EMAIL NOTIFICATION SECURITY ISSUE

Ivan Audero August 6, 2020

Good morning,

Today I stepped into a strange but huge problem.

I modified a document in Confluence. This document contained an HTML table with LOTS OF PRIVATE DATA. I also configured a mail server to send notifications about that project.

This morning, my colleague received the HTML table via mail, IN THE CLEAR WITHOUT REQUESTING A PASSWORD. That means that if someone intercepted my message, they could read the WHOLE MESSAGE WITHOUT CREDENTIALS.

Is this the default behavior? Is this, in your opinion, something acceptable in an on premise solution?

I am very disappointed; this cost me a lot of time and money to recover from this situation.


Now I have removed the mail server configuration, but what I was expecting was that if you send a notification, you send A SIMPLE LINK, WITH AN INTERNAL ADDRESS, WHICH WILL REQUEST A USERNAME AND PASSWORD TO SEE THE MODIFICATION! NOT A CLEAR HTML TABLE AS THE CONTENT OF THE EMAIL! THIS MAKES NO SENSE AT ALL!

1 answer

0 votes
Nic Brough -Adaptavist-
Community Leader
August 6, 2020

I am not sure why you thought you would get an email with a link. Confluence has always sent full notes on all modifications via email, in line with what the documentation says it will.

It's the off-the-shelf behaviour which every end user expects. I've never heard anyone else expecting anything different; you're the first I've seen have a problem with it. It is absolutely "acceptable" to do this.

If you have private data you don't want to send to people, then you need to hide it on the page - it's visible there already so an email isn't exposing anything new.

If you don't want this behaviour, consider turning off emails, at least until you have the time to go edit the templates (i.e. code) on the server that generates them.

Ivan Audero August 6, 2020

It is not difficult to understand why.

Emails are out of the domain of Confluence. If the user with email xxx@xxx.com has access to Confluence documents, that doesn't mean that I want to send him BY DEFAULT every modification I perform on that document IN THE CLEAR through email. Notification means "hey, someone updated the document", not "here's the modification, so that everyone who intercepts the message can read it".

To be strict, this isn't even a notification, it is an attachment! So, the correct way to call it is "send an attachment of the document every time you modify it". It is absurd that this is the default behaviour.

Following your reasoning, there's no need to even ask the user to log in: the software will send everything in the clear over the internet to notify the user of every modification!

So, the fact is:

- I bought a software on premise, in order NOT to spread my data over the network

- I configured a mail server for possible future tasks

- By default, you spread my data over the network


I repeat, that doesn't make any sense, even if no one ever had problems with it.

If someone hacks my Confluence server, of course I will lose all my data.

If someone hacks my mail (which is not even under my domain), I do not want to lose Confluence data.


Is it a bit clearer now?

Thiago Masutti
Atlassian Team
August 6, 2020

Hi @Ivan Audero 

This is indeed default functionality in Confluence when an SMTP server is enabled: Email Notifications.

This option is configurable for each user under their profile settings, where they can turn it off.

There's an open feature request to make it possible to easily disable this site-wide, which is reported in CONFSERVER-43671 .

There's also a workaround to disable this functionality for all users by modifying their profile options directly in the database: How to disable Show Changed Content to all users .

Ivan Audero August 6, 2020

Ok. Anyway, in particular with on premise solutions, this should not be default.

On premise means that I don't want my data to be outside of my company. If you send the whole document I'm modifying in the body of the email, it is pointless to have an on-premise architecture.

And anyway, in my opinion, if I modify a document, I DO NOT WANT to spread the modification via mail. I thought this should be the default. Otherwise, if someone accidentally steps into my mail, they are automatically looking at Confluence private data that is protected by username and password.

I want to remark again that this behaviour (even more dangerously, by default) is absolutely out of any security logic.


By the way, I have now removed the SMTP server, and I will probably never activate it again because I am frightened that by default it will send some confidential data over the internet.


Regards.

Nic Brough -Adaptavist-
Community Leader
August 6, 2020

I don't understand where you've got this idea from.

The default is what everybody (except you) assumes it should be. A notification that something has changed goes out with the details of that change to anyone who has access to see the object and has enabled the notification.

This is normal, assumed and expected by everyone. That's why it's the default.

It is not a security issue. If you believe it is, then you're looking at the wrong attack vectors: the communication between a system and known permitted users is not the problem, it's whatever it is that you're allowing attackers to intercept.

Thiago Masutti
Atlassian Team
August 6, 2020

Hi @Ivan Audero 

I understand your point and it makes a lot of sense.

I've updated the feature request ticket with additional information on how this affects your business which will be helpful for the product team.

Regarding SMTP notifications, if it becomes important to your organization in the future, Confluence can be customized to meet your needs if the default configuration doesn't.

The workaround I've shared with you in the previous comment may help you to keep notifying users about changes in the pages, without sharing the modified content -- just a link to the page will be sent in the email body.

Users can also choose to not notify page/space watchers when publishing new versions of a page. See Watch Pages, Spaces and Blogs :

You'll receive email notifications for:

  • Page / blog post edits (unless the author clears the 'Notify watchers' check box).
  • Deletions.
  • Attachments, including new versions or deletions of an existing attachment.
  • Comments, including new comments or deletions of existing comments.

By default, Confluence will assign you as a watcher of any page or blog post that you create or edit. This behavior is called 'autowatch'. 


You can also enforce this as the default behaviour when someone makes a change to a page, following similar instructions to those in How to uncheck 'Notify watchers' check box on Confluence editor by default .


Kind regards
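Before re-enabling SMTP after applying a workaround like the ones above, a practitioner would want to confirm that what actually leaves the server is link-only. The following is an added example, not code from this thread or from Atlassian: it parses a captured notification (raw RFC 5322 bytes, e.g. saved from the recipient's mailbox or a test SMTP sink) and reports whether the body carries page content rather than just a link. The heuristics (table or diff markup, dotted-quad addresses as in the poster's case, volume of free text) are assumptions of this example, and both sample messages are constructed.

```python
"""Audit a captured Confluence-style notification e-mail for embedded page content.

Added example, not code from the thread or from Atlassian. Assumes the message
is available as raw RFC 5322 bytes. The two sample messages below are constructed.
"""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# A link-only notification needs little text beyond "X edited Y" and the URL (assumed threshold).
MAX_FREE_TEXT_CHARS = 200


class _HtmlInspector(HTMLParser):
    """Collects visible text, hrefs and tag names from an HTML body."""

    def __init__(self):
        super().__init__()
        self.text = []
        self.hrefs = []
        self.tags = set()

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)

    def handle_data(self, data):
        self.text.append(data)


def notification_findings(raw: bytes) -> list[str]:
    """Return the reasons the message carries more than a link; empty means link-only.

    Heuristics: table/diff markup, IPv4 literals in the visible text, and the
    amount of visible text left once the URLs themselves are removed.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return ["no text body found"]
    content = body.get_content()
    findings = []
    if body.get_content_type() == "text/html":
        inspector = _HtmlInspector()
        inspector.feed(content)
        text = " ".join(inspector.text)
        hrefs = inspector.hrefs
        # A rendered diff or copied page section shows up as table or ins/del markup.
        for tag in ("table", "ins", "del"):
            if tag in inspector.tags:
                findings.append(f"body contains <{tag}> markup")
    else:
        text = content
        hrefs = re.findall(r"https?://\S+", content)
    # Sensitive-looking literals in the visible text (the thread's case: company IP addresses).
    for ip in sorted(set(IPV4_RE.findall(text))):
        findings.append(f"body exposes IPv4 address {ip}")
    # Free text volume after removing the URLs themselves.
    for href in hrefs:
        text = text.replace(href, "")
    free_text = re.sub(r"\s+", " ", text).strip()
    if len(free_text) > MAX_FREE_TEXT_CHARS:
        findings.append(f"{len(free_text)} chars of body text beyond the link(s)")
    return findings


def constructed_notification(html: str) -> bytes:
    """Build a minimal HTML notification message (constructed test data, hypothetical addresses)."""
    msg = EmailMessage()
    msg["From"] = "confluence@wiki.example.test"
    msg["To"] = "colleague@example.test"
    msg["Subject"] = "[Confluence] Ops > Server inventory edited"
    msg.set_content(html, subtype="html")
    return msg.as_bytes()


PAGE_URL = "https://wiki.example.test/pages/viewpage.action?pageId=1234"

# Default-style notification: the changed table is embedded in the body (constructed).
LEAKY_MESSAGE = constructed_notification(
    "<html><body><p>Ivan edited this page.</p>"
    "<table><tr><th>Host</th><th>IP</th></tr>"
    "<tr><td>db01</td><td>10.20.30.41</td></tr>"
    "<tr><td>vpn01</td><td>192.0.2.17</td></tr></table>"
    f'<p><a href="{PAGE_URL}">View page</a></p></body></html>'
)

# Link-only notification: the body says that something changed, not what (constructed).
LINK_ONLY_MESSAGE = constructed_notification(
    "<html><body><p>Ivan edited this page.</p>"
    f'<p><a href="{PAGE_URL}">View the change (login required)</a></p></body></html>'
)

if __name__ == "__main__":
    for name, raw in (("default", LEAKY_MESSAGE), ("link-only", LINK_ONLY_MESSAGE)):
        print(name, notification_findings(raw) or ["link-only: OK"])
```

Run it against a real captured message by reading the file as bytes and passing it to `notification_findings`; a non-empty list means the "Show Changed Content" style body is still being sent. The thresholds are deliberately simple, so treat an empty result as a sanity check rather than proof that no content leaks.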

Ivan Audero August 6, 2020

@Nic Brough -Adaptavist- I don't know if it is clear that IN AN ON PREMISE ENVIRONMENT, BY DEFAULT I DO NOT WANT TO SEND DATA OVER THE INTERNET. I just want people inside my company to log in to a web page, with specific credentials, and see specific documents.

Ok, my fault that I configured an SMTP server for testing purposes.

But usually, when I have to share some updates via email, I NEVER SEND the document as an attachment, since it can be intercepted in any possible way; I send instead a link to an internal resource. So, to steal that resource, you first must get into my organization, and I believe that this is more difficult than intercepting an email travelling all over the network.

This MUST be the default behavior, there is no other option. This must also be the default behavior of any cautious user, unless you are sharing stupid data (but buying Confluence to share stupid data seems out of context, I guess).

And as @Thiago Masutti said, this makes A LOT OF SENSE! 

I know it can be customized in any way, but since this caused a big loss for our company, I am just criticizing the default option.

- I set up a document with all my company IP addresses, and shared it with my colleague

- Put it on a private server, and gave him a Confluence username/password

- Added one row

- Automatically sent an email all over the world with the content in the clear to the user, just because I had configured an SMTP server.

Absurd!

Nic Brough -Adaptavist-
Community Leader
August 6, 2020

It's perfectly clear what you are saying, my point is that you're making an assumption that is wrong.

A system that notifies people of change will generally be expected to send those notifications out, and most people expect them to explain the change so they don't have to go visit the system to find out what has changed.

Confluence does this with email by default.

The default behaviour for any system should be to do what the users expect it to do. Not try to satisfy some non-standard security concern that is actually a weakness in other systems.

>Automatically sent an email all over the world with the content in clear to the user,

That's another point. First, it only sent the mail to people you have told it are allowed to see the content. Secondly, it's up to you to secure your mail services, not the service.

Ivan Audero August 6, 2020

@Nic Brough -Adaptavist- we will never agree on this point, and I think it is useless to go further. It's quite evident that we have completely different concepts of "default behaviour".

Anyway, thank you for the time you dedicated to me. I will turn off mail notifications, or to be more precise, I will delete the SMTP server configuration, so that I am sure that no information is running free on the web :-)

I think the approach shown by Thiago is more reasonable than yours, but these are just points of view.

I will pay more attention in the future to notifications, hoping that also Confluence will do that, in particular with on premise solutions.

In the end, allow me at least this: if I configure an SMTP server, that doesn't mean I want to send updates by default. That usually means that I could configure notifications in the future.

Anyway, I don't want to persuade anyone. You will keep your ideas, and I'll keep mine.

Bye!

Deployment type: Server