Zimbra Collaboration Suite is an open source email and collaboration platform that includes email, contacts, calendar, documents and more. It is a web-based application suite that can be deployed as an on-premise private cloud or as an outsourced public cloud service. I've been using Zimbra since 2007 (version 4.x) for implementations of various scales: from hundreds to fifty thousand accounts. How can Zimbra handle this? The key is a Zimbra cluster using a multi-server scheme.
Below is a simple Zimbra design with one main goal: being able to handle up to 25 thousand accounts.
- All servers use private network IPs. Only one public IP is required for public access.
- All servers are preferably installed as VMs on top of VMware (or another virtualization technology). They can also be installed on physical servers, but that requires a lot of physical machines.
- In the above design, I distinguish routing for HTTP/S (web), local traffic (LMTP) and external SMTP. POP3 and IMAP access follows the same path as HTTP/S. A load balancer can also be placed in front of each traffic type to reduce overload.
- Routing for HTTP (port 80), HTTPS (port 443), POP3 and IMAP is provided by the Zimbra reverse proxy. This is the server whose ports are NAT-ed to the public IP, namely 80, 110, 143, 443, 993 and 995; the Zimbra admin port 7071 and the SMTP ports are not exposed through it. Zimbra Proxy is usually installed along with memcached, which caches the route lookups used to forward each connection and account to the appropriate mailbox server.
- In total there are 5 mailbox servers sharing the access load, with about 3000 to 5000 accounts on each. Even with 5 different mailbox servers, all users access Zimbra through the same address, such as webmail.vavai.com. Every connection is forwarded by the Zimbra proxy to the mailbox server where the account resides.
- The incoming SMTP server, with port 25 NAT-ed to the public IP, serves as the front-end server referenced by the MX records in public DNS. It runs the anti-spam and anti-virus services. Given this role, it can also be replaced by a security (anti-spam and anti-virus) appliance.
- The local SMTP role is divided into three separate functions: normal connections (local MTA), an SMTP server for email delivery from applications, and an SMTP server for mass email delivery and mailing lists.
- Port 465 (SMTP over SSL) and port 587 (SMTP submission with TLS) can also be NAT-ed to the outgoing SMTP server or to the local MTA; they are the sending ports for mail user agents (MUAs such as Outlook or Thunderbird).
- In the above design, I forgot (?? 🙂 ) to add the LDAP servers as cluster components. Actually, I have 2 LDAP servers. The first acts as LDAP master and the other as LDAP replica. All servers connect to the LDAP replica; only the LDAP replica connects to the LDAP master.
There are several advantages to the above design:
- Load balancing across mailbox servers. HTTP, IMAP and POP3 access can be spread over multiple mailbox servers. This allows horizontal scaling: adding more accounts only requires adding mailbox servers, without changing the existing configuration.
- Multiple Zimbra proxies can also be created to scale front-end access.
- It allows different rules for incoming and outgoing email, e.g. rate limiting outgoing email to prevent the public IP from being blacklisted when a compromised account sends massive amounts of spam. Applying such a rule does not affect local mail delivery.
- Easier scaling of the SMTP functions for email delivery.
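As an added example (not part of the original post), here is a small Python check for the compromised-account scenario above: it scans Postfix smtpd log lines (the Zimbra MTA is Postfix) for authenticated submissions and flags any sasl_username whose submissions within a sliding window reach a threshold, which is the kind of signal an outgoing rate limit would act on. The log lines, the mta1 hostname, the threshold and the window size are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix smtpd line as the Zimbra MTA (Postfix) logs an authenticated submission.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: \w+: "
    r"client=\S+, sasl_method=\w+, sasl_username=(?P<user>\S+)$"
)

_BASE = datetime(1900, 3, 13, 10, 0, 0)  # strptime without %Y yields year 1900

def _line(seconds, queue_id, user):
    """Build one constructed log line (sample data, not a real capture)."""
    ts = (_BASE + timedelta(seconds=seconds)).strftime("%b %d %H:%M:%S")
    return (f"{ts} mta1 postfix/smtpd[2201]: {queue_id}: client=pc[10.0.0.7], "
            f"sasl_method=LOGIN, sasl_username={user}")

SAMPLE_LOG = (
    # alice: three normal submissions spread over an hour
    [_line(s, f"A{i:04X}", "alice@vavai.com") for i, s in enumerate((0, 1500, 3300))]
    # bob: 25 submissions in 100 seconds, the pattern of a compromised account
    + [_line(60 + 4 * i, f"B{i:04X}", "bob@vavai.com") for i in range(25)]
    # carol: 25 submissions spaced ten minutes apart, a legitimate heavy sender
    + [_line(600 * i, f"C{i:04X}", "carol@vavai.com") for i in range(25)]
)

def find_bursty_senders(lines, threshold=20, window_seconds=300):
    """Return {sasl_username: peak} for accounts whose authenticated submissions
    within some sliding window of window_seconds reached threshold.
    Lines must be in log (chronological) order per user; other lines are ignored."""
    recent = defaultdict(deque)  # user -> timestamps still inside the window
    peak = defaultdict(int)
    window = timedelta(seconds=window_seconds)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        q = recent[m["user"]]
        q.append(ts)
        while ts - q[0] > window:  # drop submissions older than the window
            q.popleft()
        peak[m["user"]] = max(peak[m["user"]], len(q))
    return {u: n for u, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for user, n in find_bursty_senders(SAMPLE_LOG).items():
        print(f"{user}: {n} submissions within 5 min, candidate for rate limiting")
```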
I know that the above design is very modest and based on my experience only, so if you have any suggestions regarding large-scale Zimbra deployments, do not hesitate to drop a comment.