Encrypting Emails Using CDO

TheSearcher

I wrote the following email routine. The emails are sent and received perfectly without any issues. I'm using the sendTLS method for encryption. However, there is so much conflicting information on the web about its effectiveness. Some suggest using the UseSSL method instead. Regardless of which method I use there is no visible evidence that anything is encrypted. They seem to come through as regular emails. Does anyone know whether my code actually encrypts the emails?
Code:
Public Sub CDOMail(ByVal Email_Code As String)

    '*** The purpose of this email routine is to bypass Outlook completely so that the user doesn't get that annoying message stating
    '*** "A program is trying to send an e-mail message on your behalf..."
    
    Dim mail    As CDO.MESSAGE
    Dim config  As CDO.Configuration
    
    Set mail = CreateObject("CDO.Message")
    Set config = CreateObject("CDO.Configuration")
    
    config.Fields(cdoSendUsingMethod).Value = cdoSendUsingPort
    config.Fields(cdoSMTPServer).Value = "mycompany-com.mail.protection.outlook.com"
    config.Fields(cdoSMTPServerPort).Value = 25
    '*** Encryption - Both config.Fields statements below will work. I chose to use the sendtls command.
    'config.Fields(cdoSMTPUseSSL).Value = True
    config.Fields.Item("http://schemas.microsoft.com/cdo/configuration/sendtls").Value = True
    config.Fields.Update
    
    Set mail.Configuration = config
    
    With mail
        .To = Globals.glb_EmailString
        .From = Globals.glb_Email
        .Subject = "INCIDENT REPORT"
                        
        If Email_Code = "A" Then    'If after director signed then send attachment.
            .AddAttachment Globals.glb_OutputFileLocation
            .TextBody = "An Incident Report has been created for " & Globals.glb_Client & ". Please see attached file." & Chr(13) & Chr(13)
        Else
            .TextBody = "An Incident Report has been created for " & Globals.glb_Client & ". Please review it by clicking on the Director's button in the Incident Reports program." & Chr(13) & Chr(13)
        End If
        
        .Send
    End With
    
    Set config = Nothing
    Set mail = Nothing
    Globals.glb_EmailString = ""
    
End Sub
 

The_Doc_Man

I am far from expert on this, but I tend to doubt that CDO will encrypt anything. If you pre-encrypt the text body before building the message and your recipient knows how to decrypt it by extracting the text body only, that might work. But generally you need something like Outlook, which has encryption built-in as an option for encryption, because "true" encryption these days requires a certificate interaction.

I think this is true (but won't put money on it) that CDO simply implements SMTP almost directly. The last time I tried this was about 2015 or 2016, so if something has changed, I would not know it. But back then, I couldn't make it happen without doing a LOT of complex programming myself, including making system calls to several Windows APIs regarding encryption. And some of those APIs are very complex indeed. I didn't have the time and couldn't guarantee results on the other end either.
 

TheSearcher

Thanks DM and NG. I am very familiar with that article. I used it as a reference when writing my code. However, I find it to be unclear at times. And I can't see any evidence that my emails are encrypted. Makes me feel uncomfortable.
DC - I can't use Outlook because of those annoying messages that I reference at the top of my code. That's why I'm using CDO.
 

Gasman

I don't *think* they are encrypted.?
When I was last working we needed to send emails encrypted and had to use a third party extension.?

We had been using standard SSL for both POP and SMTP always ?

Even if it did, shouldn't you be using the standard ports for SSL and not 25?
 

isladogs

I have used CDO for all emails from Access for over a decade including the use of both SSL & TLS.
I also have this working with authentication needed for GMail.
See CDO EMail Tester - Mendip Data Systems

Consider this 'parallel' situation:
When you encrypt an Access database using a password and then link to its tables using the password, the tables appear unencrypted.
The process is 'seamless' and you would have no direct evidence that any encryption existed in the file.
However, if you open an encrypted database using a text editor such as Notepad, you will see the effects of encryption, i.e. you just see gobbledegook.

The same is true for emails. When these are sent using encryption, the email application handles the process natively so you can read the received message without any intervention needed.

So to confirm whether SSL / TLS encrypts an email sent using CDO you would need to intercept the email and try to read it using an external application e.g. Notepad again. I'll leave that to you...
 

The_Doc_Man

Depending on what level of registry changes you can make,




This might help you with the Outlook issue
 

Isaac

I'm going to present a very "layman's" view. I'm not a CDO expert at all, and have only used it a few times.

But isn't the entire encryption question, one handled by the server where the message is dropped to? If Gmail encrypts messages, and you use CDO to call Gmail, then the message will be encrypted? At least that is a guess that I have. You send a message to an smtp, it picks it up and runs with it. It does whatever it normally does with it. No?

For example, if I write a function to send email using Outlook, and give someone else the function code, they would not properly ask Does your function encrypt the email? I would say "it uses Outlook - ask your Exchange admins"

Thus, CDO neither encrypts nor doesn't encrypt messages. It is just a caller of the one who may encrypt. My guess.
 

arnelgp

Does anyone know whether my code actually encrypts the emails?
Nobody knows. And nobody looks into the hood and looks at the "raw" data being passed or received.

You just take their word by faith.
 

The_Doc_Man

Stated another way, I know for an absolute fact that it is possible to use VBA to tell Outlook to encrypt a mail message, and it works. You have to do a web search for the correct activation sequence, but once you find the sequence it is maybe one or two instructions to get to the right place to set the "Encrypt" flag. For the version of CDO that I had available, there was no such flag. I looked.

Isaac, you are correct that if you use something else to do the sending, at least from the 2015 perspective, you didn't encrypt anything, your utility did it (or didn't). Some of the articles I saw here refer to using a definitional trick to trigger SSL encryption at the network level, not the utility level. That is a possible solution, I suppose, if encryption is required.

One thing, though, is that at least with Outlook you would know that the message arrived "cleartext" or "encrypted" because the Outlook interface tells you that much. It knows it was encrypted because the encryption "handshake" standard passes a copy of your public key (because the sending side looks that up for encrypted messages). If it was encrypted at the source utility, then the destination utility knows that. If it was encrypted by the network, however, ArnelGP is absolutely correct, because the transport layer at the receiving end is the layer that gets decrypted and the receiving utility doesn't see it. It only sees what the network layer passed to the utility.
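
Added example, not part of any post in this thread: the distinction drawn above between transport-level (TLS) and message-level encryption can be checked on a delivered message by reading its raw headers, since each receiving server records in its `Received` line how the hop was made. The Python sketch below runs over a constructed sample message; the host names, addresses and IDs are made up for illustration.

```python
import re
from email import message_from_string

# RFC 3848 "with" keywords that mean the hop ran over TLS.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}
# Free-text TLS notes some servers add, e.g. "(version=TLS1_2, cipher=...)".
TLS_NOTE = re.compile(r"\b(?:version=)?(TLS\s?v?\d(?:[._]\d)?)", re.I)
WITH = re.compile(r"\bwith\s+([A-Za-z0-9]+)")
BY = re.compile(r"\bby\s+([^\s;]+)")

# Constructed sample: headers of a delivered message (newest hop first).
SAMPLE = """\
Received: from mx2.example.net (mx2.example.net [203.0.113.9])
 by mailstore.example.net with ESMTP id c3;
 Tue, 02 Jan 2024 14:26:05 +0000
Received: from mx1.example.net (mx1.example.net [203.0.113.7])
 by mx2.example.net with ESMTPS id b2;
 Tue, 02 Jan 2024 14:26:04 +0000
Received: from ACCESS-PC (unknown [198.51.100.20])
 by mx1.example.net with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
 id 15.20.0000.0; Tue, 02 Jan 2024 14:26:03 +0000
From: reports@example.com
To: director@example.com
Subject: INCIDENT REPORT
Content-Type: text/plain; charset="us-ascii"

An Incident Report has been created.
"""

def inspect_message(raw):
    """Return (hops, body_encrypted); hops are (receiving_host, tls_evidence), oldest first."""
    msg = message_from_string(raw)
    hops = []
    for received in reversed(msg.get_all("Received", [])):
        text = " ".join(received.split())          # unfold the header
        by, proto, note = BY.search(text), WITH.search(text), TLS_NOTE.search(text)
        if proto and proto.group(1).upper() in TLS_PROTOCOLS:
            evidence = proto.group(1).upper()      # protocol keyword says TLS
        elif note:
            evidence = note.group(1)               # server annotated the TLS version
        else:
            evidence = None                        # no sign of TLS on this hop
        hops.append((by.group(1) if by else "?", evidence))
    # Message-level encryption (S/MIME or PGP/MIME) shows up in the MIME type instead.
    ctype = msg.get_content_type()
    smime = str(msg.get_param("smime-type", "")).lower()
    body_encrypted = ctype == "multipart/encrypted" or (
        ctype.endswith("pkcs7-mime") and smime.endswith("enveloped-data"))
    return hops, body_encrypted

if __name__ == "__main__":
    for host, tls in inspect_message(SAMPLE)[0]:
        print(f"{host:25} {tls or 'no TLS evidence'}")
```

Only `Received` lines written by servers you trust are reliable, and a hop with no TLS note is not proof of plaintext, because not every server records it.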
 
