I recently installed Discourse on Linux, and I had a user contact me via another means saying that he tried to send me an email via the messaging service on Discourse and that I didn’t respond. I started playing around with the messaging function to see if I could figure out what was happening, and while doing that I found that I could send an email to anybody on the internet that I wanted to through the messaging service, rather than just to other users. I consider that to be a big security risk as it appears that any user could send email to anyone and they would receive it from the email address of my Discourse server.
Is this intended behavior, and if so, is there any way to change it? What I’d like to have happen is that users can only send private messages to other users and I’d prefer that they be required to use the userid of the other user rather than their email address.
I’m running version 2.7.0.beta3.