Kent-ITS designed and deployed a high-performance, self-hosted email platform for a UK distillery, replacing an unreliable third-party hosted service with a secure, fully controlled private cloud environment.

The solution delivered near-instant email performance, full data ownership, and long-term operational stability. Built on virtualised infrastructure and continuously evolved over more than a decade, the platform remains in active use today — demonstrating the value of engineered longevity over short-term cloud dependency.

The Challenge

The organisation’s existing hosted email platform had become a critical operational bottleneck and a growing business risk.

Technical Constraints

  • Externally hosted email via TSOhost
  • Early reliance on mobile connectivity due to lack of fixed broadband
  • Unstructured shared mailbox usage
  • Rapid growth in mailbox size and message volume

Business Impact

  • Email actions taking minutes rather than seconds
  • No control over system performance or configuration
  • No reliable backup or recovery capability
  • Complete dependency on third-party infrastructure

Even after ADSL connectivity was introduced, the hosted platform failed to scale with operational demand.

The Solution

Kent-ITS engineered a self-hosted, virtualised private cloud platform designed for performance, resilience, and long-term control.

Infrastructure & Virtualisation

  • Rack-mounted infrastructure with structured cabling
  • Refurbished HP ProLiant DL380 G5 with RAID-backed storage
  • Full firmware lifecycle management prior to deployment
  • Virtualisation initially on VMware, later migrated to XCP-ng

Workload Architecture

  • Dedicated virtual machines for:
    • Directory services (Ubuntu Server)
    • File services
    • Email platform (Zimbra Collaboration)

This separation ensured stability, simplified management, and enabled controlled scaling over time.


Email Platform Engineering

  • Dedicated Zimbra Collaboration deployment
  • IMAP-based migration from TSOhost with zero data loss
  • Elimination of external IMAP latency

Result: Email performance improved from minutes to near-instant responsiveness.


Storage & Backup Strategy

Initial shared storage enabled VM mobility but introduced instability during snapshot operations.

Engineering Decision

  • Migrated to local storage to eliminate read-only state risks
  • Prioritised data integrity over live migration capability

Backup Architecture

  • Application-aware backup using Zextras
  • Continuous incremental protection
  • Granular restore (single message → full system)

Security Architecture

Following a credential reuse incident, a full security hardening programme was implemented.

Controls Introduced

  • fail2ban deployed on mail server and gateway
  • Strong password policy enforcement
  • Organisation-wide credential reset

Mail Flow & Threat Reduction

A dedicated mail gateway layer was introduced using Proxmox Mail Gateway.

Architecture

 
Internet → Mail Gateway → Mail Server
 

Security Controls

  • Greylisting (450 temporary rejection)
  • Reverse DNS validation
  • DNSBL filtering (including Spamhaus)
  • Recipient verification
  • Firewall-level blacklisting

Outcome

  • Significant reduction in spam and automated attacks
  • Elimination of direct exposure of the mail server

Business Continuity Engineering

During a week-long broadband outage caused by infrastructure failure:

Response

  • Deployment of LTE failover using MikroTik gateway
  • Rapid rerouting of inbound mail services

Result

  • Email service maintained
  • No data loss
  • Business operations continued uninterrupted

Why Not Cloud?

Cloud platforms such as Microsoft 365 were evaluated but ultimately rejected based on the organisation’s operational requirements and long-term cost profile.

Key Considerations

Performance

Cloud-hosted email introduces unavoidable latency due to external IMAP/Exchange connectivity.
The self-hosted platform eliminated this entirely, delivering consistently faster access.


Control & Data Sovereignty

  • Full ownership of data and infrastructure
  • No reliance on third-party service availability or policy changes
  • Complete administrative control over configuration and security

Cost Predictability

Cloud services operate on a recurring per-user licensing model.

Over a 10-year period:

  • Microsoft 365 equivalent cost: ~£21,000
  • Self-hosted platform (Zextras): ~£3,000

Result: 86% reduction in licensing expenditure

"Note on Financial Accuracy: Microsoft 365 figures are based on 2015–2025 historical average rates for 25 seats. The self-hosted figure represents estimated licensing expenditure for the Zimbra environment and Zextras suite (based on 2017-era pricing of ~$227/year). Even accounting for hardware and power, the solution delivered a verified saving in excess of 80% over the decade."


Resilience & Independence

  • Continued operation during ISP outages via LTE failover
  • No dependency on external cloud availability
  • Local recovery capability without vendor escalation

Engineering Trade-Off

Cloud platforms offer convenience and reduced management overhead.

However, in this case:

Performance, control, and long-term cost efficiency were prioritised over convenience.

Project Outcomes

The final platform delivered a high-performance, resilient, and secure private cloud email environment aligned with the distillery’s operational needs.

Key Results

  • Email performance improved from multi-minute delays to near-instant access
  • Full ownership and control of all business data
  • Robust, application-aware backup and recovery capability
  • Significant reduction in spam and attack surface
  • Proven resilience during real-world connectivity failure

Long-Term Value

Over more than a decade, the platform evolved without requiring full replacement:

  • Hypervisor migration (VMware → XCP-ng)

    "Originally deployed on HP G5 infrastructure under VMware, the platform was seamlessly migrated to an XCP-ng environment running on HP G6 servers. This transition allowed for hardware modernisation and hypervisor independence without interrupting business operations."

  • Multiple operating system upgrades
  • Major email platform upgrades
  • Continued use of original server hardware

This demonstrates the effectiveness of a well-engineered system designed for longevity rather than short lifecycle replacement.

Equipment Used