according to [MIME3]
   section 6.2 (see section 2.7.2 below for details).

Guenther & Showalter        Standards Track                     [Page 9]



RFC 5228           Sieve: An Email Filtering Language       January 2008

2.4.2.3.  Addresses

   A number of commands call for email addresses, which are also a
   subset of strings.  When these addresses are used in outbound
   contexts, addresses must be compliant with [IMAIL], but are further
   constrained within this document.  Using the symbols defined in
   [IMAIL], section 3, the syntax of an address is:

   sieve-address = addr-spec                ; simple address
                 / phrase "<" addr-spec ">" ; name & addr-spec

   That is, routes and group syntax are not permitted.  If multiple
   addresses are required, use a string list.  Named groups are not
   permitted.

   It is an error for a script to execute an action with a value for use
   as an outbound address that doesn't match the "sieve-address" syntax.

2.4.2.4.  Encoding Characters Using "encoded-character"

   When the "encoded-character" extension is in effect, certain
   character sequences in strings are replaced by their decoded value.
   This happens after escape sequences are interpreted and dot-
   unstuffing has been done.  Implementations SHOULD support "encoded-
   character".

   Arbitrary octets can be embedded in strings by using the syntax
   encoded-arb-octets.  The sequence is replaced by the octets with the
   hexadecimal values given by each hex-pair.

   blank                = WSP / CRLF
   encoded-arb-octets   = "${hex:" hex-pair-seq "}"
   hex-pair-seq         = *blank hex-pair *(1*blank hex-pair) *blank
   hex-pair             = 1*2HEXDIG

   Where WSP and HEXDIG non-terminals are defined in Appendix B.1 of
   [ABNF].

   It may be inconvenient or undesirable to enter Unicode characters
   verbatim, and for these cases the syntax encoded-unicode-char can be
   used.  The sequence is replaced by the UTF-8 encoding of the
   specified Unicode characters, which are identified by the hexadecimal
   value of unicode-hex.

   encoded-unicode-char = "${unicode:" unicode-hex-seq "}"
   unicode-hex-seq      = *blank unicode-hex
                          *(1*blank unicode-hex) *blank
   unicode-hex          = 1*HEXDIG

Guenther & Showalter        Standards Track                    [Page 10]



RFC 5228           Sieve: An Email Filtering Language       January 2008

   It is an error for a script to use a hexadecimal value that isn't in
   either the range 0 to D7FF or the range E000 to 10FFFF.  (The range
   D800 to DFFF is excluded as those character numbers are only used as
   part of the UTF-16 encoding form and are not applicable to the UTF-8
   encoding that the syntax here represents.)

      Note: Implementations MUST NOT raise an error for an out-of-range
      Unicode value unless the sequence containing it is well-formed
      according to the grammar.

   The capability string for use with the require command is "encoded-
   character".

   In the following script, message B is discarded, since the specified
   test string is equivalent to "$$$".

   Example:  require "encoded-character";
             if header :contains "Subject" "$${hex:24 24}" {
                discard;
             }
   The following examples demonstrate valid and invalid encodings and
   how they are handled:

     "$${hex:40}"         -> "$@"
     "${hex: 40 }"        -> "@"
     "${HEX: 40}"         -> "@"
     "${hex:40"           -> "${hex:40"
     "${hex:400}"         -> "${hex:400}"
     "${hex:4${hex:30}}"  -> "${hex:40}"
     "${unicode:40}"      -> "@"
     "${ unicode:40}"     -> "${ unicode:40}"
     "${UNICODE:40}"      -> "@"
     "${UnICoDE:0000040}" -> "@"
     "${Unicode:40}"      -> "@"
     "${Unicode:Cool}"    -> "${Unicode:Cool}"
     "${unicode:200000}"  -> error
     "${Unicode:DF01}     -> error

2.5.  Tests

   Tests are given as arguments to commands in order to control their
   actions.  In this document, tests are given to if/elsif to decide
   which block of code is run.

Guenther & Showalter        Standards Track                    [Page 11]



RFC 5228           Sieve: An Email Filtering Language       January 2008

2.5.1.  Test Lists

   Some tests ("allof" and "anyof", which implement logical "and" and
   logical "or", respectively) may require more than a single test as an
   argument.  The test-list syntax element provides a way of grouping
   tests as a comma-separated list in parentheses.

   Example:  if anyof (not exists ["From", "Date"],
                   header :contains "from" "fool@example.com") {
                discard;
             }

2.6.  Arguments

   In order to specify what to do, most commands take arguments.  There
   are three types of arguments: positional, tagged, and optional.

   It is an error for a script, on a single command, to use conflicting
   arguments or to use a tagged or optional argument more than once.

2.6.1.  Positional Arguments

   Positional arguments are given to a command that discerns their
   meaning based on their order.  When a command takes positional
   arguments, all positional arguments must be supplied and must be in
   the order prescribed.

2.6.2.  Tagged Arguments

   This document provides for tagged arguments in the style of
   CommonLISP.  These are also similar to flags given to commands in
   most command-line systems.

   A tagged argument is an argument for a command that begins with ":"
   followed by a tag naming the argument, such as ":contains".  This
   argument means that zero or more of the next tokens have some
   particular meaning depending on the argument.  These next tokens may
   be literal data, but they are never blocks.

   Tagged arguments are similar to positional arguments, except that
   instead of the meaning being derived from the command, it is derived
   from the tag.

   Tagged arguments must appear before positional arguments, but they
   may appear in any order with other tagged arguments.  For simplicity
   of the specification, this is not expressed in the syntax definitions

Guenther & Showalter        Standards Track                    [Page 12]



RFC 5228           Sieve: An Email Filtering Language       January 2008

   with commands, but they still may be reordered arbitrarily provided
   they appear before positional arguments.  Tagged arguments may be
   mixed with optional arguments.

   Tagged arguments SHOULD NOT take tagged arguments as arguments.

2.6.3.  Optional Arguments

   Optional arguments are exactly like tagged arguments except that they
   may be left out, in which case a default value is implied.  Because
   optional arguments tend to result in shorter scripts, they have been
   used far more than tagged arguments.

   One particularly noteworthy case is the ":comparator" argument, which
   allows the user to specify which comparator [COLLATION] will be used
   to compare two strings, since different languages may impose
   different orderings on UTF-8 [UTF-8] strings.

2.6.4.  Types of Arguments

   Abstractly, arguments may be literal data, tests, or blocks of
   commands.  In this way, an "if" control structure is merely a command
   that happens to take a test and a block as arguments and may execute
   the block of code.

   However, this abstraction is ambiguous from a parsing standpoint.

   The grammar in section 8.2 presents a parsable version of this:
   Arguments are string lists (string-lists), numbers, and tags, which
   may be followed by a test or a test list (test-list), which may be
   followed by a block of commands.  No more than one test or test list,
   or more than one block of commands, may be used, and commands that
   end with a block of commands do not end with semicolons.

2.7.  String Comparison

   When matching one string against another, there are a number of ways
   of performing the match operation.  These are accomplished with three
   types of matches: an exact match, a substring match, and a wildcard
   glob-style match.  These are described below.

   In order to provide for matches between character sets and case
   insensitivity, Sieve uses the comparators defined in the Internet
   Application Protocol Collation Registry [COLLATION].

Guenther & Showalter        Standards Track                    [Page 13]



RFC 5228           Sieve: An Email Filtering Language       January 2008

   However, when a string represents the name of a header, the
   comparator is never user-specified.  Header comparisons are always
   done with the "i;ascii-casemap" operator, i.e., case-insensitive
   comparisons, because this is the way things are defined in the
   message specification [IMAIL].

2.7.1.  Match Type

   Commands that perform string comparisons may have an optional match
   type argument.  The three match types in this specification are
   ":contains", ":is", and ":matches".

   The ":contains" match type describes a substring match.  If the value
   argument contains the key argument as a substring, the match is true.
   For instance, the string "frobnitzm" contains "frob" and "nit", but
   not "fbm".  The empty key ("") is contained in all values.

   The ":is" match type describes an absolute match; if the contents of
   the first string are absolutely the same as the contents of the
   second string, they match.  Only the string "frobnitzm" is the string
   "frobnitzm".  The empty key ("") only ":is" matches with the empty
   value.

   The ":matches" match type specifies a wildcard match using the
   characters "*" and "?"; the entire value must be matched.  "*"
   matches zero or more characters in the value and "?" matches a single
   character in the value, where the comparator that is used (see
   section 2.7.3) defines what a character is.  For example, the
   comparators "i;octet" and "i;ascii-casemap" define a character to be
   a single octet, so "?"  will always match exactly one octet when one
   of those comparators is in use.  In contrast, a Unicode-based
   comparator would define a character to be any UTF-8 octet sequence
   encoding one Unicode character and thus "?" may match more than one
   octet.  "?" and "*" may be escaped as "\\?" and "\\*" in strings to
   match against themselves.  The first backslash escapes the second
   backslash; together, they escape the "*".  This is awkward, but it is
   commonplace in several programming languages that use globs and
   regular expressions.

   In order to specify what type of match is supposed to happen,
   commands that support matching take optional arguments ":matches",
   ":is", and ":contains".  Commands default to using ":is" matching if
   no match type argument is supplied.  Note that these modifiers
   interact with comparators; in particular, only comparators that
   support the "substring match" operation are suitable for matching
   with ":contains" or ":matches".  It is an error to use a comparator
   with ":contains" or ":matches" that is not compatible with it.

Guenther & Showalter        Standards Track                    [Page 14]



RFC 5228           Sieve: An Email Filtering Language       January 2008

   It is an error to give more than one of these arguments to a given
   command.

   For convenience, the "MATCH-TYPE" syntax element is defined here as
   follows:

   Syntax:   ":is" / ":contains" / ":matches"

2.7.2.  Comparisons across Character Sets

   Messages may involve a number of character sets.  In order for
   comparisons to work across character sets, implementations SHOULD
   implement the following behavior:

      Comparisons are performed on octets.  Implementations convert text
      from header fields in all charsets [MIME3] to Unicode, encoded as
      UTF-8, as input to the comparator (see section 2.7.3).
      Implementations MUST be capable of converting US-ASCII, ISO-8859-
      1, the US-ASCII subset of ISO-8859-* character sets, and UTF-8.
      Text that the implementation cannot convert to Unicode for any
      reason MAY be treated as plain US-ASCII (including any [MIME3]
      syntax) or processed according to local conventions.  An encoded
      NUL octet (character zero) SHOULD NOT cause early termination of
      the header content being compared against.

   If implementations fail to support the above behavior, they MUST
   conform to the following:

      No two strings can be considered equal if one contains octets
      greater than 127.

2.7.3.  Comparators

   In order to allow for language-independent, case-independent matches,
   the match type may be coupled with a comparator name.  The Internet
   Application Protocol Collation Registry [COLLATION] provides the
   framework for describing and naming comparators.

   All implementations MUST support the "i;octet" comparator (simply
   compares octets) and the "i;ascii-casemap" comparator (which treats
   uppercase and lowercase characters in the US-ASCII subset of UTF-8 as
   the same).  If left unspecified, the default is "i;ascii-casemap".

   Some comparators may not be usable with substring matches; that is,
   they may only work with ":is".  It is an error to try to use a
   comparator with ":matches" or ":contains" that is not compatible with
   it.

Guenther & Showalter        Standards Track                    [Page 15]



RFC 5228           Sieve: An Email Filtering Language       January 2008

   Sieve treats a comparator result of "undefined" the same as a result
   of "no-match".  That is, this base specification does not provide any
   means to directly detect invalid comparator input.

   A comparator is specified by the ":comparator" option with commands
   that support matching.  This option is followed by a string providing
   the name of the comparator to be used.  For convenience, the syntax
   of a comparator is abbreviated to "COMPARATOR", and (repeated in
   several tests) is as follows:

   Syntax:   ":comparator" <comparator-name: string>

   So in this example,

   Example:  if header :contains :comparator "i;octet" "Subject"
                   "MAKE MONEY FAST" {
                discard;
             }

   would discard any message with subjects like "You can MAKE MONEY
   FAST", but not "You can Make Money Fast", since the comparator used
   is case-sensitive.

   Comparators other than "i;octet" and "i;ascii-casemap" must be
   declared with require, as they are extensions.  If a comparator
   declared with require is not known, it is an error, and execution
   fails.  If the comparator is not declared with require, it is also an
   error, even if the comparator is supported.  (See section 2.10.5.)

   Both ":matches" and ":contains" match types are compatible with the
   "i;octet" and "i;ascii-casemap" comparators and may be used with
   them.

   It is an error to give more than one of these arguments to a given
   command.

2.7.4.  Comparisons against Addresses

   Addresses are one of the most frequent things represented as strings.
   These are structured, and being able to compare against the local-
   part or the domain of an address is useful, so some tests that act
   exclusively on addresses take an additional optional argument that
   specifies what the test acts on.

   These optional arguments are ":localpart", ":domain", and ":all",
   which act on the local-part (left side), the domain-part (right
   side), and the whole address.

Guenther & Showalter        Standards Track                    [Page 16]



RFC 5228           Sieve: An Email Filtering Language       January 2008

   If an address is not syntactically valid, then it will not be matched
   by tests specifying ":localpart" or ":domain".

   The kind of comparison done, such as whether or not the test done is
   case-insensitive, is specified as a comparator argument to the test.

   If an optional address-part is omitted, the default is ":all".

   It is an error to give more than one of these arguments to a given
   command.

   For convenience, the "ADDRESS-PART" syntax element is defined here as
   follows:

   Syntax:   ":localpart" / ":domain" / ":all"

2.8.  Blocks

   Blocks are sets of commands enclosed within curly braces and supplied
   as the final argument to a command.  Such a command is a control
   structure: when executed it has control over the number of times the
   commands in the block are executed.

   With the commands supplied in this memo, there are no loops.  The
   control structures supplied--if, elsif, and else--run a block either
   once or not at all.

2.9.  Commands

   Sieve scripts are sequences of commands.  Commands can take any of
   the tokens above as arguments, and arguments may be either tagged or
   positional arguments.  Not all commands take all arguments.

   There are three kinds of commands: test commands, action commands,
   and control commands.

   The simplest is an action command.  An action command is an
   identifier followed by zero or more arguments, terminated by a
   semicolon.  Action commands do not take tests or blocks as arguments.
   The actions referenced in this document are:

    - keep, to save the message in the default location
    - fileinto, to save the message in a specific mailbox
    - redirect, to forward the message to another address
    - discard, to silently throw away the message

Guenther & Showalter        Standards Track                    [Page 17]



RFC 5228           Sieve: An Email Filtering Language       January 2008

   A control command is a command that affects the parsing or the flow
   of execution of the Sieve script in some way.  A control structure is
   a control command that ends with a block instead of a semicolon.

   A test command is used as part of a control command.  It is used to
   specify whether or not the block of code given to the control command
   is executed.

2.10.  Evaluation

2.10.1.  Action Interaction

   Some actions cannot be used with other actions because the result
   would be absurd.  These restrictions are noted throughout this memo.

   Extension actions MUST state how they interact with actions defined
   in this specification.

2.10.2.  Implicit Keep

   Previous experience with filtering systems suggests that cases tend
   to be missed in scripts.  To prevent errors, Sieve has an "implicit
   keep".

   An implicit keep is a keep action (see section 4.3) performed in
   absence of any action that cancels the implicit keep.

   An implicit keep is performed if a message is not written to a
   mailbox, redirected to a new address, or explicitly thrown out.  That
   is, if a fileinto, a keep, a redirect, or a discard is performed, an
   implicit keep is not.

   Some actions may be defined to not cancel the implicit keep.  These
   actions may not directly affect the delivery of a message, and are
   used for their side effects.  None of the actions specified in this
   document meet that criteria, but extension actions may.

   For instance, with any of the short messages offered above, the
   following script produces no actions.

   Example:  if size :over 500K { discard; }

   As a result, the implicit keep is taken.

Guenther & Showalter        Standards Track                    [Page 18]



RFC 5228           Sieve: An Email Filtering Language       January 2008

2.10.3.  Message Uniqueness in a Mailbox

   Implementations SHOULD NOT deliver a message to the same mailbox more
   than once, even if a script explicitly asks for a message to be
   written to a mailbox twice.

   The test for equality of two messages is implementation-defined.

   If a script asks for a message to be written to a mailbox twice, it
   MUST NOT be treated as an error.

2.10.4.  Limits on Numbers of Actions

   Site policy MAY limit the number of actions taken and MAY impose
   restrictions on which actions can be used together.  In the event
   that a script hits a policy limit on the number of actions taken for
   a particular message, an error occurs.

   Implementations MUST allow at least one keep or one fileinto.  If
   fileinto is not implemented, implementations MUST allow at least one
   keep.

2.10.5.  Extensions and Optional Features

   Because of the differing capabilities of many mail systems, several
   features of this specification are optional.  Before any of these
   extensions can be executed, they must be declared with the "require"
   action.

   If an extension is not enabled with "require", implementations MUST
   treat it as if they did not support it at all.  This protects scripts
   from having their behavior altered by extensions that the script
   author might not have even been aware of.

   Implementations MUST NOT execute any Sieve script test or command
   subsequent to "require" if one of the required extensions is
   unavailable.

      Note: The reason for this restriction is that prior experiences
      with languages such as LISP and Tcl suggest that this is a
      workable way of noting that a given script uses an extension.

   Extensions that define actions MUST state how they interact with
   actions discussed in the base specification.

Guenther & Showalter        Standards Track                    [Page 19]



RFC 5228           Sieve: An Email Filtering Language       January 2008

2.10.6.  Errors

   In any programming language, there are compile-time and run-time
   errors.

   Compile-time errors are ones in syntax that are detectable if a
   syntax check is done.

   Run-time errors are not detectable until the script is run.  This
   includes transient failures like disk full conditions, but also
   includes issues like invalid combinations of actions.

   When an error occurs in a Sieve script, all processing stops.

   Implementations MAY choose to do a full parse, then evaluate the
   script, then do all actions.  Implementations might even go so far as
   to ensure that execution is atomic (either all actions are executed
   or none are executed).

   Other implementations may choose to parse and run at the same time.
   Such implementations are simpler, but have issues with partial
   failure (some actions happen, others don't).

   Implementations MUST perform syntactic, semantic, and run-time checks
   on code that is actually executed.  Implementations MAY perform those
   checks or any part of them on code that is not reached during
   execution.

   When an error happens, implementations MUST notify the user that an
   error occurred and which actions (if any) were taken, and do an
   implicit keep.

2.10.7.  Limits on Execution

   Implementations may limit certain constructs.  However, this
   specification places a lower bound on some of these limits.

   Implementations MUST support fifteen levels of nested blocks.

   Implementations MUST support fifteen levels of nested test lists.

Guenther & Showalter        Standards Track                    [Page 20]



RFC 5228           Sieve: An Email Filtering Language       January 2008

3.  Control Commands

   Control structures are needed to allow for multiple and conditional
   actions.

3.1.  Control if

   There are three pieces to if: "if", "elsif", and "else".  Each is
   actually a separate command in terms of the grammar.  However, an
   elsif or else MUST only follow an if or elsif.  An error occurs if
   these conditions are not met.

   Usage:   if <test1: test> <block1: block>

   Usage:   elsif <test2: test> <block2: block>

   Usage:   else <block3: block>

   The semantics are similar to those of any of the many other
   programming languages these control structures appear in.  When the
   interpreter sees an "if", it evaluates the test associated with it.
   If the test is true, it executes the block associated with it.

   If the test of the "if" is false, it evaluates the test of the first
   "elsif" (if any).  If the test of "elsif" is true, it runs the
   elsif's block.  An elsif may be followed by an elsif, in which case,
   the interpreter repeats this process until it runs out of elsifs.

   When the interpreter runs out of elsifs, there may be an "else" case.
   If there is, and none of the if or elsif tests were true, the
   interpreter runs the else's block.

   This provides a way of performing exactly one of the blocks in the
   chain.

   In the following example, both messages A and B are dropped.

   Example:  require "fileinto";
             if header :contains "from" "coyote" {
                discard;
             } elsif header :contains ["subject"] ["$$$"] {
                discard;
             } else {
                fileinto "INBOX";
             }

Guenther & Showalter        Standards Track                    [Page 21]



RFC 5228           Sieve: An Email Filtering Language       January 2008

   When the script below is run over message A, it redirects the message
   to acm@example.com; message B, to postmaster@example.com; any other
   message is redirected to field@example.com.

   Example:  if header :contains ["From"] ["coyote"] {
                redirect "acm@example.com";
             } elsif header :contains "Subject" "$$$" {
                redirect "postmaster@example.com";
             } else {
                redirect "field@example.com";
             }

   Note that this definition prohibits the "... else if ..." sequence
   used by C.  This is intentional, because this construct produces a
   shift-reduce conflict.

3.2.  Control require

   Usage:   require <capabilities: string-list>

   The require action notes that a script makes use of a certain
   extension.  Such a declaration is required to use the extension, as
   discussed in section 2.10.5.  Multiple capabilities can be declared
   with a single require.

   The require command, if present, MUST be used before anything other
   than a require can be used.  An error occurs if a require appears
   after a command other than require.

   Example:  require ["fileinto", "reject"];

   Example:  require "fileinto";
             require "vacation";

3.3.  Control stop

   Usage:   stop

   The "stop" action ends all processing.  If the implicit keep has not
   been cancelled, then it is taken.

Guenther & Showalter        Standards Track                    [Page 22]



RFC 5228           Sieve: An Email Filtering Language       January 2008

4.  Action Commands

   This document supplies four actions that may be taken on a message:
   keep, fileinto, redirect, and discard.

   Implementations MUST support the "keep", "discard", and "redirect"
   actions.

   Implementations SHOULD support "fileinto".

   Implementations MAY limit the number of certain actions taken (see
   section 2.10.4).

4.1.  Action fileinto

   Usage:   fileinto <mailbox: string>

   The "fileinto" action delivers the message into the specified
   mailbox.  Implementations SHOULD support fileinto, but in some
   environments this may be impossible.  Implementations MAY place
   restrictions on mailbox names; use of an invalid mailbox name MAY be
   treated as an error or result in delivery to an implementation-
   defined mailbox.  If the specified mailbox doesn't exist, the
   implementation MAY treat it as an error, create the mailbox, or
   deliver the message to an implementation-defined mailbox.  If the
   implementation uses a different encoding scheme than UTF-8 for
   mailbox names, it SHOULD reencode the mailbox name from UTF-8 to its
   encoding scheme.  For example, the Internet Message Access Protocol
   [IMAP] uses modified UTF-7, such that a mailbox argument of "odds &
   ends" would appear in IMAP as "odds &- ends".

   The capability string for use with the require command is "fileinto".

   In the following script, message A is filed into mailbox
   "INBOX.harassment".

   Example:  require "fileinto";
             if header :contains ["from"] "coyote" {
                fileinto "INBOX.harassment";
             }

4.2.  Action redirect

   Usage:   redirect <address: string>

   The "redirect" action is used to send the message to another user at
   a supplied address, as a mail forwarding feature does.  The
   "redirect" action makes no changes to the message body or existing

Guenther & Showalter        Standards Track                    [Page 23]



RFC 5228           Sieve: An Email Filtering Language       January 2008

   headers, but it may add new headers.  In particular, existing
   Received headers MUST be preserved and the count of Received headers
   in the outgoing message MUST be larger than the same count on the
   message as received by the implementation.  (An implementation that
   adds a Received header before processing the message does not need to
   add another when redirecting.)

   The message is sent back out with the address from the redirect
   command as an envelope recipient.  Implementations MAY combine
   separate redirects for a given message into a single submission with
   multiple envelope recipients.  (This is not a Mail User Agent (MUA)-
   style forward, which creates a new message with a different sender
   and message ID, wrapping the old message in a new one.)

   The envelope sender address on the outgoing message is chosen by the
   sieve implementation.  It MAY be copied from the message being
   processed.  However, if the message being processed has an empty
   envelope sender address the outgoing message MUST also have an empty
   envelope sender address.  This last requirement is imposed to prevent
   loops in the case where a message is redirected to an invalid address
   when then returns a delivery status notification that also ends up
   being redirected to the same invalid address.

   A simple script can be used for redirecting all mail:

   Example:  redirect "bart@example.com";

   Implementations MUST take measures to implement loop control,
   possibly including adding headers to the message or counting Received
   headers as specified in section 6.2 of [SMTP].  If an implementation
   detects a loop, it causes an error.

   Implementations MUST provide means of limiting the number of
   redirects a Sieve script can perform.  See section 10 for more
   details.

   Implementations MAY ignore a redirect action silently due to policy
   reasons.  For example, an implementation MAY choose not to redirect
   to an address that is known to be undeliverable.  Any ignored
   redirect MUST NOT cancel the implicit keep.

4.3.  Action keep

   Usage:   keep

   The "keep" action is whatever action is taken in lieu of all other
   actions, if no filtering happens at all; generally, this simply means
   to file the message into the user's main mailbox.  This command

Guenther & Showalter        Standards Track                    [Page 24]



RFC 5228           Sieve: An Email Filtering Language       January 2008

   provides a way to execute this action without needing to know the
   name of the user's main mailbox, providing a way to call it without
   needing to understand the user's setup or the underlying mail system.

   For instance, in an implementation where the IMAP server is running
   scripts on behalf of the user at time of delivery, a keep command is
   equivalent to a fileinto "INBOX".

   Example:  if size :under 1M { keep; } else { discard; }

   Note that the above script is identical to the one below.

   Example:  if not size :under 1M { discard; }

4.4.  Action discard

   Usage:   discard

   Discard is used to silently throw away the message.  It does so by
   simply canceling the implicit keep.  If discard is used with other
   actions, the other actions still happen.  Discard is compatible with
   all other actions.  (For instance, fileinto+discard is equivalent to
   fileinto.)

   Discard MUST be silent; that is, it MUST NOT return a non-delivery
   notification of any kind ([DSN], [MDN], or otherwise).

   In the following script, any mail from "idiot@example.com" is thrown
   out.

   Example:  if header :contains ["from"] ["idiot@example.com"] {
                discard;
             }

   While an important part of this language, "discard" has the potential
   to create serious problems for users: Students who leave themselves
   logged in to an unattended machine in a public computer lab may find
   their script changed to just "discard".  In order to protect users in
   this situation (along with similar situations), implementations MAY
   keep messages destroyed by a script for an indefinite period, and MAY
   disallow scripts that throw out all mail.

Guenther & Showalter        Standards Track                    [Page 25]



RFC 5228           Sieve: An Email Filtering Language       January 2008

5.  Test Commands

   Tests are used in conditionals to decide which part(s) of the
   conditional to execute.

   Implementations MUST support these tests: "address", "allof",
   "anyof", "exists", "false", "header", "not", "size", and "true".

   Implementations SHOULD support the "envelope" test.

5.1.  Test address

   Usage:   address [COMPARATOR] [ADDRESS-PART] [MATCH-TYPE]
            <header-list: string-list> <key-list: string-list>

   The "address" test matches Internet addresses in structured headers
   that contain addresses.  It returns true if any header contains any
   key in the specified part of the address, as modified by the
   comparator and the match keyword.  Whether there are other addresses
   present in the header doesn't affect this test; this test does not
   provide any way to determine whether an address is the only address
   in a header.

   Like envelope and header, this test returns true if any combination
   of the header-list and key-list arguments match and returns false
   otherwise.

   Internet email addresses [IMAIL] have the somewhat awkward
   characteristic that the local-part to the left of the at-sign is
   considered case sensitive, and the domain-part to the right of the
   at-sign is case insensitive.  The "address" command does not deal
   with this itself, but provides the ADDRESS-PART argument for allowing
   users to deal with it.

   The address primitive never acts on the phrase part of an email
   address or on comments within that address.  It also never acts on
   group names, although it does act on the addresses within the group
   construct.

   Implementations MUST restrict the address test to headers that
   contain addresses, but MUST include at least From, To, Cc, Bcc,
   Sender, Resent-From, and Resent-To, and it SHOULD include any other
   header that utilizes an "address-list" structured header body.

   Example:  if address :is :all "from" "tim@example.com" {
                discard;
             }

Guenther & Showalter        Standards Track                    [Page 26]



RFC 5228           Sieve: An Email Filtering Language       January 2008

5.2.  Test allof

   Usage:   allof <tests: test-list>

   The "allof" test performs a logical AND on the tests supplied to it.

   Example:  allof (false, false)  =>   false
             allof (false, true)   =>   false
             allof (true,  true)   =>   true

   The allof test takes as its argument a test-list.

5.3.  Test anyof

   Usage:   anyof <tests: test-list>

   The "anyof" test performs a logical OR on the tests supplied to it.

   Example:  anyof (false, false)  =>   false
             anyof (false, true)   =>   true
             anyof (true,  true)   =>   true

5.4.  Test envelope

   Usage:   envelope [COMPARATOR] [ADDRESS-PART] [MATCH-TYPE]
            <envelope-part: string-list> <key-list: string-list>

   The "envelope" test is true if the specified part of the [SMTP] (or
   equivalent) envelope matches the specified key.  This specification
   defines the interpretation of the (case insensitive) "from" and "to"
   envelope-parts.  Additional envelope-parts may be defined by other
   extensions; implementations SHOULD consider unknown envelope parts an
   error.

   If one of the envelope-part strings is (case insensitive) "from",
   then matching occurs against the FROM address used in the SMTP MAIL
   command.  The null reverse-path is matched against as the empty
   string, regardless of the ADDRESS-PART argument specified.

   If one of the envelope-part strings is (case insensitive) "to", then
   matching occurs against the TO address used in the SMTP RCPT command
   that resulted in this message getting delivered to this user.  Note
   that only the most recent TO is available, and only the one relevant
   to this user.

   The envelope-part is a string list and may contain more than one
   parameter, in which case all of the strings specified in the key-list
   are matched against all parts given in the envelope-part list.

Guenther & Showalter        Standards Track                    [Page 27]



RFC 5228           Sieve: An Email Filtering Language       January 2008

   Like address and header, this test returns true if any combination of
   the envelope-part list and key-list arguments match and returns false
   otherwise.

   All tests against envelopes MUST drop source routes.

   If the SMTP transaction involved several RCPT commands, only the data
   from the RCPT command that caused delivery to this user is available
   in the "to" part of the envelope.

   If a protocol other than SMTP is used for message transport,
   implementations are expected to adapt this command appropriately.

   The envelope command is optional.  Implementations SHOULD support it,
   but the necessary information may not be available in all cases.  The
   capability string for use with the require command is "envelope".

   Example:  require "envelope";
             if envelope :all :is "from" "tim@example.com" {
                discard;
             }

5.5.  Test exists

   Usage:   exists <header-names: string-list>

   The "exists" test is true if the headers listed in the header-names
   argument exist within the message.  All of the headers must exist or
   the test is false.

   The following example throws out mail that doesn't have a From header
   and a Date header.

   Example:  if not exists ["From","Date"] {
                discard;
             }

5.6.  Test false

   Usage:   false

   The "false" test always evaluates to false.

Guenther & Showalter        Standards Track                    [Page 28]



RFC 5228           Sieve: An Email Filtering Language       January 2008

5.7.  Test header

   Usage:   header [COMPARATOR] [MATCH-TYPE]
            <header-names: string-list> <key-list: string-list>

   The "header" test evaluates to true if the value of any of the named
   headers, ignoring leading and trailing whitespace, matches any key.
   The type of match is specified by the optional match argument, which
   defaults to ":is" if not specified, as specified in section 2.6.

   Like address and envelope, this test returns true if any combination
   of the header-names list and key-list arguments match and returns
   false otherwise.

   If a header listed in the header-names argument exists, it contains
   the empty key ("").  However, if the named header is not present, it
   does not match any key, including the empty key.  So if a message
   contained the header

           X-Caffeine: C8H10N4O2

   these tests on that header evaluate as follows:

           header :is ["X-Caffeine"] [""]         => false
           header :contains ["X-Caffeine"] [""]   => true

   Testing whether a given header is either absent or doesn't contain
   any non-whitespace characters can be done using a negated "header"
   test:

           not header :matches "Cc" "?*"

5.8.  Test not

   Usage:   not <test1: test>

   The "not" test takes some other test as an argument, and yields the
   opposite result.  "not false" evaluates to "true" and "not true"
   evaluates to "false".

5.9.  Test size

   Usage:   size <":over" / ":under"> <limit: number>

   The "size" test deals with the size of a message.  It takes either a
   tagged argument of ":over" or ":under", followed by a number
   representing the size of the message.

Guenther & Showalter        Standards Track                    [Page 29]



RFC 5228           Sieve: An Email Filtering Language       January 2008

   If the argument is ":over", and the size of the message is greater
   than the number provided, the test is true; otherwise, it is false.

   If the argument is ":under", and the size of the message is less than
   the number provided, the test is true; otherwise, it is false.

   Exactly one of ":over" or ":under" must be specified, and anything
   else is an error.

   The size of a message is defined to be the number of octets in the
   [IMAIL] representation of the message.

   Note that for a message that is exactly 4,000 octets, the message is
   neither ":over" nor ":under" 4000 octets.

5.10.  Test true

   Usage:   true

   The "true" test always evaluates to true.

6.  Extensibility

   New control commands, actions, and tests can be added to the
   language.  Sites must make these features known to their users; this
   document does not define a way to discover the list of extensions
   supported by the server.

   Any extensions to this language MUST define a capability string that
   uniquely identifies that extension.  Capability string are case-
   sensitive; for example, "foo" and "FOO" are different capabilities.
   If a new version of an extension changes the functionality of a
   previously defined extension, it MUST use a different name.
   Extensions may register a set of related capabilities by registering
   just a unique prefix for them.  The "comparator-" prefix is an
   example of this.  The prefix MUST end with a "-" and MUST NOT overlap
   any existing registrations.

   In a situation where there is a script submission protocol and an
   extension advertisement mechanism aware of the details of this
   language, scripts submitted can be checked against the mail server to
   prevent use of an extension that the server does not support.

   Extensions MUST state how they interact with constraints defined in
   section 2.10, e.g., whether they cancel the implicit keep, and which
   actions they are compatible and incompatible with.  Extensions MUST
   NOT change the behavior of the "require" control command or alter the
   interpretation of the argument to the "require" control.

Guenther & Showalter        Standards Track                    [Page 30]



RFC 5228           Sieve: An Email Filtering Language       January 2008

   Extensions that can submit new email messages or otherwise generate
   new protocol requests MUST consider loop suppression, at least to
   document any security considerations.

6.1.  Capability String

   Capability strings are typically short strings describing what
   capabilities are supported by the server.

   Capability strings beginning with "vnd." represent vendor-defined
   extensions.  Such extensions are not defined by Internet standards or
   RFCs, but are still registered with IANA in order to prevent
   conflicts.  Extensions starting with "vnd." SHOULD be followed by the
   name of the vendor and product, such as "vnd.acme.rocket-sled".

   The following capability strings are defined by this document:

   encoded-character The string "encoded-character" indicates that the
               implementation supports the interpretation of
               "${hex:...}" and "${unicode:...}" in strings.

   envelope    The string "envelope" indicates that the implementation
               supports the "envelope" command.

   fileinto    The string "fileinto" indicates that the implementation
               supports the "fileinto" command.

   comparator- The string "comparator-elbonia" is provided if the
               implementation supports the "elbonia" comparator.
               Therefore, all implementations have at least the
               "comparator-i;octet" and "comparator-i;ascii-casemap"
               capabilities.  However, these comparators may be used
               without being declared with require.

6.2.  IANA Considerations

   In order to provide a standard set of extensions, a registry is
   maintained by IANA.  This registry contains both vendor-controlled
   capability names (beginning with "vnd.") and IETF-controlled
   capability names.  Vendor-controlled capability names may be
   registered on a first-come, first-served basis, by applying to IANA
   with the form in the following section.  Registration of capability
   prefixes that do not begin with "vnd." REQUIRES a standards track or
   IESG-approved experimental RFC.

   Extensions designed for interoperable use SHOULD use IETF-controlled
   capability names.

Guenther & Showalter        Standards Track                    [Page 31]



RFC 5228           Sieve: An Email Filtering Language       January 2008

6.2.1.  Template for Capability Registrations

   The following template is to be used for registering new Sieve
   extensions with IANA.

   To: iana@iana.org
   Subject: Registration of new Sieve extension

   Capability name: [the string for use in the 'require' statement]
   Description:     [a brief description of what the extension adds
                     or changes]
   RFC number:      [for extensions published as RFCs]
   Contact address: [email and/or physical address to contact for
                     additional information]

6.2.2.  Handling of Existing Capability Registrations

   In order to bring the existing capability registrations in line with
   the new template, IANA has modified each as follows:

   1. The "capability name" and "capability arguments" fields have been
      eliminated
   2. The "capability keyword" field have been renamed to "Capability
      name"
   3. An empty "Description" field has been added
   4. The "Standards Track/IESG-approved experimental RFC number" field
      has been renamed to "RFC number"
   5. The "Person and email address to contact for further information"
      field should be renamed to "Contact address"

6.2.3.  Initial Capability Registrations

   This RFC updates the following entries in the IANA registry for Sieve
   extensions.

   Capability name: encoded-character
   Description:     changes the interpretation of strings to allow
                    arbitrary octets and Unicode characters to be
                    represented using US-ASCII
   RFC number:      RFC 5228 (Sieve base spec)
   Contact address: The Sieve discussion list <ietf-mta-filters@imc.org>

   Capability name: fileinto
   Description:     adds the 'fileinto' action for delivering to a
                    mailbox other than the default
   RFC number:      RFC 5228 (Sieve base spec)
   Contact address: The Sieve discussion list <ietf-mta-filters@imc.org>

Guenther & Showalter        Standards Track                    [Page 32]



RFC 5228           Sieve: An Email Filtering Language       January 2008

   Capability name: envelope
   Description:     adds the 'envelope' test for testing the message
                    transport sender and recipient address
   RFC number:      RFC 5228 (Sieve base spec)
   Contact address: The Sieve discussion list <ietf-mta-filters@imc.org>

   Capability name: comparator-* (anything starting with "comparator-")
   Description:     adds the indicated comparator for use with the
                    :comparator argument
   RFC number:      RFC 5228 (Sieve base spec) and [COLLATION]
   Contact address: The Sieve discussion list <ietf-mta-filters@imc.org>

6.3.  Capability Transport

   A method of advertising which capabilities an implementation supports
   is difficult due to the wide range of possible implementations.  Such
   a mechanism, however, should have the property that the
   implementation can advertise the complete set of extensions that it
   supports.

7.  Transmission

   The [MIME] type for a Sieve script is "application/sieve".

   The registration of this type for RFC 2048 requirements is updated as
   follows:

    Subject: Registration of MIME media type application/sieve

    MIME media type name: application
    MIME subtype name: sieve
    Required parameters: none
    Optional parameters: none
    Encoding considerations: Most Sieve scripts will be textual,
       written in UTF-8.  When non-7bit characters are used,
       quoted-printable is appropriate for transport systems
       that require 7bit encoding.
    Security considerations: Discussed in section 10 of this RFC.
    Interoperability considerations: Discussed in section 2.10.5
       of this RFC.
    Published specification: this RFC.
    Applications that use this media type: sieve-enabled mail
      servers and clients
    Additional information:
      Magic number(s):
      File extension(s): .siv .sieve
      Macintosh File Type Code(s):

Guenther & Showalter        Standards Track                    [Page 33]



RFC 5228           Sieve: An Email Filtering Language       January 2008

    Person & email address to contact for further information:
       See the discussion list at ietf-mta-filters@imc.org.
    Intended usage:
       COMMON
    Author/Change controller:
       The SIEVE WG, delegated by the IESG.

8.  Parsing

   The Sieve grammar is separated into tokens and a separate grammar as
   most programming languages are.  Additional rules are supplied here
   for common arguments to various language facilities.

8.1.  Lexical Tokens

   Sieve scripts are encoded in UTF-8.  The following assumes a valid
   UTF-8 encoding; special characters in Sieve scripts are all US-ASCII.

   The following are tokens in Sieve:

           - identifiers
           - tags
           - numbers
           - quoted strings
           - multi-line strings
           - other separators

   Identifiers, tags, and numbers are case-insensitive, while quoted
   strings and multi-line strings are case-sensitive.

   Blanks, horizontal tabs, CRLFs, and comments ("whitespace") are
   ignored except as they separate tokens.  Some whitespace is required
   to separate otherwise adjacent tokens and in specific places in the
   multi-line strings.  CR and LF can only appear in CRLF pairs.

   The other separators are single individual characters and are
   mentioned explicitly in the grammar.

   The lexical structure of sieve is defined in the following grammar
   (as described in [ABNF]):

   bracket-comment    = "/*" *not-star 1*STAR
                        *(not-star-slash *not-star 1*STAR) "/"
                          ; No */ allowed inside a comment.
                          ; (No * is allowed unless it is the last
                          ; character, or unless it is followed by a
                          ; character that isn't a slash.)

Guenther & Showalter        Standards Track                    [Page 34]



RFC 5228           Sieve: An Email Filtering Language       January 2008

   comment            = bracket-comment / hash-comment

   hash-comment       = "#" *octet-not-crlf CRLF

   identifier         = (ALPHA / "_") *(ALPHA / DIGIT / "_")

   multi-line         = "text:" *(SP / HTAB) (hash-comment / CRLF)
                        *(multiline-literal / multiline-dotstart)
                        "." CRLF

   multiline-literal  = [ octet-not-period *octet-not-crlf ] CRLF

   multiline-dotstart = "." 1*octet-not-crlf CRLF
                          ; A line containing only "." ends the
                          ; multi-line.  Remove a leading '.' if
                          ; followed by another '.'.

   not-star           = CRLF / %x01-09 / %x0B-0C / %x0E-29 / %x2B-FF
                          ; either a CRLF pair, OR a single octet
                          ; other than NUL, CR, LF, or star

   not-star-slash     = CRLF / %x01-09 / %x0B-0C / %x0E-29 / %x2B-2E /
                        %x30-FF
                          ; either a CRLF pair, OR a single octet
                          ; other than NUL, CR, LF, star, or slash

   number             = 1*DIGIT [ QUANTIFIER ]

   octet-not-crlf     = %x01-09 / %x0B-0C / %x0E-FF
                          ; a single octet other than NUL, CR, or LF

   octet-not-period   = %x01-09 / %x0B-0C / %x0E-2D / %x2F-FF
                          ; a single octet other than NUL,
                          ; CR, LF, or period

   octet-not-qspecial = %x01-09 / %x0B-0C / %x0E-21 / %x23-5B / %x5D-FF
                          ; a single octet other than NUL,
                          ; CR, LF, double-quote, or backslash

   QUANTIFIER         = "K" / "M" / "G"

   quoted-other       = "\" octet-not-qspecial
                          ; represents just the octet-no-qspecial
                          ; character.  SHOULD NOT be used

   quoted-safe        = CRLF / octet-not-qspecial
                          ; either a CRLF pair, OR a single octet other
                          ; than NUL, CR, LF, double-quote, or backslash

Guenther & Showalter        Standards Track                    [Page 35]



RFC 5228           Sieve: An Email Filtering Language       January 2008

   quoted-special     = "\" (DQUOTE / "\")
                          ; represents just a double-quote or backslash

   quoted-string      = DQUOTE quoted-text DQUOTE

   quoted-text        = *(quoted-safe / quoted-special / quoted-other)

   STAR               = "*"

   tag                = ":" identifier

   white-space        = 1*(SP / CRLF / HTAB) / comment

8.2.  Grammar

   The following is the grammar of Sieve after it has been lexically
   interpreted.  No whitespace or comments appear below.  The start
   symbol is "start".

   argument     = string-list / number / tag

   arguments    = *argument [ test / test-list ]

   block        = "{" commands "}"

   command      = identifier arguments (";" / block)

   commands     = *command

   start        = commands

   string       = quoted-string / multi-line

   string-list  = "[" string *("," string) "]" / string
                    ; if there is only a single string, the brackets
                    ; are optional

   test         = identifier arguments

   test-list    = "(" test *("," test) ")"

8.3.  Statement Elements

   These elements are collected from the "Syntax" sections elsewhere in
   this document, and are provided here in [ABNF] syntax so that they
   can be modified by extensions.

   ADDRESS-PART = ":localpart" / ":domain" / ":all"

Guenther & Showalter        Standards Track                    [Page 36]



RFC 5228           Sieve: An Email Filtering Language       January 2008

   COMPARATOR   = ":comparator" string

   MATCH-TYPE   = ":is" / ":contains" / ":matches"

9.  Extended Example

   The following is an extended example of a Sieve script.  Note that it
   does not make use of the implicit keep.

    #
    # Example Sieve Filter
    # Declare any optional features or extension used by the script
    #
    require ["fileinto"];

    #
    # Handle messages from known mailing lists
    # Move messages from IETF filter discussion list to filter mailbox
    #
    if header :is "Sender" "owner-ietf-mta-filters@imc.org"
            {
            fileinto "filter";  # move to "filter" mailbox
            }
    #
    # Keep all messages to or from people in my company
    #
    elsif address :DOMAIN :is ["From", "To"] "example.com"
            {
            keep;               # keep in "In" mailbox
            }

    #
    # Try and catch unsolicited email.  If a message is not to me,
    # or it contains a subject known to be spam, file it away.
    #
    elsif anyof (NOT address :all :contains
                   ["To", "Cc", "Bcc"] "me@example.com",
                 header :matches "subject"
                   ["*make*money*fast*", "*university*dipl*mas*"])
            {
            fileinto "spam";   # move to "spam" mailbox
            }
    else
            {
            # Move all other (non-company) mail to "personal"
            # mailbox.
            fileinto "personal";
            }

Guenther & Showalter        Standards Track                    [Page 37]



RFC 5228           Sieve: An Email Filtering Language       January 2008

10.  Security Considerations

   Users must get their mail.  It is imperative that whatever
   implementations use to store the user-defined filtering scripts
   protect them from unauthorized modification, to preserve the
   integrity of the mail system.  An attacker who can modify a script
   can cause mail to be discarded, rejected, or forwarded to an
   unauthorized recipient.  In addition, it's possible that Sieve
   scripts might expose private information, such as mailbox names, or
   email addresses of favored (or disfavored) correspondents.  Because
   of that, scripts SHOULD also be protected from unauthorized
   retrieval.

   Several commands, such as "discard", "redirect", and "fileinto",
   allow for actions to be taken that are potentially very dangerous.

   Use of the "redirect" command to generate notifications may easily
   overwhelm the target address, especially if it was not designed to
   handle large messages.

   Allowing a single script to redirect to multiple destinations can be
   used as a means of amplifying the number of messages in an attack.
   Moreover, if loop detection is not properly implemented, it may be
   possible to set up exponentially growing message loops.  Accordingly,
   Sieve implementations:

   (1) MUST implement facilities to detect and break message loops.  See
       section 6.2 of [SMTP] for additional information on basic loop
       detection strategies.

   (2) MUST provide the means for administrators to limit the ability of
       users to abuse redirect.  In particular, it MUST be possible to
       limit the number of redirects a script can perform.
       Additionally, if no use cases exist for using redirect to
       multiple destinations, this limit SHOULD be set to 1.  Additional
       limits, such as the ability to restrict redirect to local users,
       MAY also be implemented.

   (3) MUST provide facilities to log use of redirect in order to
       facilitate tracking down abuse.

   (4) MAY use script analysis to determine whether or not a given
       script can be executed safely.  While the Sieve language is
       sufficiently complex that full analysis of all possible scripts
       is computationally infeasible, the majority of real-world scripts
       are amenable to analysis.  For example, an implementation might

Guenther & Showalter        Standards Track                    [Page 38]



RFC 5228           Sieve: An Email Filtering Language       January 2008

       allow scripts that it has determined are safe to run unhindered,
       block scripts that are potentially problematic, and subject
       unclassifiable scripts to additional auditing and logging.

   Allowing redirects at all may not be appropriate in situations where
   email accounts are freely available and/or not trackable to a human
   who can be held accountable for creating message bombs or other
   abuse.

   As with any filter on a message stream, if the Sieve implementation
   and the mail agents 'behind' Sieve in the message stream differ in
   their interpretation of the messages, it may be possible for an
   attacker to subvert the filter.  Of particular note are differences
   in the interpretation of malformed messages (e.g., missing or extra
   syntax characters) or those that exhibit corner cases (e.g., NUL
   octets encoded via [MIME3]).

11.  Acknowledgments

   This document has been revised in part based on comments and
   discussions that took place on and off the SIEVE mailing list.
   Thanks to Sharon Chisholm, Cyrus Daboo, Ned Freed, Arnt Gulbrandsen,
   Michael Haardt, Kjetil Torgrim Homme, Barry Leiba, Mark E. Mallett,
   Alexey Melnikov, Eric Rescorla, Rob Siemborski, and Nigel Swinson for
   reviews and suggestions.

12.  Normative References

   [ABNF]      Crocker, D., Ed., and P. Overell, "Augmented BNF for
               Syntax Specifications: ABNF", RFC 4234, October 2005.

   [COLLATION] Newman, C., Duerst, M., and A. Gulbrandsen, "Internet
               Application Protocol Collation Registry", RFC 4790, March
               2007.

   [IMAIL]     Resnick, P., Ed., "Internet Message Format", RFC 2822,
               April 2001.

   [KEYWORDS]  Bradner, S., "Key words for use in RFCs to Indicate
               Requirement Levels", BCP 14, RFC 2119, March 1997.

   [MIME]      Freed, N. and N. Borenstein, "Multipurpose Internet Mail
               Extensions (MIME) Part One: Format of Internet Message
               Bodies", RFC 2045, November 1996.

   [MIME3]     Moore, K., "MIME (Multipurpose Internet Mail Extensions)
               Part Three: Message Header Extensions for Non-ASCII
               Text", RFC 2047, November 1996.

Guenther & Showalter        Standards Track                    [Page 39]



RFC 5228           Sieve: An Email Filtering Language       January 2008

   [SMTP]      Klensin, J., Ed., "Simple Mail Transfer Protocol", RFC
               2821, April 2001.

   [UTF-8]     Yergeau, F., "UTF-8, a transformation format of ISO
               10646", STD 63, RFC 3629, November 2003.

13.  Informative References

   [BINARY-SI] "Standard IEC 60027-2: Letter symbols to be used in
               electrical technology - Part 2: Telecommunications and
               electronics", January 1999.

   [DSN]       Moore, K. and G. Vaudreuil, "An Extensible Message Format
               for Delivery Status Notifications", RFC 3464, January
               2003.

   [FLAMES]    Borenstein, N, and C. Thyberg, "Power, Ease of Use, and
               Cooperative Work in a Practical Multimedia Message
               System", Int. J.  of Man-Machine Studies, April, 1991.
               Reprinted in Computer-Supported Cooperative Work and
               Groupware, Saul Greenberg, editor, Harcourt Brace
               Jovanovich, 1991.  Reprinted in Readings in Groupware and
               Computer-Supported Cooperative Work, Ronald Baecker,
               editor, Morgan Kaufmann, 1993.

   [IMAP]      Crispin, M., "Internet Message Access Protocol - version
               4rev1", RFC 3501, March 2003.

   [MDN]       Hansen, T., Ed., and G. Vaudreuil, Ed., "Message
               Disposition Notification", RFC 3798, May 2004.

   [RFC3028]   Showalter, T., "Sieve: A Mail Filtering Language", RFC
               3028, January 2001.

Guenther & Showalter        Standards Track                    [Page 40]



RFC 5228           Sieve: An Email Filtering Language       January 2008

14.  Changes from RFC 3028

   This following list is a summary of the changes that have been made
   in the Sieve language base specification from [RFC3028].

    1. Removed ban on tests having side-effects
    2. Removed reject extension (will be specified in a separate RFC)
    3. Clarified description of comparators to match [COLLATION], the
       new base specification for them
    4. Require stripping of leading and trailing whitespace in "header"
       test
    5. Clarified or tightened handling of many minor items, including:
       - invalid [MIME3] encoding
       - invalid addresses in headers
       - invalid header field names in tests
       - 'undefined' comparator result
       - unknown envelope parts
       - null return-path in "envelope" test
    6. Capability strings are case-sensitive
    7. Clarified that fileinto should reencode non-ASCII mailbox
       names to match the mailstore's conventions
    8. Errors in the ABNF were corrected
    9. The references were updated and split into normative and
       informative
   10. Added encoded-character capability and deprecated (but did not
       remove) use of arbitrary binary octets in Sieve scripts.
   11. Updated IANA registration template, and added IANA
       considerations to permit capability prefix registrations.
   12. Added .sieve as a valid extension for Sieve scripts.

Editors' Addresses

   Philip Guenther
   Sendmail, Inc.
   6425 Christie St. Ste 400
   Emeryville, CA 94608
   EMail: guenther@sendmail.com

   Tim Showalter
   EMail: tjs@psaux.com

Guenther & Showalter        Standards Track                    [Page 41]



RFC 5228           Sieve: An Email Filtering Language       January 2008

Full Copyright Statement

   Copyright (C) The IETF Trust (2008).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

Guenther & Showalter        Standards Track                    [Page 42]