Kerio leaks the BCC list

mrralan wrote:
If I send an email to a couple of my co-workers using the BCC, they are able to see the other recipients by examining the internet headers. Is this a known issue?

trifecta wrote:
No, this is not normal. The BCC list should not be displayed in the message header.

On the examination of the outgoing messages, I confirmed that the BCC list was indeed displayed in the message header.

You should report this bug to Kerio ASAP (Priority 1).

[Updated on: Wed, 12 October 2011 19:10]

mrralan wrote:
Thanks for confirming that. I submitted a ticket.

sedell wrote:
Are you referring to the X-Envelope-To header? If so, that would be a feature.

Scott

Pavel Dobry (Kerio) wrote:
> trifecta wrote on Wed, 12 October 2011 18:54
> No, this is not normal. The BCC list should not be displayed in the message header.
>
> On the examination of the outgoing messages, I confirmed that the BCC list was indeed displayed in the message header.
>
> You should report this bug to Kerio ASAP (Priority 1).

It's perfectly ok to have BCC in the email copy saved in Sent Items folder. It is removed from emails during processing on the server. Client saves full email copy with no changes.

trifecta wrote:
Thanks for the info. One more lesson learned today :)

TorW wrote:
> mrralan wrote on Wed, 12 October 2011 18:15
> If I send an email to a couple of my co-workers using the BCC, they are able to see the other recipients by examining the internet headers. Is this a known issue?

I just tested this, and it looks like a "BCC leak".
If you have the X-Envelope-To header turned on on the server and have BCC recipients in the mail, everyone who received the mail (if they have accounts on a Kerio Connect server) will see ALL recipients listed in the X-Envelope-To.

External mail servers do NOT see the X-Envelope-To header since KC only applies it to incoming mail.

Could someone verify this?

[Updated on: Thu, 13 October 2011 11:03]
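
A small check for the leak TorW describes above, added here as an example and not part of the thread: it parses a message's headers and reports every X-Envelope-To address that does not also appear in To or Cc, which on a server that inserts that header into locally delivered mail is exactly the Bcc list. The sample message is constructed, and the assumption that X-Envelope-To carries a comma-separated address list (or is repeated once per recipient) is mine, not something the thread states.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message (not from the forum thread). The X-Envelope-To
# value format (comma-separated, possibly repeated header) is an assumption.
SAMPLE_MSG = """\
From: alice@example.com
To: bob@example.com
Cc: carol@example.com
X-Envelope-To: bob@example.com, carol@example.com, dave@example.com, erin@example.com
Subject: Quarterly notice

Hello all.
"""


def _addresses(msg, header):
    """Return the lower-cased address part of every instance of `header`."""
    values = msg.get_all(header, [])
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def find_envelope_only_recipients(raw_message):
    """Recipients visible in X-Envelope-To but absent from To/Cc.

    When the server copies the SMTP envelope recipients into X-Envelope-To,
    the addresses that are not in To or Cc are the ones the sender put in
    Bcc, so a non-empty result means the message discloses its Bcc list to
    every local recipient who reads the headers.
    """
    msg = message_from_string(raw_message)
    visible = _addresses(msg, "To") | _addresses(msg, "Cc")
    envelope = _addresses(msg, "X-Envelope-To")
    return sorted(envelope - visible)


if __name__ == "__main__":
    leaked = find_envelope_only_recipients(SAMPLE_MSG)
    if leaked:
        print("Bcc recipients disclosed via X-Envelope-To:", ", ".join(leaked))
    else:
        print("No envelope-only recipients found.")
```

Run it over messages pulled from a local mailbox to confirm whether the option is still inserting the header after you change the setting.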

mrralan wrote:
I can verify that external mail servers do NOT see the recipients. I received this reply from my ticket...

"In the Advanced Options do you have the option 'Insert X-Envelope-To header to locally delivered messages'? If so, uncheck this as that is what is causing it."

When it is unchecked, the recipient info is no longer visible. However, I don't know if unchecking this will produce a different negative effect.

TorW wrote:
Well, I was wondering more if anyone who has more than one domain in Kerio Connect sees this. I sent a notification mail to all our customers a week ago (we have 25 domains on the server, all different companies), and for privacy reasons I put all their addresses in the BCC field. The X-Envelope-To header was enabled in admin, and the resulting mail contained all the addresses from the BCC field in the X-Envelope-To header. I checked it today.

Kedar wrote:
> mrralan wrote on Thu, 13 October 2011 13:51
> However, I don't know if unchecking this will produce a different negative effect.

X-Envelope-To option is turned off by default. It has no negative effect.

From context help:
Insert X-Envelope-To header to locally delivered messages
Defines if the X-Envelope-To entry will be inserted into the header of messages delivered locally. X-Envelope-To is the original recipient address based on the SMTP envelope. This option is useful especially if there is a domain mailbox in Kerio Connect.

TorW wrote:
@Radek Sip: Fair enough, but you may want to warn in the context help and in the documentation what kind of side effects the setting has. Nobody should be able to see what addresses were in the Bcc: field. With the X-Envelope-To header it's a matter of simple deduction.

mrralan wrote:
Was it always turned off by default? I didn't turn it on here but someone else could have 4 years ago. TorW, did you turn that option on in your environment?

[Updated on: Thu, 13 October 2011 14:50]

TorW wrote:
Yes, I explicitly turned it on at one point because we had some delivery anomalies to an alias. It behaved the same way in 6.7.1, apparently. I since left it turned on because I (erroneously) thought it behaved the same way as qmail's anti-loop "Delivered-To:" header.

Please note that I don't think this is a security issue or a bug. X-Envelope-To and Envelope-To headers are present in many mailservers for domain mailbox and mailing list reasons, but they're not standard and do not travel across the internet. If you don't need it, turn it off.