Tags: python, django, email, weblate

Reset password stuck on invalid email


I registered a user in a Weblate installation (a Django-based translation system) and input an incorrect email address for the user. After trying to send a reset password email, I received a Delivery Status Notification (Failure) email from the mail provider, with the error code 550 Requested action not taken: mailbox unavailable.

Afterwards, no matter which email address I input into the reset password email form (even other users already registered), Django tries to send the reset email to that incorrect email address. I receive similar bounce messages from the mail provider. The emails sent have the same target address, and the same id parameter in the verification URL, but different verification_codes.

I tried looking in logs, and the only thing of interest is:

INFO:weblate:sending notification reset on 2414792abd0d4bcb92fd654c2f020ac0 to [email protected]

…which didn't help me in searching through Django's source code either.

Is there some sort of email queue that contains the incorrect address that I need to flush?


Solution

  • Weblate doesn't use Django's built-in password reset functionality but uses python-social-auth instead. Looking at the code it seems like it uses session variables to pass information to/from python-social-auth.

    The problem is that if a session already exists (i.e., a user has requested a password reset) then it will not refresh the session if you submit a new request, regardless of what email address you submit in the form.

    Solution: clear your cookies. Might also be worth filing a bug report?
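
The behaviour described in the answer above can be reproduced with a small model. This is an added example, not code from Weblate or python-social-auth. The session is a plain dict, and the function names, the `pending_reset` key and the addresses are all hypothetical.

```python
import secrets


def _new_pending(form_email):
    # State a reset request would park in the session (modelled, hypothetical keys).
    return {"email": form_email, "id": secrets.token_hex(16)}


def _mail(pending):
    # A new verification code is minted for every message that goes out.
    return {"to": pending["email"], "id": pending["id"],
            "verification_code": secrets.token_urlsafe(16)}


def start_reset_stale(session, form_email):
    """Modelled bug: pending state already in the session wins over the form."""
    pending = session.setdefault("pending_reset", _new_pending(form_email))
    return _mail(pending)


def start_reset_fresh(session, form_email):
    """Modelled fix: every submission replaces any pending state in the session."""
    session["pending_reset"] = _new_pending(form_email)
    return _mail(session["pending_reset"])


def demo():
    browser_session = {}  # constructed: one browser's server-side session
    first = start_reset_stale(browser_session, "typo@example.invalid")
    # Same browser, different address typed into the form: the stale state is reused.
    second = start_reset_stale(browser_session, "other.user@example.com")
    # Clearing cookies gives the browser a new, empty session.
    after_clearing_cookies = start_reset_stale({}, "other.user@example.com")
    # The fixed handler works even with the old session still in place.
    fixed = start_reset_fresh(browser_session, "other.user@example.com")
    return first, second, after_clearing_cookies, fixed


if __name__ == "__main__":
    for m in demo():
        print(m["to"], m["id"], m["verification_code"])
```

The second message shows the symptoms from the question: same recipient, same id, different verification code. An empty session or the replacing handler sends to the address actually submitted.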