Nice write-up. It actually inspires me to attempt a similar thing, by running the email gateway as a VPN point, but running the server software locally.
I won’t use Helm because it requires a mobile app which requires registering an account with Apple or Google. A second reason is the email VPNs are AWS.
If both of those changed, I’d recommend this for most folks.