[sylpheed:37319] Re: Email standard for BCC behaviour

Javier sylfiger at gmx.com
Fri Jul 26 06:30:12 JST 2024


On Thu, 25 Jul 2024 15:53:34 -0000
Paul <claws at thewildbeast.co.uk> wrote:

> On Thu, 25 Jul 2024 08:52:48 -0600
> "Gene Goldenfeld" <genegold at fastmail.com> wrote:
>
> > So this is determined by the sender's program, e.g., Sylpheed and
> > Gmail, and not the recipients'?
>
> No, it's the server's job. The MUA sets the Bcc header, the MTA
> deals with it. A server that reveals the Bcc header to any
> recipient is a broken server.


Hi,

Let me reply to this message, even though I could do so elsewhere in
the thread.


You are missing the point and how mail is actually sent.


That RFC just talks about THE MAIL FORMAT.

To understand the whole thing you'll need to read the SMTP RFC:
https://www.rfc-editor.org/rfc/rfc5321.html


In short, and to be clear: MUAs, the mail clients as we know them,
don't care whether the recipients are "To:", "Cc:" or "Bcc:" when they
help us send a message to several recipients. Yeah, believe it or
not, they don't care.

When they contact the MTA, the SMTP mail server, ALL ADDRESSES are
sent as recipients, that is, as "To:", and that is what the server is
told and commanded to do, so the mail is sent to every mail address
entered in your MUA.


Now, what happens then?


When you write a mail from sender@example.com to
recipient@example.com and a bunch of "Bcc:", the MUA sends this
(except the equals signs, which I wrote just to set it apart from the
explanation):
===
From: sender@example.com
To: recipient@example.com
Date: whateverdate
Subject: whateversubject

This is the message text

=== (final dot omitted to avoid misinterpretation by my SMTP server)


What is commanded to the server is:
===
MAIL FROM:<sender@example.com>
RCPT TO:<recipient@example.com>
RCPT TO:<bcc1@example.com>
RCPT TO:<bcc2@example.com>
RCPT TO:<bcc3@example.com>
...
...
===

That also helps to understand why it is possible to spoof mail
addresses: the server is commanded to do one thing, but the actual
message that is being sent is another. In fact, "From:" and "To:" can
be anything else in the message body (yes, I said body; your MUA only
uses your input to command the SMTP server). And this is important,
because those address presentations are what the MUA will then use
to display the "From:" and "To:" fields.



And, in regard to RFC 5322, what is being said, especially in section 5
(security considerations), is that some MUAs may wrongly append the
"Bcc:" to the mail body as additional text (think of the example
above); they may even copy a "Bcc:" with multiple addresses to the
body. And as MUAs will interpret the mail format as is, they
would display them, if not as part of the header, at least as
additional message text.

https://www.rfc-editor.org/rfc/rfc5322


What it clarifies is that, even though the above example is what
actually happens (one mail, several recipients), some MUAs may decide
to send a mail for each recipient address in the "Bcc:" field and
append a "Bcc:" with each address or, even wrongly, a "Bcc:" with
all Bcc addresses.


As for me, to date, I haven't seen that.

Hope it helps to clarify it.

Regards.
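
The split between SMTP envelope and message data described in the message above, as an added Python example that is not part of the original post or of Sylpheed's code. The function names are hypothetical and the message is constructed from the post's example.com addresses; `leaked_bcc` is a pre-send check that no blind-copy address survives in the transmitted headers or body.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr


def prepare_submission(msg):
    """Return (mail_from, rcpts, wire_bytes) for one composed message."""
    mail_from = parseaddr(msg["From"])[1]
    fields = []
    for name in ("To", "Cc", "Bcc"):
        fields.extend(msg.get_all(name, []))
    rcpts = []
    for _, addr in getaddresses(fields):
        if addr and addr not in rcpts:  # keep order, drop duplicates
            rcpts.append(addr)
    # Work on a re-parsed copy so the caller's message keeps its Bcc header.
    wire = message_from_bytes(msg.as_bytes(), policy=policy.SMTP)
    del wire["Bcc"]  # deletes every Bcc header; no error if there is none
    return mail_from, rcpts, wire.as_bytes()


def smtp_dialogue(mail_from, rcpts):
    """Envelope commands the client issues before sending the data."""
    return [f"MAIL FROM:<{mail_from}>"] + [f"RCPT TO:<{r}>" for r in rcpts] + ["DATA"]


def leaked_bcc(wire_bytes, bcc_addrs):
    """Blind-copy addresses visible in the transmitted headers or body.

    Plain substring scan: it does not decode base64 or quoted-printable parts.
    """
    text = wire_bytes.decode("utf-8", "replace").lower()
    return [a for a in bcc_addrs if a.lower() in text]


def sample():
    """Constructed message matching the example in the post."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Bcc"] = "bcc1@example.com, bcc2@example.com, bcc3@example.com"
    msg["Subject"] = "whateversubject"
    msg.set_content("This is the message text\n")
    return msg


if __name__ == "__main__":
    mail_from, rcpts, wire = prepare_submission(sample())
    print("\n".join(smtp_dialogue(mail_from, rcpts)))
    print(wire.decode())
    print("leaked:", leaked_bcc(wire, rcpts[1:]))
```

Python's own `smtplib.SMTP.send_message` behaves the same way: it takes the envelope recipients from the To, Cc and Bcc fields and does not transmit the Bcc header.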








