• 0 Posts
  • 3 Comments
Joined 1 year ago
Cake day: October 12th, 2023

  • A few things, in no particular order:

    • Docker interferes with user-defined firewall rules on the host. You need to expend a lot of effort to make your rules persist above docker. This functionally means that, if you are running a public-facing VPS/dedicated server and bind services to 0.0.0.0, even if you set up a firewall on the same machine, it won’t work and your services will be publicly accessible.
    • If you have access to a second firewall device — whether it is your router at home, or your hosting provider’s firewall (Hetzner, OVH both like to provide firewall controls external to your server) — this is not the biggest concern.
    • There is no reason to bind your containers to 0.0.0.0. You will usually access most of your containers from a certain IP address, so just bind them to that IP address. My preference is to bind to any address in the 127.0.0.0/8 subnet (yes, that entire subnet is loopback) and then use a reverse proxy. Alternatively, look into the ‘macvlan’ and ‘ipvlan’ docker network drivers.

    Good luck
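The binding advice in the comment above, as an added example that is not the commenter's code: a small Python audit that parses docker-compose short-syntax `ports:` entries, flags those that bind to every host interface (no host address, `0.0.0.0` or `::`), and rewrites them to a loopback bind. The sample entries are constructed, and the parser assumes IPv6 host addresses are written in brackets.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class PortBinding:
    spec: str            # original compose "ports:" entry
    host_ip: str         # host address the mapping binds to ("" = all interfaces)
    host_port: str       # "" when Docker picks a random host port
    container_port: str
    public: bool         # True when the port is reachable on every host interface


def parse_port_spec(spec: str) -> PortBinding:
    """Parse compose short syntax: [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/proto]."""
    body, _, _proto = spec.partition("/")
    if body.startswith("["):                      # bracketed IPv6, e.g. "[::1]:8443:443"
        ip_end = body.index("]")
        host_ip, rest = body[1:ip_end], body[ip_end + 2:]
    else:
        parts = body.rsplit(":", 2)
        host_ip, rest = (parts[0], ":".join(parts[1:])) if len(parts) == 3 else ("", body)
    hp_cp = rest.split(":")
    host_port, container_port = (hp_cp[0], hp_cp[1]) if len(hp_cp) == 2 else ("", hp_cp[0])
    if host_ip == "":
        # No host address: Docker binds all interfaces unless the daemon's default
        # bind address was changed, so treat it as public.
        public = True
    else:
        # 127.0.0.0/8 and ::1 are loopback; 0.0.0.0 and :: are "unspecified" (all interfaces).
        public = ipaddress.ip_address(host_ip).is_unspecified
    return PortBinding(spec, host_ip, host_port, container_port, public)


def harden_spec(b: PortBinding, loopback: str = "127.0.0.1") -> str:
    """Rewrite a public binding to a loopback bind; leave non-public entries unchanged."""
    if not b.public:
        return b.spec
    proto = b.spec.partition("/")[2]
    host_port = b.host_port or b.container_port   # pin a fixed host port instead of a random one
    out = f"{loopback}:{host_port}:{b.container_port}"
    return out + (f"/{proto}" if proto else "")


# Constructed sample "ports:" entries, not taken from any real deployment.
SAMPLE_PORTS = ["8080:80", "0.0.0.0:5432:5432", "127.0.0.1:9000:9000",
                "127.1.2.3:3000:3000", "[::1]:8443:443/tcp", "25"]

if __name__ == "__main__":
    for b in map(parse_port_spec, SAMPLE_PORTS):
        status = "PUBLIC" if b.public else "ok"
        print(f"{b.spec:22} host_ip={b.host_ip or '<all>':10} {status:7} -> {harden_spec(b)}")
```

Bindings left at `127.x.x.x` are then fronted by the reverse proxy the comment mentions, which is the only service that needs a public bind.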



  • Could I set up WireGuard between the home server and VPS then have that handle sending out the email?

    Yes, you can.

    What software stack would I need? Would this be something like postfix to postfix or…?

    I don’t think you need postfix-to-postfix. You just configure your VPS server’s VPN-facing IP address in your dovecot or mail client (instead of the conventional localhost address).