Exchange Server 2019 on a VPS

[aaronf15]

I am wanting to setup Exchange Server on a VPS. First of all, is this possible? I would obviously wanting to connect my domain. Would I need to set that up as the domain controller. I mean surely I wouldn't need to configure a DC as I'm not going to be Windows Server itself, just as a way to host an exch server. 

 

Would it need to be hosted on a VM of the server as I know people often don't host it on the main machine?

 

Any suggestions and ideas would be appreciated.

[Laaazz]

Exchange Server authenticates against Active Directory, so yes, you need a DC, and yes, you "can" have it on the same VM. It is just not recommended for AD to share a VM with another role. Maybe...? you can connect Azure's AD service (it's free until a crazy amount of objects afaik) not sure though.

 

I was able to setup AD+Exch on the same VM. Just make sure to give it enough CPU and Mem. For a low traffic server, 2vCPU 16GB Mem should be fine.  You could bump it up to 4vCPU if it's sluggish.  SSD for the OS drive, and store the mailboxes on a separate vdisk.

[aaronf15]

3 hours ago, Laaazz said:

Exchange Server authenticates against Active Directory, so yes, you need a DC, and yes, you "can" have it on the same VM. It is just not recommended for AD to share a VM with another role. Maybe...? you can connect Azure's AD service (it's free until a crazy amount of objects afaik) not sure though.

 

I was able to setup AD+Exch on the same VM. Just make sure to give it enough CPU and Mem. For a low traffic server, 2vCPU 16GB Mem should be fine.  You could bump it up to 4vCPU if it's sluggish.  SSD for the OS drive, and store the mailboxes on a separate vdisk.

So I could host the whole lot on the one VPS? So would I just setup the dc with a .local one or would that need to be connected to my external domains? My plan would be just to setup a .local DC and then in Exch configure my domains.

 

Also, I know on exch you need to activate it. What would be the drawback if I didn't after the grace period? 

 

 

I am also thinking about just hosting Windows Server on an old PC. Ideally I wouldn't want to pay the license cost. Would it still work without activating it after the 180 day grace period?

 

 

 

[aaronf15]

3 hours ago, Laaazz said:

Exchange Server authenticates against Active Directory, so yes, you need a DC, and yes, you "can" have it on the same VM. It is just not recommended for AD to share a VM with another role. Maybe...? you can connect Azure's AD service (it's free until a crazy amount of objects afaik) not sure though.

 

I was able to setup AD+Exch on the same VM. Just make sure to give it enough CPU and Mem. For a low traffic server, 2vCPU 16GB Mem should be fine.  You could bump it up to 4vCPU if it's sluggish.  SSD for the OS drive, and store the mailboxes on a separate vdisk.

The other thing is my internet connection doesn't have an external static IP. I would obviously setup a static IP to the router but I wouldn't be able to host it on a dynamic IP, is that correct?

[Sir Asvald]

19 minutes ago, aaronf15 said:

The other thing is my internet connection doesn't have an external static IP. I would obviously setup a static IP to the router but I wouldn't be able to host it on a dynamic IP, is that correct?

You'll need a static IP address, but you'll also need a business line. Most residential ISPs will block port 25. A word of advice... Setting up Exchange Server is no easy task. The hard part is managing it, the server needs to be on 24/7 if you want use it all the time.

 

You'll need a domain controller and it's not advised to have exchange and a domain controller installed on the Sam machine. As for the domain name, you can use your external domain as your domain name, I do that. It's up to you if you want to use .local domain but do remember, you won't be able to get certificates from LE because .local is not a routable domain (can't be reached to the internet). It's also advised that you install exchange on physical server rather than a VM, as Exchange Server uses a lot of resources. I have an exchange server and it's close to maxing out the 16gb it has. 

[aaronf15]

4 minutes ago, Sir Asvald said:

You'll need a static IP address, but you'll also need a business line. Most residential ISPs will block port 25. A word of advice... Setting up Exchange Server is no easy task. The hard part is managing it, the server needs to be on 24/7 if you want use it all the time.

 

You'll need a domain controller and it's not advised to have exchange and a domain controller installed on the Sam machine. As for the domain name, you can use your external domain as your domain name, I do that. It's up to you if you want to use .local domain but do remember, you won't be able to get certificates from LE because .local is not a routable domain (can't be reached to the internet). It's also advised that you install exchange on physical server rather than a VM, as Exchange Server uses a lot of resources. I have an exchange server and it's close to maxing out the 16gb it has. 

Right ok so I'll be using a VPS then. I mean I would just be hosting exch so I presume it wouldn't use as much. If it was really maxing out I would just upgrade it. 

 

This was the one I was looking at: 

 

Would this be ok? And I would just upgrade storage as and when I needed it. 

[Sir Asvald]

6 minutes ago, aaronf15 said:

Right ok so I'll be using a VPS then. I mean I would just be hosting exch so I presume it wouldn't use as much. If it was really maxing out I would just upgrade it. 

 

This was the one I was looking at: 

 

Would this be ok? And I would just upgrade storage as and when I needed it. 

4GB is way too low for exchange, the minimum for exchange 2019 is 16GB... were are going to install your domain controller?

[aaronf15]

2 minutes ago, Sir Asvald said:

4GB is way too low for exchange, the minimum for exchange 2019 is 16GB... were are going to install your domain controller?

Going back to a self-hosted solution. I have an old machine running 64GB ram i7 8th gen so I'd use that. If I used a dynamic DNS service like no-ip.org would that work? And I will have a look on my router now try opening port 15 both UDP and TCP and then check it on a port forwarding tester and see if it works. Would this work??

[Sir Asvald]

1 minute ago, aaronf15 said:

Going back to a self-hosted solution. I have an old machine running 64GB ram i7 8th gen so I'd use that. If I used a dynamic DNS service like no-ip.org would that work? And I will have a look on my router now try opening port 15 both UDP and TCP and then check it on a port forwarding tester and see if it works. Would this work??

You're going to install exchange and domain on the same machine? Not a good idea..

[aaronf15]

10 minutes ago, Sir Asvald said:

You're going to install exchange and domain on the same machine? Not a good idea..

No I will host the domain on the main machine then run a VM running exchange. Would I be ok not activating Exchange and Windows Server or do they need to be activated? Also what do you mean by LE Certificate? Could I not just use a self signed certificate?

[Sir Asvald]

28 minutes ago, aaronf15 said:

No I will host the domain on the main machine then run a VM running exchange. Would I be ok not activating Exchange and Windows Server or do they need to be activated? Also what do you mean by LE Certificate? Could I not just use a self signed certificate?

I don't know about non activation.. my exchange is activated.. As for LE  (Lets Encrypt is a free certificate service you can get a certificate for 3 months) certificate because you are using a .local domain you cannot get a certificate using the domain .local is not internet routable.. You can get a certificate for your public domain.. using self signed certificates is not the best ideas for exchange servers, best to get a free cert from LE

[aaronf15]

5 minutes ago, Sir Asvald said:

I don't know about non activation.. my exchange is activated.. As for LE  (Lets Encrypt is a free certificate service you can get a certificate for 3 months) certificate because you are using a .local domain you cannot get a certificate using the domain .local is not internet routable.. You can get a certificate for your public domain.. using self signed certificates is not the best ideas for exchange servers, best to get a free cert from LE

If you don't mind me asking how much was your license for Exchange? And what about non activation on WIndows server? Even if I had the DC as a .local if I configured Exchange with my external domain and set my web address to mail.customdomain.com then got LE to set a free certificate to that or should I just set the DC as my custom?

 

Only reason I'm asking this is because in Windows Server I've only ever used .local domains so I'm not familiar with external etc. What else would I need to do to connect it?

 

Thanks for your help  

[Sir Asvald]

11 minutes ago, aaronf15 said:

If you don't mind me asking how much was your license for Exchange? And what about non activation on WIndows server? Even if I had the DC as a .local if I configured Exchange with my external domain and set my web address to mail.customdomain.com then got LE to set a free certificate to that or should I just set the DC as my custom?

 

Only reason I'm asking this is because in Windows Server I've only ever used .local domains so I'm not familiar with external etc. What else would I need to do to connect it?

 

Thanks for your help  

Expensive, I can tell you right now. It's per CAL = Client access license..

[Sir Asvald]

16 minutes ago, aaronf15 said:

If you don't mind me asking how much was your license for Exchange? And what about non activation on WIndows server? Even if I had the DC as a .local if I configured Exchange with my external domain and set my web address to mail.customdomain.com then got LE to set a free certificate to that or should I just set the DC as my custom?

 

Only reason I'm asking this is because in Windows Server I've only ever used .local domains so I'm not familiar with external etc. What else would I need to do to connect it?

 

Thanks for your help  

You can get 180 days trial for your windows server and you "re-activate them" using the command slgmr re-arm and it'll give you another 180 days. You'd need to point your external servers to your server which your ISP internet.

[aaronf15]

18 minutes ago, Sir Asvald said:

You can get 180 days trial for your windows server and you "re-activate them" using the command slgmr re-arm and it'll give you another 180 days. You'd need to point your external servers to your server which your ISP internet.

Right ok. Could i please pm me your Discord in case I need to contact you in the future? If I open port 25 on my router and use open port checker will that be enough to prove if its blocked or not?

[Sir Asvald]

2 minutes ago, aaronf15 said:

Right ok. Could i please pm me your Discord in case I need to contact you in the future? If I open port 25 on my router and use open port checker will that be enough to prove if its blocked or not?

Sorry I meant you need to point your external domain to your email server*

 

[aaronf15]

So the DC would be .local and then I would just point the external domain to the email server when I configure that?

[wseaton]

Just curious, but why are you doing this? On prem Exchange is so 10 years ago.

 

The nano second you forward a piece of spam you will be blacklisted faster than a Thanos snap  

[Sir Asvald]

7 hours ago, aaronf15 said:

So the DC would be .local and then I would just point the external domain to the email server when I configure that?

Yes, you would point your external domain to your home IP address.

[Sir Asvald]

6 hours ago, wseaton said:

Just curious, but why are you doing this? On prem Exchange is so 10 years ago.

 

The nano second you forward a piece of spam you will be blacklisted faster than a Thanos snap  

Some companies still run On Prem because of regulation they cannot move their emails to the cloud, they need to keep their emails within the org. You can disable open relay, I've got email filter between my exchange server so no email spam or any spam.

[Laaazz]

I'm late to the party.

 

Most issues  were answered by Sir Asvld. However, I'd like to add a few more:

 

1. Most cloud providers block port 25 outgoing. From what i've read,  if you're on AWS, just contact support and they'll open it for you. If you're on Azure, (i've done this) outbound port 25 is for an "upper tier plan" thats available for big companies. Inbound is goods tho. You'll have to use an SMTP relay service - I tried SocketLabs. They have  developer tier that does SMTP relay that does 2000 emails per month for free. SendGrid is another option, much cheaper too! Tho, I haven't tried trier SMTP relay service yet.

 

2. Yeah, Exchange Server is expensive. at least 1k USD. Then you'll have to purchase a CAL license PER user. 

     

3.Not sure if Exchange will play nicely .local, but it should(?) work. You'll need a proper domain anyway in-order to send mail. AFAIK, the major mail providers reject email from domains that aren't configured properly. Which leads us to #4

 

4. DKIM, SFP DMARC DNS records. Remember to configure these  in the DNS records control panel. To put it simply, the 3 records tell external mail servers that email with @yourdomain. from IP "x.x.x.x" are legit, and prevent spoofing and phishing attacks.

 

 

[aaronf15]

17 hours ago, wseaton said:

Just curious, but why are you doing this? On prem Exchange is so 10 years ago.

 

The nano second you forward a piece of spam you will be blacklisted faster than a Thanos snap  

I'm doing it because I want to cut monthly costs that I'm paying at the moment to Microsoft for their hosted mailboxes.

 

11 hours ago, Sir Asvald said:

Yes, you would point your external domain to your home IP address.

I have 2 internet connections coming in. My secondary one isn't used 90% of the time so I'm not bothered it displaying my IP.

 

11 hours ago, Laaazz said:

I'm late to the party.

 

Most issues  were answered by Sir Asvld. However, I'd like to add a few more:

 

1. Most cloud providers block port 25 outgoing. From what i've read,  if you're on AWS, just contact support and they'll open it for you. If you're on Azure, (i've done this) outbound port 25 is for an "upper tier plan" thats available for big companies. Inbound is goods tho. You'll have to use an SMTP relay service - I tried SocketLabs. They have  developer tier that does SMTP relay that does 2000 emails per month for free. SendGrid is another option, much cheaper too! Tho, I haven't tried trier SMTP relay service yet.

 

2. Yeah, Exchange Server is expensive. at least 1k USD. Then you'll have to purchase a CAL license PER user. 

     

3.Not sure if Exchange will play nicely .local, but it should(?) work. You'll need a proper domain anyway in-order to send mail. AFAIK, the major mail providers reject email from domains that aren't configured properly. Which leads us to #4

 

4. DKIM, SFP DMARC DNS records. Remember to configure these  in the DNS records control panel. To put it simply, the 3 records tell external mail servers that email with @yourdomain. from IP "x.x.x.x" are legit, and prevent spoofing and phishing attacks.

 

 

So would the SMTP relay service be instead of using port 25. Is there a way to work around port 25?

[Laaazz]

9 hours ago, aaronf15 said:

So would the SMTP relay service be instead of using port 25. Is there a way to work around port 25?

SMTP relay providers usually have alternate ports. Just look up with ports they use. Do note that this if for outbound mail only. I haven't tried inbound relays as I used Azure.

 

 

I suggest you do a POC first with an open source mail server, like iRedMail, to check if inbound port 25 is open. Exchange Server is a real pain to install and setup. It'll be a huge waste of time if you went through hours of configuration just to find out you're unable to receive email.

 

While writing this, I thought "why didn't I look up inbound SMTP relays". After a quick G search, I found Email Store/Forward | Inbound SMTP Relay | Email Reflector | Email Service (dynu.com). Not sure how good their service is though.

 

 

A few things though

 

1. Outlook Online and Exchange Server's code base has been separated for a few years now, this means that Exchange Server is unlikely to receive feature updates. If this matters to you

 

2. While setting up my Exchange Server, I realized the hassle of running a mail server on my own - disaster recovery, redundancy, automated backups, WAN failover, to name a few, are too much trouble. I ended up signing up with Zoho Mail.  <Disclaimer: I'm a Zoho Workplace reseller>. Their free tier allows custom emails for upto 5 users @ 5GB per user. If you need more than 5 users, upgrading only costs 1USD/user/month and gives you 10GB of storage.

 

3. You said you'll have another internet line coming in, will it also have a static IP? If so, you'll have to have DNS failover that automagically switches the target IP should the primary go down.

 

 

While writing #3, it occurred to me that DDNS might work with the IP switching problem. Gonna try this out when i have time.

[NelizMastr]

15 hours ago, aaronf15 said:

I'm doing it because I want to cut monthly costs that I'm paying at the moment to Microsoft for their hosted mailboxes.

 

You'll need a lot of mailboxes before this endeavour makes sense.

 

You need to have both Exchange CALs and Windows Server CALs for all possible users accessing a mailbox or any other resource on said server(s)

You need a license for your Exchange server

You need a license for all Windows instances you're using

You need to also keep in mind Exchange 2019 will go end of life in 2025, there probably won't be an on-prem Exchange after that. 

 

So can you justify the few thousand dollars of upfront cost to go back to your original situation in 3,5 years? 

 

If not, forget about it. The $3 a month for a user mailbox won't break the bank.

 

[aaronf15]

8 hours ago, NelizMastr said:

You'll need a lot of mailboxes before this endeavour makes sense.

 

You need to have both Exchange CALs and Windows Server CALs for all possible users accessing a mailbox or any other resource on said server(s)

You need a license for your Exchange server

You need a license for all Windows instances you're using

You need to also keep in mind Exchange 2019 will go end of life in 2025, there probably won't be an on-prem Exchange after that. 

 

So can you justify the few thousand dollars of upfront cost to go back to your original situation in 3,5 years? 

 

If not, forget about it. The $3 a month for a user mailbox won't break the bank.

 

Every 180 days for Windows server i will just renew the trial license by running the command. What happens if I dont license exchange server?