My Zimbra Installation Recipe

[yonatan]

Background
I am looking to bring email in-house for a small accountancy firm (< 5 users). I explored outsourcing to a Zimbra hosting provider, but there is only one in the country and we were unsatisfied with their service. As a result, I have decided to set up a Zimbra mail server myself with the help of the Zimbra community

The purpose of this thread is to verify that the steps and decisions that I make are as sound as possible. Setting up a mail server is a new experience for me, as is the lingo. I have spent the past week reading up as much as I can in the Zimbra forums, as well as various wikis, blogs etc. However, putting all the pieces together in an appropriate way for this accountancy is important and I don't want to make any critical mistakes in terms of security and reliability.

Infrastructure
Internet (Dynamic IP) <-> ADSL Modem <-> Cisco ASA 5505 <-> Server (VMWare ESXi host)

Note: Although the ISP provides a dynamic IP, which renews ever 20 minutes we always get the same one. Also, the ISP blocks port 25.

I will separate my Zimbra installation into three sections making it more manageable for myself and anyone who is willing to help. Also, I think this will be useful for others looking for a Zimbra installation recipe.

1. Domain & DNS (Including Firewall) [STATUS: Waiting for feedback]
2. OS Install & Configuration (Including Split-DNS) [STATUS: Waiting for feedback]
3. Zimbra Install & Configuration [STATUS: On hold]

Note: I will update this post with any changes I make after receiving feedback from the community.

-------------------------------------------------
1. Domain & DNS (Including Firewall)
The accountancy firm's domain registrar only handles the domain and points to the ISP's DNS servers. I can administer the domain and any DNS records on the ISP's website.

Code:

Domain: mydomain.se
Public IP: 217.xxx.xxx.xx

Q1: Through my research I have read about different DNS records, MX, PTR, A, CNAME etc. Should I setup any other records except for MX and A?

Q2: On the ISP's DNS editor website setting up a DNS record involves filling out four fields: Subdomain, Type, TTL and Data. For my MX and A records:

Code:

Subdomain	Type		TTL		Data
@		MX		?		mail.mydomain.se
@		A		?		217.xxx.xxx.xx (public IP)

Have I made a mistake by putting "@" for both records? I understand that the "@" means the root domain, i.e. mydomain.se, but I have seen some people put "mail" instead.

Also, I am not confident about what time (TTL) to choose for each record.

Finally the firewall. There is a Cisco ASA 5505 (base license) that needs to be configured for the Zimbra mail server. At the moment there are no ports open and the only way into the LAN is via VPN. I am not a security expert, but I am concerned about security.

Q3: Are the minimum ports that need to be opened 443 (https), 993 (imaps) and 25 (smtp) for sending and receiving email from the LAN and WAN using a client mail application and Zimbra webmail?

Q4: The ISP blocks port 25. They have a smtp mail relay thing that is free of charge, but is there any way not to rely on the ISP for sending email, i.e. can I bypass the port 25 restriction?

Q5: Are there any additional things I should think about before moving to the next section?

-------------------------------------------------
2. OS Install & Configuration (Including Split-DNS)
I've chosen to use Ubuntu Server 8.04.4 LTS installed in a virtual machine, which will run on the ESXi 4 host. I have little Linux experience, so I will outline most of the steps that I've taken in installing and configuring the OS.

Setting up the virtual machine:

Code:

1 vCPU
2 GB RAM
20 GB hard drive (vmdk)

Q6: I looked at the Zimbra Virtual Appliance and it has two vmdks. Should I do something similar for my install?

The following steps I've compiled from these sources:
Ubuntu 8.04 LTS Server (Hardy Heron) Install Guide - Zimbra :: Wiki
[SOLVED] DNS in a nutshell
Split DNS - Zimbra :: Wiki
The Perfect Server - Ubuntu Hardy Heron (Ubuntu 8.04 LTS Server) | HowtoForge - Linux Howtos and Tutorials
http://help.ubuntu.com/community/BIND9ServerHowto

During the Ubuntu Server installation I interrupted the DHCP network configuration and chose to do a manual network config. with the following settings:

Code:

IP: 10.0.1.100
Netmask: 255.255.255.0
Gateway: 10.0.1.1
Nameserver: 10.0.1.100
Hostname: mail
Domain: mydomain.se

At "Partition Disks" I selected "Guided - use entire disk" and accepted the default partition scheme.

Q7: This question is linked to Q6 about the virtual disk setup. Should I modify the partitioning scheme and if so what would be suitable for my mail server?

Finally, at the "Software Selection" screen I selected:

Code:

DNS server
OpenSSH server

Once the installation completed I updated the apt package database and installed any updates:

Code:

sudo apt-get update
sudo apt-get upgrade --show-upgraded

Now I installed "ntpd" for timekeeping against a network time server:

Code:

sudo apt-get install ntp

Note: The following two links are useful for configuring the ntpd service and making sure you follow best practices for virtual machine time management.

https://help.ubuntu.com/8.04/serverguide/C/NTP.html
http://kb.vmware.com/selfservice/mic...rnalId=1006427

Installing VMware Tools is also recommended and I did using an Operating System Specific Package (OSP). See this link for information: http://www.vmware.com/pdf/osp_install_guide.pdf.

At this point I tackled Split-DNS. I can't say that I have fully grasped everything that follows, but since Zimbra will be behind a firewall this is essential.

I started by verifying the hosts file and modifying the first line, so that the file looks like this:

/etc/hosts

Code:

127.0.0.1       localhost.localdomain	localhost
10.0.1.100      mail.mydomain.se	mail

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Next I verified resolv.conf:

/etc/resolv.conf

Code:

search mydomain.se
nameserver 10.0.1.100

The next file to modify is named.conf.options. I've seen different variations of this file, but this is what mine looks like. The only thing I've changed is to uncomment "forwarders" and add my ISP's DNS servers.

/etc/bind/named.conf.options

Code:

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you might need to uncomment the query-source
        // directive below.  Previous versions of BIND always asked
        // questions using port 53, but BIND 8.1 and later use an unprivileged
        // port by default.

        // query-source address * port 53;

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        forwarders {
                195.67.199.39;
                195.67.199.40;
        };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

Q8: Should the forwarders be the ISP's DNS servers or the DNS servers that mydomain.se points to?

Add a DNS zone by editing named.conf.local. All I did was add the part in bold.

/etc/bind/named.conf.local

Code:

//
// Do any local configuration here
//

zone "mydomain.se" {
        type master;
        file "/etc/bind/db.mydomain.se";
};

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

Next I used an existing zone file as a template (I saw this here https://help.ubuntu.com/community/BIND9ServerHowto):

Code:

sudo cp /etc/bind/db.local /etc/bind/db.mydomain.se

After making a copy I made a number of changes (shown in bold). Again I've seen many variations of this file.:

/etc/bind/db.mydomain.se

Code:

;
; BIND data file for mydomain.se
;
$TTL    604800
@       IN      SOA     mail.mydomain.se. admin.mydomain.se. (
                        20100603        ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      mail
        IN      MX      10 mail
        IN      A       10.0.1.100
mail    IN      A       10.0.1.100

Q9: There are two things that I'd like help with in the above file.
a) Should I change the different time durations from the default?
b) If my understanding of Split-DNS is correct then the four last lines should be the same as the two that I setup in Q2 above, but with the LAN IP. Well they are not as I followed the Ubuntu 8.04 LTS Server (Hardy Heron) Install Guide - Zimbra :: Wiki. Perhaps someone can please clarify this for me.

Q10: I read something about chrooting BIND. According to the information in Ubuntu's BIND9ServerHowto this is recommended if AppArmor is not installed. Well I have not made any changes to AppArmor and frankly not sure about all of this. What is the recommended approach?

Finally, I finish off this long section (thank you for reading) by restarting bind:

Code:

sudo /etc/init.d/bind9 restart

Then running the following diagnostics, which hopefully means more to you than me

dig mydomain.se mx

Code:

; <<>> DiG 9.4.2-P2.1 <<>> mydomain.se mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24887
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;mydomain.se.		IN	MX

;; ANSWER SECTION:
mydomain.se.	604800	IN	MX	10 mail.mydomain.se.

;; AUTHORITY SECTION:
mydomain.se.	604800	IN	NS	mail.mydomain.se.

;; ADDITIONAL SECTION:
mail.mydomain.se.	604800	IN	A	10.0.1.100

;; Query time: 2 msec
;; SERVER: 10.0.1.100#53(10.0.1.100)
;; WHEN: Tue Jun  8 19:56:37 2010
;; MSG SIZE  rcvd: 85

dig mydomain.se any

Code:

; <<>> DiG 9.4.2-P2.1 <<>> mydomain.se any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53740
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;mydomain.se.		IN	ANY

;; ANSWER SECTION:
mydomain.se.	604800	IN	SOA	mail.mydomain.se. admin.mydomain.se. 20100603 604800 86400 2419200 604800
mydomain.se.	604800	IN	NS	mail.mydomain.se.
mydomain.se.	604800	IN	MX	10 mail.mydomain.se.
mydomain.se.	604800	IN	A	10.0.1.100

;; ADDITIONAL SECTION:
mail.mydomain.se.	604800	IN	A	10.0.1.100

;; Query time: 1 msec
;; SERVER: 10.0.1.100#53(10.0.1.100)
;; WHEN: Tue Jun  8 19:57:21 2010
;; MSG SIZE  rcvd: 143

host `hostname`

Code:

mail.mydomain.se has address 10.0.1.100

I know that I've probably covered many basic things, which are not Zimbra specific. Nonetheless, I hope that my systematic approach will help others in the community and also let me learn whether I am doing things correctly.

-------------------------------------------------
3. Zimbra Install & Configuration

Coming as soon as I've hammered out the issues in sections 1 and 2 above!

[phoenix]

Some initial thoughts in-line.

Infrastructure
Internet (Dynamic IP) <-> ADSL Modem <-> Cisco ASA 5505 <-> Server (VMWare ESXi host)

Note: Although the ISP provides a dynamic IP, which renews ever 20 minutes we always get the same one. Also, the ISP blocks port 25.

You can't always guarantee that you'll get the same IP and must plan accordingly. You will also need to work around the Port 25 block by using a professional service that provides you with a relay (out - I'm assuming it's only outbound block?) on different ports.

1. Domain & DNS (Including Firewall)
The accountancy firm's domain registrar only handles the domain and points to the ISP's DNS servers. I can administer the domain and any DNS records on the ISP's website.

I'd suggest you use a professional service (such as EasyDNS - there are many others if you search) to host the DNS records, they also provide you with backup should your server be offline.

Code:

mydomain.se
Public IP: 217.xxx.xxx.xx

Q1: Through my research I have read about different DNS records, MX, PTR, A, CNAME etc. Should I setup any other records except for MX and A?[/QUOTE]You need no DNS records other than A & MX.

Q2: On the ISP's DNS editor website setting up a DNS record involves filling out four fields: Subdomain, Type, TTL and Data. For my MX and A records:

Code:

Subdomain	Type		TTL		Data
@		MX		?		mail.mydomain.se
@		A		?		217.xxx.xxx.xx (public IP)

Have I made a mistake by putting "@" for both records? I understand that the "@" means the root domain, i.e. mydomain.se, but I have seen some people put "mail" instead.

Also, I am not confident about what time (TTL) to choose for each record.[/QUOTE]See my comment above about a professional service.

Finally the firewall. There is a Cisco ASA 5505 (base license) that needs to be configured for the Zimbra mail server. At the moment there are no ports open and the only way into the LAN is via VPN. I am not a security expert, but I am concerned about security.

Q3: Are the minimum ports that need to be opened 443 (https), 993 (imaps) and 25 (smtp) for sending and receiving email from the LAN and WAN using a client mail application and Zimbra webmail?

There should be no problem if you have only Port 25 & 443 open for SMTP & https web UI access.[/QUOTE]There should be no problem with just those ports open.

Q4: The ISP blocks port 25. They have a smtp mail relay thing that is free of charge, but is there any way not to rely on the ISP for sending email, i.e. can I bypass the port 25 restriction?

See my comment above about using a professional service.

Q5: Are there any additional things I should think about before moving to the next section?

2. OS Install & Configuration (Including Split-DNS)
I've chosen to use Ubuntu Server 8.04.4 LTS installed in a virtual machine, which will run on the ESXi 4 host. I have little Linux experience, so I will outline most of the steps that I've taken in installing and configuring the OS.

Setting up the virtual machine:

Code:

1 vCPU
2 GB RAM
20 GB hard drive (vmdk)

Depending on the mail levels you'll need more HD space that that and even if the levels are low I'd still suggest getting more HD space.

Q6: I looked at the Zimbra Virtual Appliance and it has two vmdks. Should I do something similar for my install?

I guess that would depend on where you will be allocating your disk space, I'd suggest putting /opt on a different HD from the operating system and make sure that / has enough space for your requirements. You can find many tutorials on what a 'good' partitioning scheme is for linux, they're all different and usually personal to the author of the article. I'd read up on some of them and pick one that makes sense to you.

The following steps I've compiled from these sources:
Ubuntu 8.04 LTS Server (Hardy Heron) Install Guide - Zimbra :: Wiki
[SOLVED] DNS in a nutshell
Split DNS - Zimbra :: Wiki
The Perfect Server - Ubuntu Hardy Heron (Ubuntu 8.04 LTS Server) | HowtoForge - Linux Howtos and Tutorials
http://help.ubuntu.com/community/BIND9ServerHowto

During the Ubuntu Server installation I interrupted the DHCP network configuration and chose to do a manual network config. with the following settings:

Code:

IP: 10.0.1.100
Netmask: 255.255.255.0
Gateway: 10.0.1.1
Nameserver: 10.0.1.100
Hostname: mail
Domain: mydomain.se

At "Partition Disks" I selected "Guided - use entire disk" and accepted the default partition scheme.

Q7: This question is linked to Q6 about the virtual disk setup. Should I modify the partitioning scheme and if so what would be suitable for my mail server?

Finally, at the "Software Selection" screen I selected:

Code:

DNS server
OpenSSH server

Once the installation completed I updated the apt package database and installed any updates:

Code:

sudo apt-get update
sudo apt-get upgrade --show-upgraded

Now I installed "ntpd" for timekeeping against a network time server:

Code:

sudo apt-get install ntp

Note: The following two links are useful for configuring the ntpd service and making sure you follow best practices for virtual machine time management.

https://help.ubuntu.com/8.04/serverguide/C/NTP.html
http://kb.vmware.com/selfservice/mic...rnalId=1006427

Installing VMware Tools is also recommended and I did using an Operating System Specific Package (OSP). See this link for information: http://www.vmware.com/pdf/osp_install_guide.pdf.

At this point I tackled Split-DNS. I can't say that I have fully grasped everything that follows, but since Zimbra will be behind a firewall this is essential.

I started by verifying the hosts file and modifying the first line, so that the file looks like this:

/etc/hosts

Code:

127.0.0.1       localhost.localdomain	localhost
10.0.1.100      mail.mydomain.se	mail

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Next I verified resolv.conf:

/etc/resolv.conf

Code:

search mydomain.se
nameserver 10.0.1.100

The next file to modify is named.conf.options. I've seen different variations of this file, but this is what mine looks like. The only thing I've changed is to uncomment "forwarders" and add my ISP's DNS servers.

/etc/bind/named.conf.options

Code:

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you might need to uncomment the query-source
        // directive below.  Previous versions of BIND always asked
        // questions using port 53, but BIND 8.1 and later use an unprivileged
        // port by default.

        // query-source address * port 53;

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        forwarders {
                195.67.199.39;
                195.67.199.40;
        };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

Q8: Should the forwarders be the ISP's DNS servers or the DNS servers that mydomain.se points to?

Add a DNS zone by editing named.conf.local. All I did was add the part in bold.

/etc/bind/named.conf.local

Code:

//
// Do any local configuration here
//

zone "mydomain.se" {
        type master;
        file "/etc/bind/db.mydomain.se";
};

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

Next I used an existing zone file as a template (I saw this here https://help.ubuntu.com/community/BIND9ServerHowto):

Code:

sudo cp /etc/bind/db.local /etc/bind/db.mydomain.se

After making a copy I made a number of changes (shown in bold). Again I've seen many variations of this file.:

/etc/bind/db.mydomain.se

Code:

;
; BIND data file for mydomain.se
;
$TTL    604800
@       IN      SOA     mail.mydomain.se. admin.mydomain.se. (
                        20100603        ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      mail
        IN      MX      10 mail
        IN      A       10.0.1.100
mail    IN      A       10.0.1.100

Q9: There are two things that I'd like help with in the above file.
a) Should I change the different time durations from the default?
b) If my understanding of Split-DNS is correct then the four last lines should be the same as the two that I setup in Q2 above, but with the LAN IP. Well they are not as I followed the Ubuntu 8.04 LTS Server (Hardy Heron) Install Guide - Zimbra :: Wiki. Perhaps someone can please clarify this for me.

Q10: I read something about chrooting BIND. According to the information in Ubuntu's BIND9ServerHowto this is recommended if AppArmor is not installed. Well I have not made any changes to AppArmor and frankly not sure about all of this. What is the recommended approach?

Finally, I finish off this long section (thank you for reading) by restarting bind:

Code:

sudo /etc/bind/init.d/bind9 restart

Then running the following diagnostics, which hopefully means more to you than me

dig mydomain.se mx

Code:

; <<>> DiG 9.4.2-P2.1 <<>> mydomain.se mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24887
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; QUESTION SECTION:
;mydomain.se.		IN	MX

;; ANSWER SECTION:
mydomain.se.	604800	IN	MX	10 mail.mydomain.se.

;; AUTHORITY SECTION:
mydomain.se.	604800	IN	NS	mail.mydomain.se.

;; ADDITIONAL SECTION:
mail.mydomain.se.	604800	IN	A	10.0.1.100

;; Query time: 2 msec
;; SERVER: 10.0.1.100#53(10.0.1.100)
;; WHEN: Tue Jun  8 19:56:37 2010
;; MSG SIZE  rcvd: 85

dig mydomain.se any

Code:

; <<>> DiG 9.4.2-P2.1 <<>> mydomain.se any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53740
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;mydomain.se.		IN	ANY

;; ANSWER SECTION:
mydomain.se.	604800	IN	SOA	mail.mydomain.se. admin.mydomain.se. 20100603 604800 86400 2419200 604800
mydomain.se.	604800	IN	NS	mail.mydomain.se.
mydomain.se.	604800	IN	MX	10 mail.mydomain.se.
mydomain.se.	604800	IN	A	10.0.1.100

;; ADDITIONAL SECTION:
mail.mydomain.se.	604800	IN	A	10.0.1.100

;; Query time: 1 msec
;; SERVER: 10.0.1.100#53(10.0.1.100)
;; WHEN: Tue Jun  8 19:57:21 2010
;; MSG SIZE  rcvd: 143

host `hostname`

Code:

mail.mydomain.se has address 10.0.1.100

There seems to be nothing wrong with the DNS records above, does the install work?

I know that I've probably covered many basic things, which are not Zimbra specific. Nonetheless, I hope that my systematic approach will help others in the community and also let me learn whether I am doing things correctly.

-------------------------------------------------
3. Zimbra Install & Configuration

Coming as soon as I've hammered out the issues in sections 1 and 2 above!

Can't wait.

[Dirk]

That sure is a lot of information in a single post!

I'd agree with pretty much everything that Phoenix has already said, especially the disk space issue. We've recently updated the hardware for our server with less than 50 users so that it now has around 600GB and I dont consider that to be excessive, I consider it to be safe.

The bigest complication in you setup is going to the be ISP, is there any way you can pay a nominal extra fee for a static ip address?

[phoenix]

The bigest complication in you setup is going to the be ISP, is there any way you can pay a nominal extra fee for a static ip address?

As port 25 outbound is blocked doesn't the relay through an external server get round the dynamic IP?

[Dirk]

Well, yes, but isnt a dynamic IP going to be problematic for the inbound mail? Plus, if the ISP is being pigheaded enough to block outbound SMTP, then bypassing that will be violating some terms&condition somewhere.

It may work for weeks/months/years, but what if the ISP blocks SMTP with packet inspection? I'm not suggesting they would, but one of the things that you want to "just work" is your mail server.

[phoenix]

Inbound isn't normally a problem as ISPs usually (I'll stress the 'usually' as I don't know the ISPs t&c) only block outbound to stop spammers but a professional service such as DynDNS will relay inbound and outbound mail to the IP on a different port (usually 587).

The ISP may block mail by packet inspection but I assume that nobody does that at the moment. I also assume that the o/p will check the t&c to see whether there's any restrictions on running a mail server. Obviously the ISP may offer a fixed IP and allow a mail server on that but that's another question for them. If there are restrictions on hosting a mail server then the obvious answer is to host the server somewhere else.

[batfastad]

Something that could help for outbound mail is to set up your own remote private relay. We bought a cheap VPS from vpslink.com for this purpose, $7 per month, configured postfix on CentOS to only accept mail from us, setup the rDNS so now all our outgoing mail is routed through that. Much better than relying on our ISP's relay.

HTH
Cheers, B

[LMStone]

Something that could help for outbound mail is to set up your own remote private relay. We bought a cheap VPS from vpslink.com for this purpose, $7 per month, configured postfix on CentOS to only accept mail from us, setup the rDNS so now all our outgoing mail is routed through that. Much better than relying on our ISP's relay.

HTH
Cheers, B

Curious if the VPS is for outbound-from-your-Zimbra-server only or if you have it configured as an MX for your domain to relay email inbound-to-your-Zimbra-server as well?

All the best,
Mark

[batfastad]

Curious if the VPS is for outbound-from-your-Zimbra-server only or if you have it configured as an MX for your domain to relay email inbound-to-your-Zimbra-server as well?

Yep outbound only.
The MX record for our domain points to our static IP assigned by our ISP (BeThere in the UK). At the time I was setting it up, I didn't have time to look into the postfix stuff for getting it configured to act as our inbound.

Zimbra's anti-spam/anti-virus is such a huge upgrade for us over MS SBS 2003 that I thought it best that Zimbra be the front-line server.
It's highly unlikely that I could get postfix configured on the VPS to be anywhere near as effective as Zimbra, so I left it just for outbound.

We send various e-mail newsletters out and sending through our own relay made the delivery much more consistent.

[LMStone]

I was curious if you were doing inbound from the VPS because configuring a separate Postfix server to act as a true SmartHost (inbound and outbound) for Zimbra is not trivial on the inbound-from-VPS-to-Zimbra side.

The Postfix docs presume the SmartHost is configured to accept inbound email only for valid mail addresses. That means you periodically have to export all valid email addresses from Zimbra and then import them into the SmartHost's Postfix configuration.

We've successfully automated that process for ourselves, but are always curious if someone is doing something different that could benefit our Zimbra hosting and premises-based clients.

All the best,
Mark