nmh-workers

Re: nmh query

2019-11-03 19:57:12
On Sun, 03 Nov 2019 15:08:12 -0500, David Levine said:

> And it looks like BCC: has never listed the bcc recipients.  This
> is from the MH 6.8.5 post.c:
>
>   fprintf (out, "BCC:\n");

That's proper behavior.  BCC is *blind* carbon copy, specifically intended
to *not* show who else got copies.  I'd argue that the only time it's
acceptable to list recipients there is if you are feeding to an MSA that's
like 'sendmail -t' that needs it to get additional recipients because you
can't speak SMTP and hand off RCPT TO:<...> for the Bcc people.

And of course, you trust your MTA to then promptly eat that header and not
promulgate it any further.

I'll go further and assert that if there is still a Bcc: header in the
RFC822 headers once the MSA has accepted the mail for further processing,
that somebody has dropped the ball because sometimes, even a Bcc: that
shows that there *were* other recipients may be an unacceptable
information leak....

Attachment: pgpT1sA6eBuua.pgp
Description: PGP signature
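
The handling discussed in this message, as an added example that is not part of the original post or of nmh's code: a 'sendmail -t' style submission step collects envelope recipients from To, Cc and Bcc, then deletes every Bcc header before the message goes out. The draft, the addresses and the function names `split_envelope` and `leaks_bcc` are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed draft, as a user agent would hand it to a 'sendmail -t' style MSA.
DRAFT = """\
From: alice@example.org
To: bob@example.org
Cc: carol@example.org
Bcc: dave@example.org, Erin <erin@example.org>
Subject: status

hello
"""


def split_envelope(raw):
    """Return (envelope_recipients, wire_message) for a raw RFC 822 draft.

    Recipients come from To, Cc and Bcc (these become RCPT TO). All Bcc
    headers are then deleted, so the text sent after DATA carries neither
    the blind recipients nor a hint that there were any.
    """
    msg = message_from_string(raw)
    fields = []
    for name in ("To", "Cc", "Bcc"):
        fields.extend(msg.get_all(name, []))
    rcpts = []
    for _, addr in getaddresses(fields):
        if addr and addr not in rcpts:  # drop empties and duplicates
            rcpts.append(addr)
    del msg["Bcc"]  # removes every occurrence, case-insensitively
    return rcpts, msg.as_string()


def leaks_bcc(wire):
    """Receiving-side check: does any Bcc header, even an empty one, remain?"""
    return message_from_string(wire).get_all("Bcc") is not None


if __name__ == "__main__":
    rcpts, wire = split_envelope(DRAFT)
    print("RCPT TO:", rcpts)
    print("Bcc left in headers:", leaks_bcc(wire))
```

`leaks_bcc` also flags an empty `BCC:` line, since a bare header still reveals that blind recipients existed.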
