Email reply via Email

Would it be possible to enable https://staging-forum.lawrencesystems.com to support replies via Email?

The use case being $Account is set up for Mailing List mode, and replies can be sent via Email instead of only being available to post via the web-form of the specific topic.

Currently this is not possible. Emails sent to postmaster _at_ forums.lawrencesystems.com return to the MTA server with Error code 400.

<postmaster@forums.lawrencesystems.com> delayed: forums.lawrencesystems.com:
    400 Network error: Could not connect to forums.lawrencesystems.com:25


Reporting-MTA: dns; mailrelay2-2.pub.mailoutpod1-cph3.one.com
Received-from-MTA: smtp; [IPv6:2a03:5440:2030:801:e141:c945:2851:e29] (2a03:5440:2030:801:e141:c945:2851:e29)
Original-Envelope-Id: f8178553-6f4a-11e9-931a-d0431ea8a290
Arrival-Date: Sun, 05 May 2019 15:32:19 +0000

Final-Recipient: rfc822; postmaster@forums.lawrencesystems.com
Action: delayed
Status: 5.4.7 (Message could not be delivered in the allotted time frame)
Remote-MTA: dns; forums.lawrencesystems.com
Diagnostic-Code: smtp; 400 Network error: Could not connect to forums.lawrencesystems.com:25

I don’t have that set up mostly because I worry about the abuse of being able to send mass emails and spam the forums.

You could enable Reply via Email to only be available after a certain trust level or with a custom badge earned by $account.

That way new members will not have access to the feature right away, but only after having been active in the community to a certain extent or otherwise proven themselves worthy of “privileges”.

Going by this post, it should be possible to implement a minimum required trust level for a user account to be able to use Reply via Email.

This post says it is possible to configure the following option.

  • email_in_min_trust: the minimum trust level required for users to send an email to Discourse

This should make it sensible to enable the option, while still preventing spam bots from flooding the forums.

Yes, but that would not stop someone from impersonating an email address that was trusted.

That may very well be true, depending on if $mailDomain is not protected adequately with the use of v=spf1 (and optionally DKIM and/or DMARC, too).

Though I would dispute a mail account being impersonated or a forum account not using 2FA to protect against unauthorized access. Is about equally bad in my opinion(!)


comment: I will add with SPF validation. You could configure your receiving SMTP daemon to reject (optionally with error message) all senders failing validation state -eq true.


(If everyone used 2FA for every website login they could and only used mail hosting solutions supporting SPF and DKIM, we could be on a better road ahead of stopping mail impersonation and preventing brute-forcing and stolen account credentials being used in many current instances happening all over the globe every day because of inadequate security steps taken to protect oneself and solutions provided to customers, foes and friends alike.)
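
As an added illustration of the SPF point raised in this thread (not code from any poster or from Discourse): a pre-filter for reply-by-email that trusts only the Authentication-Results header stamped by the forum's own receiving MTA and requires the authenticated domain to match the From: header exactly. The authserv-id `mx.forum.example`, the sample addresses and all function names are assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption: authserv-id stamped by our own receiving MTA, which must also strip
# any inbound Authentication-Results header that already carries this id.
TRUSTED_AUTHSERV_ID = "mx.forum.example"

def parse_auth_results(value):
    """Return (authserv_id, {method: (result, props)}) for one header value."""
    value = re.sub(r"\([^()]*\)", " ", value)  # drop RFC 5322 comments
    parts = [p.split() for p in value.split(";")]
    authserv_id = parts[0][0].lower() if parts[0] else ""
    methods = {}
    for tokens in parts[1:]:
        if not tokens or "=" not in tokens[0]:
            continue  # e.g. the bare "none" result
        method, result = tokens[0].lower().split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        methods[method] = (result, props)
    return authserv_id, methods

def domain_of(address):
    return parseaddr(str(address))[1].rpartition("@")[2].lower()

def accept_reply(raw):
    """Accept only if our MTA vouches for the domain shown in the From: header."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = domain_of(msg.get("From", ""))
    for value in msg.get_all("Authentication-Results", []):
        authserv_id, methods = parse_auth_results(str(value))
        if not from_domain or authserv_id != TRUSTED_AUTHSERV_ID:
            continue  # unknown id: the sender could have written this header
        if methods.get("dmarc", ("", {}))[0] == "pass":
            return True
        result, props = methods.get("spf", ("", {}))
        # SPF alone authenticates the envelope sender, so require it to match From:
        if result == "pass" and domain_of(props.get("smtp.mailfrom", "")) == from_domain:
            return True
    return False

def sample(from_addr, auth_results):  # constructed test messages, not real mail
    return (f"From: {from_addr}\nTo: replies@forum.example\n"
            f"Authentication-Results: {auth_results}\nSubject: Re: topic\n\nbody\n")

GENUINE = sample("alice@example.org", "mx.forum.example; spf=pass smtp.mailfrom=alice@example.org")
SPOOFED = sample("alice@example.org", "mx.forum.example; spf=pass smtp.mailfrom=bounce@attacker.example")
FORGED = sample("alice@example.org", "mail.attacker.example; dmarc=pass header.from=example.org")
```

`accept_reply` returns True only for `GENUINE`; a check like this would sit in front of the `email_in_min_trust` setting, which then decides whether the authenticated sender's account is trusted enough to post.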