TLS1.0 introduced modularity via the concept of "extensions". It's everything but a minor evolution of the protocol.
One of the many things it brought is session tickets, enabling server-side session resumption without requiring servers to keep synced-up state. Another is Server Name Indication, enabling servers to use more than one certificate.
It would be great if Google supported RFC 8414 and RFC 7591. Right now most MUAs hardcode credentials instead of auto-discovering/registering/configuring them and decline to implement those standards "because the big boys don't support them". The practical result is that one cannot use OAuth2 on their domain easily: the MUA needs to be told about which set of OAuth2 creds to use.
As one of the maintainers of Mailu, I'd say use Mailu!
Why? Three main reasons: (a) security (as you have identified, isolation matters, but that is not the only thing), (b) getting the benefits of "battle-tested" setups and (c) features.
On security: in its default config, Mailu scans emails for malicious macros via oletools (and optionally viruses via clamav). It also uses hardened_malloc, Snuffleupagus (a security module for PHP), gates all PHP code behind an authentication wall (webmails), ... and does both DANE and MTA-STS validation to ensure your emails are delivered to the right place. The authentication stack handles "smart" rate-limiting: you get to limit the number of authentications with distinct credentials over a time period (a misconfigured thick client won't trigger it), you have plenty of ways to avoid running into it (application tokens for thick clients, per-device cookies that give you a way out, whitelisting of "used" addresses, ...) and you also get to rate limit the number of sent emails (useful if a spammer gets their hands on the credentials of one of your users).
On the importance of "battle-testing" setups: well, there are plenty of non-subtle ways of breaking an email setup. Experience has shown that all the layers in the stack can be problematic... I can give you a bunch of examples of what we ran into recently if you want.
On features: your setup might be simpler but your users are missing out. Whether it's enhanced filtering (like with oletools), better indexing (full text search), indexing of attachments (with OCR! via Apache Tika), configuring server-side rules with managesieve or just "having an interface" to configure ooo, change their passwords, configure aliases or delegate permissions.
I have started spending time on Mailu because I don't like the bloat that comes with Mailcow. Give Mailu a shot; it is reasonably easy to debug when things go wrong (and not written in PHP :p).
Mailu is a simple yet full-featured mail server as a set of Docker images. It is free software (both as in free beer and as in free speech), open to suggestions and external contributions. The project aims at providing people with an easily set up, easily maintained and full-featured mail server while not shipping proprietary software nor unrelated features often found in popular groupware.
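The "distinct credentials over a time period" limiter described above, as an added illustration that is not Mailu's own code: a per-client sliding window counts how many different credential pairs were tried, so a thick client retrying one wrong password never trips it, while a credential-stuffing run does. The class name, the window parameters and the exemption list are constructed for this example.

```python
import hashlib
import time
from collections import defaultdict, deque


class DistinctCredentialLimiter:
    """Block a client once it has tried more than `max_distinct` different
    (username, password) pairs within a sliding window of `window_seconds`.
    Repeating the *same* pair (a misconfigured mail client) counts once."""

    def __init__(self, max_distinct, window_seconds, exempt_users=()):
        self.max_distinct = max_distinct
        self.window = window_seconds
        # e.g. application-token accounts that are never rate limited
        self.exempt = set(exempt_users)
        # client id -> deque of (timestamp, credential fingerprint), oldest first
        self._attempts = defaultdict(deque)

    @staticmethod
    def _fingerprint(username, password):
        # Never keep raw passwords in memory; a hash is enough to tell pairs apart.
        return hashlib.sha256(f"{username}\0{password}".encode()).hexdigest()

    def _prune(self, client, now):
        q = self._attempts[client]
        while q and now - q[0][0] > self.window:
            q.popleft()

    def record_failure(self, client, username, password, now=None):
        """Call after a failed login; returns True if the client is now blocked."""
        now = time.monotonic() if now is None else now
        if username in self.exempt:
            return False
        self._attempts[client].append((now, self._fingerprint(username, password)))
        return self.is_blocked(client, now)

    def is_blocked(self, client, now=None):
        now = time.monotonic() if now is None else now
        self._prune(client, now)
        distinct = {fp for _, fp in self._attempts[client]}
        return len(distinct) > self.max_distinct
```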
FWIW, neither does the TLS layer: because the video is all chunked into fixed-time-length segments, each video causes a unique signature of variable-byte-size segments, making it possible to determine which Netflix movie someone is watching based simply on their (encrypted) traffic pattern. Someone built this for YouTube a while back and managed to get it up to like 98% accuracy.
Did TLS 1.3 fix this with content length hiding? Doesn't it add support for variable-length padding that could prevent the attacker from measuring the plaintext content length? Do any major servers support it?
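An added example (not from the original comments) showing what the question above is asking about: how TLS 1.3 record lengths relate to application-data lengths, and what padding each record to a full fragment does and does not hide. The segment sizes are constructed; the record overhead figures (5-byte header, 1-byte inner content type, 16-byte AEAD tag, 2^14-byte maximum fragment) are from the TLS 1.3 record layer.

```python
TLS_RECORD_HEADER = 5      # opaque type, legacy version, length
INNER_TYPE_BYTE = 1        # real content type appended to the plaintext
AEAD_TAG = 16              # AES-GCM / ChaCha20-Poly1305 tag
MAX_PLAINTEXT = 2 ** 14    # maximum TLSPlaintext fragment


def tls13_record_lengths(content_len, pad_to=1):
    """On-the-wire lengths of the records carrying `content_len` bytes.
    pad_to=1 means no padding (length leaks exactly); pad_to=MAX_PLAINTEXT
    rounds every record's plaintext up to a full 16 KiB fragment."""
    lengths = []
    remaining = content_len
    while True:
        chunk = min(remaining, MAX_PLAINTEXT)
        padded = min(-(-chunk // pad_to) * pad_to, MAX_PLAINTEXT)  # ceil, capped
        lengths.append(TLS_RECORD_HEADER + padded + INNER_TYPE_BYTE + AEAD_TAG)
        remaining -= chunk
        if remaining <= 0:
            return lengths


def traffic_signature(segment_sizes, pad_to=1):
    """Per-segment byte counts an on-path observer sees for a chunked stream."""
    return tuple(sum(tls13_record_lengths(s, pad_to)) for s in segment_sizes)


def distinguishable(segments_a, segments_b, pad_to=1):
    """True if the observer can tell the two streams apart by size alone."""
    return traffic_signature(segments_a, pad_to) != traffic_signature(segments_b, pad_to)


# Constructed segment sizes for two hypothetical titles.
VIDEO_A = [120_000, 98_500, 131_072]
VIDEO_B = [120_400, 98_900, 131_000]   # differs from A by a few hundred bytes
VIDEO_C = [250_000, 98_500, 131_072]   # first segment is ~2x larger
```

Padding to full fragments hides the sub-fragment difference between A and B, but C still stands out because it needs more records per segment: record padding alone does not hide segment sizes, only their low-order bytes.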
Yes, we're talking about an attack against the zipper (and not the zip tie nor the bag).
The goal here is tamper evidence... Sure, you can open the bag through the zipper, but you won't be able to close the zipper back if you can't move the sliders.
I dunno, I think something like [1] could do a pretty good job of putting the zipper back together and then you would just have to remove the underside component at the very end and then jiggle the existing zippers to hide the fact that it had ever been opened that way.
I suspect there might be even more surreptitious versions of such tools.
Sure you can defeat it using specialized tools... but at that point, you are far from "all I need is a pen" and opportunistic attacks. The tool will have to match the width of the zipper: you'll need a collection or to have done reconnaissance.
At that point, shimming the zip-tie itself is probably easier/faster (and doable without specialized tools).
They're all 3 certificates long (leaf/intermediate/root) apart from Let's Encrypt's, which, due to their cross-signature, are 4 certificates long for ECC.
ECB, issues with key generation, key negotiation, seldom authenticated data, ...
It definitely works better than MT but please stop lauding it for its cryptographic properties ;)
It's at the bottom of their TODO, under the heading "V2 protocol spec".