Installation architecture

Ask questions about your setup or get help installing ZCS server (ZD section below).
sami
Posts: 4
Joined: Wed Oct 10, 2018 10:20 am

Installation architecture

Postby sami » Wed Oct 10, 2018 10:30 am

Hey folks,

I'm starting a new installation of Zimbra collaboration, and I was wondering what the best practices were currently for a mail system architecture.
We currently have a really old setup consisting of
1 ldap server (internal)
1 mailbox server (internal)
1 mx server (internal)
1 proxy (external)
1 mx (external)

Is it still relevant to have external/internal smtp servers with split horizon, or does it make more sense to have 2 external with different preference ?
Are there any other considerations I should take into account on the new setup ?

Thanks for your help.
Sami


DualBoot
Outstanding Member
Posts: 768
Joined: Mon Apr 18, 2016 8:18 pm
Location: Earth
ZCS/ZD Version: ZCS FLOSS - 8.7.11 Multi servers

Re: Installation architecture

Postby DualBoot » Wed Oct 10, 2018 12:14 pm

Hello,

architecture needs to be considered with its context:
- the scope of your enterprise may have a great influence (security, redundancy ...)
- amount of messages sent and received
- number of accounts
- amount of data
...

most of the time I use a baseline which I call my Holy Trinity :
- 1 Zimbra LDAP
- 1 Zimbra MailBox
- 1 Zimbra Nginx/SMTP
With this you can easily scale up your architecture, that's my point of view.

Regards,
L. Mark Stone
Elite member
Posts: 1864
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine
ZCS/ZD Version: 8.8.8 Patch 6 Network Edition

Re: Installation architecture

Postby L. Mark Stone » Wed Oct 10, 2018 3:37 pm

sami wrote: Hey folks,

I'm starting a new installation of Zimbra collaboration, and I was wondering what the best practices were currently for a mail system architecture.
We currently have a really old setup consisting of
1 ldap server (internal)
1 mailbox server (internal)
1 mx server (internal)
1 proxy (external)
1 mx (external)

Is it still relevant to have external/internal smtp servers with split horizon, or does it make more sense to have 2 external with different preference ?
Are there any other considerations I should take into account on the new setup ?

Thanks for your help.
Sami


It would be helpful if you posted how many mailboxes you have now/plan to have in future, and how many emails a day the typical user sends/receives.

You will then get some more specific suggestions I am sure!

Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/

Re: Installation architecture

Postby sami » Mon Oct 15, 2018 1:36 pm

Thank you Dual and Mark for your feedback,

The scope is academia, so standard security. The number of mailboxes is around 200-250 and is pretty stable.
The typical user sends less than 100 mails a day, a few special mailboxes send up to 3k mails a day.

Sami

Re: Installation architecture

Postby L. Mark Stone » Mon Oct 15, 2018 3:38 pm

For 250 users to get a little redundancy I’d install a standard single standalone server, and then add a second server as an LDAP replica, proxy and MTA server.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/

Re: Installation architecture

Postby sami » Wed Oct 17, 2018 2:55 pm

I'd still like to know about the question below. Does it add anything to security? Does it, for example, prevent infected/misconfigured internal servers from sending mail, and so protect your MTA from being marked as a spam source?
Also, what's the use for a replica when one is not using a loadbalancer, and other mechanisms take care of daily backup ?

Thanks !

Is it still relevant to have external/internal smtp servers with split horizon, or does it make more sense to have 2 external with different preference ?
Are there any other considerations I should take into account on the new setup ?

Re: Installation architecture

Postby L. Mark Stone » Wed Oct 17, 2018 9:44 pm

No benefit to security.

Spam checks are by domain as well as by IP (and content).

So if you allow compromised mailboxes to send enough spam to get you blacklisted, changing MTAs or ip addresses won’t fix anything.

If anything, ip addresses that are new sources of email are ranked with heightened suspicion for a period of time.

Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/

Re: Installation architecture

Postby sami » Thu Oct 18, 2018 9:18 am

Thanks for your input Mark !

Re: Installation architecture

Postby L. Mark Stone » Thu Oct 18, 2018 12:21 pm

sami wrote: Thanks for your input Mark !


Glad that helped!

And to your original question "Are there any other considerations I should take into account on the new setup ?" I'd recommend leveraging the variety of new security services within Zimbra.

-- Postscreen will reduce the number of junk emails Amavis will need to process.

-- Using cbpolicyd to limit outbound email sending rates will reduce the likelihood you will be blacklisted when you have a compromised mailbox.

-- Setting DoSFilter to throttle connections and block IPs at a threshold lower than your password account lockout policy will enable legitimate users to continue to access their mailboxes even when a spammer is working hard at a brute force login attack.

So one server, maybe two, and you should be all set!

All the best,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
Zeta Alliance http://www.zetalliance.org/
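
The threshold ordering recommended in the post above can be checked with a small replay model. This is an added example, not part of the thread and not Zimbra code: the function names, IP addresses and event list are constructed for illustration, and it assumes simple failure counters with no time window or automatic unblock.

```python
from collections import Counter

def replay(events, ip_block_after, lockout_after):
    """Replay login attempts through a per-IP failed-login block and a
    per-account lockout. Returns (blocked_ips, locked_accounts, outcomes)."""
    ip_failures, acct_failures = Counter(), Counter()
    blocked_ips, locked_accounts, outcomes = set(), set(), []
    for ip, account, password_ok in events:
        if ip in blocked_ips:
            outcomes.append("dropped")     # never reaches authentication
            continue
        if account in locked_accounts:
            outcomes.append("locked_out")  # a correct password is refused too
            continue
        if password_ok:
            ip_failures[ip] = 0
            acct_failures[account] = 0
            outcomes.append("ok")
            continue
        ip_failures[ip] += 1
        acct_failures[account] += 1
        outcomes.append("failed")
        if ip_failures[ip] >= ip_block_after:
            blocked_ips.add(ip)
        if acct_failures[account] >= lockout_after:
            locked_accounts.add(account)
    return blocked_ips, locked_accounts, outcomes

# Constructed sample: 20 bad passwords against one mailbox from a single
# source, then the real owner logs in from a different address.
ATTACKER, OWNER_IP = "203.0.113.7", "198.51.100.20"
EVENTS = [(ATTACKER, "alice", False)] * 20 + [(OWNER_IP, "alice", True)]

def legit_user_result(ip_block_after, lockout_after):
    """Outcome of the owner's login after the guessing run."""
    return replay(EVENTS, ip_block_after, lockout_after)[2][-1]

if __name__ == "__main__":
    for ip_thr, lock_thr in [(5, 10), (10, 10), (15, 10)]:
        print(f"IP block after {ip_thr}, lockout after {lock_thr}: "
              f"owner login -> {legit_user_result(ip_thr, lock_thr)}")
```

With equal thresholds the account locks on the same attempt that blocks the source, so the IP threshold has to be strictly lower for the owner to keep access.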
