But it's not just postfix or sendmail you need to configure correctly and then put apt-get update/upgrade -y in cron to avoid the damage caused by making a mistake or falling asleep at the wheel. Casual self-hosters have other vectors of attack to mitigate, for example making sure sasl or whatever they may be using for imaps auth is solid, that passwords are strong and routinely changed, that php is also tight and so on. The stakes are relatively high, the efforts to compromise systems for this and other purposes are voluminous and incessant. So I'd say "it takes a village" to do this safely enough, not individual enthusiasts who cannot commit to administering a server diligently.
