Large Enterprise Email System Architecture Design and Full Mail Flow Analysis

🔊

As enterprise digitalization scales up, large organizations demand extreme capabilities from email systems: independent deployment, high availability, global interoperability, security protection, and load balancing. This article breaks down the practical architecture of a dedicated large enterprise email system, covering overall design, physical/logical deployment, core service systems, and the full send/receive mail flow, providing a reference technical solution for enterprise-level email architecture implementation.

I. Overall System Architecture Design

Large enterprise email systems adopt a layered architecture of “frontend gateway layer + load balancing layer + core service layer + backend independent mail system”, balancing security isolation, traffic scheduling, and business independence. The overall architecture is as follows:

mermaid
graph TB
    A[User Client/Web] --> B[Nginx Frontend Proxy]
    B --> C@{shape: stadium, label: "Haproxy<br/>Load Balancer"}
    C --> D["Frontend Gateway Cluster<br/>MTA/DA · Antivirus · Gateway DB"]
    D --> E["Backend Independent Mail System<br/>Domestic/Intl/SDN Channels"]

    classDef src fill:#bbdefb,stroke:#2196F3,color:#1B5E20
    classDef proc fill:#fff3e0,stroke:#FF9800,color:#BF360C
    classDef net fill:#f3e5f5,stroke:#9C27B0,color:#4A148C
    classDef out fill:#c8e6c9,stroke:#4CAF50,color:#1B5E20
    class A,B src
    class C net
    class D proc
    class E out

Core Component Description

  1. Frontend proxy layer: Nginx provides unified proxy for user access entry, improving access stability
  2. Load balancing layer: Haproxy implements load balancing for delivery/antivirus services and backend API port mapping
  3. Gateway layer: Handles email send/receive preprocessing, security verification, and channel scheduling
  4. Security services: Built-in antivirus engine ensures malware-free email transmission
  5. Backend system: Independent email system deployed on enterprise intranet, data isolated and controllable
  6. Global channels: Domestic/international/SDN multi-channel, ensuring cross-border email deliverability

II. Physical Deployment Architecture

Physical deployment adopts a multi-region, multi-node, redundant backup model, with Haproxy implementing gateway layer load balancing. The evolution from old to new physical architecture is as follows:

New Physical Architecture

mermaid
graph TD
    INET@{ shape: double-circle, label: "Domestic/<br/>Intl Internet" } --> SDN@{ shape: hex, label: "SDN Channel 1/2" }
    SDN --> HP@{ shape: hex, label: "Haproxy<br/>Load Balancer" }
    HP --> GW@{ shape: rounded, label: "Gateway 1 / Gateway 2" }
    GW --> BVM@{ shape: doc, label: "Backend VM Cluster" }

    classDef src fill:#bbdefb,stroke:#2196F3,color:#1B5E20
    classDef net fill:#fff3e0,stroke:#FF9800,color:#BF360C
    classDef out fill:#c8e6c9,stroke:#4CAF50,color:#1B5E20
    class INET src
    class SDN,HP,GW net
    class BVM out

Old Physical Architecture

mermaid
graph TD
    INET@{ shape: double-circle, label: "Domestic/<br/>Intl Internet" } --> SDN@{ shape: hex, label: "SDN Channel 1/2" }
    SDN --> GW@{ shape: rounded, label: "Gateway 1 / Gateway 2" }
    GW --> DVM@{ shape: doc, label: "Multi-VM Distributed Nodes" }

    classDef src fill:#bbdefb,stroke:#2196F3,color:#1B5E20
    classDef net fill:#fff3e0,stroke:#FF9800,color:#BF360C
    classDef out fill:#c8e6c9,stroke:#4CAF50,color:#1B5E20
    class INET src
    class SDN,GW net
    class DVM out

Deployment advantages: Gateway cluster redundancy, horizontal node scaling, global network adaptability, avoiding single points of failure.

III. Logical Business Architecture

The logical architecture focuses on business flow, data storage, and protocol compatibility, covering full-scenario mail access and data synchronization:

mermaid
graph TB
    UA@{ shape: double-circle, label: "User Access" } --> PROTO@{ shape: rounded, label: "Web/POP3/<br/>IMAP/SMTP" }
    PROTO --> FG@{ shape: rounded, label: "Frontend Gateway" }
    FG --> HS@{ shape: hex, label: "Haproxy Scheduling" }
    HS --> BE@{ shape: rounded, label: "Backend Mail System<br/>MS Primary/Secondary Storage" }
    HS --> DRSYNC@{ shape: doc, label: "Udsync Sync<br/>Disaster Recovery · API" }

    classDef src fill:#bbdefb,stroke:#2196F3,color:#1B5E20
    classDef proc fill:#fff3e0,stroke:#FF9800,color:#BF360C
    classDef net fill:#f3e5f5,stroke:#9C27B0,color:#4A148C
    classDef out fill:#c8e6c9,stroke:#4CAF50,color:#1B5E20
    class UA src
    class PROTO,FG net
    class HS,BE proc
    class DRSYNC out

Core logic: Full protocol compatibility, tiered storage, real-time data sync, disaster recovery with high availability.

IV. Core Service System

The system is built around unified configuration, protocol support, traffic scheduling, and security extension. Core services include:

  1. Gateway unified configuration service: Global policy management, simplifying multi-node maintenance
  2. Client protocol service: Support Web/POP3/IMAP/SMTP full protocol access
  3. Role service: SMTP frontend sending and MX receiving dual roles operate independently
  4. Scheduling service: Haproxy implements load balancing and port mapping
  5. Sync/disaster recovery service: Udsync mirror synchronization for zero data loss
  6. Security extension service: Mail antivirus, rule filtering, OA system integration

V. Full Mail Sending Flow

The sending flow uses a “gateway verification → channel scheduling → intelligent delivery” mechanism, balancing deliverability and security:

mermaid
flowchart TD
    UC@{ shape: double-circle, label: "User sends" } --> FM@{ shape: rounded, label: "Frontend gateway<br/>MTA/DA processing" }
    FM --> CHK@{ shape: diam, label: "Security rules<br/>+ reputation check" }
    CHK -->|"Violation/Spam"| ERR@{ shape: stadium, label: "Reject / spam channel" }
    CHK -->|"Legitimate"| CH@{ shape: hex, label: "Channel polling + delivery<br/>Domestic/Intl/SDN" }
    CH -->|"Retry on fail"| CH
    CH -->|"Success"| DONE@{ shape: stadium, label: "Sending complete" }

    classDef src fill:#bbdefb,stroke:#2196F3,color:#1B5E20
    classDef proc fill:#fff3e0,stroke:#FF9800,color:#BF360C
    classDef decision fill:#f3e5f5,stroke:#9C27B0,color:#4A148C
    classDef ok fill:#c8e6c9,stroke:#4CAF50,color:#1B5E20
    classDef bad fill:#ffcdd2,stroke:#f44336,color:#B71C1C
    class UC src
    class FM proc
    class CHK decision
    class CH decision
    class DONE ok
    class ERR bad

Key steps: Multi-channel polling, reputation verification, automatic retry on failure, maximizing cross-border email deliverability.

VI. Full Mail Receiving Flow

The receiving flow uses intelligent DNS split routing for separate international/domestic mail path access, ensuring inbound efficiency:

mermaid
flowchart TD
    ES@{ shape: double-circle, label: "External Sender" } --> STP@{ shape: rounded, label: "SMTP Protocol Send" }
    STP --> DNS@{ shape: diam, label: "Intelligent DNS<br/>Intl/Domestic Split" }
    DNS -->|"International"| GW@{ shape: hex, label: "MX Gateway :8025<br/>Intl / Domestic" }
    DNS -->|"Domestic"| GW
    GW --> FB@{ shape: rounded, label: "Forward to<br/>Backend Mail System" }
    FB --> UU@{ shape: double-circle, label: "User Receives Mail" }

    classDef src fill:#bbdefb,stroke:#2196F3,color:#1B5E20
    classDef proc fill:#fff3e0,stroke:#FF9800,color:#BF360C
    classDef decision fill:#f3e5f5,stroke:#9C27B0,color:#4A148C
    classDef out fill:#c8e6c9,stroke:#4CAF50,color:#1B5E20
    class ES src
    class STP,FB proc
    class DNS,GW decision
    class UU out

Core advantages: Intelligent DNS split routing, dedicated port access, low-latency cross-border inbound.

VII. Architecture Core Technical Highlights

  1. Haproxy full-link load balancing: Covers gateway, delivery, and antivirus services, supporting high-concurrency traffic
  2. Multi-channel global delivery: Domestic/international/SDN three channels, solving cross-border email rejection and latency issues
  3. Independent deployment + data isolation: Backend intranet independent mail system, meeting large enterprise data security requirements
  4. Full protocol compatibility: Supports Web/client full-scenario access, adapting to enterprise office habits
  5. Disaster recovery backup: Udsync mirror synchronization, zero data loss, uninterrupted business

Conclusion

This architecture is designed for large enterprises’ core needs of security, independence, global interoperability, and high availability. With layered decoupling, elastic scaling, and secure controllability, it can support tens of thousands of enterprise email users running stably, while adapting to cross-border office, multi-branch, data compliance and other complex scenarios — making it a preferred architectural solution for enterprise-level email systems.