The qmail-send Bounce Message Format (QSBMF) D. J. Bernstein, djb@pobox.com 19970201 1. Introduction When a message transport agent (MTA) finds itself permanently unable to deliver a mail message, it generates a new message, generally known as a bounce message, back to the envelope sender. Bounce messages produced by the qmail-send program display the list of failed recipient addresses, an explanation for each address, and a copy of the original message, in a format that is easy for both humans and programs to read. For example: Date: 17 Mar 1996 03:54:40 -0000 From: MAILER-DAEMON@silverton.berkeley.edu To: djb@silverton.berkeley.edu Subject: failure notice Hi. This is the qmail-send program at silverton.berkeley.edu. I'm afraid I wasn't able to deliver your message to the following addresses. This is a permanent error; I've given up. Sorry it didn't work out. <god@heaven.af.mil>: Sorry, I couldn't find any host by that name. --- Below this line is a copy of the message. Return-Path: <djb@silverton.berkeley.edu> Received: (qmail 317 invoked by uid 7); 17 Mar 1996 03:54:38 -0000 Date: 17 Mar 1996 03:54:38 -0000 Message-ID: <19960317035438.316.qmail@silverton.berkeley.edu> From: djb@silverton.berkeley.edu (D. J. Bernstein) To: god@heaven.af.mil Subject: are you there? Just checking. This document defines qmail-send's format for bounce messages. In this document, a string of 8-bit bytes may be written in two different forms: as a series of hexadecimal numbers between angle brackets, or as a sequence of ASCII characters between double quotes. For example, <68 65 6c 6c 6f 20 77 6f 72 6c 64 21> is a string of length 12; it is the same as the string "hello world!". 2. Format A bounce message may be recognized as QSBMF as follows: its body begins with the characters "Hi. This is the" exactly as shown. The body of the message has four pieces: an introductory paragraph, zero or more recipient paragraphs, a break paragraph, and the original message. Each paragraph is a series of non-blank lines followed by a single blank line. The break paragraph begins with the character "-". All other paragraphs begin with characters other than "-". The break paragraph is human-readable but provides no interesting information. The introductory paragraph is human-readable. It gives the name and human-comprehensible location of the MTA, but parsers should not attempt to use this information. The only type of recipient paragraph described here is a failure paragraph, which begins with the character "<". Paragraphs beginning with other characters are reserved for future extensions. The first line of a failure paragraph ends with the characters ">:". Everything between the leading "<" and the trailing ">:" is an (unquoted) Internet mail address. A failure paragraph asserts that the MTA was permanently unable to deliver the message to the mail address shown on the first line; the MTA will not attempt further deliveries to that address. The remaining lines of the paragraph give a human-readable description of the reason for failure. Descriptions beginning with <20>, and descriptions containing "#", are reserved for future extensions. The envelope sender might not have sent his message to the address shown. There are two reasons for this. First, the MTA may freely replace unprintable characters with "_". Second, the original recipient address may have been an alias for the address shown. The original message is an exact copy of the message received by the MTA, including both header and body, preceded by a Return-Path field showing the envelope sender. 3. Comparison with 1892/1894 RFC 1892 and RFC 1894 together describe a format for delivery status notifications. I have decided not to use that format, because I believe that its complexity will prevent wide implementation and increase the burden on people who manage mailing lists. QSBMF is dedicated to failure reports, whereas RFC 1894 allows success reports and deferral reports. Although it would be possible to add deferral paragraphs and success paragraphs to QSBMF, it would be even easier to design separate formats for such notices. I have trouble reading mixed failure/deferral reports. QSBMF always returns the entire original message. RFC 1892 allows the MTA to return nothing or to return just the headers; it states ``Return of content may be wasteful of network bandwidth.'' However, failure notices are very rare, so the overall loss of bandwidth in this case is insignificant. A much more important issue is storage space: someone who manages a big mailing list does not want to have to store several copies of each message in the form of bounces. The best solution is to have each bounce automatically fed through a program that stores only the critical information. I expect such programs to spring up quickly for QSBMF. RFC 1894 provides language-independent error messages, as described by RFC 1893. One can achieve the same results more easily by adding structure to the human-readable failure descriptions, for example with HCMSSC. RFC 1894 is able to communicate an ``envelope ID'' and the original envelope recipient address specified by the sender. Unfortunately, this information will almost never be available, since it requires support by every intermediate MTA. All of the applications of this information can be handled reliably, right now, with VERPs; this requires support from the sender's MTA but not from other hosts. RFC 1894 includes several pieces of information that might be of human interest but can be seen just as easily from Received lines: the name of the MTA where delivery failed, the name of the previous MTA, timestamps, etc. All of these RFC 1894 features have a cost: complexity. A program cannot parse an 1894 report without parsing RFC 822 header fields and understanding quite a bit of MIME. This will limit the availability of parsing software. In the meantime, such reports are annoying to mailing list maintainers, since they are full of uninteresting information and are difficult to parse visually. 4. Security considerations Bounce messages may be forged. Never remove someone from a mailing list without sending him a message stating that you are doing so, even if the reason for removal is a series of apparent bounce messages from his address. If you send a message along a secret path, you should change the envelope sender address of the message to yourself, so that a bounce will not reveal anything to the original sender. In other words: for secret forwarding, use a mailing list, not a forwarder. See RFC 1894 for further discussion of these points.