Mi&Bee Blog
中文

Large Enterprise Email System Architecture Design and Full Mail Flow Analysis

Architecture Email System, Architecture, High Availability 1197 words 6 min read

As enterprise digitalization scales up, large organizations demand extreme capabilities from email systems: independent deployment, high availability, global interoperability, security protection, and load balancing. This article breaks down the practical architecture of a dedicated large enterprise email system, covering overall design, physical/logical deployment, core service systems, and the full send/receive mail flow, providing a reference technical solution for enterprise-level email architecture implementation.

I. Overall System Architecture Design

Large enterprise email systems adopt a layered architecture of “frontend gateway layer + load balancing layer + core service layer + backend independent mail system”, balancing security isolation, traffic scheduling, and business independence. The overall architecture is as follows:

mermaid
graph TB
    A[User Client/Web/Mail Client] --> B[Nginx Frontend Proxy]
    B --> C@{shape: stadium, label: "Haproxy Load Balancer"}
    C --> D[Frontend Gateway Cluster]
    D --> D1[MTA/DA Integrated Delivery Service]
    D --> D2@{shape: cyl, label: "Gateway Database"}
    D --> D3[Mail Antivirus Service]
    C --> E[Backend Intranet Independent Mail System]
    D --> F[Domestic/International/SDN Delivery Channels]

    classDef primary fill:#e3f2fd,stroke:#1976d2
    classDef storage fill:#e8f5e9,stroke:#4caf50
    classDef network fill:#fff3e0,stroke:#ff9800
    classDef process fill:#f3e5f5,stroke:#7b1fa2
    class C network
    class D2 storage
    class A,B,D1,D3,E,F process

Core Component Description

  1. Frontend proxy layer: Nginx provides unified proxy for user access entry, improving access stability
  2. Load balancing layer: Haproxy implements load balancing for delivery/antivirus services and backend API port mapping
  3. Gateway layer: Handles email send/receive preprocessing, security verification, and channel scheduling
  4. Security services: Built-in antivirus engine ensures malware-free email transmission
  5. Backend system: Independent email system deployed on enterprise intranet, data isolated and controllable
  6. Global channels: Domestic/international/SDN multi-channel, ensuring cross-border email deliverability

II. Physical Deployment Architecture

Physical deployment adopts a multi-region, multi-node, redundant backup model, with Haproxy implementing gateway layer load balancing. The evolution from old to new physical architecture is as follows:

New Physical Architecture

mermaid
graph LR
    OI@{ shape: double-circle, label: "International Internet" } --> SDN@{ shape: hex, label: "SDN Channel 1/2" }
    DI@{ shape: double-circle, label: "Domestic Internet" } --> SDN
    SDN --> HP@{ shape: hex, label: "Haproxy Load Balancer" }
    HP --> GW@{ shape: rounded, label: "Gateway 1/Gateway 2" }
    GW --> BVM@{ shape: doc, label: "Backend VM Node Cluster" }

    classDef primary fill:#e3f2fd,stroke:#1976d2
    classDef network fill:#fff3e0,stroke:#ff9800
    classDef process fill:#f3e5f5,stroke:#7b1fa2
    class GW network
    class BVM primary

Old Physical Architecture

mermaid
graph LR
    OI@{ shape: double-circle, label: "International Internet" } --> SDN@{ shape: hex, label: "SDN Channel 1/2" }
    DI@{ shape: double-circle, label: "Domestic Internet" } --> SDN
    SDN --> GW@{ shape: rounded, label: "Gateway 1/Gateway 2" }
    GW --> DVM@{ shape: doc, label: "Multi-VM Distributed Nodes" }

    classDef primary fill:#e3f2fd,stroke:#1976d2
    classDef network fill:#fff3e0,stroke:#ff9800
    classDef alert fill:#fce4ec,stroke:#e53935
    classDef process fill:#f3e5f5,stroke:#7b1fa2
    class GW,SDN network
    class DVM primary
    class OI,DI alert

Deployment advantages: Gateway cluster redundancy, horizontal node scaling, global network adaptability, avoiding single points of failure.

III. Logical Business Architecture

The logical architecture focuses on business flow, data storage, and protocol compatibility, covering full-scenario mail access and data synchronization:

mermaid
graph TB
    UA@{ shape: double-circle, label: "User Access" } --> Web@{ shape: rounded, label: "Web" }
    UA --> POP3@{ shape: rounded, label: "POP3" }
    UA --> IMAP@{ shape: rounded, label: "IMAP" }
    UA --> SMTP@{ shape: rounded, label: "SMTP" }
    Web & POP3 & IMAP & SMTP --> FG@{ shape: rounded, label: "Frontend Gateway" }
    FG --> HS@{ shape: hex, label: "Haproxy Scheduling" }
    HS --> BE@{ shape: rounded, label: "Backend Independent Mail System" }
    BE --> MS1@{ shape: cyl, label: "MS Primary Storage" }
    BE --> MS2@{ shape: cyl, label: "MS Secondary Storage" }
    HS --> US@{ shape: rounded, label: "Udsync Mirror Sync" }
    US --> DR@{ shape: doc, label: "Disaster Recovery Backup" }
    HS --> API@{ shape: doc, label: "System API Interface" }

    classDef primary fill:#e3f2fd,stroke:#1976d2
    classDef storage fill:#e8f5e9,stroke:#4caf50
    classDef network fill:#fff3e0,stroke:#ff9800
    classDef process fill:#f3e5f5,stroke:#7b1fa2
    class FG,Web,POP3,IMAP,SMTP,BE primary
    class MS1,MS2 storage
    class HS network
    class US,DR,API,UA process

Core logic: Full protocol compatibility, tiered storage, real-time data sync, disaster recovery with high availability.

IV. Core Service System

The system is built around unified configuration, protocol support, traffic scheduling, and security extension. Core services include:

  1. Gateway unified configuration service: Global policy management, simplifying multi-node maintenance
  2. Client protocol service: Support Web/POP3/IMAP/SMTP full protocol access
  3. Role service: SMTP frontend sending and MX receiving dual roles operate independently
  4. Scheduling service: Haproxy implements load balancing and port mapping
  5. Sync/disaster recovery service: Udsync mirror synchronization for zero data loss
  6. Security extension service: Mail antivirus, rule filtering, OA system integration

V. Full Mail Sending Flow

The sending flow uses a “gateway verification → channel scheduling → intelligent delivery” mechanism, balancing deliverability and security:

mermaid
flowchart TD
    UC@{ shape: double-circle, label: "User Sends/Web/Client" } --> FG@{ shape: rounded, label: "Deliver to Frontend Gateway" }
    FG --> MTA@{ shape: rounded, label: "MTA/DA Service Processing" }
    MTA --> SRC@{ shape: diam, label: "Security Rule Check" }
    SRC -->|Rule Violation| RJ@{ shape: stadium, label: "Reject Sending" }
    SRC -->|Rule Passed| CAC@{ shape: diam, label: "CAC Reputation Check" }
    CAC -->|Legitimate Mail| CS@{ shape: diam, label: "Channel Polling Selection" }
    CS --> DC@{ shape: hex, label: "Domestic Channel" }
    CS --> OS@{ shape: hex, label: "International Channel" }
    CS --> SDS@{ shape: hex, label: "SDN Dedicated Channel" }
    DC & OS & SDS --> TS@{ shape: rounded, label: "Target Server Delivery" }
    TS -->|Delivery Success| FC@{ shape: stadium, label: "Sending Complete" }
    TS -->|Rejected/Connection Failed| CS
    CAC -->|Spam| GP@{ shape: stadium, label: "Spam Channel Processing" }

    classDef primary fill:#e3f2fd,stroke:#1976d2
    classDef network fill:#fff3e0,stroke:#ff9800
    classDef process fill:#f3e5f5,stroke:#7b1fa2
    classDef alert fill:#fce4ec,stroke:#e53935
    class FG,MTA,TS primary
    class CS,SRC,CAC process
    class DC,OS,SDS network
    class UC alert
    class RJ,FC,GP alert

Key steps: Multi-channel polling, reputation verification, automatic retry on failure, maximizing cross-border email deliverability.

VI. Full Mail Receiving Flow

The receiving flow uses intelligent DNS split routing for separate international/domestic mail path access, ensuring inbound efficiency:

mermaid
flowchart TD
    ES@{ shape: double-circle, label: "External Sender" } --> STP@{ shape: rounded, label: "SMTP Protocol Send" }
    STP --> IDN@{ shape: diam, label: "Intelligent DNS Query Resolution" }
    IDN --> ID@{ shape: diam, label: "Check if International Inbound" }
    ID -->|Yes| OM@{ shape: hex, label: "International MX Gateway Port 8025" }
    ID -->|No| DM@{ shape: hex, label: "Domestic MX Gateway Port 8025" }
    OM & DM --> FB@{ shape: rounded, label: "Forward to Backend Mail System" }
    FB --> UU@{ shape: double-circle, label: "User Receives Normally" }
    classDef primary fill:#e3f2fd,stroke:#1976d2
    classDef storage fill:#e8f5e9,stroke:#4caf50
    classDef network fill:#fff3e0,stroke:#ff9800
    classDef alert fill:#fce4ec,stroke:#e53935
    classDef process fill:#f3e5f5,stroke:#7b1fa2
    class STP,OM,DM,FB,UU primary
    class IDN,ID process
    class ES,UU alert

Core advantages: Intelligent DNS split routing, dedicated port access, low-latency cross-border inbound.

VII. Architecture Core Technical Highlights

  1. Haproxy full-link load balancing: Covers gateway, delivery, and antivirus services, supporting high-concurrency traffic
  2. Multi-channel global delivery: Domestic/international/SDN three channels, solving cross-border email rejection and latency issues
  3. Independent deployment + data isolation: Backend intranet independent mail system, meeting large enterprise data security requirements
  4. Full protocol compatibility: Supports Web/client full-scenario access, adapting to enterprise office habits
  5. Disaster recovery backup: Udsync mirror synchronization, zero data loss, uninterrupted business

Conclusion

This architecture is designed for large enterprises’ core needs of security, independence, global interoperability, and high availability. With layered decoupling, elastic scaling, and secure controllability, it can support tens of thousands of enterprise email users running stably, while adapting to cross-border office, multi-branch, data compliance and other complex scenarios — making it a preferred architectural solution for enterprise-level email systems.