It is very convenient to host yggmail on some VM, and be able to connect to it from any other device in Yggdrasil.
But yggmail is defenseless against brute-force attacks. Anyone can run some script and try to login to SMTP or IMAP part of the node. Moreover, if you connect to the node, it shows a valid login in the banner.

It would be very good to implement some rate-control to login mechanisms with some temporary ban measures.
And get rid of that public key in the banner :)

Yes, absolutely. Rate limiting on the local IMAP and SMTP listeners should be straight-forward.

I guess the security was based on this being a localhost setup.

If you make this essentially available to the world then the username part of the login should likely also be something less obvious.