ietf-smtp

Re: [ietf-smtp] Experimental (was: Re: homework, not an experiment, draft-crocker-email-deliveredto)

2021-08-17 10:49:27
On Tue, Aug 17, 2021 at 11:03:50AM -0400, John C Klensin wrote:

> Once upon a time, "for" was very heavily used, not just in
> single-recipient messages but to trace address transformations.

The issue disappears once we correctly define single-recipient.
Provided single-recipient means single *input* envelope address, (e.g.
single "RCPT TO" in SMTP or SUBMIT), no extant MTA I'm aware of adds a
"for" clause recording one of many or multiple envelope recipients of
the same message (envelope) that then ends up disclosing "Bcc"
recipients to other recipients, ...

Of course the "single" recipient might subsequently expand to multiple
recipients that all receive copies of the original "single-recipient"
message, that's fine and expected.

Do you have any evidence of extant MTAs recording "for" clauses that
violate the above?  If you find misguided use of "for" in a vintage MTA
snapshot from the 1980s, I might not be surprised...

> It was, however, never very popular for multi-recipient
> messages.

The "for" clause should never appear for messages with multiple envelope
recipients, unless "for" is added on delivery (after the envelope
splits) rather than on input (prior to envelope split).  It should never
record any recipient address that wasn't the address that caused the
message to be routed to the receiving user.

> That was mostly at a time when we didn't pay much attention to
> privacy of envelope information

Disclosure of unrelated Bcc addresses that did not lead to the recipient
reading the message is not a privacy issue, it violates the expected
semantics of the message, and is a bug in any MTA that does it.

> As sensitivity to privacy of that information increased, the use of
> "for" decreased.

Perhaps because Microsoft never implemented it in Exchange, rather than
any privacy concern.

> Coming back to the document after that long digression, if we
> think that confusion between the intended use of "for" and the
> intended use of "Delivered-to:" is important, it might be useful
> to include somewhat more text than is now present to explain the
> difference between the intent and application of the two.  I'll
> leave to others whether that is worth the trouble in a
> to-be-Experimental text that has been kicking around this long.

If "for" should be clarified, let's do it in a document that is separate
from "Delivered-To".  This feels like proper scope for 5321bis, and not
a document specifying the "Delivered-To" field.

-- 
    Viktor.
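
[Added example, not part of the original message or of any MTA's code.] The rule discussed above, "for" only when the input envelope has a single RCPT TO or when stamping per copy after the split, can be checked against delivered copies as sketched here. The function names, hostnames and addresses are constructed for illustration.

```python
import re

DATE = "Tue, 17 Aug 2021 10:49:27 -0400"  # constructed sample timestamp
FOR_RE = re.compile(r"\bfor\s+<([^>]+)>", re.IGNORECASE)

def stamp_on_input(rcpts, helo="client.example", by="mx.example"):
    """Received field added at acceptance, before the envelope splits.
    'for' is recorded only when the envelope has exactly one RCPT TO."""
    clause = f" for <{rcpts[0]}>" if len(rcpts) == 1 else ""
    return f"Received: from {helo} by {by} with ESMTP{clause}; {DATE}"

def stamp_first_rcpt(rcpts, helo="client.example", by="mx.example"):
    """The defect described in the message: names one of several recipients."""
    return f"Received: from {helo} by {by} with ESMTP for <{rcpts[0]}>; {DATE}"

def deliver(stamp, rcpts):
    """Stamp once on input, then give every envelope recipient a copy."""
    header = stamp(rcpts)
    return {rcpt: [header] for rcpt in rcpts}

def deliver_split(rcpts):
    """Stamp on delivery, after the split: each copy names only its own address."""
    return {rcpt: [stamp_on_input([rcpt])] for rcpt in rcpts}

def disclosed(copies):
    """Map each recipient to the other envelope recipients named in its copy."""
    envelope = {r.lower() for r in copies}
    leaks = {}
    for rcpt, headers in copies.items():
        named = {a.lower() for h in headers for a in FOR_RE.findall(h)}
        exposed = (named & envelope) - {rcpt.lower()}
        if exposed:
            leaks[rcpt] = exposed
    return leaks

# Constructed envelope: the first address was a Bcc recipient.
RCPTS = ["carol-bcc@example.org", "alice@example.org", "bob@example.org"]

if __name__ == "__main__":
    for name, copies in [("on input", deliver(stamp_on_input, RCPTS)),
                         ("on delivery", deliver_split(RCPTS)),
                         ("defective", deliver(stamp_first_rcpt, RCPTS))]:
        print(name, disclosed(copies))
```
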
