Is this really fixed? We're experiencing the exact same behaviour on a current release JSD.

Customers cannot create other customers by CC'ing but Agents still do. Am I missing something?

We have exactly same problem, can you please describe how / where the  feature flag "sd.agent.always.can.invite.customer" should be set on the server ?

Thanks Matthew, we are looking forward to it!

In 3.5.0 there will be a setting on Email Requests page to allow global configuration of this for all Service Desk Mail Handlers on the instance.

@juakali

Hi, the Description of the Option of the Incoming Mail Handler is "If a message comes from an unrecognised address, create a new JIRA user with the user name and email address set to the 'From' address of the message.
The password for the new user is randomly generated, and an email is sent to the new user informing them about their new account in JIRA.". In my eyes this is the exactly same behaviour as in the Service Desk Functionality. But nevertheless, I don't see any difference in Customer/User like you say. In my understanding every Customer is a User, but not every User is a Customer. When a, like you say, Customer is created via Service Desk Mail this customer is in fact a user in the JIRA Internal Directory as you may find out. The only thing that makes it a customer is that it has Access to the Service Desk which created the user. But you could give it access to every other Servicedesk or plain JIRA Projects too. Knowing this I would say that it is not right that Customers of a Service Desk don't count in the licensing of Jira. Anyway I don't know if users which are created by the Incoming Mail Handler also get access to the Project/Servicedesk the issue was created in. I simply didn't test it because we don't want any users to be created by mail so didn't use this option. You're welcome to do so and I would like to hear the answer if you have it

Greetings!

Hi, I like the tip above, but, is that automation creating new users or new customers? You can quickly add a lot of users to JIRA Core and various products which will have a tremendous effect on the pricing of the products as well as any add-ons. The JIRA Service Desk emal handler will add them as customers, which are of no consequence to any licensing in regards to JIRA Service Desk.

For us this is also an issue. We need the possibility to switch off this behaviour because we want the control about which users are created and no uncontrollable automatism.

For now we habe a workaround which will do for now, but generates much effort to do the trick. You also need to jump through some loopholes..

1.  Don't use the Service Desks E-Mail-Request-Feature, use the Basic JIRA Incoming Mail Handler instead
2. Add the Post-Box you want to use for the Servicedesk
3. Add a Handler using this Postbox. Set that every new mail creates a new issue
4. Set the Project you want the issue to be created in + the issue type you used before for E-Mail-Requests. The other options can be set as you like. Note that you can choose her if users that are e.g. in CC should be created. This is exactly what we want for the Service Desk
5. Finish the Wizard
6. For the next step you need the free JIRA Automation Plugin
7. Create a new Automation Rule in the Addon
8. Select Issue Event Trigger and Issue Created as Event
9. Use a JQL like this without the quotes: "project = XXX AND type = "YYY"  AND "Customer Request Type" IS EMPTY". In this XXX is your Service Desk Project and YYY is the Issue Type you use for Mail-Requests. When you create the issues the way described here they have no Request Type. You need to set it this way.
10. In the next Step you need two Actions.
    1. Add an Edit Issue Action. It needs this value without the quotes: "customfield_10100=isd/get-it-help" (Note that the customfield is the Customer Request Type Field. The ID of yours may be different. Also the value depends on your Setup. You need to find out both values out of the customfield and customfieldvalue table in your database). You also need to set the "Allow variable expansion" checkbox
    2. Add an Publish Event Action -> Issue Created
11. Save the Rule

Now you should have pretty the same as if you used the default Service Desk Function but with control about creating users or not. Import is that users that should be able to create issues by mail need to have the Create Issue Permission. If you have selcted "Customers who are added to the project" as Customer Permission only adding them to the Application group "Service Desk Customers" won't do. This is because per Default they can only add Requests per Portal or, if configured, per Default Mail Functionality. If you use above Workaround the need to have a general permission to create Issues. I realized this by creating a "Service Desk Customers - Mail Access" Project Role and adding this to the Permission Schema. On the Downside they will also be able to Create Issues directly in the Project too. You need to elaborate how criticial this is to you.

But even if this is a workaround, a native solution would be pretty much preferred.

Greetings

Our use-case is similar to Dave Nicholls above and we also consider this a significant security issue.

However we want to keep the convenience of being able to forward to / BCC the service desk email to get relevant communications logged against tickets but often these email chains will involve third parties that need to be prevented from seeing the entire ticket, in order for us to maintain NDA terms with various customers.

I found that not only where cc'd people added as customers, but also people who where not cc'd in the email to JIRA, but were cc'd earlier in the email trail which was then forwarded to JIRA to log a ticket.

This is a huge risk and security hole. We are trying to limit our helpdesk to only certain customers and cannot do that when using emailed requests.

Please implement this enhancement ASAP.

Our company services external clients and some/all we may not want to receive these notifications. It would benefit us immensely!

Thanks.