At 08:19 -0700 on 05/26/2008, ned+ietf-smtp(_at_)mrochek(_dot_)com wrote about
Re: Proposal for Adjusted DATA Timeout:
More specifically, there can be legal requirements for all message recipients
to be listed in the header. Just putting in the address of a mailing list is
unaccepatable because the content of that list can vary over time.
Depending on
the specific requirements in a given jurisdiction, it may be necessary to
expand the list into the header - alternative schemes such as
keeping a precide
revision history for the list, or accurate logs of message traffic, while
technically OK, may not be allosed. (These systems typically also impose
draconian restrictions on forwarding, but that's a separate matter.)
Depending on if these SMTP Servers are accepting Email from anyone
who wants to use them and has this "List All Recipients" requirement
or a restricted set of senders (who can thus use a special MUA), a
modification of the old "Apparently-To" Header injection bug (which
happened if the To and Cc were empty and only Bcc/Envelope-Rcpt-To
supplied the recipients) might work. The SMTP sends a EHLO
220-X-List-All response and the MUA suppresses the To and Cc list
(having only a "To: (List Follows)" header) along with a X-List-All
command. The SMTP server then injects X-List-All (with Recipient
addresses) headers into the RECEIVED message's headers. The headers
are comments anyway and can be created from the Rcpt-To command data
instead of duplicating the Rcpt-To list in the To/Cc headers sent by
the MUA.