“Secure email mode” site setting ensures that no content is leaked to the outside via emails when the site’s content is sensitive.
Use Case
My Forum is safe (HTTPS, secure server) and I use it for discussion of sensitive information. However, participants may use insecure emails and mailing list / notifications / digests will leak sensitive information to outside agents.
Affected Area
Digests
Mailing List Emails
Notification Emails
Push Notifications
Proposal
All notifications to outside systems will be replaced by a “dumb” notification:
Instead of a standard notification, you will get a mail only saying that there is a new reply for you on the forum.
Digests will only have the big numbers section.
Mailing list makes no sense in this mode, so I believe we can expect that it will be disabled.
I would still have comprehensive protection in place; if mailing list does get set, it will contain nothing but “a new post was created, go to the site to look at it”.
PGP support seems like plugin territory to me – but core should at least make it possible for a plugin to keep the content even in secure mode, for exactly this reason.
I’m interested in seeing secure email mode implemented.
A single site-wide admin setting to enable/disable secure email mode is a good starting point but perhaps a bit draconian for most sites including ours. We have many users accustomed to using email to participate in discussions and we also have many topics that are public or, if private, not worthy of this level of security. It would be a shame to lose all that - though on the other hand it also might lead to more engagement since people would be forced to start logging in.
Here are some other possible ways to bite this cherry for your consideration:
user preference - allow users to opt for secure email mode themselves, separately for PMs and posts. This is handy for users who might be feeling paranoid about the security of their own email mailbox and want to control what lands there.
category security settings - allow admins to set up secure email mode independently for each category. Then we educate our users on where to put secure correspondence.
break out site setting to enable/disable secure email separately for public categories, private categories, and private messages
composer - add secure email option directly to the composer, so user can decide to keep a specific message or post secure. (probably overkill)
I’m also very interested in a secure email option (I was redirected here after asking about it in a new thread). I’m a little surprised it wasn’t available, given how feature rich Discourse is :). Other web forum software kind of have this by default, i.e. “there is a new post in thread X” … though I’d like even the thread name to be avoided. Would be happy with just a link to the thread and to the new post.
Also very opposed to anything PGP, unless it’s optional.
Just a note for when this is going to be implemented. The URLs should be sanitized too. For example, currently they contain the topic title which in many cases is revealing, they should be replaced with http://discourse.example.com/t/123/99 for topic id 123, post id 99 which already works fine.
I was looking at changing the email templates to leave only the URLs, but can the above be done currently? Is there a placeholder I can use in the email template that gets me the sanitized url version?
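The slug-stripping rewrite described in the post above, as an added Ruby example (not Discourse's own code and not written by anyone in this thread). The helper names `sanitize_topic_url` and `privatize_email_body` are hypothetical, the sample mail body is constructed, and the code assumes topic links have the shape /t/slug/topic-id/post and that a slug is never purely numeric:

```ruby
require "uri"

# Added illustration, not Discourse code. Helper names are hypothetical.
# Assumption: topic links look like /t/<slug>/<topic_id>[/<post>] and a
# slug is never purely numeric, so /t/123/99 is already slug-free.
TOPIC_PATH = %r{\A/t/(?:(?<slug>(?!\d+/)[^/]+)/)?(?<topic>\d+)(?:/(?<post>\d+))?/?\z}

# Match http(s) URLs but never end on sentence punctuation; a trailing "."
# glued to the path would otherwise stop the topic pattern from matching
# and the slug would slip through.
URL_IN_TEXT = %r{https?://[^\s<>"']*[^\s<>"'.,;:!?)]}

# Rewrite one URL. Links to other hosts and non-topic paths are returned
# unchanged; query strings (e.g. tracking parameters) are kept.
def sanitize_topic_url(url, forum_host)
  uri = URI.parse(url)
  return url unless uri.host&.casecmp?(forum_host)
  m = TOPIC_PATH.match(uri.path)
  return url unless m
  uri.path = ["/t", m[:topic], m[:post]].compact.join("/")
  uri.to_s
rescue URI::InvalidURIError
  url
end

# Apply the rewrite to every URL found in a plain-text email body.
def privatize_email_body(body, forum_host)
  body.gsub(URL_IN_TEXT) { |url| sanitize_topic_url(url, forum_host) }
end

# Constructed sample body.
SAMPLE = <<~MAIL
  New reply: https://discourse.example.com/t/secret-merger-plans/123/99.
  Related: https://example.org/t/other-forum-topic/5/1
MAIL

puts privatize_email_body(SAMPLE, "discourse.example.com") if $PROGRAM_NAME == __FILE__
```

Only links on the forum's own host are rewritten, so a link to another site that happens to use the same path shape is left as written.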
Not if “Secure email” would mean what I expected when I opened this thread: The ability to upload my S/MIME public key to discourse and receive encrypted emails in the future.
I’ve just merged in my first attempt at this. I ended up renaming it to private_email instead of secure_email following some feedback from the team. I think the new name works better because it’s about keeping details private rather than actually securing email.
^ oops I just realized the commit message was wrong. The key is private_email despite that message which I cannot update now because our master doesn’t allow force pushes.
Here’s some screenshots of what emails look like when this feature is enabled. Whenever the Topic Title should be shown instead we show it as “Topic #ID”, and we remove all context posts and excerpts:
Receiving one of the many topic notifications (reply, @mention, etc):
I’d love for people in the community to help us test this on their forums. I should warn you that Discourse has a lot of email templates and it’s possible I missed some, so it should be considered not 100% private until we’ve had some users test it out and report bugs.
Part of the problem is the templates they’re based on just don’t look as nice as Facebook’s. I think we’d have to add all new templates to look as nice.