A method for dynamic access control management of emails

By extending the MIME protocol, the sending end defines permission rules, and the transmission link verifies and the terminal executes them, thus solving the problem of uncontrolled email permissions and realizing dynamic permission management and enhanced information security throughout the entire lifecycle.

CN121940371BActive Publication Date: 2026-06-30KYLIN CORP

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
KYLIN CORP
Filing Date
2026-03-30
Publication Date
2026-06-30

AI Technical Summary

Technical Problem

Existing email access control systems have limitations, such as the inability of senders to maintain subsequent access control over sent emails, leading to information security risks. In particular, access control becomes invalid and easily bypassed during cross-domain transmissions and offline operations.

Method used

By extending the MIME protocol, the sender defines permission rules, verifies all nodes in the transmission link, and enforces them on the terminal device, thus achieving dynamic control of email permissions throughout their entire lifecycle, including embedding and verifying limit address ranges and over-limit processing permission flags.

Benefits of technology

It achieves dynamic access control throughout the entire email lifecycle, prevents the illegal dissemination of sensitive information, provides multi-level access management, is compatible with existing email protocols, reduces deployment costs, and avoids access bypass vulnerabilities.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN121940371B_ABST
    Figure CN121940371B_ABST
Patent Text Reader

Abstract

This invention relates to a dynamic access control management method for emails, applied to the sending end, transmission link, and receiving terminal of emails, including the following steps: S10: The sender defines a limited address range for the email based on the target sender-recipient list, and simultaneously selects an over-limit processing permission flag that matches the limited address range; S20: During the routing and transmission stage of the email between server sites, the first extended field and the second extended field in the email are parsed in real time through the MAT service to check whether the sender-recipient addresses of this transmission exceed the limited address range, and to determine whether an over-limit transmission has occurred; S30: The terminal device executes the corresponding email operation permission control according to the permission flag corresponding to the second extended field, blocking unauthorized email operation behavior. The main purpose of this invention is to extend the standard MIME protocol to strongly bind email permissions to the original sender-recipient list, thereby achieving dynamic access control throughout the entire lifecycle.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention belongs to the field of email communication technology, and specifically relates to a dynamic permission control management method for emails. Background Technology

[0002] Email is one of the core tools for business communication and information exchange on the Internet today. Mainstream email systems are based on standard protocols such as SMTP, POP3, IMAP, and MIME to realize the composition, transmission, reception, and management of emails.

[0003] Existing technologies for email access control have inherent flaws: after the sender sends an email, the recipient has unrestricted and complete operational permissions, freely performing operations such as forwarding, downloading, printing, editing, and redistributing the email. The sender cannot subsequently control access or limit the dissemination scope of the sent email. This flaw brings significant information security risks: First, confidential business emails and internal sensitive emails are easily forwarded and disseminated illegally, causing information leaks; second, attackers can illegally configure automatic forwarding rules for target email addresses, silently forwarding emails to designated email addresses and stealing sensitive information, and this behavior is difficult to detect and block in a timely manner; third, existing email access control solutions are mostly single-point control on the terminal side, failing to implement mandatory verification of all nodes in the transmission link. In scenarios such as cross-email service provider and cross-domain transmission, and offline terminal operation, access rules are easily bypassed, making true mandatory control impossible. Summary of the Invention

[0004] The main objective of this invention is to provide a dynamic permission control management method for emails. By extending the standard MIME protocol, email permissions are strongly bound to the original sender and recipient lists, realizing dynamic permission control throughout the entire lifecycle of "sender definition rules → transmission link verification → terminal behavior control". This solves the problems of uncontrolled permissions for sent emails, unrestricted propagation range, invalid cross-domain transmission permissions, and easy illegal bypassing in existing technologies. At the same time, it ensures the compatibility of the solution with existing email protocols and reduces deployment costs.

[0005] To achieve the above objectives, this invention provides a dynamic access control management method for emails, applied to the sending end, transmission link, and receiving terminal of emails, including the following steps:

[0006] S10: Sender Permission Configuration and Validation Steps:

[0007] When composing an email, the sender defines a limited address range based on the target sender and recipient list, and selects an over-limit processing permission flag that matches the limited address range; the first extended field containing the limited address range and the second extended field containing the over-limit processing permission flag are embedded in the email's MIME header or email attachment attributes; the limited address range and the over-limit processing permission flag are fixed when the email is sent and cannot be modified.

[0008] S20: Transmission Link Full Node Verification and Execution Steps:

[0009] During the routing and transmission of emails between server sites, the MAT service parses the first and second extended fields in the email in real time to check whether the sender and recipient addresses of this transmission exceed the limited address range and determine whether an over-limit transmission has occurred. If an over-limit transmission occurs, the MAT service executes the corresponding transmission control operation based on the over-limit processing permission flag corresponding to the second extended field.

[0010] S30: Steps for forcibly inheriting and executing terminal permissions:

[0011] The terminal device for emails is required to inherit the first and second extended fields fixed in the email. The terminal device includes the email client and the IMAP server. The terminal device performs corresponding email operation permission control based on the permission flag corresponding to the second extended field, blocking unauthorized email operation behaviors.

[0012] Preferably, the first extended field is the X-PurviewAddress field, which is used to record the list of limited sender and recipient addresses of the original email, serving as the sole basis for verifying the scope of permissions; the second extended field is the X-Purview field, which is used to define the processing rules corresponding to the over-limit transmission behavior.

[0013] Further preferred, when the X-Purview field is set to release, the MAT service determines that the email has no permission constraints and allows it to pass directly, and the terminal device does not set any operation restrictions on the email.

[0014] Further preferably, when the X-Purview field is set to scopeLock, if the MAT service determines that the transmission has exceeded the limit, it will allow the transmission to proceed, enabling recipients outside the limited address range to receive the email; at the same time, it will trigger the access control of the recipient's terminal device, implementing read-only access control for the email, allowing only the user to read the email content.

[0015] Further preferred, when the X-Purview field is set to scopeWarn, if the MAT service determines that the current transmission has exceeded the limit, it will directly terminate and discard the current transmission that exceeded the limit, and at the same time silently send a notification to the original sender, informing the initiator, target recipient and trigger time of the transmission that exceeded the limit.

[0016] Further preferably, when the X-Purview field is valued as scopeDestruct, if the MAT service determines that the current transmission has exceeded the limit, the following operations are performed:

[0017] S100: Directly terminate and discard this excessive transmission;

[0018] S200: Silently send a notification message to the original sender, informing the initiator, target recipient, and trigger time of the excessive transmission behavior;

[0019] S300: Sends an email cleanup request to the IMAP server corresponding to the sender who initiated this over-limit transmission behavior. After receiving the request, the IMAP server deletes the original email in the sender's mailbox and records the operation log.

[0020] Preferably, in step S20, when emails are routed and transmitted across email service providers across domains, each hop of the email server site in the transmission link parses and performs limit checks on the extended fields of the email through the MAT service, ensuring the mandatory inheritance and execution of permission rules in cross-domain transmission scenarios.

[0021] Preferably, in step S30, the terminal device performs permission control based on the locally cached extended fields in the offline state to avoid permission bypass vulnerabilities in offline scenarios.

[0022] Preferably, in step S10, the sender can select multiple over-limit processing permission flags for combination configuration. The system has preset priority rules for multiple flag combinations, with scopeDestruct having higher priority than scopeWarn, scopeWarn having higher priority than scopeLock, and scopeLock having higher priority than release.

[0023] Preferably, in step S10, an anti-tampering mechanism is used to ensure that the field cannot be modified when the field is solidified. The anti-tampering mechanism is as follows: a digital signature is generated for the contents of the first extended field and the second extended field, and the digital signature is embedded in the MIME protocol header. When the MAT service and the terminal device are verifying, they first verify whether the field content has been tampered with through the digital signature. If the verification fails, the highest level of over-limit control operation is directly executed.

[0024] The beneficial effects of this invention are as follows:

[0025] 1. Implemented dynamic permission control throughout the entire email lifecycle, resolving the issue of "uncontrolled permissions for sent emails":

[0026] This invention, through a closed-loop architecture of sender-side rule definition, full-node verification of the transmission link, and mandatory execution on the terminal side, enables senders to have complete and continuous access control over sent emails, accurately limiting the scope of email dissemination and effectively preventing the illegal spread of sensitive information.

[0027] 2. Provides fine-grained, multi-scenario access control capabilities to adapt to email requirements with different security levels:

[0028] This invention uses four permission flags—release, scopeLock, scopeWarn, and scopeDestruct—to achieve multi-level control, ranging from unrestricted release, read-only locking for exceeding limits, interception and alarm for exceeding limits, to self-destruction and cleanup for exceeding limits. It supports senders to configure and combine these flags as needed, covering all scenarios such as ordinary emails, internal confidential emails, and highly sensitive business emails.

[0029] 3. High compatibility and low deployment cost:

[0030] This invention extends the standard MIME protocol without changing the basic architecture of the existing email protocol. The MAT service can be directly integrated into the existing Mail Transfer Agent (MTA), and is compatible with existing mainstream email service providers and email clients. It does not require large-scale modification of the existing email system and has strong practicality.

[0031] 4. High security; no privilege-to-bypass vulnerability exists:

[0032] This invention employs triple protection—full node verification during cross-domain transmission, local permission execution in offline states, and tamper-proof digital signatures for extended fields—to prevent permission bypassing issues in scenarios such as cross-domain transmission, offline operations, and unauthorized field tampering. Simultaneously, through alarms for exceeding limits, log recording, and automatic cleanup mechanisms, it enables the traceability and handling of risky behaviors, thereby enhancing the information security protection capabilities of the email system. Attached Figure Description

[0033] The present invention will now be described in further detail with reference to the accompanying drawings and specific embodiments.

[0034] Figure 1 This is a schematic diagram of the email management process corresponding to the scopeWarn permission flag in an embodiment of the present invention;

[0035] Figure 2 This is a schematic diagram of the email management process corresponding to the scopeDestruct permission flag in an embodiment of the present invention. Detailed Implementation

[0036] The technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings. Many specific details are set forth in the following description to provide a thorough understanding of the present invention. However, the present invention may also be implemented in other ways different from those described herein. Those skilled in the art can make similar extensions without departing from the spirit of the present invention. Therefore, the present invention is not limited to the specific embodiments disclosed below.

[0037] This embodiment provides a dynamic access control management method for emails, implemented based on standard SMTP, IMAP, and MIME protocols. The MAT service is an email transmission permission verification service integrated into the email server site, deployed during the routing and transmission of emails between server sites. It is used to parse email extended fields, verify excessive behavior, and execute corresponding control actions. The core extended fields of this invention include two types: the first extended field is the X-PurviewAddress field, used to record the restricted sender and recipient address list of the original email, serving as the sole verification basis for the scope of permission coverage; the second extended field is the X-Purview field, used to define the processing rules corresponding to excessive transmission behavior, with optional values ​​including release, scopeLock, scopeWarn, and scopeDestruct.

[0038] Example 1

[0039] This embodiment is a complete and general logical embodiment of the present invention, covering the entire process execution rules for four types of permission flags, and specifically includes the following core steps:

[0040] S10. Sender Permission Configuration and Consolidation Steps:

[0041] When composing an email in an email client, the sender first defines a limited address range based on the target sender and recipient list and fills this range into the X-PurviewAddress field. At the same time, according to the email's security level requirements, the sender selects an over-limit processing permission flag that matches the limited address range and fills it into the X-Purview field. The email client embeds the above two fields into the email's MIME header or email attachment attributes. The field content is fixed when the email is sent and cannot be modified by any subject throughout the process. Furthermore, it must be forcibly inherited during email forwarding and secondary transmission.

[0042] S20. Transmission link full node verification and execution steps:

[0043] After an email enters the routing and transmission stage between server sites, the MAT service of each mail server will parse the X-PurviewAddress and X-Purview fields in the email in real time to check whether the sender and recipient addresses of this transmission exceed the address range limited by the X-PurviewAddress field, and determine whether an over-limit transmission has occurred. If the address range is within the limit, the MAT service will directly allow the email to pass; if an over-limit transmission occurs, the MAT service will execute the corresponding control action according to the value of the X-Purview field. The specific execution rules for the four types of fields are as follows:

[0044] When the X-Purview field is set to release, the MAT service determines that the email has no permission constraints and allows it to pass directly regardless of whether it exceeds the limited address range, without performing any transmission control operations.

[0045] When the X-Purview field is set to scopeLock, the MAT service determines that the transmission has exceeded the limit and allows the transmission to proceed, so that recipients outside the limited address range can receive the email normally. At the same time, it sends a read-only permission control instruction to the recipient's terminal device.

[0046] When the X-Purview field is set to scopeWarn, the MAT service determines that the transmission has exceeded the limit, terminates and discards the transmission, and silently generates a notification message to send to the original sender, informing the initiator, target recipient and trigger time of the transmission.

[0047] When the X-Purview field is set to scopeDestruct, the MAT service determines that the transmission has exceeded the limit. It first terminates and discards the transmission, then silently generates a notification email and sends it to the original sender. Finally, it sends a standardized email cleanup request to the IMAP server corresponding to the sender who initiated the transmission.

[0048] S30. Terminal Permission Mandatory Inheritance and Execution Steps

[0049] The email terminal devices (including email clients and IMAP servers) are required to inherit the X-PurviewAddress and X-Purview fields embedded in the email, and to perform corresponding email operation permission control based on the field values. The specific terminal execution rules for the four types of fields are as follows:

[0050] When the X-Purview field is set to release, the terminal device does not set any operation restrictions on the email, and the user can perform complete reading, downloading, printing, editing and forwarding operations on the email;

[0051] When the X-Purview field is set to scopeLock, the terminal device implements read-only permission control for emails received beyond the limit, allowing users to read only the email body and prohibiting all operations such as downloading, printing, editing, forwarding, and saving as an .eml file to the email and its attachments.

[0052] When the X-Purview field is set to scopeWarn or scopeDestruct, the terminal device grants full operation permissions to legitimate recipients within the specified address range. For the scopeDestruct flag, the IMAP server needs to receive and execute the email cleanup request issued by the MAT service, delete the original email in the mailbox of the violator, and retain the operation log.

[0053] Example 2: ScopeWarn Out-of-Scope Warning Permission Management Example

[0054] This embodiment corresponds to the attached Figure 1 The email management process, with the following specific steps:

[0055] S10. Sender Permission Configuration and Consolidation:

[0056] When the sender composes an email through terminal 1, they define the limited address range for this email and select the scopeWarn flag for handling exceeding the limit. The X-PurviewAddress field, which contains the limited address range, and the X-Purview field, which contains the scopeWarn flag, are embedded in the MIME header of the email. These fields are fixed when the email is sent and cannot be modified.

[0057] S20, Legitimate Transmission and Receipt:

[0058] When an email enters the routing and transmission stage of the mail server site, the MAT service parses the extended fields in the email's MIME header, verifies that the recipient's address in this transmission is within the address range specified by the X-PurviewAddress field, determines that no over-limit transmission has occurred, and allows the email to pass through; the email is transmitted normally to the recipient's terminal 2, and the recipient can receive and read the email normally.

[0059] S30, Control and Implementation of Over-limit Forwarding:

[0060] When the recipient of Terminal 2 attempts to forward the email to another recipient outside the limited address range, the forwarded email automatically inherits the fixed extended fields in the MIME protocol header of the original email; after the forwarded email enters the transmission stage of the mail server site, the MAT service parses the extended fields, checks whether the recipient address of this forwarding exceeds the limit range of the X-PurviewAddress field, and determines that an over-limit transmission behavior has occurred.

[0061] Based on the scopeWarn flag in the X-Purview field, the MAT service directly terminates and discards the current over-limit forwarding transmission, and silently sends a notification to the original sender, informing them of the initiator and target recipient information of this over-limit transmission.

[0062] Example 3: Example of scopeDestruct out-of-scope self-destruct permission control

[0063] This embodiment corresponds to the attached Figure 2 The email management process, with the following specific steps:

[0064] S10. Sender Permission Configuration and Consolidation

[0065] When the sender composes an email through terminal 1, they define the limited address range for this email and select the scopeDestruct flag for handling exceeding the limit. The X-PurviewAddress field, which contains the limited address range, and the X-Purview field, which contains the scopeDestruct flag, are embedded in the MIME header of the email. These fields are fixed when the email is sent and cannot be modified.

[0066] S20, Legitimate Transmission and Receipt:

[0067] When an email enters the routing and transmission stage of the mail server site, the MAT service parses the extended fields in the email's MIME header, verifies that the recipient's address in this transmission is within the address range specified by the X-PurviewAddress field, determines that no over-limit transmission has occurred, and allows the email to pass through; the email is transmitted normally to the recipient's terminal 2, and the recipient can receive and read the email normally.

[0068] S30, Control and Implementation of Over-limit Forwarding:

[0069] When the recipient of Terminal 2 attempts to forward the email to another recipient outside the specified address range, the forwarded email automatically inherits the fixed extended fields in the original email's MIME header. After the forwarded email enters the mail server site transmission stage, the MAT service parses the extended fields, checks whether the recipient address of this forwarding exceeds the limit range of the X-PurviewAddress field, and determines that an over-limit transmission behavior has occurred.

[0070] The MAT service performs the following operations based on the scopeDestruct flag of the X-Purview field:

[0071] S100: Directly terminate and discard this over-limit forwarding transmission;

[0072] S200: Silently send a notification message to the original sender, informing them of the initiator and target recipient information of this over-limit transmission behavior;

[0073] S300: Sends a mail cleanup request to the IMAP server corresponding to the sender who initiated this over-limit transmission behavior. After receiving the request, the IMAP server deletes the original emails in the sender's mailbox.

[0074] Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by those skilled in the art based on the embodiments of the present invention without inventive effort are within the scope of protection of the present invention.

Claims

1. A dynamic access control management method for emails, applied to the sending end, transmission link, and receiving terminal of emails, characterized in that, Includes the following steps: S10: Sender Permission Configuration and Validation Steps: When composing an email, the sender defines a limited address range based on the target sender and recipient list, and selects an over-limit processing permission flag that matches the limited address range; the first extended field containing the limited address range and the second extended field containing the over-limit processing permission flag are embedded in the email's MIME header or email attachment attributes; the limited address range and the over-limit processing permission flag are fixed when the email is sent and cannot be modified. The first extended field is the X-PurviewAddress field, which is used to record the list of limited sender and recipient addresses of the original email, serving as the sole basis for verifying the scope of permissions. The second extended field is the X-Purview field, which is used to define the processing rules corresponding to the over-limit transmission behavior; S20: Transmission Link Full Node Verification and Execution Steps: During the routing and transmission of emails between server sites, the MAT service parses the first and second extended fields in the email in real time to check whether the sender and recipient addresses of this transmission exceed the limited address range and to determine whether an over-limit transmission has occurred. If an excessive transmission occurs, the MAT service will perform the corresponding transmission control operation based on the excessive processing permission flag corresponding to the second extended field. S30: Steps for forcibly inheriting and executing terminal permissions: The terminal device for emails is required to inherit the first and second extended fields fixed in the email. The terminal device includes the email client and the IMAP server. The terminal device performs corresponding email operation permission control based on the permission flag corresponding to the second extended field, blocking unauthorized email operation behaviors.

2. The dynamic access control management method for emails according to claim 1, characterized in that, When the X-Purview field is set to "release", the MAT service determines that the email has no permission restrictions and allows it to pass directly. The terminal device does not set any operation restrictions on the email.

3. The dynamic access control management method for emails according to claim 2, characterized in that, When the X-Purview field is set to scopeLock, if the MAT service determines that the transmission has exceeded the limit, it will allow the transmission to proceed, so that recipients outside the limited address range can receive the email. At the same time, it triggers the permission control of the recipient's terminal device, implementing read-only permission control for the email, allowing only the user to read the email content.

4. The dynamic access control management method for emails according to claim 3, characterized in that, When the X-Purview field is set to scopeWarn, if the MAT service determines that the current transmission has exceeded the limit, it will directly terminate and discard the transmission that exceeded the limit, and at the same time silently send a notification to the original sender, informing the initiator, the target recipient and the trigger time of the transmission that exceeded the limit.

5. The dynamic access control management method for emails according to claim 4, characterized in that, When the X-Purview field is set to scopeDestruct, if the MAT service determines that the current transmission has exceeded the limit, the following actions will be taken: S100: Directly terminate and discard this excessive transmission; S200: Silently send a notification message to the original sender, informing the initiator, target recipient, and trigger time of the excessive transmission behavior; S300: Sends an email cleanup request to the IMAP server corresponding to the sender who initiated this over-limit transmission behavior. After receiving the request, the IMAP server deletes the original email in the sender's mailbox and records the operation log.

6. The dynamic access control management method for emails according to claim 1, characterized in that, In step S20, when emails are routed across domains across email service providers, each hop in the transmission link's email server site parses and performs limit checks on the email's extended fields through the MAT service.

7. The method for dynamic access control management of emails according to claim 1, characterized in that, In step S30, the terminal device performs permission control based on the extended fields cached locally while offline.

8. The dynamic access control management method for emails according to claim 5, characterized in that, In step S10, the sender selects multiple over-limit processing permission flags for combination configuration. The system has preset priority rules for multiple flag combinations: scopeDestruct has higher priority than scopeWarn, scopeWarn has higher priority than scopeLock, and scopeLock has higher priority than release.

9. The dynamic access control management method for emails according to claim 1, characterized in that, In step S10, an anti-tampering mechanism is used to ensure that the fields cannot be modified when the fields are solidified. The anti-tampering mechanism is as follows: digital signatures are generated for the contents of the first extended field and the second extended field, and the digital signatures are embedded in the MIME protocol header. When the MAT service and the terminal device are verifying, they first verify whether the field content has been tampered with through the digital signature. If the verification fails, the highest level of over-limit control operation is directly executed.