Hey folks,
I'm starting a new installation of Zimbra collaboration, and I was wondering what the best practices were currently for a mail system architecture.
We currently have a really old setup consisting of
1 ldap server (internal)
1 mailbox server (internal)
1 mx server (internal)
1 proxy (external)
1 mx (external)
Is it still relevant to have external/internal smtp servers with split horizon, or does it make more sense to have 2 external with different preference ?
Are there any other considerations I should take into account on the new setup ?
Thanks for your help.
Sami
Installation architecture
- DualBoot
- Elite member
- Posts: 1326
- Joined: Mon Apr 18, 2016 8:18 pm
- Location: France - Earth
- ZCS/ZD Version: ZCS FLOSS - 8.8.15 Multi servers
- Contact:
Re: Installation architecture
Hello,
Architecture needs to be considered with its context:
- the scope of your enterprise may have a great influence (security, redundancy ...)
- amount of messages sent and received
- number of accounts
- amount of data
...
Most of the time I use a baseline which I call my Holy Trinity:
- 1 Zimbra LDAP
- 1 Zimbra MailBox
- 1 Zimbra Nginx/SMTP
With this you can easily scale up your architecture, that's my point of view.
Regards,
- L. Mark Stone
- Ambassador
- Posts: 2800
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.7 Network Edition
- Contact:
Re: Installation architecture
sami wrote:
Hey folks,
I'm starting a new installation of Zimbra collaboration, and I was wondering what the best practices were currently for a mail system architecture.
We currently have a really old setup consisting of
1 ldap server (internal)
1 mailbox server (internal)
1 mx server (internal)
1 proxy (external)
1 mx (external)
Is it still relevant to have external/internal smtp servers with split horizon, or does it make more sense to have 2 external with different preference ?
Are there any other considerations I should take into account on the new setup ?
Thanks for your help.
Sami
It would be helpful if you posted how many mailboxes you have now/plan to have in future, and how many emails a day the typical user sends/receives.
You will then get some more specific suggestions, I am sure!
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
Re: Installation architecture
Thank you Dual and Mark for your feedback,
The scope is academia, so standard security. The number of mailboxes is around 200-250 and is pretty stable.
The typical user sends less than 100 mails a day, a few special mailboxes send up to 3k mails a day.
Sami
- L. Mark Stone
- Ambassador
- Posts: 2800
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.7 Network Edition
- Contact:
Re: Installation architecture
For 250 users to get a little redundancy I’d install a standard single standalone server, and then add a second server as an LDAP replica, proxy and MTA server.
Hope that helps,
Mark
Re: Installation architecture
I'd still like to know about the question below. Does it add anything to security ? Does it, for example, prevent infected/malconfigured internal servers from sending mail, and so protect your MTA from being marked as a spam source ?
Also, what's the use for a replica when one is not using a loadbalancer, and other mechanisms take care of daily backup ?
Thanks !
Is it still relevant to have external/internal smtp servers with split horizon, or does it make more sense to have 2 external with different preference ?
Are there any other considerations I should take into account on the new setup ?
- L. Mark Stone
- Ambassador
- Posts: 2800
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.7 Network Edition
- Contact:
Re: Installation architecture
No benefit to security.
Spam checks are by domain as well as by IP (and content).
So if you allow compromised mailboxes to send enough spam to get you blacklisted, changing MTAs or IP addresses won’t fix anything.
If anything, IP addresses that are new sources of email are ranked with heightened suspicion for a period of time.
Mark
Re: Installation architecture
Thanks for your input Mark !
- L. Mark Stone
- Ambassador
- Posts: 2800
- Joined: Wed Oct 09, 2013 11:35 am
- Location: Portland, Maine, US
- ZCS/ZD Version: 10.0.7 Network Edition
- Contact:
Re: Installation architecture
sami wrote:
Thanks for your input Mark !
Glad that helped!
And to your original question "Are there any other considerations I should take into account on the new setup ?" I'd recommend leveraging the variety of new security services within Zimbra.
-- Postscreen will reduce the number of junk emails Amavis will need to process.
-- Using cbpolicyd to limit outbound email sending rates will reduce the likelihood you will be blacklisted when you have a compromised mailbox.
-- Setting DoSFilter to throttle connections and block IPs at a threshold lower than your password account lockout policy will enable legitimate users to continue to access their mailboxes even when a spammer is working hard at a brute force login attack.
So one server, maybe two, and you should be all set!
All the best,
Mark
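An added example, not part of any post in this thread and not Zimbra's own tooling: a shell check for the ordering recommended in the last post, that the per-IP failed-login block trips before the per-account password lockout. It assumes the thresholds live in the attributes zimbraInvalidLoginFilterMaxFailedLogin, zimbraPasswordLockoutEnabled and zimbraPasswordLockoutMaxFailures; the function names and sample values are constructed for this example.

```shell
#!/bin/sh
# Added example: is the per-IP failed-login block stricter than account lockout?
# Input is "attribute: value" text in the form zmprov prints.
# Assumption: these three attributes hold the thresholds on your version.

# attr_value NAME TEXT: print the value of attribute NAME (empty if absent)
attr_value() {
    printf '%s\n' "$2" | awk -F': *' -v k="$1" '$1 == k { print $2; exit }'
}

# check_thresholds TEXT: 0 = IP block trips first (or lockout is off),
# 1 = lockout can trip first, 2 = a threshold is missing or not a number
check_thresholds() {
    ip_max=$(attr_value zimbraInvalidLoginFilterMaxFailedLogin "$1")
    lock_on=$(attr_value zimbraPasswordLockoutEnabled "$1")
    lock_max=$(attr_value zimbraPasswordLockoutMaxFailures "$1")
    if [ "$lock_on" = "FALSE" ]; then
        echo "OK: account lockout is disabled, only the IP block applies"
        return 0
    fi
    for v in "$ip_max" "$lock_max"; do
        case "$v" in
            ''|*[!0-9]*) echo "UNKNOWN: threshold missing or non-numeric"; return 2 ;;
        esac
    done
    if [ "$ip_max" -lt "$lock_max" ]; then
        echo "OK: IP blocked after $ip_max failures, lockout at $lock_max"
        return 0
    fi
    echo "WARN: lockout ($lock_max) trips at or before the IP block ($ip_max)"
    return 1
}

# Constructed sample inputs (not taken from a real server)
SAMPLE_GOOD='# name default
zimbraInvalidLoginFilterMaxFailedLogin: 5
zimbraPasswordLockoutEnabled: TRUE
zimbraPasswordLockoutMaxFailures: 10'
SAMPLE_BAD='zimbraInvalidLoginFilterMaxFailedLogin: 10
zimbraPasswordLockoutEnabled: TRUE
zimbraPasswordLockoutMaxFailures: 10'

check_thresholds "$SAMPLE_GOOD"
check_thresholds "$SAMPLE_BAD" || true
# On a server, as the zimbra user, assuming the "default" COS applies:
#   check_thresholds "$(zmprov gcf zimbraInvalidLoginFilterMaxFailedLogin; \
#     zmprov gc default zimbraPasswordLockoutEnabled zimbraPasswordLockoutMaxFailures)"
```

Equal thresholds are reported as a warning because the account would lock on the same failed attempt that blocks the IP, which is the outcome the recommendation is meant to avoid.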