William ChopsWestfield wrote:

>> In many cases, what you seem to call user agent and what you seem
>> to call smtp client are both parts of one program.
> 
> I think that's pretty rare...

How about Eudora, Outlook, Outlook Express, Pegasus, Thunderbird, 40tude
Dialog, Forte Agent -- I'm sure you can come up with more? They all are
what Lee called "user agent" (the part that the user interacts with) and
smtp client (the part that talks to an smtp server to send out the message)
united in one program. On Windows and Mac pre-OS X systems, this type of
email reader is the norm, probably because there's no smtp client provided
by the operating system.


>> Since it is exactly the purpose of the "B" in BCC that the recipient is
>> /not/ listed in any headers, I also assume that your smtp client strips
>> out such a header line before sending the message if it receives one
>> with it from your user agent. 
>> 
> SMTP clients should NEVER strip ANY headers.  Period.

Maybe you think they /should/ not, but they /do/. This is important for BCC
to work as intended in some configurations. The crucial question is: What
good would be BCC addressing if BCC recipients were listed in the message
headers?


It seems you are using an Apple computer, possibly running OS X, possibly
using a scheme with separate user agent and smtp client, as Lee described,
since this seems to be common in Unix. In that case you might be using
something like sendmail as smtp client. Check out the sendmail
documentation what it says about Bcc, specifically the option -t (which is
used in the mode Lee described): 

-t     Read message for recipients.  To:, Cc:, and Bcc: lines will
       be scanned for recipient addresses.  The Bcc: line will be
       deleted before transmission.  Any addresses in the argument
       list will be suppressed, that is, they will not receive
       copies even if listed in the message header.

In this mode, the Bcc header is being used by whatever user agent to
communicate the BCC recipients to sendmail, the smtp client. But it is
/not/ desired to communicate the BCC recipients to all recipients,
therefore the smtp client /must/ strip this header before mailing the
message when used in this mode. 

(There are of course other ways to use sendmail that do not use message
headers to communicate the recipients to sendmail. In this case, sendmail
in fact does not strip any headers -- but there is no Bcc header to strip
to begin with when doing it this way.) 


When talking about how things /should/ work, it's always good to refer to
any standards that may exist. RFC 2822 is such a standard
http://rfc.net/rfc2822.html. In section "3.6.3. Destination address fields"
it says about the Bcc header field:

   The "Bcc:" field (where the "Bcc" means "Blind Carbon Copy") contains
   addresses of recipients of the message whose addresses are not to be
   revealed to other recipients of the message.  There are three ways in
   which the "Bcc:" field is used.  In the first case, when a message
   containing a "Bcc:" field is prepared to be sent, the "Bcc:" line is
   removed even though all of the recipients (including those specified
   in the "Bcc:" field) are sent a copy of the message.  In the second
   case, recipients specified in the "To:" and "Cc:" lines each are sent
   a copy of the message with the "Bcc:" line removed as above, but the
   recipients on the "Bcc:" line get a separate copy of the message
   containing a "Bcc:" line.  (When there are multiple recipient
   addresses in the "Bcc:" field, some implementations actually send a
   separate copy of the message to each recipient with a "Bcc:"
   containing only the address of that particular recipient.) Finally,
   since a "Bcc:" field may contain no addresses, a "Bcc:" field can be
   sent without any addresses indicating to the recipients that blind
   copies were sent to someone.  Which method to use with "Bcc:" fields
   is implementation dependent, but refer to the "Security
   Considerations" section of this document for a discussion of each.

The "Security Considerations" section talks about different ways to better
ensure that BCC recipients do not get revealed, not even accidentally by
themselves in replies. Not revealing recipients is the purpose of BCC
addressing, and processing of the Bcc header field (including deleting or
modifying it) in the smtp client can be crucial for this -- depending on
how the smtp client is being used by the user agent.


A discussion of different implementations of the Bcc header handling:
http://www.exim.org/pipermail/exim-users/Week-of-Mon-20040809/075007.html

Gerhard
-- 
http://www.piclist.com PIC/SX FAQ & list archive
View/change your membership options at
http://mailman.mit.edu/mailman/listinfo/piclist