Re: "for" clause on Received: header field

2007-04-30 08:35:35

John C Klensin <john+smtp(_at_)jck(_dot_)com> writes in gmane.ietf.smtp:

--On Monday, 30 April, 2007 10:23 +0200 Frank Ellermann
<nobody(_at_)xyzzy(_dot_)claranet(_dot_)de> wrote:

Previous standards (RFC 821, 822) did not allow several
addresses, so were these multiple mailboxes in the "for" clause
never implemented?

If it's implemented it's not better than Apparently-To, as
noted in 2821 4.4, but the Apparently-To got a "SHOULD NOT".
Why allow an in essence identical damage in the for-clause?

Whether one has a single address in a "for" clause or three, the
information disclosure risk is identical.  If the address(es)
in "for" are identical to, or a subset of, the forward-pointing
addresses in the headers, then there is no information
disclosure and no problem whether there is one address or more
than that.  If anything in the "for" is not in the
forward-pointing address set in the headers, then there is a
disclosure that could be problematic.

Looking from another angle:

        If the mail has just one envelope recipient and
        that is copied to the "for" clause, that does not disclose
        possible Bcc: recipients (the only possible BCC recipient
        for that copy of the mail is just that recipient of the mail.)

        If there are several envelope recipients on the mail and
        these are copied to the "for" clause, possible BCC recipients
        are disclosed. Avoiding that requires that
        envelope recipients are matched to addresses in the header.

At least judging from the DRUMS discussion, the problem with
Apparently-to is that it was supplied on precisely those
occasions on which the forward-pointing envelope address did not
match any of the forward-pointing header addresses, so, almost
by definition, it was a disclosure problem.


Apparently-To: was generated when the mail had no address headers.

/ Kari Hurtta
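A check in the spirit of the rule discussed above (the "identical to, or a subset of, the forward-pointing addresses" test, and the matching of envelope recipients against header addresses in the indented block), as an added Python example that is not from this thread or from any MTA: it decides whether the envelope recipients of one delivery copy may be placed in a "for" clause without disclosing Bcc: recipients. The choice of To:/Cc:/Resent-To:/Resent-Cc: as the forward-pointing header set and the sample message are assumptions.

```python
# Added example (not from the thread or any MTA): decide whether a Received:
# "for" clause may list the envelope recipients of this copy of a message.
from email import message_from_string
from email.utils import getaddresses


def header_recipients(msg):
    """Forward-pointing header addresses, lower-cased.

    Assumption: To:/Cc: and their Resent-* forms count as visible; Bcc: is
    deliberately not consulted because it is normally stripped before relay.
    """
    fields = []
    for name in ("to", "cc", "resent-to", "resent-cc"):
        fields.extend(msg.get_all(name, []))
    return {addr.lower() for _, addr in getaddresses(fields) if addr}


def safe_for_clause(msg, envelope_rcpts):
    """Return the addresses allowed in the "for" clause, or [] to omit it.

    envelope_rcpts: the RCPT TO addresses of this delivery copy.
    """
    rcpts = [r.lower() for r in envelope_rcpts]
    if len(rcpts) == 1:
        # Single-recipient copy: the only person it could reveal is the
        # recipient receiving it, so nothing is disclosed.
        return rcpts
    if set(rcpts) <= header_recipients(msg):
        # Every envelope recipient is already visible in the headers:
        # the clause adds no new information.
        return rcpts
    # Some recipient (a Bcc: or an expanded list member) is not in the
    # headers; listing the set would disclose it, so omit the clause.
    return []


# Constructed sample message: carol is Cc'd, dave would be a Bcc: recipient.
SAMPLE_MSG = message_from_string(
    "From: alice@example.org\r\n"
    "To: Bob <bob@example.net>\r\n"
    "Cc: carol@example.net\r\n"
    "Subject: test\r\n"
    "\r\n"
    "body\r\n"
)

if __name__ == "__main__":
    print(safe_for_clause(SAMPLE_MSG, ["bob@example.net", "carol@example.net"]))
    print(safe_for_clause(SAMPLE_MSG, ["bob@example.net", "dave@example.com"]))
    print(safe_for_clause(SAMPLE_MSG, ["Dave@example.com"]))
```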