Bcc are not kept secret
-
Hi!
When I send an email with To and Bcc fields filled out, the Bcc are visible to the recipients in the To field. I made the following fix in backend/imap/Mail.php. I added an empty if statement (the first line below) in the prepareHeaders function to skip the Bcc. Is it a correct thing to do? Will it not break any other functionality?

    } elseif (strcasecmp($key, 'Bcc') === 0) {
        // Skip the Bcc
    } else { // existing code below
        // If $value is an array (i.e., a list of addresses), convert
        // it to a comma-delimited string of its elements (addresses).
        if (is_array($value)) {
            $value = implode(', ', $value); …

Thank you!
Elan
-
Hi @elan,
the imap backend is mostly community contributed and I’m not very actively involved in its development. There are some bcc related issues in the issue tracker: https://jira.z-hub.io/browse/ZP-1292, https://jira.z-hub.io/browse/ZP-1618.
Your fix just removes “Bcc” field from headers but not from the recipient list, doesn’t it? Did you test it if it works as you intended?
Manfred
-
In my case Exim does this for me.
Which SMTP server are you using?
-
@Manfred Thanks for the reply. Yes, it does work as expected. The headers do not reveal the Bcc anymore and Bcc-ed addresses do receive the mails. Just wanted to verify with the developers if there could be unintended side effects and to bring it to their attention.
@bob4os, I have an exim4.86. With dovecot, I had a different problem. Bcc was moved to To. But neither of them hid the Bcc in mail’s header. I’m using z-push version 2.5.
-
Sorry for the late answer.
Exim needs to be started with “-t” to remove BCC.
I guess you are right, the MUA - in our case Z-Push - needs to remove the BCC.
Thunderbird and Roundcube seem to remove the header themselves…
But “backend/imap/Mail.php” is not the right place to do this - it is included from PEAR’s Mail package and should remain untouched as much as possible.
I think it is better to do it in “backend/imap/imap.php” in the function “sendMessage()” where we just need to unset($headers[$key]) in case of “bcc”, “Bcc” or “BCC” after adding them to the recipients list.

    if (strcasecmp($key, "BCC") == 0) {
        unset($headers[$key]);
    }

I will create a pull request for this as soon as stash.z-hub.io is online again.
There seems to be some sort of server problem.
-
And one other thing:
There is a FAQ on this topic in the Exim GitHub Wiki section (https://github.com/Exim/exim/wiki/Q5004) which explains use cases in accordance with RFC 2822.
I think the aforementioned fix by removing the header is the easiest way to protect “BCC” information.
Dovecot should not change headers.
As far as I can see, it is up to the IMAP client to decide whether it shows the “BCC” information or not.
Outlook in my case hides unrelated BCC information, but I can see the full header if I want to.
Another and better way to go would be to rewrite sendMessage() to send a copy of the mail to each “BCC” recipient, containing only themself as “BCC” recipient in the “BCC” header and the original mail to all “CC” and “TO” recipients without “BCC” information, which should be a fairly simple task.
There is also another bug - at least I think it is one - with sending a mail to “BCC” recipients only (no “TO”), because this does not work.
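
The approach discussed in this thread (collect the To, Cc and Bcc addresses into the recipient list, then drop every spelling of the Bcc header before the message is transmitted), as an added PHP example that is not part of the original posts and is not Z-Push or PEAR code. The function name splitEnvelope(), the sample headers and the simplified address extraction are assumptions made for illustration.

```php
<?php
// Added example; splitEnvelope() is a hypothetical helper, not Z-Push code.

/**
 * Split message headers into SMTP envelope recipients and the headers
 * that may be transmitted (everything except Bcc).
 *
 * @param array $headers header name => string or list of strings
 * @return array [list of envelope recipients, headers without Bcc]
 */
function splitEnvelope(array $headers): array
{
    $recipients = [];
    $visible = [];
    foreach ($headers as $key => $value) {
        $name = strtolower((string) $key);
        if (in_array($name, ['to', 'cc', 'bcc'], true)) {
            $text = is_array($value) ? implode(', ', $value) : (string) $value;
            // Simplified addr-spec extraction (assumption): no "@" in display names.
            preg_match_all('/[^\s<>,;:"()]+@[^\s<>,;:"()]+/', $text, $m);
            foreach ($m[0] as $addr) {
                $recipients[strtolower($addr)] = $addr; // de-duplicate, keep original
            }
        }
        if ($name !== 'bcc') {
            $visible[$key] = $value; // "Bcc", "bcc" and "BCC" are all dropped here
        }
    }
    return [array_values($recipients), $visible];
}

// Constructed sample headers, including a display name that contains a comma.
$headers = [
    'From'    => 'Alice <alice@example.org>',
    'To'      => '"Doe, John" <john@example.org>',
    'Cc'      => ['carol@example.org'],
    'BCC'     => 'dave@example.org, erin@example.org',
    'Subject' => 'Quarterly numbers',
];

[$rcpt, $wire] = splitEnvelope($headers);

// Envelope recipients still include the Bcc addresses ...
echo 'RCPT TO: ', implode(', ', $rcpt), "\n";
// ... but the headers that go on the wire no longer mention them.
foreach ($wire as $k => $v) {
    echo $k, ': ', is_array($v) ? implode(', ', $v) : $v, "\n";
}
```

Because the recipient list is built before the header is removed, the Bcc addresses are still delivered to while the transmitted headers carry only From, To, Cc and Subject.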