ecederstrand / exchangelib

Python client for Microsoft Exchange Web Services (EWS)
BSD 2-Clause "Simplified" License

Support Office365 Message Encryption #545

Closed nebriv closed 4 years ago

nebriv commented 5 years ago

Hey There!

Any chance it would be possible to support Office365 Message Encryption (OME)? I'm not sure if it's even possible or if it's accessible from the EWS API.

https://docs.microsoft.com/en-us/office365/securitycompliance/ome

Thanks!

ecederstrand commented 5 years ago

According to that link:

End-users that read encrypted or rights-protected mail on clients other than Outlook also use the OME portal to view encrypted and rights-protected messages that they receive.

I assume messages are transferred while still encrypted, in which case the client must do the encryption/decryption. This means exchangelib would need to implement that encryption scheme for encryption and decryption to happen seamlessly.

Unless Microsoft uses an open-source encryption schema and provides documentation for how they use it, I don't see this happening.

It's possible that the OME portal provides an API to allow on-demand encryption/decryption of messages, but I can't find any mention of it in the link.

nebriv commented 5 years ago

I agree - it's definitely not an open source solution.

I know on "dumb" clients (aka not an Outlook client) the user is presented an attachment that essentially opens as an HTML file that links back to Microsoft for authentication.

It looks like according to this there is no native support for encryption (other than encrypting it yourself and attaching it as such). https://blogs.msdn.microsoft.com/webdav_101/2015/12/16/about-encrypting-or-signing-a-message-programmatically/

EWS has no native ability to create signed or encrypted messages. You will need to create a message as encrypted MIME. There is no developer support for creating MIME without the usage of a Microsoft API which is designed to do so. So, one way to get past this limitation is to create a signed message using CDOSYS and extract the final MIME then use EWS to create the message with that MIME.

I'll keep an eye on the API documentation and see if anything comes up.
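The "build encrypted MIME elsewhere, then hand it to EWS" route quoted above is the only one the thread identifies, so here is an added example of that approach. It is not exchangelib's own code and not part of this thread: it wraps an already-encrypted CMS EnvelopedData blob in a standard S/MIME `application/pkcs7-mime` envelope using only the Python standard library, then shows how the raw bytes would be passed to EWS. The CMS ciphertext is assumed to come from an external tool (for example `openssl cms -encrypt`); the bytes used here are a constructed placeholder, and the `Message(..., mime_content=...)` call assumes exchangelib accepts `mime_content` at creation time, which is why it is imported lazily and not exercised when the module is run offline.

```python
"""Wrap externally produced S/MIME ciphertext as MIME and submit it via EWS.

Added example, not exchangelib's own code. The CMS EnvelopedData blob is
assumed to come from an external tool (e.g. `openssl cms -encrypt`); the
bytes below are a constructed placeholder, not real ciphertext.
"""
import email
import email.policy
from email.message import EmailMessage

# Constructed placeholder standing in for a DER-encoded CMS EnvelopedData
# structure. Real ciphertext would be produced by an external CMS tool.
PLACEHOLDER_CMS_DER = b"<DER-encoded CMS EnvelopedData goes here>"


def build_smime_enveloped_mime(cms_der: bytes, sender: str, recipient: str,
                               subject: str) -> bytes:
    """Wrap an already-encrypted CMS blob in the RFC 8551 S/MIME envelope.

    Only the CMS body is opaque; From/To/Subject stay in the clear on the
    server and on the wire, so nothing sensitive belongs in the subject.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    # application/pkcs7-mime with smime-type=enveloped-data is what Outlook
    # and other S/MIME-aware clients look for; base64 keeps the DER
    # transport-safe.
    msg.set_content(
        cms_der,
        maintype="application",
        subtype="pkcs7-mime",
        cte="base64",
        disposition="attachment",
        filename="smime.p7m",
        params={"smime-type": "enveloped-data", "name": "smime.p7m"},
    )
    # CRLF line endings: EWS MimeContent expects a wire-format message.
    return msg.as_bytes(policy=email.policy.SMTP)


def inspect_smime(mime_bytes: bytes) -> dict:
    """Parse raw MIME and report what an S/MIME-aware reader would see."""
    parsed = email.message_from_bytes(mime_bytes, policy=email.policy.default)
    return {
        "content_type": parsed.get_content_type(),
        "smime_type": parsed.get_param("smime-type"),
        "filename": parsed.get_filename(),
        # Base64-decoded body: the opaque ciphertext, exactly as supplied.
        "ciphertext": parsed.get_payload(decode=True),
    }


def send_via_exchangelib(account, mime_bytes: bytes):
    """Create the item from raw MIME so Exchange stores it encrypted as-is.

    Assumption (not verified against the thread): exchangelib's Message
    accepts a `mime_content` keyword when creating an item. Imported lazily
    so the rest of this module runs without exchangelib installed.
    """
    from exchangelib import Message  # assumed API, see docstring
    msg = Message(account=account, folder=account.sent, mime_content=mime_bytes)
    msg.send()
    return msg


if __name__ == "__main__":
    raw = build_smime_enveloped_mime(PLACEHOLDER_CMS_DER, "alice@example.com",
                                     "bob@example.com", "Encrypted report")
    print(raw.decode())
    print(inspect_smime(raw))
```

The point of the split is that EWS only ever carries the opaque CMS blob: exchangelib, the Exchange server and any mailbox-level access see the headers and the base64 ciphertext, never the plaintext, so recipient key handling and decryption stay entirely on the client side, as the quoted blog post describes.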

ecederstrand commented 4 years ago

I'm closing this issue. Feel free to reopen if anything pops up that would enable us to support OME in some form or other.