Author: Graeme Fowler Date: To: exim-users Subject: Re: [exim] access to bcc headers
On Mon, 2009-03-23 at 11:13 +0100, Heiko Schlittermann wrote:
> If your users have a well working MUA and deliver the mails via SMTP
> you never ever should see BCC headers. And I'd say, even for local
> delivery you can't rely on the MUA setting a BCC header.
In fact you shouldn't rely on the header existing at all. RFC5322 sect
3.6.3 (Destination Address Fields) says:
There are three ways in which the "Bcc:" field is used. In the first
case, when a message containing a "Bcc:" field is prepared to be sent,
the "Bcc:" line is removed... In the second case, recipients specified
in the "To:" and "Cc:" lines each are sent a copy of the message with
the "Bcc:" line removed as above... Finally, since a "Bcc:" field may
contain no addresses, a "Bcc:" field can be sent without any addresses
indicating to the recipients that blind copies were sent to someone.
It is, however, worth noting the comments in sect 5 (Security
Considerations).
In any case, the simple fact is that you cannot rely on the sender or
recipient information as revealed by the From:, To:, Cc: (or Bcc: if it
exists) headers since they are *not* guaranteed to be the same as the
envelope sender or recipient(s). Mailing list messages are a case in
point - the one I'm replying to has the following information contained
within it:
Received: from tahini.csx.cam.ac.uk ([131.111.8.192]) by boom.graemef.net
        with esmtp (Exim 4.69) (envelope-from <exim-users-bounces+graemef.net@???>)
        id 1LlhEn-0007LK-1J for graeme@???; Mon, 23 Mar 2009 10:18:34 +0000
To: exim-users@???
From: Heiko Schlittermann <hs@???>
So the envelope sender is not the same as the From:, and the envelope
recipient is not the same as the To:. The fact that no Bcc: header
exists could, or could not, indicate that I've actually been Bcc'd on
this message.
I accept that this is a slightly contrived example :)
In short, you can only trust the MAIL FROM and RCPT TO parts of the
envelope (i.e. the list of recipients and/or sender(s) set at the time of
the transaction). Everything else is simply data.
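The envelope-versus-header mismatch described above, shown in code. This is an added example, not code from the thread or from Exim: it parses the `envelope-from` and `for` clauses that Exim writes into its `Received:` header on delivery, then compares them against the `From:`, `To:` and `Cc:` headers. The two messages are constructed samples that mimic the shape of the post's mailing-list copy (example.org/example.net domains are assumptions, not the thread's real hosts); the regexes assume Exim's default `received_header_text` layout and will simply return `None` for other MTAs' formats.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: a mailing-list copy, as in the post. The envelope
# sender is the list's VERP bounce address and the envelope recipient is
# the subscriber, while From:/To: name the original author and the list.
LIST_COPY = """\
Received: from list.example.org ([192.0.2.10])
\tby mx.example.net with esmtp (Exim 4.69)
\t(envelope-from <list-bounces+alice=example.net@example.org>)
\tid 1Lxxxx-000000-00
\tfor alice@example.net; Mon, 23 Mar 2009 10:18:34 +0000
To: list@example.org
From: Heiko <hs@example.com>
Subject: test

body
"""

# Constructed sample: a direct message where envelope and headers agree.
DIRECT = """\
Received: from mail.example.com ([192.0.2.20])
\tby mx.example.net with esmtp (Exim 4.69)
\t(envelope-from <hs@example.com>)
\tid 1Lyyyy-000000-00
\tfor alice@example.net; Mon, 23 Mar 2009 10:20:00 +0000
To: Alice <alice@example.net>
From: Heiko <hs@example.com>
Subject: test

body
"""

# Exim writes "(envelope-from <addr>)" and "for rcpt;" in its Received: header.
ENVELOPE_FROM_RE = re.compile(r"\(envelope-from\s+<([^>]*)>\)")
FOR_RE = re.compile(r"\bfor\s+<?([^\s;>]+)>?\s*;")


def envelope_from_received(received):
    """Return (envelope-from, envelope-rcpt) parsed from one Received: header.

    Folded continuation lines are flattened first. Either value is None when
    the clause is absent (e.g. a non-Exim Received: line).
    """
    flat = " ".join(received.split())
    ef = ENVELOPE_FROM_RE.search(flat)
    rcpt = FOR_RE.search(flat)
    return (ef.group(1) if ef else None, rcpt.group(1) if rcpt else None)


def header_addresses(msg, *names):
    """Lower-cased set of bare addresses from the given header fields."""
    values = []
    for name in names:
        values.extend(msg.get_all(name, []))
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def compare_envelope_to_headers(raw):
    """Compare the envelope recorded by the receiving MTA with the headers.

    Uses only the topmost Received: header, which is the one added by the
    MTA we trust (our own); lower ones are just data written by others.
    """
    msg = message_from_string(raw)
    received = msg.get_all("Received", [])
    env_from, env_rcpt = envelope_from_received(received[0]) if received else (None, None)
    visible_rcpts = header_addresses(msg, "To", "Cc")
    return {
        "envelope_from": env_from,
        "envelope_rcpt": env_rcpt,
        "from_matches_envelope": env_from is not None
        and env_from.lower() in header_addresses(msg, "From"),
        "rcpt_in_to_or_cc": env_rcpt is not None
        and env_rcpt.lower() in visible_rcpts,
        # Absence of Bcc: tells you nothing either way, per RFC 5322 3.6.3.
        "bcc_header_present": msg.get("Bcc") is not None,
    }


if __name__ == "__main__":
    for label, sample in (("list copy", LIST_COPY), ("direct", DIRECT)):
        print(label, compare_envelope_to_headers(sample))
```

The list copy reports that neither the envelope sender nor the envelope recipient appears in the headers, which is exactly the situation the post describes; a Bcc'd direct message would look the same as far as `rcpt_in_to_or_cc` is concerned, so the header view cannot distinguish the two. Only the `Received:` line your own MTA wrote (or, better, the envelope as seen in an Exim ACL or router at SMTP time) carries the trustworthy recipient list.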