-
-
Notifications
You must be signed in to change notification settings - Fork 2.1k
Drop support for delegating email validation #13192
Conversation
d375408
to
61df162
Compare
Delegating email validation to an IS is insecure (since it allows the owner of the IS to do a password reset on your HS), and has long been deprecated. It will now cause a config error at startup.
Give it an `email` config instead of a threepid delegate
Rather than an enum and a boolean, all we need here is a single bool, which says whether we are or are not doing email verification.
61df162
to
8c2936d
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM — thanks :-).
this will be in 1.64, not 1.63
this one too
Complement failure is a known flake. Merging manually. |
@richvdh @DMRobertson Think it would be possible to either reconsider or delay the full deprecation of this and make enabling the setting a warning only for now? Installations currently depending on this for example those (still) on ma1sd or custom identity servers may need to figure out migration strategies.
where has this been communicated? Consider cases where IS and HS are administered by the same entity - delegating account security to the IS is a feature, not a bug, and not a reduction in security, in some scenarios. In any case, I know of multiple HSes that will need to either fork synapse or stay at 1.63.x if this is pursued like planned in 1.64. Some heads-up before breakages like this would be expected. |
Currently use ma1sd to restrict email verification by domain-would greatly appreciate at least a release cycle to figure out how the heck I'm migrating. |
Hrm, we've been talking about this for so long within the team that I assumed everyone knew about it, but now that I come to have a look it does indeed look like we've done a poor job of communicating it, so my apologies for landing it without fair warning. The problem with this feature is that it relies on unspecified Identity Service APIs ( I've not used ma1sd, but I'm afraid I don't entirely understand the usecase: why is it preferable to delegate email-sending to it rather than have synapse send email directly?
I think you may be able to achieve this result via Rather than continue to discuss on a closed PR, please could you open a new issue describing your usecase and explaining why it's not met by having synapse send verification emails directly? |
It's not necessarily a use-case thing so much as it is a short notice
migration thing. I'm happy to drop it, I'd just appreciate an extra release
cycle.
…On Wed, Jul 27, 2022, 12:48 PM Richard van der Hoff < ***@***.***> wrote:
Hrm, we've been talking about this for so long within the team that I
assumed everyone knew about it, but now that I come to have a look it does
indeed look like we've done a poor job of communicating it, so my apologies
for landing it without fair warning.
The problem with this feature is that it relies on unspecified Identity
Service APIs (POST /_matrix/identity/api/v1/validate/email/requestToken, GET
/_matrix/identity/api/v1/3pid/getValidated3pid), both of which were
removed from the spec two years ago
<matrix-org/matrix-spec-proposals#2713>, so it's
not appropriate for mainline Synapse to continue using them.
I've not used ma1sd, but I'm afraid I don't entirely understand the
usecase: why is it preferable to delegate email-sending to it rather than
have synapse send email directly?
Currently use ma1sd to restrict email verification by domain
I think you may be able to achieve this result via allowed_local_3pids
<https://matrix-org.github.io/synapse/v1.63/usage/configuration/config_documentation.html#allowed_local_3pids>
(possibly in conjunction with `registrations_require_3pid
<https://matrix-org.github.io/synapse/v1.63/usage/configuration/config_documentation.html#registrations_require_3pid>
.
Rather than continue to discuss on a closed PR, please could you open a
new issue describing your usecase and explaining why it's not met by having
synapse send verification emails directly?
—
Reply to this email directly, view it on GitHub
<#13192 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ACFNSCMW7SQUSR4MFROJ6HTVWFR6RANCNFSM52XT336Q>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
Well, you've got another week before this is released 😇. And even after that, I don't think there's any harm in remaining on 1.63 for a couple of weeks. We'll try to do better on this in future, but I'm not sure there's much to be gained by backing it out now that it's landed. |
I'm really sorry for being grumpy here but ~1 month notice for a
really needs some more planning and communication to roll out than <1month from proposal to merge and completed in the next release. Like @theAeon , my bigger issue is not the change itself but the process around how a change of this nature and impact is made and rolled out. What I'd really would have liked to see (and I'llopen a new issue for this, just getting this down here for now):
Given way that MSC changes have been governed, made and communicated (which I up until now have not experienced as problematic, and is not my point of critique here), future changes like this really need to be handled differently to this. To be clear how unfortunate this is, the current release 1.63.1 that has the even older unsupported configuration
The linked section still instructs users that what is currently broken is the way to go:
, with an example of how to delegate e-mail sending. So a hypothetical new synapse user who followed the For an example of how I think this should be handled, the previous deprecation of |
It's worse than what I wrote above apparently. Latest official docs still encourages users delegating email validation using the feature being dropped here: |
With all due respect, this level of breaking change notice is something you'd expect in a beta release. |
This comment was marked as off-topic.
This comment was marked as off-topic.
oh that was directed at op |
This reverts commit fa71bb1.
This reverts commit fa71bb1.
This reverts commit fa71bb1.
There is now a draft PR for changing this from an error to a warning (so keeping the functionality for now but deprecating it and reflecting that in docs) in #13406. |
This reverts commit fa71bb1.
Synapse 1.64.0 (2022-08-02) =========================== No significant changes since 1.64.0rc2. Deprecation Warning ------------------- Synapse v1.66.0 will remove the ability to delegate the tasks of verifying email address ownership, and password reset confirmation, to an identity server. If you require your homeserver to verify e-mail addresses or to support password resets via e-mail, please configure your homeserver with SMTP access so that it can send e-mails on its own behalf. [Consult the configuration documentation for more information.](https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#email) Synapse 1.64.0rc2 (2022-07-29) ============================== This RC reintroduces support for `account_threepid_delegates.email`, which was removed in 1.64.0rc1. It remains deprecated and will be removed altogether in Synapse v1.66.0. ([\matrix-org#13406](matrix-org#13406)) Synapse 1.64.0rc1 (2022-07-26) ============================== This RC removed the ability to delegate the tasks of verifying email address ownership, and password reset confirmation, to an identity server. We have also stopped building `.deb` packages for Ubuntu 21.10 as it is no longer an active version of Ubuntu. Features -------- - Improve error messages when media thumbnails cannot be served. ([\matrix-org#13038](matrix-org#13038)) - Allow pagination from remote event after discovering it from [MSC3030](matrix-org/matrix-spec-proposals#3030) `/timestamp_to_event`. ([\matrix-org#13205](matrix-org#13205)) - Add a `room_type` field in the responses for the list room and room details admin APIs. Contributed by @andrewdoh. ([\matrix-org#13208](matrix-org#13208)) - Add support for room version 10. ([\matrix-org#13220](matrix-org#13220)) - Add per-room rate limiting for room joins. For each room, Synapse now monitors the rate of join events in that room, and throttles additional joins if that rate grows too large. ([\matrix-org#13253](matrix-org#13253), [\matrix-org#13254](matrix-org#13254), [\matrix-org#13255](matrix-org#13255), [\matrix-org#13276](matrix-org#13276)) - Support Implicit TLS (TLS without using a STARTTLS upgrade, typically on port 465) for sending emails, enabled by the new option `force_tls`. Contributed by Jan Schär. ([\matrix-org#13317](matrix-org#13317)) Bugfixes -------- - Fix a bug introduced in Synapse 1.15.0 where adding a user through the Synapse Admin API with a phone number would fail if the `enable_email_notifs` and `email_notifs_for_new_users` options were enabled. Contributed by @thomasweston12. ([\matrix-org#13263](matrix-org#13263)) - Fix a bug introduced in Synapse 1.40.0 where a user invited to a restricted room would be briefly unable to join. ([\matrix-org#13270](matrix-org#13270)) - Fix a long-standing bug where, in rare instances, Synapse could store the incorrect state for a room after a state resolution. ([\matrix-org#13278](matrix-org#13278)) - Fix a bug introduced in v1.18.0 where the `synapse_pushers` metric would overcount pushers when they are replaced. ([\matrix-org#13296](matrix-org#13296)) - Disable autocorrection and autocapitalisation on the username text field shown during registration when using SSO. ([\matrix-org#13350](matrix-org#13350)) - Update locked version of `frozendict` to 2.3.3, which has fixes for memory leaks affecting `/sync`. ([\matrix-org#13284](matrix-org#13284), [\matrix-org#13352](matrix-org#13352)) Improved Documentation ---------------------- - Provide an example of using the Admin API. Contributed by @jejo86. ([\matrix-org#13231](matrix-org#13231)) - Move the documentation for how URL previews work to the URL preview module. ([\matrix-org#13233](matrix-org#13233), [\matrix-org#13261](matrix-org#13261)) - Add another `contrib` script to help set up worker processes. Contributed by @villepeh. ([\matrix-org#13271](matrix-org#13271)) - Document that certain config options were added or changed in Synapse 1.62. Contributed by @behrmann. ([\matrix-org#13314](matrix-org#13314)) - Document the new `rc_invites.per_issuer` throttling option added in Synapse 1.63. ([\matrix-org#13333](matrix-org#13333)) - Mention that BuildKit is needed when building Docker images for tests. ([\matrix-org#13338](matrix-org#13338)) - Improve Caddy reverse proxy documentation. ([\matrix-org#13344](matrix-org#13344)) Deprecations and Removals ------------------------- - Drop tables that were formerly used for groups/communities. ([\matrix-org#12967](matrix-org#12967)) - Drop support for delegating email verification to an external server. ([\matrix-org#13192](matrix-org#13192)) - Drop support for calling `/_matrix/client/v3/account/3pid/bind` without an `id_access_token`, which was not permitted by the spec. Contributed by @Vetchu. ([\matrix-org#13239](matrix-org#13239)) - Stop building `.deb` packages for Ubuntu 21.10 (Impish Indri), which has reached end of life. ([\matrix-org#13326](matrix-org#13326)) Internal Changes ---------------- - Use lower transaction isolation level when purging rooms to avoid serialization errors. Contributed by Nick @ Beeper. ([\matrix-org#12942](matrix-org#12942)) - Remove code which incorrectly attempted to reconcile state with remote servers when processing incoming events. ([\matrix-org#12943](matrix-org#12943)) - Make the AS login method call `Auth.get_user_by_req` for checking the AS token. ([\matrix-org#13094](matrix-org#13094)) - Always use a version of canonicaljson that supports the C implementation of frozendict. ([\matrix-org#13172](matrix-org#13172)) - Add prometheus counters for ephemeral events and to device messages pushed to app services. Contributed by Brad @ Beeper. ([\matrix-org#13175](matrix-org#13175)) - Refactor receipts servlet logic to avoid duplicated code. ([\matrix-org#13198](matrix-org#13198)) - Preparation for database schema simplifications: populate `state_key` and `rejection_reason` for existing rows in the `events` table. ([\matrix-org#13215](matrix-org#13215)) - Remove unused database table `event_reference_hashes`. ([\matrix-org#13218](matrix-org#13218)) - Further reduce queries used sending events when creating new rooms. Contributed by Nick @ Beeper (@Fizzadar). ([\matrix-org#13224](matrix-org#13224)) - Call the v2 identity service `/3pid/unbind` endpoint, rather than v1. Contributed by @Vetchu. ([\matrix-org#13240](matrix-org#13240)) - Use an asynchronous cache wrapper for the get event cache. Contributed by Nick @ Beeper (@Fizzadar). ([\matrix-org#13242](matrix-org#13242), [\matrix-org#13308](matrix-org#13308)) - Optimise federation sender and appservice pusher event stream processing queries. Contributed by Nick @ Beeper (@Fizzadar). ([\matrix-org#13251](matrix-org#13251)) - Log the stack when waiting for an entire room to be un-partial stated. ([\matrix-org#13257](matrix-org#13257)) - Fix spurious warning when fetching state after a missing prev event. ([\matrix-org#13258](matrix-org#13258)) - Clean-up tests for notifications. ([\matrix-org#13260](matrix-org#13260)) - Do not fail build if complement with workers fails. ([\matrix-org#13266](matrix-org#13266)) - Don't pull out state in `compute_event_context` for unconflicted state. ([\matrix-org#13267](matrix-org#13267), [\matrix-org#13274](matrix-org#13274)) - Reduce the rebuild time for the complement-synapse docker image. ([\matrix-org#13279](matrix-org#13279)) - Don't pull out the full state when creating an event. ([\matrix-org#13281](matrix-org#13281), [\matrix-org#13307](matrix-org#13307)) - Upgrade from Poetry 1.1.12 to 1.1.14, to fix bugs when locking packages. ([\matrix-org#13285](matrix-org#13285)) - Make `DictionaryCache` expire full entries if they haven't been queried in a while, even if specific keys have been queried recently. ([\matrix-org#13292](matrix-org#13292)) - Use `HTTPStatus` constants in place of literals in tests. ([\matrix-org#13297](matrix-org#13297)) - Improve performance of query `_get_subset_users_in_room_with_profiles`. ([\matrix-org#13299](matrix-org#13299)) - Up batch size of `bulk_get_push_rules` and `_get_joined_profiles_from_event_ids`. ([\matrix-org#13300](matrix-org#13300)) - Remove unnecessary `json.dumps` from tests. ([\matrix-org#13303](matrix-org#13303)) - Reduce memory usage of sending dummy events. ([\matrix-org#13310](matrix-org#13310)) - Prevent formatting changes of [matrix-org#3679](matrix-org#3679) from appearing in `git blame`. ([\matrix-org#13311](matrix-org#13311)) - Change `get_users_in_room` and `get_rooms_for_user` caches to enable pruning of old entries. ([\matrix-org#13313](matrix-org#13313)) - Validate federation destinations and log an error if a destination is invalid. ([\matrix-org#13318](matrix-org#13318)) - Fix `FederationClient.get_pdu()` returning events from the cache as `outliers` instead of original events we saw over federation. ([\matrix-org#13320](matrix-org#13320)) - Reduce memory usage of state caches. ([\matrix-org#13323](matrix-org#13323)) - Reduce the amount of state we store in the `state_cache`. ([\matrix-org#13324](matrix-org#13324)) - Add missing type hints to open tracing module. ([\matrix-org#13328](matrix-org#13328), [\matrix-org#13345](matrix-org#13345), [\matrix-org#13362](matrix-org#13362)) - Remove old base slaved store and de-duplicate cache ID generators. Contributed by Nick @ Beeper (@Fizzadar). ([\matrix-org#13329](matrix-org#13329), [\matrix-org#13349](matrix-org#13349)) - When reporting metrics is enabled, use ~8x less data to describe DB transaction metrics. ([\matrix-org#13342](matrix-org#13342)) - Faster room joins: skip soft fail checks while Synapse only has partial room state, since the current membership of event senders may not be accurately known. ([\matrix-org#13354](matrix-org#13354))
Synapse 1.64.0 (2022-08-02) =========================== No significant changes since 1.64.0rc2. Deprecation Warning ------------------- Synapse v1.66.0 will remove the ability to delegate the tasks of verifying email address ownership, and password reset confirmation, to an identity server. If you require your homeserver to verify e-mail addresses or to support password resets via e-mail, please configure your homeserver with SMTP access so that it can send e-mails on its own behalf. [Consult the configuration documentation for more information.](https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#email) Synapse 1.64.0rc2 (2022-07-29) ============================== This RC reintroduces support for `account_threepid_delegates.email`, which was removed in 1.64.0rc1. It remains deprecated and will be removed altogether in Synapse v1.66.0. ([\matrix-org#13406](matrix-org#13406)) Synapse 1.64.0rc1 (2022-07-26) ============================== This RC removed the ability to delegate the tasks of verifying email address ownership, and password reset confirmation, to an identity server. We have also stopped building `.deb` packages for Ubuntu 21.10 as it is no longer an active version of Ubuntu. Features -------- - Improve error messages when media thumbnails cannot be served. ([\matrix-org#13038](matrix-org#13038)) - Allow pagination from remote event after discovering it from [MSC3030](matrix-org/matrix-spec-proposals#3030) `/timestamp_to_event`. ([\matrix-org#13205](matrix-org#13205)) - Add a `room_type` field in the responses for the list room and room details admin APIs. Contributed by @andrewdoh. ([\matrix-org#13208](matrix-org#13208)) - Add support for room version 10. ([\matrix-org#13220](matrix-org#13220)) - Add per-room rate limiting for room joins. For each room, Synapse now monitors the rate of join events in that room, and throttles additional joins if that rate grows too large. ([\matrix-org#13253](matrix-org#13253), [\matrix-org#13254](matrix-org#13254), [\matrix-org#13255](matrix-org#13255), [\matrix-org#13276](matrix-org#13276)) - Support Implicit TLS (TLS without using a STARTTLS upgrade, typically on port 465) for sending emails, enabled by the new option `force_tls`. Contributed by Jan Schär. ([\matrix-org#13317](matrix-org#13317)) Bugfixes -------- - Fix a bug introduced in Synapse 1.15.0 where adding a user through the Synapse Admin API with a phone number would fail if the `enable_email_notifs` and `email_notifs_for_new_users` options were enabled. Contributed by @thomasweston12. ([\matrix-org#13263](matrix-org#13263)) - Fix a bug introduced in Synapse 1.40.0 where a user invited to a restricted room would be briefly unable to join. ([\matrix-org#13270](matrix-org#13270)) - Fix a long-standing bug where, in rare instances, Synapse could store the incorrect state for a room after a state resolution. ([\matrix-org#13278](matrix-org#13278)) - Fix a bug introduced in v1.18.0 where the `synapse_pushers` metric would overcount pushers when they are replaced. ([\matrix-org#13296](matrix-org#13296)) - Disable autocorrection and autocapitalisation on the username text field shown during registration when using SSO. ([\matrix-org#13350](matrix-org#13350)) - Update locked version of `frozendict` to 2.3.3, which has fixes for memory leaks affecting `/sync`. ([\matrix-org#13284](matrix-org#13284), [\matrix-org#13352](matrix-org#13352)) Improved Documentation ---------------------- - Provide an example of using the Admin API. Contributed by @jejo86. ([\matrix-org#13231](matrix-org#13231)) - Move the documentation for how URL previews work to the URL preview module. ([\matrix-org#13233](matrix-org#13233), [\matrix-org#13261](matrix-org#13261)) - Add another `contrib` script to help set up worker processes. Contributed by @villepeh. ([\matrix-org#13271](matrix-org#13271)) - Document that certain config options were added or changed in Synapse 1.62. Contributed by @behrmann. ([\matrix-org#13314](matrix-org#13314)) - Document the new `rc_invites.per_issuer` throttling option added in Synapse 1.63. ([\matrix-org#13333](matrix-org#13333)) - Mention that BuildKit is needed when building Docker images for tests. ([\matrix-org#13338](matrix-org#13338)) - Improve Caddy reverse proxy documentation. ([\matrix-org#13344](matrix-org#13344)) Deprecations and Removals ------------------------- - Drop tables that were formerly used for groups/communities. ([\matrix-org#12967](matrix-org#12967)) - Drop support for delegating email verification to an external server. ([\matrix-org#13192](matrix-org#13192)) - Drop support for calling `/_matrix/client/v3/account/3pid/bind` without an `id_access_token`, which was not permitted by the spec. Contributed by @Vetchu. ([\matrix-org#13239](matrix-org#13239)) - Stop building `.deb` packages for Ubuntu 21.10 (Impish Indri), which has reached end of life. ([\matrix-org#13326](matrix-org#13326)) Internal Changes ---------------- - Use lower transaction isolation level when purging rooms to avoid serialization errors. Contributed by Nick @ Beeper. ([\matrix-org#12942](matrix-org#12942)) - Remove code which incorrectly attempted to reconcile state with remote servers when processing incoming events. ([\matrix-org#12943](matrix-org#12943)) - Make the AS login method call `Auth.get_user_by_req` for checking the AS token. ([\matrix-org#13094](matrix-org#13094)) - Always use a version of canonicaljson that supports the C implementation of frozendict. ([\matrix-org#13172](matrix-org#13172)) - Add prometheus counters for ephemeral events and to device messages pushed to app services. Contributed by Brad @ Beeper. ([\matrix-org#13175](matrix-org#13175)) - Refactor receipts servlet logic to avoid duplicated code. ([\matrix-org#13198](matrix-org#13198)) - Preparation for database schema simplifications: populate `state_key` and `rejection_reason` for existing rows in the `events` table. ([\matrix-org#13215](matrix-org#13215)) - Remove unused database table `event_reference_hashes`. ([\matrix-org#13218](matrix-org#13218)) - Further reduce queries used sending events when creating new rooms. Contributed by Nick @ Beeper (@Fizzadar). ([\matrix-org#13224](matrix-org#13224)) - Call the v2 identity service `/3pid/unbind` endpoint, rather than v1. Contributed by @Vetchu. ([\matrix-org#13240](matrix-org#13240)) - Use an asynchronous cache wrapper for the get event cache. Contributed by Nick @ Beeper (@Fizzadar). ([\matrix-org#13242](matrix-org#13242), [\matrix-org#13308](matrix-org#13308)) - Optimise federation sender and appservice pusher event stream processing queries. Contributed by Nick @ Beeper (@Fizzadar). ([\matrix-org#13251](matrix-org#13251)) - Log the stack when waiting for an entire room to be un-partial stated. ([\matrix-org#13257](matrix-org#13257)) - Fix spurious warning when fetching state after a missing prev event. ([\matrix-org#13258](matrix-org#13258)) - Clean-up tests for notifications. ([\matrix-org#13260](matrix-org#13260)) - Do not fail build if complement with workers fails. ([\matrix-org#13266](matrix-org#13266)) - Don't pull out state in `compute_event_context` for unconflicted state. ([\matrix-org#13267](matrix-org#13267), [\matrix-org#13274](matrix-org#13274)) - Reduce the rebuild time for the complement-synapse docker image. ([\matrix-org#13279](matrix-org#13279)) - Don't pull out the full state when creating an event. ([\matrix-org#13281](matrix-org#13281), [\matrix-org#13307](matrix-org#13307)) - Upgrade from Poetry 1.1.12 to 1.1.14, to fix bugs when locking packages. ([\matrix-org#13285](matrix-org#13285)) - Make `DictionaryCache` expire full entries if they haven't been queried in a while, even if specific keys have been queried recently. ([\matrix-org#13292](matrix-org#13292)) - Use `HTTPStatus` constants in place of literals in tests. ([\matrix-org#13297](matrix-org#13297)) - Improve performance of query `_get_subset_users_in_room_with_profiles`. ([\matrix-org#13299](matrix-org#13299)) - Up batch size of `bulk_get_push_rules` and `_get_joined_profiles_from_event_ids`. ([\matrix-org#13300](matrix-org#13300)) - Remove unnecessary `json.dumps` from tests. ([\matrix-org#13303](matrix-org#13303)) - Reduce memory usage of sending dummy events. ([\matrix-org#13310](matrix-org#13310)) - Prevent formatting changes of [matrix-org#3679](matrix-org#3679) from appearing in `git blame`. ([\matrix-org#13311](matrix-org#13311)) - Change `get_users_in_room` and `get_rooms_for_user` caches to enable pruning of old entries. ([\matrix-org#13313](matrix-org#13313)) - Validate federation destinations and log an error if a destination is invalid. ([\matrix-org#13318](matrix-org#13318)) - Fix `FederationClient.get_pdu()` returning events from the cache as `outliers` instead of original events we saw over federation. ([\matrix-org#13320](matrix-org#13320)) - Reduce memory usage of state caches. ([\matrix-org#13323](matrix-org#13323)) - Reduce the amount of state we store in the `state_cache`. ([\matrix-org#13324](matrix-org#13324)) - Add missing type hints to open tracing module. ([\matrix-org#13328](matrix-org#13328), [\matrix-org#13345](matrix-org#13345), [\matrix-org#13362](matrix-org#13362)) - Remove old base slaved store and de-duplicate cache ID generators. Contributed by Nick @ Beeper (@Fizzadar). ([\matrix-org#13329](matrix-org#13329), [\matrix-org#13349](matrix-org#13349)) - When reporting metrics is enabled, use ~8x less data to describe DB transaction metrics. ([\matrix-org#13342](matrix-org#13342)) - Faster room joins: skip soft fail checks while Synapse only has partial room state, since the current membership of event senders may not be accurately known. ([\matrix-org#13354](matrix-org#13354)) # -----BEGIN PGP SIGNATURE----- # # iQIzBAABCgAdFiEE8SRSDO7gYkSP4chELS76LzL74EcFAmLo+zIACgkQLS76LzL7 # 4EehbRAAronXZtWM+ViMxPsiDj70KXYOKK117pGXK5XGf3Tyqb/vExA7c7bfimyW # d3FW855fe27AMsSfcMGDpxhggVa8sZDSdvQumt5jqDXrzC348mW/FYtgcYOxkoIa # Hh2/7V26CxWFsv8eVF3hwpualelT9lp2sedWXCQtdAkcQoWs2JwBsnoxSDliDZHg # jc4mBFBAkah5CJ3bcZuZXRsr9doKxDOAXUv19RXhdwEGO82mpSbwQ8P0mcw2S8zr # aAVza7jkVAza6ahg9qE0lMpi8uYE9/mt5JBnfrv/JxC7ZZfBg9jyHKaxFrzpjFsj # 3g0jhqzcNxRskD1sk1GKGVy7D9oTg1WVpii5l3M93KguSDLKxomouhgekWOxMPBe # 43xVdDI13ohsex+1QBnGnTSP7jZcfODnfvzSdyHQv6ef4k+OplRdfMA0QjkUcI5j # ocJlkm2D02vw1mnU3hHNdw9ri3vkaS1Qwfsz3ZEYgn6OcZOeKAWn351WMXF/F1fm # HYeQ5uMud+i+EekBtR8Op9ZICHt9Ogp49172enlSGzeyeD3yUk5HMAMrzJfmsp3W # /LCCONkRrV+R8TRByUQE9YtqxUgn+eSgB5Ew/2C/WB54pZHtco+rPqkY1Bhan4QJ # LeZTuzDKeXzgho1D5b4quEC2AWAqz3GeIvEVuOZCt8rJoMMRslg= # =RRRX # -----END PGP SIGNATURE----- # gpg: Signature made Tue Aug 2 11:23:46 2022 BST # gpg: using RSA key F124520CEEE062448FE1C8442D2EFA2F32FBE047 # gpg: Can't check signature: No public key # Conflicts: # synapse/rest/client/read_marker.py # synapse/rest/client/receipts.py # synapse/storage/databases/main/events_worker.py # synapse/storage/databases/main/purge_events.py # tests/rest/client/test_rooms.py # tests/storage/test_event_push_actions.py
Delegating email validation to an IS is insecure (since it allows the owner of the IS to do a password reset on your HS), and has long been discouraged. It will now cause a config error at startup.
Part of #5881. Reviewable commit-by-commit.