Avoiding BCC Leaks with Exim

This issue is, by no means, Joomla specific - but Joomla's mass mail functionality provides a good example of what can go wrong.

Most users expect that the list of recipients BCC'd on an email will never be visible to any of those recipients.

Unfortunately, whether or not that's the case may well depend on the Mail Transport Agent (MTA) that you are using.

Those familiar with Joomla's Mass Mail feature will know that recipients are BCC'd by default. Unfortunately, if you're using Exim (which most cPanel servers, for example, are), you may find that those receiving your message can see exactly who it was sent to.

Whether or not this BCC leak is visible to the recipients depends on which mail client they use (assuming they're not in the habit of looking at the mail headers anyway), but those using Google Apps/Google Mail will have the list clearly presented to them when viewing the mail.

 

The issue stems from the fact that the Exim developers appear to have adopted a simple philosophy: an MTA should never change mail headers; that's for the Mail User Agent (MUA) to do.

For the most part, I'd agree, but add the qualification - with the exception of BCC...

As a result of this do-not-touch mentality, if Exim receives the mail with the BCC headers intact, it will faithfully relay that mail on to the recipients' SMTP servers with the full header intact (something Mutt users discovered a little while back).

The problem is that if your Joomla site is configured to use either PHPMail or Sendmail, there isn't an MUA to speak of, and so Exim helpfully discloses your BCC recipient list.

 

Reconfigure Exim

If you've got root access to your server, the best way to fix the issue is to tell Exim that it should always strip BCC headers when delivering mail.

In /etc/exim.conf, find the block defining remote SMTP:

 remote_smtp:
   driver = smtp
   interface = ${if exists {/etc/mailips}{${lookup{$original_domain}lsearch{/etc/mailips}{$value}{${lookup{$sender_address_domain}lsearch{/etc/mailips}{$value}{${lookup{${perl{get_sender_from_uid}}}lsearch*{/etc/mailips}{$value}{}}}}}}}}
   helo_data = ${if exists {/etc/mailhelo}{${lookup{$original_domain}lsearch{/etc/mailhelo}{$value}{${lookup{$sender_address_domain}lsearch{/etc/mailhelo}{$value}{${lookup{${perl{get_sender_from_uid}}}lsearch*{/etc/mailhelo}{$value}{$primary_hostname}}}}}}}{$primary_hostname}}
 

and insert the following line just below the driver line:

  headers_remove = bcc

If there's a section for dkim_remote_smtp, do the same thing.

Save and exit the file, then restart Exim:

service exim restart

 

Joomla Side

If you can't do the above (for example, because you don't have root access), an alternative is to configure Joomla to use SMTP instead, which also works around the issue. You may have to double-check the settings with your webhost, but in most cases simply setting the mailhost to localhost should be sufficient.

Global Settings -> Server -> Mail Settings

Then

  1. Set Mailer to SMTP
  2. SMTP Host: localhost

Save and close

 

What about using -t

In theory, using sendmail -t to send the mail should cause Exim to strip the BCCs. However, on the system this affected (running Exim 4.82), it seems that -t no longer guarantees this (I haven't dug into why yet).
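
Whichever route is used (headers_remove, SMTP or -t), the result can be checked from the receiving end by saving a delivered test message and looking for a surviving BCC header. The script below is an added example, not part of the original post; the file name check_bcc.py and the sample addresses are constructed, and it also checks Resent-Bcc, which the post does not mention.

```python
"""Check saved copies of delivered mail for a leaked Bcc header."""
import sys
from email import policy
from email.parser import BytesParser

# Headers that should never reach a recipient's mailbox.
BLIND_HEADERS = ("Bcc", "Resent-Bcc")


def leaked_bcc(raw: bytes) -> list:
    """Return the addresses exposed in blind-copy headers of a raw message."""
    # Header lookup is case-insensitive and folded (multi-line) headers are
    # unfolded by the parser; the body is not needed.
    msg = BytesParser(policy=policy.default).parsebytes(raw, headersonly=True)
    found = []
    for name in BLIND_HEADERS:
        for header in msg.get_all(name, []):
            found.extend(a.addr_spec for a in header.addresses)
    return found


# Constructed sample: a message as received when the header is relayed intact.
BCC_LINES = b"BCC: alice@example.com,\r\n\tBob <bob@example.org>\r\n"
LEAKY = (
    b"Received: from web.example.test by mx.example.net\r\n"
    b"From: Site Admin <admin@example.test>\r\n"
    b"To: admin@example.test\r\n"
    + BCC_LINES +
    b"Subject: Newsletter\r\n"
    b"\r\n"
    b"Hello\r\n"
)
# Constructed sample: the same message once the header has been stripped.
CLEAN = LEAKY.replace(BCC_LINES, b"")

if __name__ == "__main__":
    # Usage (hypothetical file name): python check_bcc.py saved-message.eml ...
    status = 0
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            found = leaked_bcc(fh.read())
        print(f"{path}: " + ("LEAK " + ", ".join(found) if found else "ok"))
        status |= bool(found)
    sys.exit(status)
```

The exit status is non-zero if any saved message still carries blind-copy addresses, so the check can be repeated after each configuration change.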

 

Conclusion

The default configuration used by at least one big webhost doesn't take the above into account, so a site hosted there may inadvertently leak its BCC list when sending mail.

Personally, I think it's a pretty poor default for Exim to have - especially given that Exim has been leaking BCCs for quite some time.