Installation architecture

sami
Posts: 4
Joined: Wed Oct 10, 2018 10:20 am

Installation architecture

Post by sami »

Hey folks,

I'm starting a new installation of Zimbra Collaboration, and I was wondering what the best practices were currently for a mail system architecture.
We currently have a really old setup consisting of
1 ldap server (internal)
1 mailbox server (internal)
1 mx server (internal)
1 proxy (external)
1 mx (external)

Is it still relevant to have external/internal SMTP servers with split horizon, or does it make more sense to have 2 external with different preference?
Are there any other considerations I should take into account on the new setup?

Thanks for your help.
Sami
DualBoot
Elite member
Posts: 1326
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Multi servers

Re: Installation architecture

Post by DualBoot »

Hello,

Architecture needs to be considered in its context:
- the scope of your enterprise may have a great influence (security, redundancy ...)
- amount of messages sent and received
- number of accounts
- amount of data
...

Most of the time I use a baseline which I call my Holy Trinity:
- 1 Zimbra LDAP
- 1 Zimbra Mailbox
- 1 Zimbra Nginx/SMTP
With this you can easily scale up your architecture; that's my point of view.

Regards,
L. Mark Stone
Ambassador
Posts: 2796
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.6 Network Edition

Re: Installation architecture

Post by L. Mark Stone »

sami wrote: Hey folks,

I'm starting a new installation of Zimbra collaboration, and I was wondering what the best practices were currently for a mail system architecture.
We currently have a really old setup consisting of
1 ldap server (internal)
1 mailbox server (internal)
1 mx server (internal)
1 proxy (external)
1 mx (external)

Is it still relevant to have external/internal SMTP servers with split horizon, or does it make more sense to have 2 external with different preference?
Are there any other considerations I should take into account on the new setup?

Thanks for your help.
Sami
It would be helpful if you posted how many mailboxes you have now/plan to have in future, and how many emails a day the typical user sends/receives.

You will then get some more specific suggestions, I am sure!

Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
sami

Re: Installation architecture

Post by sami »

Thank you Dual and Mark for your feedback,

The scope is academia, so standard security. The number of mailboxes is around 200-250 and is pretty stable.
The typical user sends less than 100 mails a day; a few special mailboxes send up to 3k mails a day.

Sami
L. Mark Stone

Re: Installation architecture

Post by L. Mark Stone »

For 250 users to get a little redundancy I’d install a standard single standalone server, and then add a second server as an LDAP replica, proxy and MTA server.

Hope that helps,
Mark
sami

Re: Installation architecture

Post by sami »

I'd still like to know about the question below. Does it add anything to security? Does it, for example, prevent infected/misconfigured internal servers from sending mail, and so protect your MTA from being marked as a spam source?
Also, what's the use for a replica when one is not using a load balancer, and other mechanisms take care of daily backup?

Thanks!
Is it still relevant to have external/internal SMTP servers with split horizon, or does it make more sense to have 2 external with different preference?
Are there any other considerations I should take into account on the new setup?
L. Mark Stone

Re: Installation architecture

Post by L. Mark Stone »

No benefit to security.

Spam checks are by domain as well as by IP (and content).

So if you allow compromised mailboxes to send enough spam to get you blacklisted, changing MTAs or IP addresses won’t fix anything.

If anything, IP addresses that are new sources of email are ranked with heightened suspicion for a period of time.

Mark
sami

Re: Installation architecture

Post by sami »

Thanks for your input, Mark!
L. Mark Stone

Re: Installation architecture

Post by L. Mark Stone »

sami wrote: Thanks for your input, Mark!
Glad that helped!

And to your original question "Are there any other considerations I should take into account on the new setup ?" I'd recommend leveraging the variety of new security services within Zimbra.

-- Postscreen will reduce the number of junk emails Amavis will need to process.

-- Using cbpolicyd to limit outbound email sending rates will reduce the likelihood you will be blacklisted when you have a compromised mailbox.

-- Setting DoSFilter to throttle connections and block IPs at a threshold lower than your password account lockout policy will enable legitimate users to continue to access their mailboxes even when a spammer is working hard at a brute force login attack.

So one server, maybe two, and you should be all set!

All the best,
Mark
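As an added example, not part of this thread and not Zimbra's own code, the following Python models the two throttles Mark lists: a per-client-IP request limit applied before authentication, as DoSFilter does, next to a per-account failed-login lockout counter, and a per-sender outbound quota of the kind a cbpolicyd sending-rate policy enforces. The thresholds, the addresses, the account names and the event streams are constructed assumptions, chosen to show why the DoSFilter threshold has to sit below the lockout policy and what a rate limit alone does not catch.

```python
"""Added example (not from the forum thread or from Zimbra): sliding-window
rate limiting per IP and per sender, next to a per-account lockout counter,
run over constructed event streams. All thresholds and data are assumptions."""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window` seconds.
    This is the shape of a DoSFilter per-IP limit or a cbpolicyd sender quota."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # key -> timestamps of accepted events

    def allow(self, key, ts):
        q = self._hits[key]
        while q and ts - q[0] >= self.window:  # drop events that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(ts)
        return True


def simulate_logins(attempts, dos_per_sec, lockout_max, lockout_lifetime):
    """attempts: iterable of (ts, client_ip, account, password_ok).
    The per-IP limit runs first (the DoSFilter stage); only requests that pass
    it reach authentication and can count towards an account lockout.
    Returns ({ip: requests dropped by the IP limit}, {accounts locked out})."""
    dos = SlidingWindowLimiter(dos_per_sec, 1.0)
    failures = defaultdict(deque)  # account -> timestamps of failed logins
    dropped = defaultdict(int)
    locked = set()
    for ts, ip, account, ok in sorted(attempts):
        if not dos.allow(ip, ts):  # throttled before the password is checked
            dropped[ip] += 1
            continue
        if account in locked or ok:
            continue
        q = failures[account]
        while q and ts - q[0] >= lockout_lifetime:  # failures age out
            q.popleft()
        q.append(ts)
        if len(q) >= lockout_max:
            locked.add(account)
    return dict(dropped), locked


def simulate_outbound(messages, per_sender_limit, window):
    """messages: iterable of (ts, sender). Returns {sender: messages deferred}
    under a per-sender quota of `per_sender_limit` messages per `window` s."""
    quota = SlidingWindowLimiter(per_sender_limit, window)
    deferred = defaultdict(int)
    for ts, sender in sorted(messages):
        if not quota.allow(sender, ts):
            deferred[sender] += 1
    return dict(deferred)


def constructed_login_attempts():
    """Constructed sample, not real log data (documentation-range addresses):
    a bursting source, a slow source and one legitimate user."""
    burst = [(i / 60.0, "198.51.100.7", "alice", False) for i in range(60)]
    slow = [(2.0 * i, "198.51.100.9", "bob", False) for i in range(30)]
    legit = [(t, "203.0.113.5", "carol", True) for t in (0.2, 0.5, 0.8)]
    return burst + slow + legit


def constructed_outbound():
    """Constructed sample: a steady bulk sender and a mailbox that suddenly
    emits 500 messages in about eight minutes."""
    steady = [(60.0 * i, "newsletter@example.edu") for i in range(50)]
    sudden = [(float(i), "dave@example.edu") for i in range(500)]
    return steady + sudden


if __name__ == "__main__":
    # Assumed thresholds: 15 requests/s per IP, lockout after 20 failures
    # within one hour, outbound quota of 100 messages per sender per hour.
    dropped, locked = simulate_logins(constructed_login_attempts(), 15, 20, 3600)
    print("dropped by IP limit:", dropped)  # {'198.51.100.7': 45}
    print("accounts locked:", locked)       # {'bob'}
    print("deferred outbound:", simulate_outbound(constructed_outbound(), 100, 3600))
```

The bursting source loses 45 of its 60 requests to the IP limit, so the account it targets sees only 15 failures and never reaches the lockout threshold of 20, which is the ordering Mark recommends. The slow source at one attempt every two seconds is never throttled and it is the lockout that finally stops it, while the legitimate user on a third address is unaffected throughout: the rate limit protects availability against fast brute force, and the lockout policy is the backstop against patient guessing. In Zimbra the constants here stand in for the global config attribute zimbraHttpDosFilterMaxRequestsPerSec and the COS attributes zimbraPasswordLockoutMaxFailures and zimbraPasswordLockoutFailureLifetime. On the outbound side the steady sender stays under the quota while the suddenly busy mailbox has 400 messages deferred, which bounds how much a compromised account can emit before anyone looks at it.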