You can use other methods for moving mailboxes between mailbox servers; Zimbra Proxy is by far the easiest on your end users.
A separate LDAP Master server for just two mailbox servers seems like overkill, but I can see that you might have firewall architecture reasons for doing it that way.
Two suggestions:
First, configure A/MX records for your mailbox servers but block port 25 to them. Configure the mailbox servers to use the MTA box as their webmail host as well. In this way, the spammers won't be able to touch your mailbox servers, but if your MTA gets overloaded or otherwise compromised, with one quick firewall change and two easy Admin Console changes your users will be able to continue to send and receive email.
Second, we typically deploy Zimbra Proxy on a separate server. In the early days, Zimbra Proxy would sometimes have issues, so isolating it on a separate server gave us flexibility. We still do the same thing, but to be fair, I think more out of inertia than anything else at this point.
We saw one single-to-multi server install where the site deployed the second mailbox server, and then deployed Zimbra Proxy on the first mailbox server (the original single-server), so that the end users had to make no changes whatsoever in how they accessed the system.
Hope that helps,
Mark
L. Mark Stone, CIO | "Uptime. All the time."
477 Congress Street | Portland, ME 04101-3431 | (207) 772-5678
proactive maintenance and monitoring | technology consulting
Zimbra groupware | EMR implementations | private cloud hosting
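The first suggestion above (A/MX records on the mailbox servers, port 25 blocked to them at the firewall, one firewall change to fail over) as an added shell example; this is not the poster's configuration and the hosts (RFC 5737 documentation addresses), the nftables layout and the failover mode are assumptions:

```shell
#!/bin/sh
# Constructed example topology (RFC 5737 documentation addresses), not the poster's site.
MTA_IP="192.0.2.10"                  # the MTA box; the only host that should see port 25
MAILBOX_IPS="192.0.2.21 192.0.2.22"  # the two mailbox servers: have A/MX records, take no SMTP

# gen_smtp_rules MODE [FAILOVER_IP]
#   normal       -> only the MTA accepts inbound SMTP; mailbox servers drop it
#   failover IP  -> the named mailbox server also accepts SMTP while the MTA is out
# Prints an nftables ruleset for the forward chain of the perimeter firewall.
gen_smtp_rules() {
    mode="$1"
    failover_ip="${2:-}"
    if [ "$mode" != normal ] && [ "$mode" != failover ]; then
        echo "usage: gen_smtp_rules normal|failover [ip]" >&2
        return 2
    fi
    if [ "$mode" = failover ] && [ -z "$failover_ip" ]; then
        echo "failover mode needs the mailbox server IP" >&2
        return 2
    fi
    echo "table inet mailflow {"
    echo "  chain forward {"
    echo "    type filter hook forward priority 0; policy accept;"
    echo "    ip daddr $MTA_IP tcp dport 25 accept comment \"MTA: the only public SMTP endpoint\""
    for ip in $MAILBOX_IPS; do
        if [ "$mode" = failover ] && [ "$ip" = "$failover_ip" ]; then
            echo "    ip daddr $ip tcp dport 25 accept comment \"FAILOVER: mailbox server taking SMTP\""
        else
            echo "    ip daddr $ip tcp dport 25 drop comment \"mailbox server: no direct SMTP\""
        fi
    done
    echo "  }"
    echo "}"
}

# count_smtp_accepts MODE [IP]: how many hosts the generated policy exposes on port 25.
# In normal mode this must be exactly 1 (the MTA); a sanity check before loading with nft -f.
count_smtp_accepts() {
    gen_smtp_rules "$@" | grep -c 'tcp dport 25 accept'
}

# Usage: gen_smtp_rules normal > /etc/nftables.d/mailflow.nft && nft -f /etc/nftables.d/mailflow.nft
```

Switching to `gen_smtp_rules failover 192.0.2.21` is the "one quick firewall change"; the Admin Console changes on the Zimbra side are outside this script.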