This forum is closed to new posts and responses. Individual names altered for privacy purposes. The information contained in this website is provided for informational purposes only and should not be construed as a forum for customer support requests. Any customer support requests should be directed to the official HCL customer support channels below:

HCL Software Customer Support Portal for U.S. Federal Government clients
HCL Software Customer Support Portal


Aug 22, 2014, 2:59 PM
9 Posts

Can application encrypt email with X.509 for external recipient

  • Category: Application Development
  • Platform: All Platforms
  • Release: 9.0.1
  • Role: Administrator,Developer
  • Tags:
  • Replies: 2

Hello

Is it possible to encrypt a message addressed to an external recipient with an X.509 certificate?

Sub Click(Source As Button)
    Dim s As New NotesSession
    Dim db As NotesDatabase
    Dim doc As NotesDocument
    Dim body As NotesMIMEEntity
    Dim header As NotesMIMEHeader
    Dim stream As NotesStream

    Set db = s.CurrentDatabase
    Set stream = s.CreateStream
    s.ConvertMIME = False ' Do not convert MIME to rich text

    Set doc = db.CreateDocument
    Call doc.ReplaceItemValue("Form", "Memo")
    Set body = doc.CreateMIMEEntity
    Set header = body.CreateHeader("Subject")
    Call header.SetHeaderVal("MIME message")
    Set header = body.CreateHeader("To")
    Call header.SetHeaderVal("someUser/Org")
    Call stream.WriteText("Text of message.")
    Call body.SetContentFromText(stream, "text/plain;charset=UTF-8", ENC_NONE)
    Call doc.CloseMIMEEntities(True)
    doc.SignOnSend = False
    doc.EncryptOnSend = True ' Include this line if you want to additionally encrypt the message
    Call doc.Send(False)
    s.ConvertMIME = True ' Restore conversion
End Sub


This function can successfully encrypt to recipient someuser/Org if this user has a person document in the Domino Directory and an X.509 certificate in the person document.

However, if I enter an external email address in the forwarding address of the person document, this code no longer works - it does not encrypt the message. It also requires a certificate for the forwarding address, but encryption does not work even with this additional certificate.

Is it possible to send email encrypted with an X.509 certificate to an external recipient from Notes code? Has anybody succeeded?


Regards

Ramunas


Aug 22, 2014, 7:02 PM
24 Posts
Thoughts on this and a couple of questions
A couple of questions about the implementation of your code:
a.) Who has the forwarding address field configured to an external email address? The person who signed the agent, the person mentioned in the code, the sender, or the recipient?
b.) Who is the sender of this agent? Who is the recipient? Who is the signer? Which id file is supposed to be used for the encryption?
c.) Is the final recipient internal or external to the company?
d.) How is this agent being triggered? Via an action button (I saw the click event), or a server-side background agent?
e.) Have you tested with a server-side agent? If so, do you get different results than from a button click?

The idea here is that the x.509 certificate is tied to the user.id, private key, and certificate in the person doc. But if the 'sender' of the email is someone outside of the company (the address in the forwarding address field), then how could Notes/Domino encrypt using the x.509 cert that was imported into a person doc? The process requires an imported x.509 cert, either in the Notes client names.nsf for client-sent mail, or in the person doc for agent-sent mail.

I see that you used the code from TN#1191743, but as a button, not a server-based agent: http://www.ibm.com/support/docview.wss?uid=swg21191743

While the code can work from a server agent, there are a few additional notes that I don't think we can overlook:
-- In order for the agent to execute, the server and the recipient must share trust, since S/MIME checks the recipient's certificate trust on the server.
-- The sender of the email should be someone from inside the company, with an active user.id and x.509 certificate in their id/person doc.
-- There must be a common certifier between the server certificate (in the ID) and the recipient certificate in the Domino Directory (Names & Address Book). If there is not a common certifier, there must be a cross certificate in the local server's Domino Directory, issued by the server ID to the recipient.
-- In order to allow a server-side agent to encrypt email to an internet recipient, follow the 7 steps in the technote.

If the sender of the email is the one with the forwarding address configured to an external email address (outside the company), I don't believe this could work.

Anyone else have any experience with this?
Aug 25, 2014, 6:22 AM
9 Posts
Answers...

The scheduled agent runs on the server and is signed by some user. I don't need replies to come back, because the sender is the application, not a real person. The application needs to deliver encrypted emails to external (Exchange, for example) recipients. The recipient is registered as a person in the Domino Directory and the X.509 certificate is imported into the person document. Having the recipient's person document in the Domino Directory ensures that the application running on the server can find the X.509 certificate in the "local address book". If this recipient has only the internet address filled in, then the application successfully encrypts emails with the X.509 certificate and the recipient can decrypt only with the private key of the X.509 certificate. However, the application no longer encrypts after I add a forwarding address to the forward field in the person document of the same recipient. In this case, the application requires an X.509 certificate for the address filled in the forwarding address field, and if it's missing, the application reports an error about the missing X.509 certificate. However, having this certificate (for the forwarding address) in the person document only suppresses the error, but the recipient receives the email unencrypted. A forwarding address in the forwarding address field is required to forward emails to the external recipient.

My goal is to have an application running on the server send encrypted emails to external recipients using X.509. Any ideas how to achieve this? Has anybody achieved this with some Notes API?
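The failure described in this thread is that the message silently leaves the server unencrypted once a forwarding address is set. The following added example (not code from the original posts or from the technote) is a fail-closed pre-send check for the server agent: it looks the recipient up in the server's Domino Directory and refuses to send unless a person document with an X.509 certificate exists and no forwarding address is set. It assumes the directory is names.nsf on the current server, the "($Users)" view resolves the address, the internet certificate is stored in the "UserCertificate" item and the forwarding address in the "MailAddress" item; verify those item names against your own directory design.

```lotusscript
' Added example, not from the original thread. Before calling doc.Send with
' EncryptOnSend = True, verify the recipient can actually be encrypted to.
' Assumed item names: "UserCertificate" (X.509 cert), "MailAddress" (forwarding address).
Function RecipientCanBeEncrypted(s As NotesSession, recipient As String, reason As String) As Boolean
    Dim dir As NotesDatabase
    Dim users As NotesView
    Dim person As NotesDocument

    RecipientCanBeEncrypted = False
    ' Assumption: the directory the router consults is names.nsf on this server
    Set dir = s.GetDatabase(s.CurrentDatabase.Server, "names.nsf")
    If Not dir.IsOpen Then
        reason = "Cannot open Domino Directory on " & s.CurrentDatabase.Server
        Exit Function
    End If
    Set users = dir.GetView("($Users)")
    Set person = users.GetDocumentByKey(recipient, True)
    If person Is Nothing Then
        reason = "No person document for " & recipient
        Exit Function
    End If
    If Not person.HasItem("UserCertificate") Then
        reason = "Person document for " & recipient & " has no X.509 certificate"
        Exit Function
    End If
    ' The thread reports that a forwarding address causes the router to
    ' re-address the message and deliver it unencrypted, so fail closed here
    ' instead of letting plaintext leave the server.
    If Trim(person.GetItemValue("MailAddress")(0)) <> "" Then
        reason = "Forwarding address set for " & recipient & " (" & _
            person.GetItemValue("MailAddress")(0) & "); message would be re-addressed"
        Exit Function
    End If
    RecipientCanBeEncrypted = True
End Function

' Wraps the send so that a failed check raises an error the agent log records
' rather than sending the message in the clear.
Sub SendEncryptedOrFail(s As NotesSession, doc As NotesDocument, recipient As String)
    Dim why As String
    If Not RecipientCanBeEncrypted(s, recipient, why) Then
        Error 1000, "Refusing to send unencrypted mail to " & recipient & ": " & why
    End If
    doc.SignOnSend = False
    doc.EncryptOnSend = True
    Call doc.Send(False)
End Sub
```

Call SendEncryptedOrFail in place of the bare doc.Send in the agent; a raised error shows up in the agent log on the server, which is the signal to check the person document rather than assume the mail went out encrypted.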


