ietf-smtp

Re: "for" clause on Received: header field

2007-04-30 06:18:34



--On Monday, 30 April, 2007 10:23 +0200 Frank Ellermann
<nobody(_at_)xyzzy(_dot_)claranet(_dot_)de> wrote:

...
Previous standards (RFC 821, 822) did not allow several
addresses, so are these multiple mailboxes on "for" clause
never implemented?

If it's implemented it's not better than Apparently-To, as
noted in 2821 4.4, but the Apparently-To got a "SHOULD NOT".
Why allow an in essence identical damage in the for-clause?

Whether one has a single address in a "for" clause or three, the
information disclosure risk is identical.  If the address(es)
in "for" are identical to, or a subset of, the forward-pointing
addresses in the headers, then there is no information
disclosure and no problem whether there is one address or more
than that.  If anything in the "for" is not in the
forward-pointing address set in the headers, then there is a
disclosure that could be problematic.

At least judging from the DRUMS discussion, the problem with
Apparently-to is that it was supplied on precisely those
occasions on which the forward-pointing envelope address did not
match any of the forward-pointing header addresses, so, almost
by definition, it was a disclosure problem.

     john
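
The subset comparison described in the message above, written as a check a site could run over stored mail. This is an added example, not part of the original post; the list of forward-pointing fields, the simplified regex parsing of the "for" clause, and the sample message are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumption: these fields are treated as the "forward-pointing" header addresses.
FORWARD_FIELDS = ("To", "Cc", "Bcc", "Resent-To", "Resent-Cc", "Resent-Bcc")
# Simplified parsing: "for" is the last clause before the ";" that starts the date.
FOR_CLAUSE = re.compile(r"(?:^|\s)for\s+([^;]*);", re.IGNORECASE)
ADDR = re.compile(r"[^\s<>,;()\"]+@[^\s<>,;()\"]+")

# Constructed sample: the second Received field names hidden@example.net,
# which appears in no To/Cc field.
SAMPLE = """\
Received: from a.example.org by b.example.net with ESMTP id 1
 for <alice@example.net>; Mon, 30 Apr 2007 10:00:00 +0200
Received: from c.example.org by a.example.org with ESMTP id 2
 for <alice@example.net>,<hidden@example.net>; Mon, 30 Apr 2007 09:59:58 +0200
From: sender@example.org
To: Alice <alice@example.net>
Cc: bob@example.net
Subject: test

body
"""

def for_addresses(received):
    """Return the set of addresses in one Received field's "for" clause."""
    flat = " ".join(received.split())  # unfold continuation lines
    m = FOR_CLAUSE.search(flat)
    # Lower-casing the whole address is a simplification for comparison.
    return {a.lower() for a in ADDR.findall(m.group(1))} if m else set()

def disclosed_by_for(raw_message):
    """List (received_index, addresses) where "for" is not a subset of the headers."""
    msg = message_from_string(raw_message)
    values = [v for f in FORWARD_FIELDS for v in msg.get_all(f, [])]
    visible = {addr.lower() for _, addr in getaddresses(values) if addr}
    findings = []
    for hop, received in enumerate(msg.get_all("Received", [])):
        extra = for_addresses(received) - visible
        if extra:  # one address or several, the test is the same
            findings.append((hop, sorted(extra)))
    return findings

if __name__ == "__main__":
    for hop, addrs in disclosed_by_for(SAMPLE):
        print(f"Received #{hop} discloses: {', '.join(addrs)}")
```
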