I'm running VB at home with around 3 users, but I don't see why it wouldn't support 25. Virtualization, in my opinion, it a must. Snapshots are just too convenient for failure recovery.
I guess my question is/are: what kind of hardware should I consider? Should it be virtualized? Is virtualbox ok for this?
If mail is a critical for your environment, then probably. I'm working on that currently for my employer. As for Software RAID, I'm not a fan.
Should we have a second mailserver for failover? Software raid 1 ok?
ALWAYS! You should never be putting servers directly on the net. A small Linux firewall, running IPTables and using Firewall Builder for the rules. And yes, you can run Zimbra behind the firewall (DMZ) with a Split-DNS setup.
What about a external firewall? We don't currently have one and Zimbra says don't use a firewall? Should we?
Depends on what version you're using. At home, I'm using OSE, at work we're using NE.
What is a good backup strategy for Zimbra?
At home, I do an XFS snapshot of the file system and then use Duplicity to do the compressing, encrypting and moving to a secondary storage unit. For work, we use the built-in backup facilities
Low-end quad core system (I'm currently running on a referb Dell with a Core2Quad, between 8 and 10 GB memory and 2 Hard drives, 1 for the OS and 1 for the datastore. For backups, a eSata drive.
I guess my questions really boil down to: if you had a limited budget (but at least had a budget) what is the best way to set something like this up and what would you like to see included?
For the Virtualization, VB 4.12 64bit. If you're not Windows averse (I am), the VMWare ESXi 4.10 is a good choice as well, but requires a Windows client for administration.