Personal messages can be sent to email addresses?

I recently installed Discourse on Linux, and I had a user contact me via another means saying that he tried to send me an email via the messaging service on Discourse and that I didn’t respond. I started playing around with the messaging function to see if I could figure out what was happening, and while doing that I found that I could send an email to anybody on the internet that I wanted to through the messaging service, rather than just to other users. I consider that to be a big security risk, as it appears that any user could send email to anyone and they would receive it from the email address of my Discourse server.

Is this intended behavior, and if so, is there any way to change it? What I’d like to have happen is that users can only send private messages to other users, and I’d prefer that they be required to use the userid of the other user rather than their email address.

I’m running version 2.7.0.beta3.

1 Like

It is intended; see the announcement: Send a Personal Message to an Email Address

This is true of most platforms that have an email invite system. Is there any additional risk by using a Discourse PM instead?

You can disable the feature by turning off the site setting “Automatically create staged users when processing incoming emails” (because sending an email from a PM requires the creation of a staged user).

6 Likes

Will that disable the “invite” function as well? I do want to use that, at least for someone with moderator or admin authority.

No, it does not impact invite emails as those do not expect a response.

3 Likes

Thanks very much for the assistance! The setting works.

1 Like