Installation architecture

Posted: Wed Oct 10, 2018 10:30 am
by sami
Hey folks,

I'm starting a new installation of Zimbra collaboration, and I was wondering what the best practices were currently for a mail system architecture.
We currently have a really old setup consisting of
1 ldap server (internal)
1 mailbox server (internal)
1 mx server (internal)
1 proxy (external)
1 mx (external)

Is it still relevant to have external/internal smtp servers with split horizon, or does it make more sense to have 2 external with different preference ?
Are there any other considerations I should take into account on the new setup ?

Thanks for your help.
Sami

Re: Installation architecture

Posted: Wed Oct 10, 2018 12:14 pm
by DualBoot
Hello,

Architecture needs to be considered in its context:
- the scope of your enterprise may have a great influence (security, redundancy ...)
- amount of messages sent and received
- number of accounts
- amount of data
...

Most of the time I use a baseline which I call my Holy Trinity :
- 1 Zimbra LDAP
- 1 Zimbra MailBox
- 1 Zimbra Nginx/SMTP
With this you can easily scale up your architecture, that's my point of view.

Regards,

Re: Installation architecture

Posted: Wed Oct 10, 2018 3:37 pm
by L. Mark Stone
sami wrote: Hey folks,

I'm starting a new installation of Zimbra collaboration, and I was wondering what the best practices were currently for a mail system architecture.
We currently have a really old setup consisting of
1 ldap server (internal)
1 mailbox server (internal)
1 mx server (internal)
1 proxy (external)
1 mx (external)

Is it still relevant to have external/internal smtp servers with split horizon, or does it make more sense to have 2 external with different preference ?
Are there any other considerations I should take into account on the new setup ?

Thanks for your help.
Sami
It would be helpful if you posted how many mailboxes you have now/plan to have in future, and how many emails a day the typical user sends/receives.

You will then get some more specific suggestions, I am sure!

Mark

Re: Installation architecture

Posted: Mon Oct 15, 2018 1:36 pm
by sami
Thank you Dual and Mark for your feedback,

The scope is academia, so standard security. The number of mailboxes is around 200-250 and is pretty stable.
The typical user sends less than 100 mails a day, a few special mailboxes send up to 3k mails a day.

Sami

Re: Installation architecture

Posted: Mon Oct 15, 2018 3:38 pm
by L. Mark Stone
For 250 users to get a little redundancy I’d install a standard single standalone server, and then add a second server as an LDAP replica, proxy and MTA server.

Hope that helps,
Mark

Re: Installation architecture

Posted: Wed Oct 17, 2018 2:55 pm
by sami
I'd still like to know about the question below. Does it add anything to security ? Does it, for example, prevent infected/misconfigured internal servers from sending mail, and so protect your MTA from being marked as a spam source ?
Also, what's the use for a replica when one is not using a loadbalancer, and other mechanisms take care of daily backup ?

Thanks !
Is it still relevant to have external/internal smtp servers with split horizon, or does it make more sense to have 2 external with different preference ?
Are there any other considerations I should take into account on the new setup ?

Re: Installation architecture

Posted: Wed Oct 17, 2018 9:44 pm
by L. Mark Stone
No benefit to security.

Spam checks are by domain as well as by IP (and content).

So if you allow compromised mailboxes to send enough spam to get you blacklisted, changing MTAs or IP addresses won’t fix anything.

If anything, IP addresses that are new sources of email are ranked with heightened suspicion for a period of time.

Mark

Re: Installation architecture

Posted: Thu Oct 18, 2018 9:18 am
by sami
Thanks for your input Mark !

Re: Installation architecture

Posted: Thu Oct 18, 2018 12:21 pm
by L. Mark Stone
sami wrote: Thanks for your input Mark !
Glad that helped!

And to your original question "Are there any other considerations I should take into account on the new setup ?" I'd recommend leveraging the variety of new security services within Zimbra.

-- Postscreen will reduce the number of junk emails Amavis will need to process.

-- Using cbpolicyd to limit outbound email sending rates will reduce the likelihood you will be blacklisted when you have a compromised mailbox.

-- Setting DoSFilter to throttle connections and block IPs at a threshold lower than your password account lockout policy will enable legitimate users to continue to access their mailboxes even when a spammer is working hard at a brute force login attack.

So one server, maybe two, and you should be all set!

All the best,
Mark
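The "throttle below lockout" point in Mark's last post, as an added example that is not part of the thread or of Zimbra: a small simulation that replays constructed login events through a per-IP block counter and a per-account lockout counter, so you can see why the IP threshold must be the lower of the two. The thresholds, IP addresses and account name are constructed, and the per-IP counter is a simplification of what DoSFilter actually does (it throttles by request rate).

```python
"""Added example (not from the forum thread or from Zimbra): models the
interplay between a per-IP block (the DoSFilter idea) and a per-account
password lockout.  All thresholds, addresses and accounts are constructed."""
from collections import defaultdict


def run_auth_events(events, ip_threshold, account_threshold):
    """Replay (ip, account, password_ok) tuples through two independent
    failure counters and return the final state.  A request from a blocked
    IP is dropped at the edge before it can count against the account;
    a locked account rejects even a correct password."""
    ip_failures = defaultdict(int)
    account_failures = defaultdict(int)
    blocked_ips, locked_accounts = set(), set()
    outcomes = []
    for ip, account, password_ok in events:
        if ip in blocked_ips:
            outcomes.append("dropped")      # throttled, never reaches auth
            continue
        if account in locked_accounts:
            outcomes.append("locked")
            continue
        if password_ok:
            outcomes.append("ok")
            continue
        outcomes.append("fail")
        ip_failures[ip] += 1
        account_failures[account] += 1
        if ip_failures[ip] >= ip_threshold:
            blocked_ips.add(ip)
        if account_failures[account] >= account_threshold:
            locked_accounts.add(account)
    return {"outcomes": outcomes, "blocked_ips": blocked_ips,
            "locked_accounts": locked_accounts}


# Constructed scenario: one guessing source (documentation range 198.51.100.0/24)
# makes 12 bad attempts against alice, then alice logs in correctly from her own
# workstation (documentation range 192.0.2.0/24).
ATTACK = [("198.51.100.7", "alice", False)] * 12
LEGIT = [("192.0.2.10", "alice", True)]


def legit_user_survives(ip_threshold, account_threshold):
    """True if alice's own login still succeeds after the guessing run."""
    state = run_auth_events(ATTACK + LEGIT, ip_threshold, account_threshold)
    return state["outcomes"][-1] == "ok"


if __name__ == "__main__":
    print("IP block 5, lockout 10 :", legit_user_survives(5, 10))    # True
    print("IP block 20, lockout 10:", legit_user_survives(20, 10))   # False
```

With the IP threshold below the lockout threshold the guessing source is cut off after five failures and the account never reaches its lockout count; with the thresholds reversed the account locks and alice is shut out along with the attacker.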