Re: Serious information leak in Ximian Evolution
Thierry Florac said:
> On Sat, 2003-01-18 at 15:07, Søren Boll Overgaard wrote:
> > It is not the job of evolution to hide Bcc recipients, that is the job
> > of the SMTP-server being used.
> > Bcc recipient specification in evolution is just a nice way of
> > specifying addresses to be included in rcpt to: smtp commands, which are
> > not included in either the cc: or to: headers.
> >
> > It is the job of the smtp-server to remove any bcc: headers in email
> > messages.
>
> After reading RFC2822, which discusses the "Internet Message Format", it
> seems that things are not so clear, and that it's very implementation
> dependent !! And it's never discussed in any way that it's the SMTP
> server's job to rebuild messages and delete such headers...
> Anyway, this made Balsa maintainers modify their "Bcc"
> implementation...
Hmm. It may depend on how exim / sendmail / whatever is being called.
The exim man page says this:
    -t  When Exim is receiving a locally-generated, non-SMTP
        message on the current input, the -t option causes the
        recipients of the message to be obtained from the To:,
        Cc:, and Bcc: headers in the message instead of from
        the command arguments. The addresses are extracted
        before any rewriting takes place.

        If there are in fact any arguments, they specify
        addresses to which the message is not to be delivered.
        That is, the argument addresses are removed from the
        recipients list obtained from the headers. This is
        compatible with Smail 3 and in accordance with the
        documented behaviour of Sendmail. However, it has been
        reported that in some versions at least, Sendmail adds
        argument addresses to those obtained from the headers.
        Exim can be made to behave in this way by setting the
        option extract_addresses_remove_arguments false.

        If a Bcc: header is present, it is removed from the
        message unless there is no To: or Cc: header, in which
        case a Bcc: header with no data is created, in accordance
        with RFC 822.
Most of the MUAs that I have seen use the -t option. As far as I can
recall, sendmail has the exact same behavior. If someone familiar with
the evolution source can check how sendmail is called we will know for sure
that it's being called correctly.
Looking at the evolution config, you have the option of choosing SMTP or
Sendmail as a delivery method. Are you sure you are using sendmail and
not smtp?
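Added illustration, not part of the thread and not Evolution, exim or sendmail code: a Python sketch of what the quoted man page says the MTA does under -t, namely build the envelope recipient list from To:/Cc:/Bcc:, drop any command-line argument addresses, and strip the Bcc: header (leaving an empty one only when there is no To: or Cc:). A client that delivers over SMTP itself, rather than piping to sendmail -t, gets none of this for free and has to do the same before issuing RCPT TO and DATA; the second function is the check a defender can run on a delivered message to see whether Bcc: data survived. All addresses and the message body are constructed placeholders.

```python
import email
from email.utils import getaddresses

# Constructed sample message; the addresses are placeholders, not real users.
SAMPLE = """From: alice@example.org
To: bob@example.org
Cc: carol@example.org
Bcc: dave@example.org, erin@example.org
Subject: test

body
"""

# Constructed variant with only a Bcc: header, to exercise the
# "no To: or Cc:" rule from the man page.
BCC_ONLY = """From: alice@example.org
Bcc: dave@example.org
Subject: test

body
"""


def prepare_for_delivery(raw, exclude=()):
    """Mimic the -t handling quoted from the exim man page.

    Returns (envelope_recipients, message_text_to_transmit).
    `exclude` plays the role of command-line argument addresses, which
    under the default exim behaviour are removed from the recipient list.
    """
    msg = email.message_from_string(raw)

    # Envelope recipients come from the headers, before any rewriting.
    header_values = []
    for name in ("To", "Cc", "Bcc"):
        header_values.extend(msg.get_all(name, []))
    recipients = [addr for _, addr in getaddresses(header_values) if addr]
    recipients = [r for r in recipients if r not in set(exclude)]

    # The Bcc: header must not travel with the message. del removes every
    # occurrence, so a duplicated Bcc: line cannot slip through.
    del msg["Bcc"]
    if msg["To"] is None and msg["Cc"] is None:
        msg["Bcc"] = ""  # RFC 822 rule: keep an empty Bcc: if nothing else

    return recipients, msg.as_string()


def leaks_bcc(raw):
    """True if a message (as a recipient would receive it) still carries
    Bcc: addresses, i.e. the sender-side stripping did not happen."""
    msg = email.message_from_string(raw)
    bcc_values = msg.get_all("Bcc", [])
    return any(addr for _, addr in getaddresses(bcc_values))


if __name__ == "__main__":
    rcpts, text = prepare_for_delivery(SAMPLE)
    print("RCPT TO:", rcpts)
    print("Bcc leaked?", leaks_bcc(text))
```

The value returned in `rcpts` is what would go into the RCPT TO commands (or `smtplib.SMTP.sendmail(from_addr, rcpts, text)`), while `text` is what goes after DATA; if a client hands the original `raw` to the SMTP server instead, every recipient sees the Bcc: list, which is exactly the leak being discussed.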