On Wed, 20 Sep 2000, Philip Hazel wrote:
> 1. Their argument:
> Users' expectations nowadays are that no Bcc: header lines are ever
> transmitted in headers. Therefore, Exim should remove them, always.
Ummm... no. If they agree that Bcc: header lines should *never* be transmitted,
then perhaps their MUA should never transmit them either. Exim should never see
Bcc: lines in this case, but then I am being pedantic I suppose. :-)
> 3. What does Sendmail do? (The book doesn't seem to say.)
According to pages 793 and 794 of my copy of the O'Reilly Sendmail book (I have
a copy for use as door wedge and paper stop), it states:
Bcc: (RFC822)
------------------------------------------------------------------------------
35.10.4 Blind Carbon copy
A blind carbon copy is a copy of the mail message that is sent to one or more
recipients without the knowledge of the primary recipients. Primary recipients
are listed in the To: and Cc: lines. When there are multiple blind carbon copy
recipients, knowledge of each other is also hidden.
When run with a -t command-line switch (to gather recipients from the headers),
the sendmail program achieves this end by saving a list of all the blind carbon
copy recipients, deleting the Bcc: header line, and then delivering to each
blind carbon copy recipient. (See the Apparently-To: header)
<snip>
Now, my understanding of this is that sendmail should only delete the Bcc: line
when given the -t switch. Otherwise, it should according to the above paragraph
retain it, but I expect that it does indeed rip it out anyway because that's
the sort of silly behaviour to expect from sendmail.
Whilst we're on the subject, Apparently-To: has to be the biggest MTA kludge
for a broken MUA I've ever seen. Never mentioned in an RFC, sendmail sticks it
in there when there isn't anything in the To: or Cc: header fields or they are
absent completely. Just out of curiosity, is mutt so broken it allows people to
send mail with only Bcc: filled in? :-)
> 4. What do other MTAs do? I will collect and publish a
> summary of any information collected.
I'm sure if you ask the qmail guys they will guarantee the accuracy of their
answer with a $1000 reward. :-)
Ok, I take that back. From what I can find:
qmail: According to the qmail-header(5) man page - qmail-inject looks for
recipient address lists in the following fields: To, Cc, Bcc, Apparently-To,
Resent-To, Resent-Cc, Resent-Bcc.
Every message must contain at least one To or Cc or Bcc. qmail-inject
deletes any Bcc field. If there is no To or Cc field, qmail-inject adds a line
Cc: recipient list not shown: ;
This complies with RFC 822; it also works around some strange sendmail
behavior, in case the message is passed through sendmail on another machine.
Sounds like it is sendmail-friendly in this respect. <cue shaking of head
whilst staring at those Resent- fields>.
Postfix: From a mailing list archive I found, a fix was described as having the
following effect - When requested to extract recipients from message headers,
Postfix now insists that no message header exceeds the header size limit. This
prevents Postfix from inadvertently disclosing Bcc: addresses.
Now that sentence to me just doesn't make any sense. Perhaps I'm missing
something, but does anybody else think that the Postfix developers are betraying
their taste for Acid and other Class A drugs in this statement? :-)
MS Exchange: Who cares?! :-) Seriously though the most technically complete
documentation I could find was:
Q: What happens if a user of Microsoft Exchange Server includes a user of
Microsoft Mail 3.x as a BCC recipient?
A: The Microsoft Mail 3.x user will receive the message but without any other
addressees noted on the "TO" or "CC" line.
I kid you not. That's it. Fantastic. And who said that Technet was no good?
I think the best way to settle this one is to set up each of these MTAs in a
test environment and try it.
Personally, I don't use Bcc and think it's rude when people do and I also
think it should be the work of the MUA to work out what is going on, but the
idea of being able to optionally specify the behaviour of exim in this
respect is not going to cause any harm. It may confuse newer admins however who
tend to just whack a copy of redhat onto a PC, type in /usr/sbin/sendmail -bd
-q30m and then walk away until 3 months later when they need to close the open
relaying. :-)
I hope the above has helped you in some way. It's certainly wasted a half hour
of my time. :-)
--
Paul Robinson - Internet Services @ Akita -
http://www.akita.co.uk
------------------------------------------------------------------
Sales:- T: 01869 337088 F: 01869 337488 E: sales@???
Techs:- T: 0161 228 6388 F: 0161 228 6389 E: root@???
------------------------------------------------------------------
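The header handling quoted above for qmail-inject (take recipients from the header fields, delete Bcc:, add a placeholder Cc: when neither To: nor Cc: is present) can be sketched as follows. This is an added example, not part of the original message and not code from qmail, sendmail or Exim; the function name and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Fields the quoted qmail-header(5) text says are scanned for recipients.
RECIPIENT_FIELDS = ("To", "Cc", "Bcc", "Apparently-To",
                    "Resent-To", "Resent-Cc", "Resent-Bcc")


def extract_and_strip_bcc(raw_message):
    """Return (envelope_recipients, message_text_with_Bcc_removed).

    Hypothetical helper following the behaviour described in the quoted text.
    """
    msg = message_from_string(raw_message)

    # "Every message must contain at least one To or Cc or Bcc."
    if not any(msg[name] for name in ("To", "Cc", "Bcc")):
        raise ValueError("message has no To, Cc or Bcc field")

    # Build the envelope recipient list before any header is touched.
    recipients = []
    for field in RECIPIENT_FIELDS:
        for _display_name, addr in getaddresses(msg.get_all(field, [])):
            if addr and addr not in recipients:
                recipients.append(addr)

    # Delete every Bcc: line so blind recipients never reach the wire.
    # (The quoted text mentions only Bcc, so Resent-Bcc is left alone here.)
    del msg["Bcc"]

    # With no To: or Cc: left, add the placeholder from the quoted man page.
    if msg["To"] is None and msg["Cc"] is None:
        msg["Cc"] = "recipient list not shown: ;"

    return recipients, msg.as_string()


# Constructed sample messages (example.org addresses are placeholders).
WITH_TO = ("To: alice@example.org\nCc: bob@example.org\n"
           "Bcc: carol@example.org, dave@example.org\n"
           "Subject: test\n\nhello\n")
BCC_ONLY = "Bcc: carol@example.org\nSubject: test\n\nhello\n"

if __name__ == "__main__":
    for sample in (WITH_TO, BCC_ONLY):
        rcpts, text = extract_and_strip_bcc(sample)
        print(rcpts)
        print(text)
```
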