matrix-org / synapse

Synapse: Matrix homeserver written in Python/Twisted.
https://matrix-org.github.io/synapse
Apache License 2.0

Homeserver invites leak information to 3rd parties #3414

Closed cheribral closed 4 years ago

cheribral commented 6 years ago

Description

Set up a home server using the instructions from the README on GitHub for a source install.

Steps to reproduce

When I did this, I didn't like the email I received, so I thought I would go in and adjust the templates I saw while browsing the code on GitHub. To my surprise, there were no templates installed on the server.

Looking more closely, the homeserver is POSTing requests to Cloudflare with user email addresses and then the emails are coming back from matrix.org.

For all the talk about being concerned about privacy, this seems like a really disingenuous default configuration. Perhaps I don't understand how things are supposed to work, but I would say this certainly is not the principle of least surprise.
This is even more surprising because the "source" has a res directory with email templates, but your instructions for a source install don't include it.

I don't think it is far-fetched, especially after seeing a directory full of email templates during a brief browse on GitHub, to assume that a homeserver would send emails from my server for invites to people who are going to chat on my server.

Emails should come from the homeserver, or this behaviour should be more clearly documented either in the config or the install instructions.

buckle2000 commented 6 years ago

Where is the URL of the POST request?

ara4n commented 6 years ago

3rd party invites are done via identity servers; the default one for Riot is vector.im; other clients default to matrix.org. You could always run your own identity server to mitigate this, however.

buckle2000 commented 6 years ago

@ara4n thanks.

So we have synapse, sydent. What else?

buckle2000 commented 6 years ago

I also wasn't sure how a Matrix server can swarm.

cheribral commented 6 years ago

Thank you @ara4n, that's good to know. What confuses me yet is that I had commented out all the trusted identity servers. Should that have stopped the request from going out?

Anyway, apart from the surprises mentioned above, the install of the server is quite simple, everything important "just worked" after following the instructions, and I had a lovely conversation this weekend using it, so thank you for that!

maxidorius commented 5 years ago

@cheribral @buckle2000 mxisd is a self-hosted Identity server implementation that can help you with all this.

richvdh commented 4 years ago

I believe this is now fixed as part of the privacy work which landed in synapse 1.4.0 (and riot-web v1.4.0). Sending an email invitation requires you to explicitly choose an identity server.