RFC 2821 for handling
Hello,
I believe there is a problem with the handling of the for entry in the
trace fields which allows recipients to see blind copy recipients.
Example:
Mailserver: mail.mydomain.tld handling mydomain.tld
When someone now sends a mail to another server mail.anyotherdomain.tld
with the following recipient
to: foo@xxxxxxxxxxxxxxxxxx
bcc: bla@xxxxxxxxxxxx
bcc: blub@xxxxxxxxxxxx
qmail-ldap inserts in the trace fields of the mails for bla@xxxxxxxxxxxx
and blub@xxxxxxxxxxxx a line
for <blub@xxxxxxxxxxxx>; 16 Sep 2004 08:20:44 -0000
Now the user bla@xxxxxxxxxxxx can see which other recipients will
receive this mail although they are only blind copy recipients.
What RFC 2821 says:
7.5 Information Disclosure in Trace Fields
In some circumstances, such as when mail originates from within a LAN
whose hosts are not directly on the public Internet, trace
("Received") fields produced in conformance with this specification
may disclose host names and similar information that would not
normally be available. This ordinarily does not pose a problem, but
sites with special concerns about name disclosure should be aware of
it. Also, the optional FOR clause should be supplied with caution or
not at all when multiple recipients are involved lest it
inadvertently disclose the identities of "blind copy" recipients to
others.
I have written a patch for qmail-ldap-1.03-20040701. This patch prints an
email address in the for line only when one recipient will receive mail
on the mailserver. When there are more recipients the field will be left
blank.
The patch is here
http://www.tuxplace.de/qmail-rfc2821for/qmail-ldap-rfc2821for.patch.gz
The patch is not for use in a production environment. Use it at your own
risk, the patch has not been fully tested.
What is your opinion on this?
Andre Peitz
This mailing list archive is a service of Copilot Consulting.
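An added illustration of the policy described in the post (not code from qmail-ldap or from the linked patch): one function renders a Received trace line and includes the FOR clause only when exactly one local recipient gets that copy, and a second audits a delivered message for FOR clauses that name someone other than the reader, which is the Bcc disclosure of RFC 2821 section 7.5. Host names, addresses and the sample message are constructed for the example.

```python
"""Render and audit RFC 2821 Received trace fields with respect to the FOR clause."""
import re
from email import message_from_string
from email.policy import default

# Matches the optional FOR clause of a Received field, e.g. "for <blub@example.net>;".
FOR_CLAUSE = re.compile(r"\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?", re.IGNORECASE)


def received_line(from_host, by_host, recipients, stamp):
    """Render one Received line for the copy delivered to `recipients` on this server.

    Policy from the post: name the recipient in the FOR clause only when exactly one
    local recipient receives this copy; with two or more, omit the clause so that no
    blind-copy address ends up in another recipient's copy.
    """
    for_clause = f" for <{recipients[0]}>" if len(recipients) == 1 else ""
    return f"Received: from {from_host} by {by_host} with SMTP{for_clause}; {stamp}"


def disclosed_recipients(raw_message, delivered_to):
    """Return addresses named in Received FOR clauses other than `delivered_to`.

    A non-empty result means the trace fields reveal other recipients to this reader.
    """
    msg = message_from_string(raw_message, policy=default)
    found = []
    for hdr in msg.get_all("Received", []):
        for addr in FOR_CLAUSE.findall(hdr):
            addr = addr.lower()
            if addr != delivered_to.lower() and addr not in found:
                found.append(addr)
    return found


# Constructed sample: the copy delivered to bla@example.net, carrying the leaky trace
# line that names the other Bcc recipient (folded across two lines, as in real mail).
LEAKY_COPY = "\n".join([
    "Received: from mail.mydomain.tld by mail.anyotherdomain.tld with SMTP",
    "  for <blub@example.net>; 16 Sep 2004 08:20:44 -0000",
    "From: sender@mydomain.tld",
    "To: foo@example.org",
    "Subject: constructed sample",
    "",
    "body",
])

if __name__ == "__main__":
    print(disclosed_recipients(LEAKY_COPY, "bla@example.net"))  # ['blub@example.net']
    print(received_line("mail.mydomain.tld", "mail.anyotherdomain.tld",
                        ["bla@example.net", "blub@example.net"], "16 Sep 2004 08:20:44 -0000"))
```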