fuel / email

Fuel PHP Framework - Fuel v1.x Email library

Changing the headers to their upper-case variants seems to resolve the i... #26

Closed gillesdemey closed 12 years ago

gillesdemey commented 12 years ago

...ssue that BCC headers were not being stripped correctly, showing them to all recipients.

gillesdemey commented 12 years ago

To resolve the following issue https://github.com/fuel/email/issues/25

frankdejonge commented 12 years ago

Hey, sorry for the wait. I've looked at other mail sender packages and none of them have the BCC and CC as uppercase. So I don't think this is the solution to the problem. It also goes against specs. Have you got a raw mail example that went wrong? (on mac it's: view > message > raw source)

gillesdemey commented 12 years ago

I looked at the CodeIgniter email package and noticed they used uppercase characters, so that's where I got the idea to test it.

According to the official RFC some servers don't really take the case-insensitivity into account.

Full headers from my email client (Outlook, since I'm on my Windows machine at the moment).

Return-path: <gilles.de.mey+caf_=gilles.de.mey=me.com@gmail.com>
Received: from st11b01mm-smtpin201.mac.com ([17.172.48.32])
 by ms02524.mac.com (Oracle Communications Messaging Server 7u4-23.01
 (7.0.4.23.0) 64bit (built Aug 10 2011))
 with ESMTP id <0M0Z00I47UCKMFC0@ms02524.mac.com> for gilles.de.mey@me.com;
 Fri, 16 Mar 2012 20:02:44 +0000 (GMT)
Original-recipient: rfc822;gilles.de.mey@me.com
Received: from mail-iy0-f174.google.com ([209.85.210.174])
 by st11b01mm-smtpin201.mac.com
 (Oracle Communications Messaging Server 7u4-23.01(7.0.4.23.0) 64bit (built Aug
 10 2011)) with ESMTP id <0M0Z00D28UC6GG30@st11b01mm-smtpin201.mac.com> for
 gilles.de.mey@me.com (ORCPT gilles.de.mey@me.com); Fri,
 16 Mar 2012 13:02:44 -0700 (PDT)
X-Proofpoint-Virus-Version: vendor=fsecure
 engine=2.50.10432:5.6.7498,1.0.260,0.0.0000
 definitions=2012-03-16_05:2012-03-16,2012-03-15,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=8 spamscore=8
 ipscore=0 suspectscore=13 phishscore=0 bulkscore=92 adultscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=6.0.2-1012030000
 definitions=main-1203160201
Received: by mail-iy0-f174.google.com with SMTP id z16so5853237iag.19 for
 <gilles.de.mey@me.com>; Fri, 16 Mar 2012 13:02:43 -0700 (PDT)
Received: by 10.50.85.228 with SMTP id k4mr327932igz.67.1331928163561; Fri,
 16 Mar 2012 13:02:43 -0700 (PDT)
X-Forwarded-To: gilles.de.mey@me.com
X-Forwarded-for: gilles.de.mey@gmail.com gilles.de.mey@me.com
Delivered-to: gilles.de.mey@gmail.com
Received: by 10.231.21.201 with SMTP id k9csp29860ibb; Fri,
 16 Mar 2012 13:02:42 -0700 (PDT)
Received: by 10.14.119.15 with SMTP id m15mr508897eeh.34.1331928162356; Fri,
 16 Mar 2012 13:02:42 -0700 (PDT)
Return-path: <gilles.de.mey@me.com>
Received: from smtp.priorweb.be (smtp01.priorweb.be. [62.182.61.111])
 by mx.google.com with ESMTPS id w1si1962114eef.182.2012.03.16.13.02.41
 (version=TLSv1/SSLv3 cipher=OTHER); Fri, 16 Mar 2012 13:02:42 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning
 gilles.de.mey@me.com does not designate 62.182.61.111 as permitted sender)
 client-ip=62.182.61.111;
Authentication-results: mx.google.com; spf=softfail (google.com: domain of
 transitioning gilles.de.mey@me.com does not designate 62.182.61.111 as
 permitted sender) smtp.mail=gilles.de.mey@me.com
Received: from [78.23.130.137] (port=3930 helo=localhost)
    (Authenticated user: uitvaartzorg@van-dael.be)
    by smtp.priorweb.be with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32)
    (Exim 4.72) (envelope-from <gilles.de.mey@me.com>)  id 1S8dMD-0006Cc-5m; Fri,
 16 Mar 2012 21:02:37 +0100
Date: Fri, 16 Mar 2012 20:02:42 +0000
From: gilles.de.mey@me.com
Bcc: gilles.de.mey@gmail.com, gilles.de.mey@me.com
Subject: Nieuwe condolatie voor Gilles De Mey
Message-id: <4f639c62b2e00@me.com>
X-Priority: 3 (Normal)
X-Mailer: FuelPHP, PHP 5.3 Framework
MIME-version: 1.0
Content-type: multipart/alternative;
 boundary=B1_7df5917f6a28163ef05ee91d02769ea7

floorish commented 12 years ago

Why are Bcc recipients added to the header anyway? They shouldn't be visible to anyone at all, so why put them in a header?

According to the specs (http://tools.ietf.org/html/rfc2822#section-3.6.3) :

The "Bcc:" field (where the "Bcc" means "Blind Carbon Copy") contains
addresses of recipients of the message whose addresses are not to be
revealed to other recipients of the message.  There are three ways in
which the "Bcc:" field is used.  In the first case, when a message
containing a "Bcc:" field is prepared to be sent, the "Bcc:" line is
removed even though all of the recipients (including those specified
in the "Bcc:" field) are sent a copy of the message.  In the second
case, recipients specified in the "To:" and "Cc:" lines each are sent
a copy of the message with the "Bcc:" line removed as above, but the
recipients on the "Bcc:" line get a separate copy of the message
containing a "Bcc:" line.  (When there are multiple recipient
addresses in the "Bcc:" field, some implementations actually send a
separate copy of the message to each recipient with a "Bcc:"
containing only the address of that particular recipient.) Finally,
since a "Bcc:" field may contain no addresses, a "Bcc:" field can be
sent without any addresses indicating to the recipients that blind
copies were sent to someone.  Which method to use with "Bcc:" fields
is implementation dependent, but refer to the "Security
Considerations" section of this document for a discussion of each.

This means you should either:

I think the second option is the cleanest (separate email for each Bcc recipient), and I think Gmail uses this approach, but this uses more resources on the mail server. Best solution is either the first or third option: remove/empty Bcc header.

The uppercase BCC header does the trick, but no idea why that works...

frankdejonge commented 12 years ago

@floorish: That formatting spec is for the email sender, which we aren't. What you do in PHP is send instructions to your mailer (smtp/php/sendmail) with what needs to be sent. The systems receiving those instructions will then act like you cited above.

floorish commented 12 years ago

@FrenkyNet Hmm, I guess that depends on the driver (sendmail/mail/smtp). I'm using smtp, and you specify the receivers separately from the headers. I think smtp doesn't do anything with the DATA (i.e. headers + body). See also http://forums.codewalkers.com/pear-packages-47/email-bcc-header-confusion-840705.html
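
An added illustration of the point in the comment above (not code from the Fuel email package or from the fix commit): over SMTP the recipients are given in RCPT TO commands, separately from the DATA payload, so a client that wants Bcc addresses hidden has to drop the Bcc field from the headers itself. The Python sketch below does that with a case-insensitive, fold-aware match; the sample message, addresses and function names are constructed for this example.

```python
from email.utils import getaddresses

# Constructed sample: lower-case, folded "bcc" field; placeholder addresses.
RAW = (
    "From: sender@example.org\r\n"
    "To: alice@example.com\r\n"
    "Cc: bob@example.com\r\n"
    "bcc: carol@example.net,\r\n"
    " dave@example.net\r\n"
    "Subject: Test\r\n"
    "\r\n"
    "Body text mentioning Bcc: is not a header.\r\n"
)

def parse_fields(head):
    """Split a header section into [lower-case name, raw field text] pairs."""
    fields = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and fields:
            fields[-1][1] += "\r\n" + line      # folded continuation line
        else:
            fields.append([line.partition(":")[0].strip().lower(), line])
    return fields

def split_envelope_and_data(raw):
    """Return (RCPT TO addresses, DATA payload with every Bcc field removed)."""
    head, sep, body = raw.partition("\r\n\r\n")
    fields = parse_fields(head)
    values = [text.partition(":")[2].replace("\r\n", "")
              for name, text in fields if name in ("to", "cc", "bcc")]
    rcpts = []
    for _, addr in getaddresses(values):
        if addr and addr not in rcpts:
            rcpts.append(addr)
    kept = "\r\n".join(text for name, text in fields if name != "bcc")
    return rcpts, kept + sep + body

def bcc_fields(data):
    """Bcc fields still present in a header section (empty list = no leak)."""
    head = data.partition("\r\n\r\n")[0]
    return [text for name, text in parse_fields(head) if name == "bcc"]

def smtp_commands(sender, rcpts):
    """Client commands preceding the payload: recipients live only here."""
    return [f"MAIL FROM:<{sender}>"] + [f"RCPT TO:<{r}>" for r in rcpts] + ["DATA"]

if __name__ == "__main__":
    rcpts, data = split_envelope_and_data(RAW)
    print("\n".join(smtp_commands("sender@example.org", rcpts)))
    print(data)
```

Running `bcc_fields` over a received message's raw source is also a quick check for the leak reported in this thread.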

frankdejonge commented 12 years ago

@floorish I've done some more research and this problem was only with smtp. Just pushed a fix for it: https://github.com/fuel/email/commit/2d306295223d95a7207cb8521fbb43b9f874a2ae

/cc @gillesdemey

frankdejonge commented 12 years ago

Since this fixed the problem, closing this issue.

floorish commented 12 years ago

Looks good, thanks for checking it out!