Allowed Email Domains blocks Accept emails from Anonymous

There’s a conflict between the Allowed Email Domains setting and the staged users created by the per-category Accept emails from anonymous users with no accounts.

Just troubleshot this on a clients’ site. They enabled the setting to ensure that the only registered users accessing their Discourse site were employees with corporate email accounts.

A few days later they realize their support inbox hasn’t received any new messages, but hadn’t connected the dots between the two.

That setting also affects the creation of staged users when inbound email from anonymous users is enabled on a category. I can’t be sure if this is a regression, but it definitely feels like a valid use case.

1 Like

@Stephen, could you please share the steps to reproduce the issue? It is not clear to me which settings are on and what is happening compared to the expected behavior. Let me know and I will check it out. :slight_smile:

If Allowed Email Domains has a domain in it (discourse.org for example) then external users on other email services can’t send email to categories creating staged users in the normal way.

1 Like

must approve users combined with auto approve email domains might be a better setup for this use case.

Possibly. Maybe it’s more ux but there’s nothing to warn the user that their configuration isn’t valid.

They went for days with emails from external users being silently dropped.

1 Like

They should still get a rejection notification, it shouldn’t be silent.

What change would you suggest we make here? A warning on the allowed email domains is already present.

Perhaps a warning in the admin panel if inbound emails are being rejected?

This wording is what creates the confusion, at least for me:

Staged users haven’t completed any registration, so it stands to reason that they shouldn’t be impacted.

What’s the rationale behind the setting impacting staged accounts? They can’t log in and information can’t leak?

1 Like

Looking at commit history led me to this topic: Email domain blacklist is not consulted when receiving emails (and creating staged users), the original reasoning seems to have been that staged accounts were a spam vector.

Would it help to reword from this:

A pipe-delimited list of email domains that users MUST register accounts with. Subdomains are automatically handled for the specified domains. Wildcard symbols * and ? are not supported. WARNING: Users with email domains other than those listed will not be allowed!

to:

A list of the email domains allowed when creating user accounts. When set, any email with a domain not listed in this list will not be valid for account creation (including staged user accounts). Subdomains are automatically handled for the specified domains. Wildcard symbols * and ? are not supported.

5 Likes