We’ve seen an uptick in inbound Zimbra inquiries from companies running Microsoft 365 that are increasingly concerned about data sovereignty, since their email lives in Microsoft 365 and, in many cases, all of their files in OneDrive. Yesterday, we got an inquiry from a company freaked out by the Stryker device wipe attack; the company is exploring having a non-Microsoft solution for their email, so that if their Microsoft-based applications are compromised, their global staff can still communicate.
None of these companies wanted to abandon their Microsoft investments (and personally, I think Active Directory is a pretty amazing piece of kit…), but since I had essentially the same conversation with all of these companies about data sovereignty and platform diversification, I thought it would be helpful in this post to explain how:
- Zimbra is self-hosted, ensuring data sovereignty;
- Zimbra easily and securely integrates with Microsoft Active Directory for authentication, while providing a fallback for local authentication in case of a major Microsoft disruption;
- Zimbra’s Briefcase can easily replace OneDrive (and in many cases, also replace Microsoft Office applications like Word, Excel and PowerPoint entirely);
- Zimbra Professional’s built-in Mobile Device Management (“MDM”) provides the same basic capabilities as separate basic MDM, but without the cost;
- Zimbra’s Class of Service architecture effectively replaces Windows Security Groups for policy and access management within Zimbra;
- Zimbra Professional’s built-in Archiving and Discovery (“A&D”) provides the same basic archive and cross-mailbox search capabilities as a separate email archiving solution, but without the cost;
- Zimbra’s customizable and easy-to-navigate Admin Console can dramatically reduce the risk of a Stryker-like remote device wipe attack, and;
- Provide all of these enhanced benefits at a much lower cost than Microsoft 365.
Data Sovereignty Via Self-Hosting Zimbra
Your dedicated Zimbra system can be hosted in a cloud provider (we do a lot of hosting in Amazon Web Services, with all data encrypted at rest and in-flight) or in your own data center, thus ensuring data sovereignty. Zimbra also has Hosting Partners, called “BSPs” (Business Service Providers) that, on a per-mailbox per-month basis, can host your mailboxes for you, typically in a multi-tenant environment; sometimes on dedicated, bespoke kit. This provides less robust data sovereignty than self-hosting, it is true, but also relieves the customer from system maintenance tasks. Note that BSP customers still get access to a version of the Zimbra Admin Console that has had all system-level functions (like “Delete Server”) removed, so BSP customers can provision/deprovision mailboxes and domains, add aliases and distribution lists, and perform all similar user-level Admin Console tasks.
Zimbra Active Directory Authentication
Zimbra uses OpenLDAP with a custom schema to store account, domain and system configuration data attributes (not unlike Active Directory!). Some ~95% of these attributes can be managed via Zimbra’s Admin Console, and all of the attributes can be managed from the CLI. One set of domain-level attributes covers authentication, and each domain can have separate authentication settings. A common secure configuration is to configure the domain mycompany.com (containing all of the regular users) to authenticate against Active Directory, and then have accounts in the domain it.mycompany.com authenticate against Zimbra’s LDAP. The only accounts in it.mycompany.com are those the IT staff each use to log in to the Admin Console.
When configuring Active Directory authentication for mycompany.com, you can select multiple Active Directory servers Zimbra can use, so if one AD server is down, users can still log in to Zimbra. Further, you can enable “Fallback Authentication” so that if all of your AD servers are down or unreachable, users can still log in to Zimbra.
One important detail is encryption of users’ authentication credentials in flight between Zimbra and Active Directory. Almost all Windows domains are domiciled on .site or .local domains, and it’s been many years since you could get a commercial SSL certificate for these private TLDs. Since SSL certificates in such Windows domains are now self-signed, no non-Microsoft devices will trust those certificates. Not a problem; Zimbra provides a facility to export the certificates from your domain and import them into Zimbra’s trust store.
Essentially, you can continue to centralize user authentication in AD even when running Zimbra.
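Below is an added example of the configuration just described, written for this post rather than taken from Zimbra’s documentation. It is a POSIX shell script run as the “zimbra” user: it imports the private AD CA into Zimbra’s trust store (rather than disabling certificate checks), confirms each domain controller’s LDAPS certificate validates against that CA, points mycompany.com at two controllers with local fallback, and keeps it.mycompany.com on Zimbra’s own LDAP. The controller names, the CA file path and the sample domain names are constructed placeholders; when zmprov is not on the PATH the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not the blog's own script): point mycompany.com at two AD
# domain controllers over LDAPS, trust the private AD CA, enable local
# fallback, and keep it.mycompany.com on Zimbra's internal LDAP.
# Run on a Zimbra server as the "zimbra" user. The controller names and the
# CA file path are constructed placeholders.
set -eu

USER_DOMAIN="mycompany.com"
ADMIN_DOMAIN="it.mycompany.com"
AD_SERVERS="ldaps://dc1.mycompany.local:636 ldaps://dc2.mycompany.local:636"
AD_ROOT_CA="/tmp/ad-root-ca.pem"    # CA certificate exported from the AD CA

# Without zmprov on PATH (e.g. reviewing the plan on a workstation) every
# command is printed instead of executed; DRY_RUN=1 forces that anywhere.
command -v zmprov >/dev/null 2>&1 || DRY_RUN=1
run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# 1. Trust the private AD CA rather than disabling verification.
#    mailboxd reads its keystore at start, so restart it afterwards.
trust_ad_ca() {
    run zmcertmgr addcacert "$AD_ROOT_CA"
    run zmmailboxdctl restart
}

# 2. Prove each controller presents a chain that validates against that CA
#    (openssl exits non-zero with -verify_return_error if it does not).
verify_controllers() {
    for url in $AD_SERVERS; do
        hostport=${url#ldaps://}
        run openssl s_client -connect "$hostport" -CAfile "$AD_ROOT_CA" \
            -verify_return_error </dev/null
    done
}

# 3. Put the user domain on AD. zimbraAuthLdapURL is multi-valued: the first
#    value goes in with md, the others are appended with +attr, so Zimbra moves
#    on to the next controller when one is down. zimbraAuthFallbackToLocal lets
#    an account with a local Zimbra password still log in if AD is unreachable.
configure_ad_auth() {
    set -- $AD_SERVERS
    first="$1"; shift
    run zmprov md "$USER_DOMAIN" \
        zimbraAuthMech ad \
        zimbraAuthLdapURL "$first" \
        zimbraAuthLdapBindDn "%u@$USER_DOMAIN" \
        zimbraAuthFallbackToLocal TRUE
    for url in "$@"; do
        run zmprov md "$USER_DOMAIN" +zimbraAuthLdapURL "$url"
    done
}

# 4. IT's Admin Console accounts stay on Zimbra's own LDAP, so an AD outage
#    or compromise does not lock administrators out.
configure_admin_domain() {
    run zmprov md "$ADMIN_DOMAIN" zimbraAuthMech zimbra
}

# 5. Read the result back (useful as change-ticket evidence).
show_auth_settings() {
    run zmprov gd "$USER_DOMAIN" zimbraAuthMech zimbraAuthLdapURL zimbraAuthFallbackToLocal
    run zmprov gd "$ADMIN_DOMAIN" zimbraAuthMech
}

trust_ad_ca
verify_controllers
configure_ad_auth
configure_admin_domain
show_auth_settings
```

Two points worth keeping in mind: fallback authentication only helps an account that also has a password stored in Zimbra’s LDAP, so decide up front which accounts get one; and the openssl check is the quickest way to catch a controller whose certificate was issued by a different (or renewed) CA before users start seeing login failures.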
Zimbra’s Briefcase To Replace OneDrive
Zimbra’s Briefcase is like a cross between Google Docs and OneDrive. You can upload and download documents of any (allowed) type, create multiple Briefcases and folders and subfolders within each Briefcase, and share out folders to internal and (if allowed) to external users as well.
Zimbra ships with a custom roll of OnlyOffice. OnlyOffice is an open-source Microsoft Office replacement that we have found is ~98-ish% compatible with even the most heavily formatted Word and PowerPoint docs, and similarly contains almost all of the functions and features in Microsoft Excel. OnlyOffice in Zimbra supports collaborative document editing, so multiple team members can edit a document at the same time (just like Google Docs).
Unlike Microsoft 365 and Exchange, whose web clients are less than full-featured, Zimbra’s web client since Day One was intended to be the primary client for accessing all of Zimbra’s features. No local Outlook, Word, PowerPoint nor Excel clients to install, maintain and upgrade – just a web browser. (Though, to be fair, Zimbra Professional ships with the Zimbra Connector for Outlook that exposes those Zimbra groupware features that Outlook supports from within Outlook). Zimbra ships with two web clients: Classic and Modern, and Modern has a very Outlook-like interface to make user transitions a little easier.
Two feature bonuses included with Briefcase are that it supports document check out and check in, and, Briefcase also supports document versioning. These two features alone empowered one customer to save some $50,000 per year by migrating from a separate, standalone document management system to Briefcase.
Further, Zimbra’s roadmap for this year includes a built-in Large File Transfer feature that will eliminate customers’ need for a separate large file transfer application, again, enhancing data sovereignty by keeping such large files within a self-hosted Zimbra system.
Zimbra Mobile Device Management (“MDM”)
Zimbra Professional includes fully supported ActiveSync properly licensed from Microsoft. As an aside, Zimbra has enhanced ActiveSync to support Shared Folders on mobile devices connected via ActiveSync.
The Exchange ActiveSync (“EAS”) protocol above certain versions supports various MDM functions, including both administrator-initiated manual remote wipe of the entire device (factory reset); automated remote wipe of the device after X number of failed login attempts; removal of the ActiveSync account and data from the device, leaving the rest of the device intact, and; application restrictions, unlock password length and complexity, and other device security requirements.
Again, like the check-out/check-in and versioning features in Briefcase, these MDM features are included in Zimbra Professional.
If you deploy autoconfigure records in public DNS, users will have as near-seamless experience adding their Zimbra ActiveSync account to their mobile device as they would when adding a native Microsoft 365 account to their mobile device.
Zimbra’s Class of Service Architecture (“CoS”)
Zimbra’s Classes of Service work not unlike Windows’ Security Groups. A CoS is a collection of settings, rights and policies. When applied to a domain, all accounts within the domain “inherit” that CoS. You can “break” that inheritance by applying a different CoS to an individual account, for example where one CoS mandates the use of 2FA and the other CoS does not.
Zimbra Classes of Service are therefore an efficient and easy-to-use way of ensuring audit compliance and consistent policy application across all accounts within a domain, with a typical CoS containing more than 550 entries in “attribute:value” pairs.
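As an added example covering both this section and the MDM section above (it is my own script for this post, not Zimbra’s), here is the 2FA scenario just described done from the CLI: a strict CoS that requires 2FA and sets an ActiveSync device-passcode policy becomes the domain default, a relaxed CoS is assigned to one constructed exception account, and a final search lists every account in the domain that overrides the default. The CoS names and the kiosk account are placeholders; the zmprov subcommands and attribute names are the ones I know from zmprov help, and the script only prints the commands when zmprov is not on the PATH.

```shell
#!/bin/sh
# Added example (not from the blog): two Classes of Service for mycompany.com.
# "staff-strict" is the domain default and forces 2FA plus an ActiveSync
# passcode policy; "staff-relaxed" is assigned to one constructed exception
# account. The last function audits which accounts override the default.
# Run on a Zimbra server as the "zimbra" user.
set -eu

DOMAIN="mycompany.com"
STRICT_COS="staff-strict"
RELAXED_COS="staff-relaxed"
EXCEPTION="lobby-kiosk@mycompany.com"   # constructed placeholder account

# Without zmprov on PATH the plan is printed instead of executed.
command -v zmprov >/dev/null 2>&1 || DRY_RUN=1
run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# zimbraDomainDefaultCOSId wants the CoS zimbraId, not its name.
cos_id() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'ID-OF-%s\n' "$1"          # placeholder while planning
    else
        zmprov gc "$1" zimbraId | sed -n 's/^zimbraId: //p'
    fi
}

# 2FA and mobile-policy settings live on the CoS; accounts inherit them.
create_cos_pair() {
    run zmprov cc "$STRICT_COS" \
        zimbraFeatureTwoFactorAuthAvailable TRUE \
        zimbraFeatureTwoFactorAuthRequired TRUE \
        zimbraFeatureMobileSyncEnabled TRUE \
        zimbraFeatureMobilePolicyEnabled TRUE \
        zimbraMobilePolicyDevicePasswordEnabled TRUE \
        zimbraMobilePolicyMinDevicePasswordLength 6 \
        zimbraMobilePolicyMaxDevicePasswordFailedAttempts 10
    run zmprov cc "$RELAXED_COS" \
        zimbraFeatureTwoFactorAuthAvailable TRUE \
        zimbraFeatureTwoFactorAuthRequired FALSE
}

# Every account in the domain without its own zimbraCOSId inherits this one.
set_domain_default() {
    run zmprov md "$DOMAIN" zimbraDomainDefaultCOSId "$(cos_id "$STRICT_COS")"
}

# Breaking inheritance for one account is an explicit, auditable act.
except_account() {
    run zmprov sac "$EXCEPTION" "$RELAXED_COS"
}

# Audit: accounts carrying their own zimbraCOSId (searchAccounts with an LDAP
# filter, scoped to the domain), then the effective 2FA value for the
# exception; ga shows values inherited from the CoS.
audit_overrides() {
    run zmprov sa -v '(zimbraCOSId=*)' domain "$DOMAIN"
    run zmprov ga "$EXCEPTION" zimbraCOSId zimbraFeatureTwoFactorAuthRequired
}

create_cos_pair
set_domain_default
except_account
audit_overrides
```

The audit search is the part I would schedule: a domain default CoS gives you consistent policy only as long as the list of per-account overrides stays short and every entry on it has a documented reason.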
Zimbra’s Archiving and Discovery (“A&D”)
Zimbra Professional’s Archiving and Discovery (“A&D”) provides tremendous cost savings for companies, municipalities and governments who would otherwise be required to deploy a separate email archiving system. Typically, there is a legal, regulatory or policy requirement to store a permanent (and sometimes immutable) copy of every inbound and outbound email. The Archiving component of A&D is turned on on a per-mailbox basis; doing so creates a hidden-from-regular-users mailbox that retains a copy of every email sent to or from the companion regular mailbox. Users are unaware by default that an Archiving mailbox has been created to cover their mailbox.
Each Professional license also includes a license for a companion Archive mailbox, so there is no additional licensing cost when enabling A&D.
The Discovery portion of A&D includes a robust, low-impact Cross Mailbox Search feature exposed in the Admin Console. Results of such searches can be populated in a new or existing folder in a new or existing mailbox.
When municipalities and government agencies respond to a Freedom of Information Act request, A&D is used to share the results of the FOIA request with the filer, by using Zimbra’s sharing feature to share out the target mailbox folder to the filer. When companies and other entities are involved in litigation, A&D is used to be responsive to discovery requests. The defendant’s attorney works with IT staff to craft a search in A&D, and the results of the search are shared out to defendant’s attorneys. Once they excise non-responsive material from the results, such results are then shared with plaintiff’s attorneys. Note that Zimbra has a separate “Litigation Hold” feature as well. Fortunately, none of my customers have ever had to use this!
Again, by keeping all of this data within Zimbra, data sovereignty is assured.
Further, some regulated industries (financial services in the United States for example) are required to store such archive mailboxes’ data on WORM (Write-Once; Read-Many) storage, which is readily configurable and supported in Zimbra.
Lastly, it’s typical to provision a separate mailbox server or servers to host just the Archive mailboxes (easily controlled by one’s Classes of Service BTW!). These archive-only servers can be domiciled in a separate data center if you wish, providing physical geographic protection for your Archive data. (You can also use a second data center for Zimbra Disaster Recovery, another no-additional-cost feature in Zimbra licensing, but that’s for a separate blog post…)
Zimbra’s Admin Console
Unlike Microsoft 365, which has multiple (and frequently changing) Admin Consoles, Zimbra has only one. It’s straightforward to navigate and handles managing hundreds of thousands of accounts and thousands of domains (some Zimbra systems even have millions of mailboxes).
Zimbra’s Admin Console is also customizable, so you can remove features which would be dangerous for a Tier 1 support desk team, who traditionally handle tasks no more complicated than new device onboarding. You wouldn’t want a Tier 1 helpdesk agent to be able to, for example, delete the company domain and all of the mailboxes in it.
As compared to the Intune attack vector exploited in the Stryker attack (as surmised as of this writing), there is no facility in Zimbra’s Admin Console to wipe all devices all at once. Now, to be fair, if a bad actor obtained SSH access to one of your Zimbra servers via a Linux account that had sudoer privileges to become the “zimbra” user, then of course, all bets are off. But that sort of SSH access is a much higher bar (hopefully!) than just obtaining admin account credentials on an Intune administration console.
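The mechanism behind trimming what a Tier 1 agent can do is Zimbra’s delegated administration: rights are granted per target with zmprov grr and can be checked with zmprov ckr. As an added example for this post (my script, not Zimbra’s), the following creates a helpdesk admin group for the it.mycompany.com admin domain, grants it only the rights needed to look up accounts and reset passwords in mycompany.com, and then asks Zimbra to confirm that deleting an account or the domain is denied. The group, agent and user names are constructed placeholders; the right names are the atomic rights I know from zmprov, and without zmprov on the PATH the script prints the commands rather than running them.

```shell
#!/bin/sh
# Added example (not from the blog): a Tier 1 helpdesk admin group that can
# list accounts and reset passwords in mycompany.com but holds no delete
# rights, followed by checkRight calls that prove it. Run as "zimbra".
# Group, agent and sample user names are constructed placeholders.
set -eu

USER_DOMAIN="mycompany.com"
GROUP="helpdesk-tier1@it.mycompany.com"
AGENT="helpdesk1@it.mycompany.com"
SAMPLE_USER="alice@mycompany.com"

command -v zmprov >/dev/null 2>&1 || DRY_RUN=1
run() { if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi; }

# An admin group is a distribution list flagged zimbraIsAdminGroup; each
# member also needs zimbraIsDelegatedAdminAccount to reach the Admin Console.
create_group() {
    run zmprov cdl "$GROUP" zimbraIsAdminGroup TRUE
    run zmprov ma "$AGENT" zimbraIsDelegatedAdminAccount TRUE
    run zmprov adlm "$GROUP" "$AGENT"
}

# Grants use the user domain as the target, so they cover accounts in
# mycompany.com only, never it.mycompany.com, servers or global config.
# Nothing here grants deleteAccount or deleteDomain.
grant_minimum_rights() {
    for right in listAccount getAccountInfo setAccountPassword; do
        run zmprov grr domain "$USER_DOMAIN" grp "$GROUP" "$right"
    done
}

# Ask Zimbra for the effective decision on a right (ckr prints ALLOWED or
# DENIED); keep the expected answers next to each call as the control.
check() {
    run zmprov ckr "$@"
}

create_group
grant_minimum_rights
check account "$SAMPLE_USER" "$AGENT" setAccountPassword   # expected ALLOWED
check account "$SAMPLE_USER" "$AGENT" deleteAccount        # expected DENIED
check domain "$USER_DOMAIN" "$AGENT" deleteDomain          # expected DENIED
```

The ckr calls are the part to keep around: re-run them after any rights change or upgrade and you have a repeatable test that the helpdesk still cannot delete a mailbox or the domain, which is exactly the exposure the Stryker incident has people worried about.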
Zimbra’s Lower Licensing Costs
Zimbra’s licensing is very different from Microsoft’s. All you purchase is enough seats to cover all of the mailboxes you need. No per-server licenses, no CALs… just seats. If you buy 250 seats you’ll get a price break. You can deploy Zimbra on one or as many servers as you wish. You can deploy a warm standby disaster recovery system in a separate data center if you wish. You can provision as many domains, aliases, distribution lists, meeting rooms etc. as you wish and none of that changes the licensing costs.
For example, a one-year subscription, for a 250-seat order of Zimbra Professional — including Premier Support from Zimbra directly — has a list price of $32.03 per-seat per year. Microsoft E5 subscriptions (with a feature set comparable to Zimbra Professional) cost more than that per-month. For sure, you need to supply your own hardware, but for most companies, the marginal cost of doing so in their existing data center infrastructure is zero as they already have existing excess capacity.
Conclusions
Zimbra’s features as described above create the four-fold benefits of enhancing data sovereignty; decreasing the exposure to a Stryker-like attack; simplifying compliance, and; providing features comparable to Microsoft E3 and E5 subscriptions for a fraction of the cost.
If you’d like to explore how Zimbra can help you with enhanced data sovereignty, security, compliance and cost savings, fill out the form to start the conversation!
Hope that helps,
L. Mark Stone
Mission Critical Email LLC
13 March 2026
The information provided in this blog is intended for informational and educational purposes only. The views expressed herein are those of Mr. Stone personally. The contents of this site are not intended as advice for any purpose and are subject to change without notice. Mission Critical Email makes no warranties of any kind regarding the accuracy or completeness of any information on this site, and we make no representations regarding whether such information is up-to-date or applicable to any particular situation. All copyrights are reserved by Mr. Stone. Any portion of the material on this site may be used for personal or educational purposes provided appropriate attribution is given to Mr. Stone and this blog.
