Confused by Error Message From Reply-by-Email

We’d have to validate each address right?

5 Likes

I’m still struggling to understand why Discourse trusts/validates the From: header when it can be so trivially spoofed?

The reply id header provides a useful validation as it’s unguessable/unknowable by bad guys.

Validating the From: header simply causes legitimate users to get confusing rejections to their post-by-email attempts if they happen to reply from a different email address (an edge case that’s more common than one would expect)

1 Like

Email is identity. A “different email address” is like saying “different DNA”.

1 Like

I have lots of email addresses, and so do some of my users.

I’m sincerely not trying to pick a fight here. I’m just slightly burnt by this issue as it contributed to a very important member of one of my forums choosing to no longer contribute to the forum

Then you should be advocating for movement on the multiple email address setup per user, scroll up and do some reading perhaps?

2 Likes

Unfortunately I don’t know if the proposed feature would solve the problem experienced on my Discourse instance.

In my case the user is the chairperson of a civic society. She had two email addresses and two Discourse accounts (one for each address). One account represented her personal identity, and other was for “official” posts on behalf of the civic society.

When she replied by email, she frequently did so from the “wrong” email address so her replies got rejected.

I assume the feature being discussed above would involve multiple email addresses per Discourse account, but would (naturally) disallow multiple Discourse accounts per email address. Thus it wouldn’t address my use case unfortunately.

1 Like

Couldn’t you just merge the accounts so one of the email addresses becomes a secondary?

If not, unfortunately there currently aren’t any tools in Discourse to help users remember which hat they are wearing.

1 Like

I could, from a technical point of view, but it is intentional that the user is able to post under two distinct identities (personal / on behalf of civic society)

2 Likes

Yeah. Sometimes people do get stuck in that scenario but I’d probably call it more of a corner case than an edge case :smile:

Am I understanding right that this person effectively has two identities, but both of them are ending up in the same email account for some reason? If that’s true, it seems like they’d be running into this problematic scenario in more places than just Discourse. Maybe a job better suited for handling on the email client?

I have some work related aliases in my work email account, but the client matches the “from” address for replies to the address the mail was sent to…

4 Likes

I agree, it’s a corner case, and if she wasn’t such a prominent user it wouldn’t have been such a big deal.

In order to create two Discourse accounts, we used the gmail dot hack so she could create two email addresses for her gmail mailbox, in order that she could create two Discourse accounts.

When she replies by email to a post on the forum, gmail doesn’t necessarily use the same email address variant that Discourse expects.

IMO, provided the reply id is valid, Discourse should accept the reply.

The dot hack is extremely fragile, and they’d likely be having a much better time with plus addressing instead.

If both accounts use a plus address and no accounts are on the bare address, the From: address switcher will work fine and forgetting to set it will simply mean the email is rejected instead of submitted on the wrong account.

Using + instead of dots also brings a lot of clarity to your filters, too :sweat_smile:

7 Likes

@udan11 can you add that to your list?

5 Likes

I submitted a pull request to improve support for multiple email addresses:

8 Likes

I was also getting such an e-mail (for a forum where I am admin).

Rejected incoming e-mails do not show up under admin/email/rejected. Could you add them there please? That would at least help with investigation.

Also the error message is confusing.

Recipient e-mail address discoursereplies+snip@domain.org equaled body of rejection e-mail notification by discourse ["discoursereplies+snip@domain.org"]. Message ID was probably correct too (hard to check), just the from address was wrong.

No, it wouldn’t have fixed my issue too.

In my case I did send from a different e-mail address (different SMTP server). My e-mail program Thunderbird apparently has a bug to sometimes confuse the sender SMTP e-mail address when using multiple SMTP servers.

1 Like

That sounds correct, per the response message

None of the destination email addresses are recognized

1 Like

I’ve read the entire topic and from an exterior POV, you seem to miss the point they are trying to make here. It’s like getting out of your apartment and having a warning when you close the door, because you didn’t turn the lights off. But the message actually tells you you left a window open (when it is NOT the case. Lights should indeed be turned off, though).

They understand WHY the message is sent, and what the underlying “problem” is (agreeing with it being a problem or not, like mentioned above, is another subject). But the message seems to tell something different than what it actually is. At least, it will probably give this impression to most users.

I guess it must be a different way of thinking and seeing things, which is the matter here. It must make sense to you, Jeff, because you think from a “Discourse POV”: It is an unknown “TO:” or “recipient” address… than where discourse sent the initial email to. Whereas users (me included) are thinking from their “answer email POV”: They sent TO the correct address, but FROM a different address. They don’t understand why they are getting an error saying something different from what they have in mind.

2 Likes

Think of it this way. Discourse calls your house phone which is the number you have set up with it. You call it back from your cellphone… which is unknown to Discourse. Thus, Discourse doesn’t answer because it doesn’t know who you are. (It screens its calls. :slightly_smiling_face:) That’s why they’re saying multiple email addresses should be advocated for.

2 Likes

Jeff Atwood via Discourse Meta:

That sounds correct, per the response message

None of the destination email addresses are recognized

My brain parsed that as "you used the wrong TO:" address. Could you
please consider improving the wording of that?

That e-mail is sent back to users. From perspective of users the
“destination” is the destination e-mail (TO: address) which the user
has sent to (recipient). From perspective of discourse it’s the wrong
From: address.

May I suggest the following wording draft:

We’re sorry, but your email message to
[“discoursereplies+snip-id@domain.org”] (titled Re: snip title) didn’t work.

Possible causes:

  • Do you use more than one e-mail address? Did you accidentally send
    from the wrong e-mail address? Replies by e-mail require to send from
    the very same e-mail address(s) that you signed up for $site.
  • The Message-ID header in the email has been modified.
  • Please make sure that you are sending to the correct email address
    provided by $site.
2 Likes

Sure, Jim. Your analogy is great and on point. The thing here is that Discourse is answering with an error message. But it is not saying “I don’t know that number you are calling me from”. It’s saying instead “you’ve called a wrong number”. Which is confusing some people as they did call the correct number … but using the wrong phone. You’re right on that. The point is the error message which is confusing.

2 Likes

Sure, that’s a good idea. I changed the message from

None of the destination email addresses are recognized, or the Message-ID header in the email has been modified. Please make sure that you are sending to the correct email address provided by staff.

to

Do you use more than one email address? Did you reply from a different email address? Email replies require that you use the same email address when replying. Alternately, the Message-ID header in the email may have been modified.

7 Likes