We’ve been using RT for over five years, but only for internal use. Now, we’d like to expand to letting customers create tickets for our service team to act on. In theory, this is simple: the customer emails the right address, RT creates a ticket in the CS queue from the email, and someone takes ownership of the ticket. Our email integration is all set; it’s the first step I can’t get to work.
When I email a queue’s address from an email account that doesn’t have an RT user associated with it, I get a reply with the subject “permission denied” and my own email in the body. I’ve granted Create Ticket, View Queue, and a few other rights to both unprivileged users and requestor. No matter the rights I enable, I get the same error.
My suspicion is that RT isn’t seeing my external email account as an unprivileged user, but rather as no user at all. I thought it would generate an unprivileged user account for me, but I don’t think it’s doing that. Thus, it stops this random email address from doing anything at all. My rights don’t apply because this email isn’t a user in any way, so has no rights.
How do I get this to work? I should say that we’re using database authentication, no SSO or AD for now. If and when we do move to AD, though, I don’t want every email address that submits a ticket to get an AD account. That may be a separate topic, though. For now, I just need to know how to let non-RT people submit tickets. Thanks for any help.
Your approach sounds correct to me. There is an “Everybody” group as well where you should be able to grant CreateTicket. Did you try that?
I didn’t give the “everyone” group the same rights. The goal is to have a queue to deal with incoming customer tickets, but only one team will handle that. Granting everyone rights to view and create in this queue would also put it on the dashboards of everyone, whether they’re in a customer service role or not. At least, that’s my understanding. I hoped that just giving this to unprivileged users would let me avoid that problem.
Where am I missing a step? When the email comes in, RT rejects it. Does a user need to have an account first? Is there no way to automatically create an account for them when we get a ticket from them?
Users should be auto created. Do you have a test email address you’re trying to create a ticket with and seeing it rejected?
You can search that email in the user search to confirm it was auto created. Then you can check out the rights explorer (Admin->Tools->Rights Inspector) for that user to see if they do indeed have the CreateTicket right granted.
Yes, I’m using a personal email I know won’t have an account on our RT instance. That address is nowhere in the list of users, though I’ve sent four or five test emails from it to the queue I’m working with.
What do you see in the RT logs? Is there a chance the email server is denying the account?
Have you tried giving Everyone only CreateTicket and then giving other rights to the Requestor if you need them to be able to see their own tickets, etc?
Also any chance there is a user for this email but they’re disabled?
The log says:
 [Wed Jan 4 16:14:36 2023] [crit]: Permission Denied: [test_email] has no right to create tickets in queue [test queue] (/opt/rt5/sbin/…/lib/RT/Interface/Email.pm:709)
I later granted the “everyone” group the “view queue” and “create ticket” rights, and the error changed:
 [Wed Jan 4 16:14:36 2023] [crit]: Failed attempt to create a ticket by email, from [test_email]: [test_email] attempted to create a ticket via email in the queue [test queue]; you might need to grant ‘Everyone’ the CreateTicket right. (/opt/rt5/sbin/…/lib/RT/Interface/Email.pm:709)
I have. The error changed, but it still failed. I didn’t get a “permission denied” email after the change, but neither was a ticket created.
You don’t need the view queue - just CreateTicket. You can give the ability to view the queue/ticket/etc to the requestor.
(I should say that this does work normally - we get loads of tickets in our RT from all over the place!)
I didn’t think so, but this turned out to be the case. I must have accidentally submitted something or been copied at this address years ago, because there was a disabled user with the email address. I re-enabled the user, and it worked. I sent an email to the queue from another non-work account, and that also worked. I should have thought to check for this! Thanks for the help.
Thanks for your replies. Turns out the email address I was using to test this stuff already had an account in our RT, but it was disabled. I fixed that, and now it’s working as expected.