Package: exim4
Version: 4.69-5
Severity: important

(Setting as important as this bug can reveal addresses to spammers and other recipients who should not see them, and most users are probably not aware of this problem.)

First, in the case the MUA wants to send a mail by executing a program (the MTA), this interface between the MUA and the MTA is out of the scope of the RFCs. The MTA defines an interface, and the MUA has to stick with it. When the MUA is configured to invoke the MTA as sendmail, it uses the sendmail interface. Since sendmail strips Bcc out of the messages, exim4 should do the same. (When exim4 is invoked as exim or exim4, it can still do whatever it wants.)

BTW, the MUA cannot necessarily even know what the "real" MTA is, e.g. if it is shared across machines (via NFS, with the user's configuration on NFS too), whereas machines can use different MTAs.

There had been a bug report saying that this bug was fixed in exim4[*], but I've just done the test and the Bcc was in the message received by the recipient in the header "To:". So, it is definitely not fixed.

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=304718

FYI, here Mutt invokes the MTA as "/usr/sbin/sendmail -oem -oi".

-- Package-specific info:
Exim version 4.69 #1 built 02-May-2008 12:47:18
Copyright (c) University of Cambridge 2006
Berkeley DB: Berkeley DB 4.6.21: (September 27, 2007)
Support for: crypteq iconv() IPv6 GnuTLS move_frozen_messages
Lookups: lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmnz dnsdb dsearch nis nis0 passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated

# /etc/exim4/update-exim4.conf.conf
#
# Edit this file and /etc/mailname by hand and execute update-exim4.conf
# yourself or use 'dpkg-reconfigure exim4-config'
#
# Please note that this is _not_ a dpkg-conffile and that automatic changes
# to this file might happen. The code handling this will honor your local
# changes, so this is usually fine, but will break local schemes that mess
# around with multiple versions of the file.
#
# update-exim4.conf uses this file to determine variable values to generate
# exim configuration macros for the configuration file.
#
# Most settings found in here do have corresponding questions in the
# Debconf configuration, but not all of them.
#
# This is a Debian specific file

dc_eximconfig_configtype='internet'
dc_other_hostnames='vin.lip.ens-lyon.fr'
dc_local_interfaces=''
dc_readhost=''
dc_relay_domains=''
dc_minimaldns='false'
dc_relay_nets=''
dc_smarthost=''
CFILEMODE='644'
dc_use_split_config='false'
dc_hide_mailname=''
dc_mailname_in_oh='true'
dc_localdelivery='maildir_home'
mailname:vin.lip.ens-lyon.fr

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.25.4-20080521 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=POSIX, LC_CTYPE=en_US.ISO8859-1 (charmap=ISO-8859-1)
Shell: /bin/sh linked to /bin/bash

Versions of packages exim4 depends on:
ii  debconf [debconf-2.0]   1.5.22      Debian configuration management sy
ii  exim4-base              4.69-5+b1   support files for all Exim MTA (v4
ii  exim4-daemon-light      4.69-5+b1   lightweight Exim MTA (v4) daemon

exim4 recommends no packages.

-- debconf information:
  exim4/drec:
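A submitting program can guard against the leak reported above by removing Bcc fields itself before the message reaches an MTA that does not strip them. The following is an added example, not part of the original report or of exim4; `strip_bcc` and the sample message are constructed for illustration, and it assumes the envelope recipients are passed to the MTA separately (for instance on the command line).

```python
import re


def strip_bcc(raw: bytes):
    """Drop every Bcc field from the header block of an RFC 5322 message.

    Returns (cleaned_message, removed_fields). The body is passed through
    byte-for-byte, so a body line that starts with "Bcc:" survives.
    """
    # The header block ends at the newline just before the first empty line.
    m = re.search(rb"\r?\n(?=\r?\n)", raw)
    head, rest = (raw[:m.end()], raw[m.end():]) if m else (raw, b"")

    kept, removed, dropping = [], [], False
    for line in head.splitlines(keepends=True):
        if line[:1] in (b" ", b"\t"):
            # Folded continuation line: it belongs to the previous field,
            # so it shares that field's fate.
            if dropping:
                removed[-1] += line
            else:
                kept.append(line)
            continue
        # Field names are case-insensitive; tolerate blanks before the colon.
        dropping = re.match(rb"bcc[ \t]*:", line, re.I) is not None
        (removed if dropping else kept).append(line)
    return b"".join(kept) + rest, removed


# Constructed sample: a folded, upper-case Bcc field plus a body line that
# merely looks like one.
SAMPLE = (
    b"From: alice@example.org\r\n"
    b"To: bob@example.org\r\n"
    b"BCC: carol@example.org,\r\n"
    b"\tdave@example.org\r\n"
    b"Subject: minutes\r\n"
    b"\r\n"
    b"Bcc: this body line is not a header\r\n"
)

if __name__ == "__main__":
    cleaned, removed = strip_bcc(SAMPLE)
    print(cleaned.decode("ascii"), end="")
    print("removed %d Bcc field(s)" % len(removed))
```

The cleaned bytes are what would be written to the MTA's standard input; the removed fields are returned so the caller can still add those addresses to the envelope.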