

MIND

Providing Web-Based Mail Through Exchange Server
Sean McCormick

Download the code (1,019KB)

Looking for a way to drive traffic to your new Web site? You can offer users email and build the system with ASP, Site Server, and Microsoft Exchange.
It happens time and time again. You invest hundreds of thousands of dollars to build a state-of-the-art Web site and no one visits it. "Build it and they will come" does not apply to Web sites. Simply registering your URL with the big search engines does not cut it these days. So what does it take to make people visit your site? How do you get them to return on a regular basis to view your updates? How do you create a site that generates enough traffic to sell advertising space to recoup your costs and even make a profit, so you can look that pompous corporate accountant, Mr. "I don't think a Web site is a sound investment" in the face and let him have it? Do I sound bitter?
      Many Web sites, portals, and online commerce providers have overcome this perplexing problem by offering free email. Users with Internet access get the benefits of changing where they live, where they work, and which ISP they use and still keep the same email address, personal address book, and appointment calendar. Plus, it is very easy to check email while they travel because all they need is a Web browser and access to the Internet. By integrating the email interface with your Web site, users will visit your site not just once, but many times in the same day! This concept is bound to work much better than your Joke du Jour idea or your Webmaster's Zany Links page.
      Let's discuss a method for offering free email on your Web site using three Microsoft® technologies: Site Server, Microsoft Exchange Server, and ASP. You'll see how I developed a free email system using these tools.
      You can download the code to my sample site from the link at the top of this article. This archive contains a whitepaper describing the design of the sample site in detail, how to install the sample site, and all of the source code.
      Please note that this article is meant as a demonstration of the extensibility of the Exchange platform. Before you decide to implement a solution like the one shown here, you must ensure that you've purchased the appropriate number of licenses for all potential clients. You can check out licensing policies and pricing at http://www.microsoft.com/exchange/55/gen/pricing.htm.

Overview

      This design will create a Web-based email system similar to Outlook® Web Access using Microsoft Exchange. It uses Site Server 3.0 Personalization and Membership instead of the Windows NT® user database. After users are authenticated by Site Server, they can access their mailboxes. The sample Web application based on this design includes these features:

  • Automatic registration and setup of new accounts
  • Sending and receiving Internet email (with attachments)
  • Calendar
  • Contacts

      The application design follows the Microsoft DNA architecture for applications and distributed processing. ASP and HTML pages supply the presentation layer. Microsoft Transaction Server (MTS) COM components provide the business logic layer where mailbox data is retrieved and sent. The data warehouse layer is provided by Exchange. By basing the application on Microsoft DNA, you have the benefit of knowing that this application is built on top of well-tested and benchmarked tools for distributed computing. Also, the application has the ability to grow as your needs and your business processes grow.
      The free email Web site interface uses ASP pages calling MTS components to do all mailbox manipulation work against Exchange mailboxes. All mail, calendar, and contact data is stored in Exchange Server, so the backup, virus protection, and storage quota tasks are based around an industry-standard application, for which there is a plethora of third-party tools. Since the user database is based on Site Server Personalization and Membership, this system can handle millions of accounts per server. Also, the ASP pages leave the interface wide open for customization, allowing you to create the appearance you want.
      Why would you want to do this when there is Outlook Web Access? A traditional Exchange Server installation has a unique Windows NT account associated with each Exchange mailbox. Windows NT can support only 40,000 accounts per domain without having to cross domains and manage domain trusts. This makes it hard to create a free email system for millions of users. If you use the traditional method for a large email site, you are responsible for distributing a domain name with every account, managing domain trusts, and the overhead of managing a large, multidomain structure.
      By tying a Site Server Personalization and Membership user database to Exchange Server, you can easily create a free email system on a single server with millions of email accounts. Of course, you would need to have a big honkin' server to handle this kind of usage. Also, this design works faster than Outlook Web Access by combining all mailbox work into multithreaded MTS COM components. This improves response time when accessing mailboxes, in contrast to the way Outlook Web Access directly accesses Exchange from ASP pages.
      Finally, unlike Outlook Web Access, Webmasters can configure this system to support any of the features Exchange offers: mail, calendar, contacts, journal entries, public folders, and so on.

How Does It Work?

      This sample has two types of ASP pages. One set is public, and is readable by the entire Internet; the other set is private, and is readable only after a user has been authenticated by Site Server. The public set allows anonymous access and advertises the Web site, updates readers of public news and events, offers automated setup of new email accounts, and whatever other content you want to support. The private set of ASP pages, protected by Site Server Personalization and Membership, will read a user's mailbox and display the contents. They can also create and send new email, create and delete calendar events, and create and delete contacts.
      New users can enter the site and fill out an HTML form that creates a new email account (see Figure 1). This form creates a Site Server Personalization and Membership account and an Exchange mailbox. Then the user can log in to the private set of ASP pages.

Figure 1: Email Account Architecture

      Once the user has been authenticated by Site Server, the private ASP pages can identify this user and what mailbox they have rights to access. These ASP pages call MTS COM components that run under the permission of the Exchange Administrator. These components act on behalf of the user to send and receive email from their mailbox, create and delete contacts, and create and delete calendar appointments.

Features and Benefits

      A free email system based on Exchange and Site Server provides a solution with easy-to-manage components. If you are familiar with Exchange, you know that administrators have access to control every aspect of the email system. Training, documentation, 24/7 Microsoft technical support, and third-party applications for backup and virus protection are among the many benefits you can gain from using these two technologies. Plus, if you already use Exchange as your corporate email system, then you have the staff to administer the system. Finally, if your goal is to sell target-marketed Web advertising space, Site Server Ad Manager can handle this duty.
      The scalability of these two products is well documented and tested by Microsoft and other third parties. This allows you to adequately design and calculate your initial investment. In case your free email system becomes incredibly popular, these tools can scale to whatever size and bandwidth needed.
      The sample application also uses Collaborative Data Objects (CDO) and Active Directory™ Services Interface (ADSI) to access both Exchange and Site Server to create accounts and access mailbox data. This allows you to upgrade each component as advances in the respective products become available.

Components

      Microsoft Exchange Server acts as the data warehouse for all of the mailbox data. Exchange also provides the functionality for sending and receiving Internet-bound email. Since the capabilities of Exchange Server go well beyond this example, you can improve upon the sample site by offering journal entries, email forwarding, Usenet groups, and so on.
      Site Server provides a Lightweight Directory Access Protocol (LDAP)-accessible user database that is queried via an ISAPI filter every time a user tries to access a page that requires authentication. If the user has not been authenticated, Site Server offers the user a form to enter a username and password. Once the user is authenticated, Site Server will allow access to the page. If the user is authenticated but does not have rights to access the page, the user is denied access. With my sample site, once the user has authenticated against this user database, the ASP page can identify the user and access that user's mailbox only.
      MTS provides the environment under which the mailbox creation and access COM components can run. The COM components run under the identity of the Exchange Administrator account. This allows them, when called by the ASP pages, to access and manipulate any Exchange mailbox. Because these COM components have such power, they require the ASP page to identify which mailbox to access. The components require that the mailbox name and mailbox server be sent as parameters. Since ASP pages can identify the user, they are able to look up these required parameters and return this data when they call the COM components. Once the components finish running and return the appropriate data from Exchange, the ASP pages can format the data and display it to the user. MTS also provides all thread management of the COM components, so they can run faster and more efficiently as the email site receives more hits.

Public and Private Pages

      As mentioned, there are both publicly accessible and private pages in the sample site. These Web pages provide the front end to the free email site. They can include news, notice of events, and press releases that everyone on the Internet can read, whether or not they have an email account with you.
      The last page in this section allows a user to sign up for an email account. This HTML form, when submitted, will spawn an ASP page that will create a Site Server account in the Personalization and Membership user database (using ADSI), as discussed earlier. To open an account, you can require users to enter any sort of information including mother's maiden name, favorite color, or boxers/briefs. This information will be stored with their Site Server account along with the Exchange mailbox name and the name of the Exchange Server on which the mailbox is located.
      When finished creating the Site Server account, the ASP page will call an MTS COM component to create the Exchange Server mailbox. This mailbox is associated with a single Windows NT account and contains the user's first and last name and their Site Server Personalization and Membership logon ID as the mailbox name. All mailboxes in this free email system are associated with the same Windows NT user account, which allows the Exchange server to grow to any number of mailboxes independent of the size of the Windows NT domain.
      Now that there is a Site Server Personalization and Membership account and an Exchange mailbox associated with this account, the user can log in to the privately accessible Web pages and access their mailbox.
      The private Web pages require the user to authenticate via Site Server before the ASP page will run and return the HTML to the user's browser. This keeps users from reading other users' mail or sending email from someone else's mailbox. Each ASP page has a particular function: there is one for reading your email, one for sending a new email, one for reading your calendar, and so on. These ASP pages make calls to the MTS COM components to get all of the appropriate data from Exchange Server. Once the MTS COM components return the data from Exchange, the ASP pages can format this data for the user to view.

Code Samples

      Here are some code snippets taken from the sample site. In the site, I used an account creation page to create a Site Server account and then the Exchange mailbox. Figure 2 shows how to create the Site Server account.
      Next, the ASP page calls an MTS COM object to create the Exchange mailbox using ADSI and LDAP. Figure 3 shows how the Exchange mailbox is created.
      Once an account is created, the user can log on to the private ASP pages. Code at the top of every private ASP page identifies the user and extracts the mailbox they have rights to access. The following code identifies the user with a Site Server Active User Object (AUO) and retrieves their mailbox details. For more explanation on AUO, see the Site Server documentation. This simple example shows how to create an instance of the AUO interface and retrieve properties of the authenticated user.


 'Without On Error Resume Next a failed CreateObject aborts the page
 'before the Err check below can run
 On Error Resume Next

 'Create an AUO object
 Set oAUO = Server.CreateObject("Membership.UserObjects")
 If Err.Number <> 0 Then
     Response.Write "Unable to create AUO object"
     Response.End
 End If
 On Error GoTo 0

 'Retrieve the value of cn, which happens to be the mailbox name within
 'Exchange
 fUserID = oAUO.Get("cn")

 'Retrieve the value of userComment, which we used to hold the name of the
 'Exchange server the mailbox resides on
 fServerName = oAUO.Get("userComment")

      After creating the AUO object, the code sets the user's properties to ASP variables. The sample site uses the Site Server Personalization and Membership properties of cn (canonical name) and userComment (user comments) to hold the values of the Exchange mailbox name and Exchange server name, respectively. The ASP variables of fUserID and fServerName are then set to the values of these properties. Every MTS COM object has methods that are called from ASP. Each one of those methods has the required parameters of mailbox name and Exchange server name. The ASP page uses the values of fUserID and fServerName when calling the MTS COM objects to fill these parameters.
      Here's how an ASP page calls one of the MTS COM objects to access and manipulate an Exchange mailbox:

 Set Foo = Server.CreateObject("Sendmail.ExchangeEmail")
 'Call is required in VBScript when a method invoked as a statement
 'takes more than one argument in parentheses
 Call Foo.GetEmail(CStr(fUserID), CStr(fServerName), CStr(MessageID), _
     "INBOX", False, "")

      Within every MTS COM object, the values of fUserID and fServerName are used to create a dynamic, Outlook-type CDO profile and log in as that user to access their mailbox. Since these components run under the Exchange Administrator account, they can access every mailbox in Exchange.
      Here is a code snippet from the CreateEmail method of the Sendmail.ExchangeEmail interface. It shows how to create an on-the-fly Outlook-type CDO profile and log into that profile:

 Set CDOSession = CreateObject("MAPI.Session")
 CDOSession.Logon , , , , , , fServerName & vbLf & fUserID

      This creates a dynamic profile that logs into the Exchange server named by fServerName and accesses the mailbox named by fUserID. Once the profile is created and the CDO session is logged on, you can manipulate the mailbox using any of the CDO objects and methods available.
      Here is a code snippet from the CreateEmail method of the Sendmail.ExchangeEmail interface that creates an outgoing email after the CDO session is created and logged on:

 Set oFolder = CDOSession.Outbox
 Set oMessages = oFolder.Messages
 Set oMsg = oMessages.Add
 oMsg.Subject = "test Subject"
 oMsg.Text = "test Msg" & vbCRLF & "—" & vbCRLF & "Test Advertisement" 
 Set oRcpt = oMsg.Recipients
 oRcpt.Add , "SMTP:mccormick@home.com"
 oRcpt.Resolve
 oMsg.Send False
 CDOSession.Logoff

      This creates a new message in the user's outbox. This message has the subject, body text, and recipients set before it calls the send method to deliver the message. It then logs out of the CDO session. After the CDO session is logged out, the Outlook-type CDO profile is removed from the computer automatically.

Security and Scalability Tips

      Before taking the site live, I must tell you about some security issues that exist in this design.
      To prevent any misuse of the ASP pages, Site Server LDAP databases, and Exchange server, I would definitely place all servers for this application behind a firewall. You only need to allow access to your Web server via port 80 (HTTP), and your Exchange Server via port 25 (SMTP). This will allow incoming HTTP and email requests to access the services on that computer only.
      If you use Site Server forms authentication, which is the process of entering username and password into an HTML form, you will want to purchase an SSL certificate. Since forms authentication will send username and password data in clear text over the Internet, the SSL certificate will allow you to encrypt the traffic sent over the Internet between the browser and server. You do not want to encrypt all traffic because that can slow your site down tremendously. You will want to set encryption on the logon page so no user names and passwords travel over the Internet unencrypted. See the Site Server documentation for other tips on securing your system for Internet access.
      The COM components running on MTS are powerful. Since they run under the permission of the Exchange Administrator account, they can read the contents of all mailboxes they have access to. You can set up MTS security so only your application has rights to spawn these COM components. Read the MTS documentation for more information on security and roles.
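      Because the components open whichever mailbox name and server they are handed, the top of each private ASP page is the only place where the mailbox choice is tied to the logged-on user. The following is an added example, not code from the sample site: it takes both values only from the authenticated AUO, rejects anything that could alter the vbLf-joined CDO ProfileInfo string, and checks the server against a list. The names GetCallerMailbox, IsSafeDirectoryValue, and ALLOWED_SERVERS, the server name MAILSRV01, and the 64-character limit are assumptions made for illustration.

```vbscript
<%
' Added example, not part of the sample site. GetCallerMailbox,
' IsSafeDirectoryValue, ALLOWED_SERVERS and MAILSRV01 are hypothetical names.
Option Explicit

' Constructed allow-list of Exchange servers that host this site's mailboxes,
' written as |NAME| entries so that a partial name cannot match.
Const ALLOWED_SERVERS = "|MAILSRV01|"

' True only for a short string made of characters expected in a mailbox or
' server name. This rejects vbLf and vbCr, which matters because the
' components build the CDO ProfileInfo as server & vbLf & mailbox.
Function IsSafeDirectoryValue(vValue)
    Dim oRe
    IsSafeDirectoryValue = False
    If VarType(vValue) <> vbString Then Exit Function
    Set oRe = New RegExp
    oRe.Pattern = "^[A-Za-z0-9._-]{1,64}$"
    IsSafeDirectoryValue = oRe.Test(vValue)
End Function

' Resolves the caller's mailbox from the authenticated Site Server identity
' only; nothing is read from the query string or form. Returns False and
' leaves both outputs empty on any failure.
Function GetCallerMailbox(ByRef sMailbox, ByRef sServer)
    Dim oAUO, vCn, vSrv
    GetCallerMailbox = False
    sMailbox = ""
    sServer = ""

    On Error Resume Next
    Set oAUO = Server.CreateObject("Membership.UserObjects")
    If Err.Number <> 0 Then Exit Function
    vCn = oAUO.Get("cn")
    If Err.Number <> 0 Then Exit Function
    vSrv = oAUO.Get("userComment")
    If Err.Number <> 0 Then Exit Function
    On Error GoTo 0

    If Not IsSafeDirectoryValue(vCn) Then Exit Function
    If Not IsSafeDirectoryValue(vSrv) Then Exit Function
    If InStr(1, ALLOWED_SERVERS, "|" & UCase(vSrv) & "|", vbBinaryCompare) = 0 Then
        Exit Function
    End If

    sMailbox = vCn
    sServer = vSrv
    GetCallerMailbox = True
End Function

Dim fUserID, fServerName

' Stop before any MTS component is created if the identity cannot be resolved.
If Not GetCallerMailbox(fUserID, fServerName) Then
    Response.Status = "403 Forbidden"
    Response.End
End If

' From here on, fUserID and fServerName are the only mailbox values the page
' passes to the MTS COM components.
%>
```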
      When setting up the Internet Mail Service for Exchange, you are asked if you want Exchange Server to have the ability to forward email from other computers or just send mail for Exchange Server. I would not recommend allowing your server to forward email from other computers because this ability has been exploited by spammers. If you turned on email forwarding during the installation, you can still turn it off at a later date. See the Exchange Server documentation on how to accomplish this.
      If you allow email file attachment functionality in your free email site, you will want to look at setting quotas to limit the size of each mailbox, plus set a limit on the largest-size attachment you will accept. These quotas will help protect your Exchange Server from quickly running out of disk space.
      You need to invest in a sturdy, well-tested Exchange-enabled backup software package. Once you have it, you need to make backups on a daily basis and store the tapes off-site. Backups don't help if they are stored right next to the server. You may also want to invest in an Exchange-enabled anti-virus package to prevent sending and receiving virus-ridden attachments.
      Please, please, please keep up with Internet Information Server (IIS) and ASP security issues. Before placing a site on the Internet, install the latest hot fixes and patches. Since IIS and ASP have grown so popular, they have also become a target for many hackers. Ignorance is not an excuse for having your site compromised. Visit the Microsoft Security Advisory Web site (http://www.microsoft.com/security) on a weekly basis and keep up with the posted issues.

Scalability Planning

      The scalability of Site Server is well documented. Many high-traffic sites use Site Server as their Web platform. If you plan on having a high-traffic site with millions of email accounts, I recommend using SQL Server™ for your Site Server Personalization and Membership user database. Microsoft Access will work to a certain extent, but it does not scale very well. If your site will host millions of accounts, use SQL Server from the beginning and plan your SQL Server design appropriately. This includes partitioning the databases properly to allow for scalability in the future. For more information, see the Site Server documentation about setting up a Site Server/SQL Server Personalization and Membership user database for hundreds of thousands of users.
      As you get more accounts and more traffic on your site, you will find that your single Web server cannot handle all of the requests. You can install additional Site Server Web application servers that point to your original Site Server Personalization and Membership database. Once you have created this additional Web application server, simply install the ASP files and COM components as you did for the original server.
      You will also need to create a routing scheme that load-balances all incoming requests to both servers equally. You can add as many Web application servers as you like to help decrease response time for your clients. See the Site Server documentation for design specifics and diagrams on how to set up multiple application Web servers that access the same Site Server Personalization and Membership user database.
      Exchange Server runs the email systems of thousands of companies around the world. This email system design is based on a single Exchange organization and a single Exchange site. To monitor the performance of your Exchange Server refer to the preconfigured Performance Monitor charts that come with Exchange. As you fill up one Exchange server, simply add another to the existing site and modify your account creation pages to create accounts on this newly added server. You can do this as many times as you need to.

Final Thoughts

      This system design will allow you to offer any of the services provided by Exchange in your free email site. My sample site only shows how to provide email, a calendar, and contacts. I haven't even tapped into such abilities as storing tasks, notes, and journal entries. Also, you could include the sharing of Exchange public folders that contain forum-type information or Usenet newsgroups via your Web site.
      In addition, you could forward all email destined for one of your online mailboxes to any Internet-accessible mailbox (so your site acts as a personal mail forwarder). This would allow people to have the same email address, no matter where they lived, where they worked, or what ISP they used. Mail sent to this mailbox would then be forwarded to the mailbox of their current job or ISP. Of course, this takes away from the major goal of this site: to increase daily site traffic and increase revenues generated from selling products or advertising space.
      If you want to add value to your email service, you could have a second Site Server Web site that is totally SSL protected. Keep in mind that this will slow down response time for your clients. You could set up this secondary site to hit the same Site Server Personalization and Membership user database and Exchange Server. Setting SSL over the entire site would encrypt all transactions to and from the Web server and give your users the comfort of knowing that they are the only ones that can read their email. This has the added value of letting your users choose between email access speed (by using the normal site) and email access security (by using the SSL-protected site). With this added security, you might attract users to your site for business correspondence.
      Generating more traffic to a Web site is the greatest task for any Web developer. This application design and sample site, if implemented properly, could give your site the boost it needs. At this time, MSN.com™ Hotmail® boasts of hosting over 40 million email accounts. That's a lot of eyes seeing their advertisements and products on a daily basis. Plus, if you set up a nonintrusive two-line advertisement at the bottom of every email sent, your users would be sending email to their friends and co-workers with your advertisement. This has the potential of getting your marketing message out to an unlimited audience. Now that's a smart investment.

MSDN
http://msdn.microsoft.com/workshop/server/nextgen/perstutor.asp

From the December 1999 issue of Microsoft Internet Developer.