I can set up my own email server, and am quite happy with it, using standard open source components - postfix, roundcube, etc on top of HardenedBSD or OpenBSD.
I'd like to offer the use of my email server to friends and family, as some of them have said in as many words that they'd like it and would benefit. But I have a real ethical issue over hosting something so personal to them without more privacy safeguards. Even if I wouldn't read anything, I feel very uneasy that in principle, I easily could.
I know that as the server admin, anything the software can do, I can do. As always, it's about raising the barrier, not about absolute data protection.
The family/friends who would like to use it aren't sophisticated users. Think parents'/grandparents' generation. I doubt they're doing anything very unusual. They wouldn't know how to use custom certs or PGP or similar, and most of their email contacts wouldn't either (online purchases, friends, etc). They'll use standard POP/IMAP/SMTP/webmail, with standard apps. So anything that's to be done would have to be unilateral - not relying on them to understand complex setups, or things that won't work in common clients.
I can't avoid the need for at least one server admin with rights to configure things, and I know that any other users would have to rely completely on trust and it couldn't easily be "proven" what I'd done or not done. While they trust me (I help them routinely with email and host their backups as it is), it's just that, on principle, I don't feel that an email host should be able to look at third-party users' emails (other than where there's a clear expectation such as within an enterprise), and I want to get as close as I can to that, myself.
In other words, although trust is needed in any setup, there is a difference between trusting someone won't click and read (although it's trivial to do so), and trusting they have set it up and made it very hard to click and read.
Things I've thought of trying:
I've pondered setting it up in an encrypted VM, in such a way that once booted with the correct passphrase (needed to boot but doesn't let it log in), the system actually locks out its root and admin accounts and only allows a limited account that can manage mail but not view other users' data. Or maybe give the root passphrase in written form to a trusted relative who lacks access, and lock down the admin IP to their IP, so it's accessible in an emergency but not otherwise. I don't know if that helps, or is naive, though.
I've also looked for prebuilt end to end encryption for users, as that would be ideal, but I don't think this can work unless the user, and their contacts, both use appropriate client software, or avoid "ordinary" clients and stick to very specific ones ... and that just isn't likely/achievable for their expected "ordinary" use.
Is there an easy way to build/set up an email server for family/friends who request it, which at least helps to raise the bar in these areas, and lets me feel safer that their privacy is real, and not easily intruded upon, even if not ideal or absolute?
What steps can I take that would help?