[opensuse] Re: Is there a leak?
Carlos E. R. wrote:
It is this first SMTP server the one that sends to the blind recipients and removes the info.
In theory, yes; in practice, no.
Yes, your SMTP server would probably remove a Bcc header field.
(E.g., Postfix does.) But then it would never send an email to that
Bcc recipient if that recipient is not also listed in the mail
envelope recipient list.
In practice, your email client (Thunderbird, Kmail2, etc.) removes
the Bcc: header field, at least for those recipients that are in
To: and Cc: headers. It constructs a mail envelope with a recipient
list that includes the Bcc recipients. Your first SMTP server
records that recipient list from the envelope, and uses that
information to relay the email to the next SMTP server, who records
it again, and so on, until the final Mail Transfer Agent (MTA) is
reached and the message is passed to the Mail Delivery Agent (MDA)
part of an SMTP server.
When acting as an MTA, SMTP servers never look at mail content for
routing decisions, only at mail envelopes.
You might want to entertain yourself by using wireshark to trace
your client behaviour and look at the actual SMTP protocol content.
I have looked at too many of those protocols and I can assure you
that mail clients remove the Bcc header right from the start.
You can also test yourself that an SMTP server does not act on the
Bcc line itself: Use telnet and type in SMTP, it's not too difficult:
-----------------------------------------------------------
puma:direkt $ telnet mail smtp
Trying 192.168.129.3...
Connected to mail.
Escape character is '^]'.
220 mail.npc.de ESMTP Postfix NPC GmbH
MAIL FROM:
participants (1)
-
Joachim Schrod
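
The header/envelope split described in the message above, as an added example that is not part of the original post: a client-side step that moves Bcc recipients into the envelope and drops the header, and an MTA-side step that routes on the envelope alone. The addresses are constructed and the function names are hypothetical.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample draft, as a mail client holds it before submission.
DRAFT = """\
From: alice@example.org
To: bob@example.net
Cc: carol@example.com
Bcc: dave@example.net, erin@example.com
Subject: test

body
"""

def prepare_submission(draft_text):
    """Client side: return (envelope_sender, envelope_rcpts, wire_text)."""
    msg = message_from_string(draft_text)
    fields = []
    for name in ("To", "Cc", "Bcc"):
        fields.extend(msg.get_all(name, []))
    # Envelope recipients come from To, Cc and Bcc; duplicates dropped, order kept.
    rcpts = list(dict.fromkeys(addr for _, addr in getaddresses(fields) if addr))
    sender = getaddresses(msg.get_all("From", []))[0][1]
    del msg["Bcc"]  # header removed before anything goes on the wire
    return sender, rcpts, msg.as_string()

def smtp_commands(sender, rcpts):
    """The envelope as SMTP commands; this is what the server records."""
    return [f"MAIL FROM:<{sender}>"] + [f"RCPT TO:<{r}>" for r in rcpts] + ["DATA"]

def relay_targets(rcpts):
    """MTA side: group envelope recipients by domain; headers are never read."""
    targets = {}
    for r in rcpts:
        targets.setdefault(r.rpartition("@")[2], []).append(r)
    return targets

if __name__ == "__main__":
    sender, rcpts, wire = prepare_submission(DRAFT)
    print("\n".join(smtp_commands(sender, rcpts)))
    print(wire)
    print(relay_targets(rcpts))
```
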