Thanks in advance for your insights and shared knowledge of the given topic.
Context
The company I’m working for is currently hosting their website and mail server with Hostgator. That one dedicated server runs WHM/Cpanel for WordPress websites and emails. The server has a 1TB hard drive that is going to be filled soon. They were told to separate the two services but Ofc, they want to cut costs and not go to another web provider with a monthly subscription to host their emails. The company is heavily marketing-driven which depends a lot on their emails to send and receive emails with attachments. All their email accounts amount to 300Gb in size
Proposition
I have an old dell desktop PC with an Intel 3770 4c/8t, DDR3 32GB RAM. I also have another dell workstation desktop PC with Xeon E31280 4c/8t, DDR3 32GB RAM. We also have a DIA internet connection (symmetrical 25Mbps) with static IP and we’re allowed by the ISP to host anything we want. We also have FQDN.
I’m looking to solve this by migrating the contents of the existing server to a local VM running WHM/cPanel on a Linux distro and also adding another VM running Server 2019 and migrating our AD, DNS, DHCP, and print server to that.
Your help:
Is the above-mentioned hardware sufficient to run those two VMs with XCP-ng?
Is it recommended to run a mail server and our local AD server on the same machine? What challenges and security risks does this propose?
If we’re to run WHM/cPanel, what is the recommended Linux flavor for this? I was going with CentOS but due to the recent events with Redhat, I don’t want to take that risk with CentOS 7 with support ending in the next two years.
Once again, much appreciated for your help and assistance.
I was hoping someone else would have responded to this post already as it really requires a lot of time and detail to speak to everything. So I’ll try to give a quick sentence or two for each question but it’s not going to be as thorough as what you’re looking for. And I’ll preface all this by starting with this statement: You need to hire a qualified consultant and/or utilize an MSP for this deployment. At minimum you need to set up a DMZ, choose appropriate hardware, use a CDN for WordPress, develop an on-prem backup policy, and have at least one bare-metal AD DC outside your virtualized environment. The TL;DR when you get done reading this should be: If done properly, an on-prem deployment will be significantly more expensive than cloud and if not properly secured could lead to a very embarrassing/expensive data breach.
If you don’t mind me asking, what is your monthly budget?
Based solely on their ages, I wouldn’t recommend either machine for production use. At a bare minimum I would suggest a modern CPU, ECC memory, redundant PS, RAID (or HBA if using ZFS), and a hardware warranty with SLA (4 hours? 24 hours? How long can you be down?). And if you don’t want to pay for a warranty then you really need to deploy an HA cluster with shared storage such as a SAN. New Dell servers start around $10k/ea with mid-grade Xeon CPUs and 256GB ram.
Doable but you need to segregate all public facing services into a DMZ. And you really should use a CDN to prevent some a-hole from taking your 25Mbit connection offline with a simple DoS attack. Prices start at $20/m for CloudFlare.
Things can get really messy if all your AD DCs are virtualized and your network goes completely down… especially if you’re using LDAP for auth on your hypervisors or are relying on DNS from the DCs. I recommend having at least one bare metal DC running in your environment that provides DNS and DHCP failover. Either of the two machines you listed above would work great for that purpose. DNS and DHCP are fine to run on the DC but I’ve never run a print server so can’t comment on security implications. Do your research before deciding if it’s appropriate.
You absolutely never, never ever want to run public facing services (and I go further, refusing to run internal services) on your DC. If a 0-day exploit for your SMTP server is chained with privilege escalation, you’ve just lost your entire domain. And likely the consequences will include ransomware, BEC, and/or data exfiltration. In fact when it comes to email services, you couldn’t pay me to deploy an on-prem Exchange server now in 2022. The only reason I have experience with on-prem Exchange was due to governance restricting use of cloud providers. Save yourself the headache and just pay Google for email hosting.
It’s compatible with just about every flavor, so whatever distro you are comfortable hardening and administrating.
Rocky Linux is a 1:1 RHEL compatible OS that I can comfortably recommend as a replacement.
Edit: Oh, and I forgot to mention the “costs” of using XCP-ng. Sure it’s a free-to-use, stable hypervisor but technical support requires an annual subscription. Are you comfortable relying on community forum based support? Or do you need a timely response when there is a business impacting issue? If you need a 1 business day response it’ll cost $600/yr per host. Or a 1 hr response will cost $1200/yr per host. Just something you really should factor into the overall cost of on-prem.
@Four0Four Thank you very much for your response. Very much appreciate your time and knowledge. Really do. I understand what you’re saying and we’re no longer going to do any virtualization. We’ll leave the existing AD, DNS, and DHCP servers to run bare metal. As for the mail server, that’s going to run on a bare metal system.
For the Linux distro, I’m looking into Ubuntu to run WHM/cPanel.
The server will not be hosting any websites, its sole purpose is for emails. Just a simple mail server. The internet connection is not passing through any firewall or switch. The bare metal system will be directly connected to the modem, which is in bridge mode. That system alone will be using that connection.
What would your recommendation be if we were to go this route?
e.g. security protection, hardware specs, software, or hardware RAID?
We did present Google email hosting but it’s too expensive for the business. We’re looking at $6 for 70 email accounts, which is $420 a month. I know it’s not much for a business to pay but they are reluctant to pay that on a monthly basis. I’ll let them know the risk of going on-prem.
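The plan in the post above puts a mail-only host directly behind a bridged modem with no firewall or switch in between, so every socket that host binds to a non-loopback address is reachable from the internet. A quick self-audit a defender would want before going live is to compare the host's listening sockets against the short list of ports a mail server actually needs. The script below is an added example, not code from this thread or from cPanel; it assumes a mail-only allowlist of SSH, SMTP, submission, IMAPS and POP3S (22, 25, 465, 587, 993, 995) and runs against a constructed sample of `ss -Hlntu` output so it works offline. On a real host you would feed it `$(ss -Hlntu)` instead.

```shell
#!/bin/sh
# Added example (not from the thread): flag listening sockets on a mail-only
# host that are reachable from the internet but are not on the allowlist.

# Assumption: a host whose sole purpose is email needs only these ports
# exposed. SSH is kept here only so the host can be administered; restricting
# it to a management source address is a separate step.
ALLOWED_PORTS="22 25 465 587 993 995"

# Constructed sample in the column layout of `ss -Hlntu`:
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# It deliberately includes a WHM admin port (2087) and rpcbind (111) bound to
# all interfaces, and MySQL (3306) bound to loopback only.
SAMPLE_SOCKETS='tcp   LISTEN 0 4096 0.0.0.0:25     0.0.0.0:*
tcp   LISTEN 0 4096 0.0.0.0:587    0.0.0.0:*
tcp   LISTEN 0 4096 0.0.0.0:993    0.0.0.0:*
tcp   LISTEN 0 4096 0.0.0.0:22     0.0.0.0:*
tcp   LISTEN 0 4096 0.0.0.0:2087   0.0.0.0:*
tcp   LISTEN 0 4096 127.0.0.1:3306 0.0.0.0:*
udp   UNCONN 0 0    0.0.0.0:111    0.0.0.0:*'

# audit_exposed_ports SOCKET_TABLE
# Prints "proto port" for every socket bound to a non-loopback address whose
# port is not in ALLOWED_PORTS. Returns 0 when nothing unexpected is exposed,
# 1 otherwise, so it can gate a deployment script.
audit_exposed_ports() {
    sockets="$1"
    found=0
    while read -r proto state recvq sendq local peer; do
        [ -z "$proto" ] && continue
        addr="${local%:*}"   # everything before the last colon
        port="${local##*:}"  # everything after the last colon
        # Loopback-only listeners are not reachable from the modem side.
        case "$addr" in
            127.*|\[::1\]|::1) continue ;;
        esac
        # Allowlist match is done with padded spaces to avoid prefix matches
        # (e.g. port 2 matching 22).
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;
            *) echo "$proto $port"; found=1 ;;
        esac
    done <<EOF
$sockets
EOF
    return $found
}

# Stand-alone run against the constructed sample; the guard keeps the script's
# own exit status at 0 so it can be sourced.
audit_exposed_ports "$SAMPLE_SOCKETS" \
    || echo "unexpected internet-reachable listeners found (see above)"
```

Any port the script prints is something the host is offering to the whole internet that a plain mail server does not need; in the sample that is the WHM admin interface and rpcbind, which should be bound to loopback, firewalled to management addresses, or disabled before the box is plugged into the modem.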