@@ -78,52 +78,160 @@ for example:
7878
7979===================
8080
81- Config options
82- --------------
83-
84- **Note: Registration by email address or phone number will not work in this release unless
85- some config options are changed from their defaults. **
86-
87- This is due to Synapse v1.4.0 now defaulting to sending registration and password reset tokens
88- itself. This is for security reasons as well as putting less reliance on identity servers.
89- However, currently Synapse only supports sending emails, and does not have support for
90- phone-based password reset or account registration. If Synapse is configured to handle these on
91- its own, phone-based password resets and registration will be disabled. For Synapse to send
92- emails, the ``email `` block of the config must be filled out. If not, then password resets and
93- registration via email will be disabled entirely.
94-
95- This release also deprecates the ``email.trust_identity_server_for_password_resets `` option and
96- replaces it with the ``account_threepid_delegates `` dictionary. This option defines whether the
97- homeserver should delegate an external server (typically an `identity server
98- <https://matrix.org/docs/spec/identity_service/r0.2.1> `_) to handle sending password reset or
99- registration messages via email and SMS.
100-
101- If ``email.trust_identity_server_for_password_resets `` is set to ``true ``, and
102- ``account_threepid_delegates.email `` is not set, then the first entry in
103- ``trusted_third_party_id_servers `` will be used as the account threepid delegate for email.
104- This is to ensure compatibility with existing Synapse installs that set up external server
105- handling for these tasks before v1.4.0. If ``email.trust_identity_server_for_password_resets ``
106- is ``true `` and no trusted identity server domains are configured, Synapse will throw an error.
81+ New custom templates
82+ --------------------
10783
108- If `` email.trust_identity_server_for_password_resets `` is `` false `` or absent and a threepid
109- type in `` account_threepid_delegates `` is not set to a domain, then Synapse will attempt to
110- send password reset and registration messages for that type .
84+ If you have configured a custom template directory with the
85+ `` email.template_dir `` option, be aware that there are new templates regarding
86+ registration and threepid management (see below) that must be included .
11187
112- Email templates
113- ---------------
88+ * ``registration.html `` and ``registration.txt ``
89+ * ``registration_success.html `` and ``registration_failure.html ``
90+ * ``add_threepid.html `` and ``add_threepid.txt ``
91+ * ``add_threepid_failure.html `` and ``add_threepid_success.html ``
11492
115- If you have configured a custom template directory with the `` email.template_dir `` option, be
116- aware that there are new templates regarding registration. `` registration.html `` and
117- `` registration.txt `` have been added and contain the content that is sent to a client upon
118- registering via an email address .
93+ Synapse will expect these files to exist inside the configured template
94+ directory, and ** will fail to start ** if they are absent.
95+ To view the default templates, see ` synapse/res/templates
96+ <https://github.com/matrix-org/synapse/tree/master/synapse/res/templates> `_ .
11997
120- ``registration_success.html `` and ``registration_failure.html `` are also new HTML templates
121- that will be shown to the user when they click the link in their registration emai , either
122- showing them a success or failure page (assuming a redirect URL is not configured).
98+ 3pid verification changes
99+ -------------------------
100+
101+ **Note: As of this release, users will be unable to add phone numbers or email
102+ addresses to their accounts, without changes to the Synapse configuration. This
103+ includes adding an email address during registration. **
104+
105+ It is possible for a user to associate an email address or phone number
106+ with their account, for a number of reasons:
107+
108+ * for use when logging in, as an alternative to the user id.
109+ * in the case of email, as an alternative contact to help with account recovery.
110+ * in the case of email, to receive notifications of missed messages.
111+
112+ Before an email address or phone number can be added to a user's account,
113+ or before such an address is used to carry out a password-reset, Synapse must
114+ confirm the operation with the owner of the email address or phone number.
115+ It does this by sending an email or text giving the user a link or token to confirm
116+ receipt. This process is known as '3pid verification'. ('3pid', or 'threepid',
117+ stands for third-party identifier, and we use it to refer to external
118+ identifiers such as email addresses and phone numbers.)
119+
120+ Previous versions of Synapse delegated the task of 3pid verification to an
121+ identity server by default. In most cases this server is ``vector.im `` or
122+ ``matrix.org ``.
123+
124+ In Synapse 1.4.0, for security and privacy reasons, the homeserver will no
125+ longer delegate this task to an identity server by default. Instead,
126+ the server administrator will need to explicitly decide how they would like the
127+ verification messages to be sent.
128+
129+ In the medium term, the ``vector.im `` and ``matrix.org `` identity servers will
130+ disable support for delegated 3pid verification entirely. However, in order to
131+ ease the transition, they will retain the capability for a limited
132+ period. Delegated email verification will be disabled on Monday 2nd December
133+ 2019 (giving roughly 2 months notice). Disabling delegated SMS verification
134+ will follow some time after that once SMS verification support lands in
135+ Synapse.
136+
137+ Once delegated 3pid verification support has been disabled in the ``vector.im `` and
138+ ``matrix.org `` identity servers, all Synapse versions that depend on those
139+ instances will be unable to verify email and phone numbers through them. There
140+ are no imminent plans to remove delegated 3pid verification from Sydent
141+ generally. (Sydent is the identity server project that backs the ``vector.im `` and
142+ ``matrix.org `` instances).
123143
124- Synapse will expect these files to exist inside the configured template directory. To view the
125- default templates, see `synapse/res/templates
126- <https://github.com/matrix-org/synapse/tree/master/synapse/res/templates> `_.
144+ Email
145+ ~~~~~
146+ Following upgrade, to continue verifying email (e.g. as part of the
147+ registration process), admins can either:-
148+
149+ * Configure Synapse to use an email server.
150+ * Run or choose an identity server which allows delegated email verification
151+ and delegate to it.
152+
153+ Configure SMTP in Synapse
154+ +++++++++++++++++++++++++
155+
156+ To configure an SMTP server for Synapse, modify the configuration section
157+ headed ``email ``, and be sure to have at least the ``smtp_host, smtp_port ``
158+ and ``notif_from `` fields filled out.
159+
160+ You may also need to set ``smtp_user ``, ``smtp_pass ``, and
161+ ``require_transport_security ``.
162+
163+ See the `sample configuration file <docs/sample_config.yaml >`_ for more details
164+ on these settings.
165+
166+ Delegate email to an identity server
167+ ++++++++++++++++++++++++++++++++++++
168+
169+ Some admins will wish to continue using email verification as part of the
170+ registration process, but will not immediately have an appropriate SMTP server
171+ at hand.
172+
173+ To this end, we will continue to support email verification delegation via the
174+ ``vector.im `` and ``matrix.org `` identity servers for two months. Support for
175+ delegated email verification will be disabled on Monday 2nd December.
176+
177+ The ``account_threepid_delegates `` dictionary defines whether the homeserver
178+ should delegate an external server (typically an `identity server
179+ <https://matrix.org/docs/spec/identity_service/r0.2.1> `_) to handle sending
180+ confirmation messages via email and SMS.
181+
182+ So to delegate email verification, in ``homeserver.yaml ``, set
183+ ``account_threepid_delegates.email `` to the base URL of an identity server. For
184+ example:
185+
186+ .. code :: yaml
187+
188+ account_threepid_delegates :
189+ email : https://example.com # Delegate email sending to example.com
190+
191+ account_threepid_delegates.email `` replaces the deprecated
192+ ``email.trust_identity_server_for_password_resets ``: if
193+ ``email.trust_identity_server_for_password_resets `` is set to ``true ``, and
194+ ``account_threepid_delegates.email `` is not set, then the first entry in
195+ ``trusted_third_party_id_servers `` will be used as the
196+ ``account_threepid_delegate `` for email. This is to ensure compatibility with
197+ existing Synapse installs that set up external server handling for these tasks
198+ before v1.4.0. If ``email.trust_identity_server_for_password_resets `` is
199+ ``true `` and no trusted identity server domains are configured, Synapse will
200+ report an error and refuse to start.
201+
202+ If ``email.trust_identity_server_for_password_resets `` is ``false `` or absent
203+ and no ``email `` delegate is configured in ``account_threepid_delegates ``,
204+ then Synapse will send email verification messages itself, using the configured
205+ SMTP server (see above).
206+ that type.
207+
208+ Phone numbers
209+ ~~~~~~~~~~~~~
210+
211+ Synapse does not support phone-number verification itself, so the only way to
212+ maintain the ability for users to add phone numbers to their accounts will be
213+ by continuing to delegate phone number verification to the ``matrix.org `` and
214+ ``vector.im `` identity servers (or another identity server that supports SMS
215+ sending).
216+
217+ The ``account_threepid_delegates `` dictionary defines whether the homeserver
218+ should delegate an external server (typically an `identity server
219+ <https://matrix.org/docs/spec/identity_service/r0.2.1> `_) to handle sending
220+ confirmation messages via email and SMS.
221+
222+ So to delegate phone number verification, in ``homeserver.yaml ``, set
223+ ``account_threepid_delegates.msisdn `` to the base URL of an identity
224+ server. For example:
225+
226+ .. code :: yaml
227+
228+ account_threepid_delegates :
229+ msisdn : https://example.com # Delegate sms sending to example.com
230+
231+ matrix.org `` and ``vector.im `` identity servers will continue to support
232+ delegated phone number verification via SMS until such time as it is possible
233+ for admins to configure their servers to perform phone number verification
234+ directly. More details will follow in a future release.
127235
128236Rolling back to v1.3.1
129237----------------------
@@ -140,7 +248,8 @@ v1.3.1, subject to the following:
140248 The room statistics are essentially unused in v1.3.1 (in future versions of
141249 Synapse, they will be used to populate the room directory), so there should
142250 be no loss of functionality. However, the statistics engine will write errors
143- to the logs, which can be avoided by setting the following in `homeserver.yaml `:
251+ to the logs, which can be avoided by setting the following in
252+ `homeserver.yaml `:
144253
145254 .. code :: yaml
146255
0 commit comments