Reply key / email address validation not working? (reply by email)

I have set the following:

However, a user’s email reply was rejected as their sending email address didn’t match the account email address.

In this case I’d like their email reply to be accepted.

Is there anything I can change to ensure email replies are accepted in cases where the sender email address doesn’t match the account email address?

Make sure the enable_staged_users site setting is enabled.

For categories, enabling “Accept emails from anonymous users with no accounts” in the category’s settings should work.

Thanks @gerhard.

“Enable staged users” was in fact enabled already. In my case, the user has two accounts on the forum, both live. She replied to a notification from the “other” account and it got rejected by Discourse.

I’ve noticed also that the wording on the setting is a little ambiguous. “Only use reply key” suggests in my mind “don’t additionally validate email address” - but then the setting description says that disabling the setting allows user impersonation. I’ll try disabling the setting and see if that helps.

Was it a reply to a public topic or a group message? The exact error would be interesting too. You can find it in Admin -> Emails -> Rejected. The second account might not be allowed to reply to the topic.

The reply was to a public forum post

We’re sorry, but your email message to [“hitreply+[redacted]@se26.life”] (titled Re: SE26.life [Dining/Drinking] Zigghy Cafe [Now open]) didn’t work.

Disabling that setting isn’t a good idea.

Email addresses are always validated. Each reply key is bound to a topic and user. If they do not match, the email gets rejected. There’s only one exception. If the system knows that an email was forwarded to another user, because that other user was in the To or CC header of a previous reply, then it will allow that user to reply with the forwarded reply key.

In your case, the user needs to send with the correct email address. There’s no way around it. Most email clients should be smart enough to select the right sender address anyway.
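
The check described in the post above, modelled in a few lines of Ruby. This is an added illustration, not Discourse's code and not part of the thread; the class, method and status names, the case-insensitive comparison and the sample data are all assumptions.

```ruby
require "set"

# Illustrative model; all names here are assumptions, not Discourse internals.
ReplyKey = Struct.new(:key, :user_id, :topic_id)

class ReplyValidator
  def initialize(reply_keys, user_emails)
    @keys = reply_keys.to_h { |rk| [rk.key, rk] }       # key string => ReplyKey
    @user_emails = user_emails                           # user_id => [addresses]
    @forwarded = Hash.new { |h, t| h[t] = Set.new }      # topic_id => To/CC addresses
  end

  # Remember addresses seen in the To/CC headers of an accepted reply.
  def record_recipients(topic_id, addresses)
    addresses.each { |a| @forwarded[topic_id] << normalize(a) }
  end

  # Sender is compared after trimming and lowercasing only (assumed); no domain aliasing.
  def check(key, from)
    rk = @keys[key]
    return :bad_reply_key unless rk
    sender = normalize(from)
    owner = @user_emails.fetch(rk.user_id, []).map { |a| normalize(a) }
    return :accepted if owner.include?(sender)
    return :accepted_forwarded if @forwarded[rk.topic_id].include?(sender)
    :sender_mismatch
  end

  private

  def normalize(addr)
    addr.strip.downcase
  end
end

# Constructed sample data (not taken from the thread).
def demo
  v = ReplyValidator.new([ReplyKey.new("k1", 1, 10)], { 1 => ["alice@gmail.com"] })
  results = {
    owner: v.check("k1", "Alice@gmail.com"),
    other_domain: v.check("k1", "alice@googlemail.com"),
    unknown_key: v.check("nope", "alice@gmail.com"),
    before_forward: v.check("k1", "bob@example.org")
  }
  v.record_recipients(10, ["bob@example.org"])
  results.merge(after_forward: v.check("k1", "bob@example.org"))
end

p demo if __FILE__ == $PROGRAM_NAME
```

In this model a valid key sent from an address the account does not hold is still rejected, and a third party is accepted only after appearing in the To or CC of an earlier reply in the same topic.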

Thanks for the explanation.

I would be comfortable with just the reply key being used to authorise the user.

After all, it’s easy to spoof an email address, isn’t it?

Hi,

I have the same problem, a user has two accounts registered, one with her email as @googlemail.com and one as @gmail.com

The result is that sometimes her emails get rejected with the error:

Your reply was sent from a different email address than the one we expected, so we’re not sure if this is the same person.

I have a few other users replying by email and it only happens to this user, so I assume it’s the gmail/googlemail domain mismatch.

I am thinking of adding the alternate domain email as secondary email address on both accounts, or is there a better idea?

There are no other safe alternatives. Handling this automatically would definitely lead to security issues.

Isn’t it a security issue for Discourse to trust the email address in the From header, and to use this as part of its validation of incoming emails? I can set the From header to whatever I like.

That’s why we have reply keys :wink:

Indeed! :grinning:

The reply key is what protects us from spoofed replies to notification emails. The email address listed in the From field doesn’t offer any real protection at all.

Forgive me for repeating the point, but including email address in the validation of replies is causing user-affecting usability issues and should be dropped IMO

Well, I ventured into the Rails console (for the first time!) to add a secondary email address, but my workaround to add the @googlemail.com email to the @gmail.com account and vice versa didn’t work, because the emails have already been taken, of course it makes sense.

If anyone has other ideas to fix this reply by email issue, I’ll be grateful, as I generally am for being able to use Discourse.

You could merge the users (provided they’re the same user).

You’re right, I’ll look into that, cheers.

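Could you tell me what steps you took to achieve this? We are still running into the problem of Discourse rejecting legitimate email posts from users, and it is causing us a lot of trouble. It is hard to explain this to the affected users.

Ultimately, nothing would be better than being able to disable the check that Discourse performs on the email address of incoming emails (which is vulnerable to address spoofing and is unnecessary given that the reply key is checked).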

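I can’t say it was completely resolved, but time has passed and my memory may have faded.

I tried to add a secondary email address, as explained here:

But it didn’t work, because that email address was already in use.

I think the solution was to merge the users, but I didn’t actually go ahead with it, because I later talked with the user and found out that she had been using only one account since then. So I can’t tell you how it actually works. Sorry.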