HINT: One Way to "Turn Off" Discourse Email Validation

DiscourseDuck · December 21, 2020, 7:26am

REFERENCE:

Hey onecame

Of course it is not recommended to bypass email activation for many reasons (anti-spam, anti-fraud, etc.) and my guest is that 99.999% of forums would never do this. However, if you really want to do this, of course their are many ways to do this; however, you will need write a plugin, without support from the Discourse meta team, to make it work properly.

One way to get started, if you really want to go this direction (and totally unsupported by meta) is to change the default values in the DB for these two fields, as illustrated in this sample Rails migration:

class ChangeDefaultValuesToOverrideEmailActivations < ActiveRecord::Migration
  def up
    change_column_default :users, :active, true
    change_column_default :email_tokens, :confirmed, true
  end

  def down
    change_column_default :users, :active, false
    change_column_default :email_tokens, :confirmed, false
  end
end

This will work (basically) because I have tested it (briefly, but not fully since I'm not ever going to do this on any forum!). However, I was curious how this validation process works after reading many people on Discourse meta asking this same question and feeling frustrated not getting any technical reply.

In a nutshell, as a courtesy to onecame over at Discourse meta:

It you want to run a forum with unmanageable spam and never ending bot logins, etc. that is your choice (not ours), I guess.... but you are own your own and so kindly please do not post back about how to manage all the spam (and misery) you will get!

But as a holiday season courtesy to you, I am providing this "clue" to you so you can do this if you absolutely want to do it.

Hope this helps.

onecame · December 21, 2020, 8:50am

Hey @DiscourseDuck,

1-Why do we use mail confirmation instead of using chapcha?
2-my community consists of very few people why should i pay smtp for this?
3-I do not know much about where to paste the code you gave .d

4-thank you for your help🙏

DiscourseDuck · December 21, 2020, 9:51am

Hi @onecame

I do not know why the Discourse development team uses email validation and not captcha and I do not know why Discourse is heavily dependent on email for validation.

Regrading the plugin code, you should hire a professional plugin developer to help you; since this kind of work is not just simple "cut-and-paste" and requires a lot of testing; or you need to learn to write your own plugins if you want to use Discourse in ways not supported by the Discourse team.

However, I suspect if you are unwilling to pay a small monthly fee for an SMTP email provider; you are also unwilling to pay for a Discourse professional plugin developer.

nezabudka · December 21, 2020, 10:51am

Hey @onecame
Create a Google mailbox for free, example: yourbox@gmail.com.
You go to your account => Security. You turn on the "Less secure app access".
Then when you install discourse, you enter the following data:

smtp_address: smtp.gmail.com
smtp_port: 587 
smtp_user_name: yourbox@gmail.com
password: 123456

You may need to check your spam basket for the first time
That's all. Good luck

onecame · December 21, 2020, 4:24pm

Thenkyou

DiscourseDuck · December 22, 2020, 2:30am

FYI, it is against Google's terms of service to use their services in this manner.

However, if you only have a small about of email, a handful per hour, Google will not complain, generally.

But, if you have a lot of SMTP relay traffic, like a big site sending out user digests, Google will block you.

In other words, when you use Google Gmail service in this manner, you are in violation of Google's policies and they can and will block you if they detect what you are doing; and they will detect it if you send more than a trivial amount of SMTP mail in this manner.

Neo · December 22, 2020, 2:46am

Yes, best to turn off digests completely if you are going to use Google Gmail SMTP relay services.

nezabudka · December 22, 2020, 5:34am

Hi. It's right.
I brought the classic method from the mutt email client setup. Suitable for cases with no big traffic as for @onecame or for getting acquainted with the Discourse engine on a virtual machine with an invented domain name as in my own case.
Pardon my French.

So, if you know about it, it is very easy to organize an attack even if the traffic is small.

nezabudka · December 22, 2020, 5:45am

Hi @Neo
Yes. Turning on "Less secure app access" is already a security hole.

Neo · December 22, 2020, 11:27am

Correct.

Well considered, @nezabudka!

Neo · December 22, 2020, 11:38am

FWIW,

I have found SendGrid to be the best SMTP provider, and the best value, for Discourse, at the current time, after testing around 10 (or a bit less).