We also started off running Zimbra on a single box (FOSS) then upgraded to NE, and decided we needed Multi Server. While we still have some work to do, here's our current setup:
We have 2 Linux servers handling LDAP. One is always master, while the other is replica. Should the master server die, we use Linux-HA heartbeat to move the virtual IP used for the master LDAP service over to the second server. We then use a modified ~zimbra/conf-master folder to start the master LDAP service against the same openldap-data replica data. We've only used this automatic system once or twice -- we try to avoid it if possible. The firewalls on these systems only allow LDAP port 389 and SSH 22 from other Zimbra servers in our network.
Our MTAs are split into two MTA roles: Relay and MX. Both systems use AntiVirus/AntiSpam from Zimbra. The MX servers handle inbound email only, while the Relays handle customer-initiated outbound email. The MTA MXs have SMTP Auth disabled, and the MTAMyNetworks is very minimal. The firewall only allows port 25 connections in. We use twelve servers for MX purposes.
For Relay, we use SMTP Auth as well as our IP networks listed in MTAMyNetworks. The firewall on the Relay servers allows traffic on ports 25 and 587. We have two Relay servers; each server's hostname matches the Zimbra hostname, however, we also have Virtual IPs for each box that we point "smtp.example.org" to. This round-robin style DNS plus "Wackamole/Spread" open-source software allows us to become independent from any network load balancers. (What if your load balancers fail?) Wackamole is a peer-based software that makes sure the VIPs are evenly distributed (as much as possible) and if any host drops, the VIPs will move automatically to other available servers. We opted not to do this for our MTA MX servers, because the DNS MX weights are resilient enough to handle a host failure automatically.
We use two Zimbra Proxy servers (no other Zimbra services installed). Similar to our MTA Relay, we use two extra VIPs for production hostnames such as webmail.example.org, pop.example.org, and imap.example.org. Remember these hostnames resolve to all VIPs that Wackamole/Spread maintain. The firewall here blocks everything except POP(s), IMAP(s), and Webmail (443).
We use two physical servers (no VM) with DAS external storage. We don't use the logger service or Anti Virus/Anti Spam (we relay all outbound mail to the MTA relays). For HA, what we do is use Linux-HA heartbeat to manage a VIP that Zimbra binds to, as well as to manage the DAS /opt/zimbra mount points. We have an identical standby (a 3rd server) that has all the DAS units wired in. Should either of our two production Mailbox servers die, Heartbeat will bring up the VIPs and mountpoints. Our standby server can only be active for one mailbox server at a time. The firewall on the Mailbox servers only allows the other Zimbra servers to connect. No public access here. I should mention that there are domain attributes such as zimbraPublicServiceHostname that you should point to your proxy hostname (i.e. webmail.example.org) so that REST URLs do not point directly to your physical Mailbox servers' URL.
Lately we've been switching off Xen and onto VMware ESXi for some of the non-Mailbox instances, but otherwise it's a very resilient system for us. **knocks on wood**
Hope the info helps.