JEMH can support remote email users that don't have either (a) right to use, or even (b) any JIRA account at all. Until now there has been an issue with 'snooping' in that it was possible for anyone to mail the inbox with a speculative issue key (eg ABC-123) that would trigger JEMH to join that user into the conversation, some may argue this a feature, some a security risk.
As of 1.2.31
JEMH can be enabled to allow anyone to create issues by having an actual JIRA user set as the reporter to be used for the creation, and to create a specific TEXT (unlimited) Custom Field for storing email addresses. On issue creation, all non JIRA account holder email addresses (including the sender) are stored in this NON JIRA email address custom field. Optionally, the actual creator email address and 'personal' part of the email address can be stored in a separate custom fields.
The only way to restrict issue creation is by whitelisting specific domains as acceptable, or blacklisting ones as not.
The JEMH approach to security is through a buddy system based on trust. For example, the original email:
To: jira@yourco.net From: me@myplace.com Cc: bill@otherplace.com |
jira@yourco.net is the JEMH inbound mail address
With this email used to create, there are only two categories of people who can get involved with the issue by email:
So, an email from bill@otherplace.com will work, but dave@otherplace.com will not. Bill can invite Dave/anyone else by making then additional recipients in an email that gets processed by JEMH:
To: jira@yourco.net From: bill@otherplace.com Cc: dave@otherplace.com |
or
To: jira@yourco.net, dave@otherplace.com From: bill@otherplace.com |
In this way JEMH works on invitation only.