Reply own mail creates new topic

(This might be a feature request rather than a bug, depending on your view…)

Consider the following chain of events:

• A user enabled with Mailing List mode enabled, but excluding own posts
• User sends in a new topic by mail (say, to support@discourse.my.org), obviously a new topic is created
• No email is sent back to the user due to their settings
• User now sends a second mail in
  • The only mail in their email client is the original one in Sent, as no other mail has arrived
• This also goes to support@discourse.my.org
• Creates another new thread instead of appending to the first one

Given that the second mail will have an In-Reply-To header of the first mail, is it possible to detect that these should be on the first thread?

By default Discourse needs to reply to a special email address that contains a reply key. The reply key is generated when Discourse sends you a notification about a new post and it is only valid for you ¹⁾ and that specific post. That’s how Discourse verifies that you are who you claim to be (because nobody else should have access to that reply key) and it also knows to which post you are replying.

Such an email address looks like this: support+148425ef5b96ce547e9d79fb3b605760@example.com

Without a reply key, Discourse assumes that you want to create a new topic.

But, there is a site setting which allows you to change that behaviour. Discourse will try to find related posts by Message-ID when you disable find_related_post_with_key in the settings.
There is a reason why that setting is enabled by default. Disabling it makes incoming emails a little bit less secure.

I’d say this is neither a bug nor a feature request

¹⁾ There is one exception to that rule. When you reply to Discourse using a reply key and include other users via To or CC, Discourse knows about that and allows incoming emails using the same reply key from those users.

Aha, so there is a setting, interesting. I see it says “WARNING: disabling this allows user impersonation based on email address” - how does this happen? Presumably it’s some kind of header shenanigans?

Right, I’m aware of spoofing the From header, but I feel I’m still missing a piece of the puzzle so apologies if I’m dragging this out. How does the use of a dedicated To address (reply+token@myinstance) help detect / block From header forgery? Or to put it another way, how does checking the message-id enable that vector?

It doesn’t prevent spoofing of the From header. But the reply key is like a secret that is only known by Discourse and you.

Every email sent by Discourse uses a different key. So, unless someone gains access to your emails or you forward the key to someone, nobody should be able to send an email to Discourse and successfully pretend to be you.

Ah, the key is unique per recipient rather than per post? That’s the piece I was missing. Thanks!

It’s actually unique per email sent (so unique per recipient and post).

Ugh, yes, I got that but my comment is misleading :). Thanks for clarifying!