Hacker News
by fredsted 2909 days ago
Virtualmin is a little old-school, and hosting-oriented, but you can easily set up a mail server with SPF, DKIM, SSL w/ LetsEncrypt, etc. out of the box. I've never had any problems in over 5 years with sending or receiving and I just turn on automatic updates for Debian. Only issue is if the IP you get from the hosting provider is blacklisted, so remember to check that before you start setting it up. I use DigitalOcean for hosting.
1 comments

Watch out for vulnerabilities though. I always recommend staying away from such "panels" like Plesk, cPanel, etc. Virtualmin is no exception.
Our security history is pretty good, and we provide a wide variety of security features like 2FA, TLS with Let's Encrypt certificates, various password and login policy options, etc.

I would argue that non-technical users are safer using Virtualmin (I can't speak to the security history or features of any other panels) than doing it themselves, because it's easy to make security mistakes when doing it yourself if you don't have a lot of time to research all the options. If someone can invest the time to learn how to manage all of their own services, and can invest the time to build out all of the security features included in a default Virtualmin installation, then absolutely removing the GUI is removing one vector of potential attack; you should always turn off services you don't need. But, based on history, I can say with reasonable confidence that Virtualmin is probably not going to be the way an attacker gets in (it's probably going to be weak passwords, old software, poorly designed custom web apps, etc.).

Disclaimer: I work on Virtualmin.