On Mon, 2009-03-23 at 11:13 +0100, Heiko Schlittermann wrote:
> If your users have a well working MUA and deliver the mails via SMTP
> you never ever should see BCC headers. And I'd say, even for local
> delivery you can't rely on the MUA setting a BCC header.

In fact you shouldn't rely on the header existing at all. RFC5322 sect
3.6.3 (Destination Address Fields) says:

    There are three ways in which the "Bcc:" field is used. In the
    first case, when a message containing a "Bcc:" field is prepared
    to be sent, the "Bcc:" line is removed... In the second case,
    recipients specified in the "To:" and "Cc:" lines each are sent a
    copy of the message with the "Bcc:" line removed as above...
    Finally, since a "Bcc:" field may contain no addresses, a "Bcc:"
    field can be sent without any addresses indicating to the
    recipients that blind copies were sent to someone.

It is, however, worth noting the comments in sect 5 (Security
Considerations).

In any case, the simple fact is that you cannot rely on the sender or
recipient information as revealed by the From:, To:, Cc: (or Bcc: if it
exists) headers since they are *not* guaranteed to be the same as the
envelope sender or recipient(s).

Mailing list messages are a case in point - the one I'm replying to has
the following information contained within it:

    Received: from tahini.csx.cam.ac.uk ([131.111.8.192])
        by boom.graemef.net with esmtp (Exim 4.69)
        (envelope-from <[email protected]>)
        id 1LlhEn-0007LK-1J
        for [email protected]; Mon, 23 Mar 2009 10:18:34 +0000
    To: [email protected]
    From: Heiko Schlittermann <[email protected]>

So the envelope sender is not the same as the From:, and the envelope
recipient is not the same as the To:. The fact that no Bcc: header
exists could, or could not, indicate that I've actually been Bcc'd on
this message. I accept that this is a slightly contrived example :)

In short, you can only trust the MAIL FROM and RCPT TO parts of the
envelope (ie. the list of recipients and/or sender(s) set at the time of
the transaction). Everything else is simply data.

Graeme

--
## List details at http://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/
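
Added example (not part of the original message): a Python sketch that compares the envelope data recorded in the topmost Exim-style Received: header with the From:/To:/Cc:/Bcc: headers, as the message above does by hand. The sample message, its addresses and the function names are constructed for illustration, and the code assumes the topmost Received: header was written by your own MTA.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: a list message as the final MTA stored it. Addresses are
# made up; the Received: layout follows the Exim-style header quoted above.
SAMPLE = """\
Received: from lists.example.org ([192.0.2.10])
\tby mx.example.net with esmtp (Exim 4.69)
\t(envelope-from <users-bounces@lists.example.org>)
\tid 1AbCdE-000001-XY
\tfor graeme@example.net; Mon, 23 Mar 2009 10:18:34 +0000
Received: from elsewhere.example.com (forged.example [203.0.113.5])
\tby lists.example.org; Mon, 23 Mar 2009 10:18:30 +0000
To: users@lists.example.org
From: Heiko <heiko@example.com>

body
"""

ENV_FROM = re.compile(r"\(envelope-from <([^>]*)>\)")
ENV_FOR = re.compile(r"\bfor\s+<?([^\s<>;]+)>?\s*;")


def envelope_from_received(msg):
    """Envelope data recorded in the topmost Received: header only.
    Assumption: that header was written by our own MTA at delivery time.
    Lower Received: headers arrived as message data and are not consulted.
    """
    top = " ".join(msg.get_all("Received", [""])[0].split())  # unfold
    sender = ENV_FROM.search(top)
    rcpt = ENV_FOR.search(top)
    return (sender.group(1).lower() if sender else None,
            rcpt.group(1).lower() if rcpt else None)


def compare(raw):
    """Report whether the envelope addresses appear in the visible headers."""
    msg = message_from_string(raw)
    env_sender, env_rcpt = envelope_from_received(msg)
    hdr_from = {a.lower() for _, a in getaddresses(msg.get_all("From", []))}
    visible = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    hdr_rcpts = {a.lower() for _, a in getaddresses(visible)}
    return {
        "envelope_sender": env_sender,
        "envelope_rcpt": env_rcpt,
        "sender_matches_from": env_sender in hdr_from,
        "rcpt_in_headers": env_rcpt in hdr_rcpts,
        "bcc_header_present": msg.get("Bcc") is not None,
    }
```

Calling compare(SAMPLE) shows both mismatches at once; a False for rcpt_in_headers cannot distinguish a list expansion from a blind copy, which is the ambiguity described above.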
