Maybe there is some relation with orange man erratic behaviour, canadian pm speech in davos, europe considering to abandon usa cloud and other countries that may follow suit?

Just sayin’…

In proxmox you create a vlan on the physical interface and not on a bridge.

Once the physical port has tagged traffic for all vlan but LAN, leave vmbr0 alone, create the new DMZ vlan in proxmox networking and a new vmbr on that vlan, that’s it.

If your vps is a firewall, you could use it as an exit point for different private networks: ip1 to mask the traffic for a guest subnet that you don’t trust and if the ip gets blacklisted there are no issues for lan traffic behind ip2 while ip3 is reserved for server traffic with specific rulesets on supplier’s systems for updates/backup/whatnot. Should you have more than one mail server because of reasons, if one is blacklisted the other could remain clean (in this situation you usually put them on different subnets but whatever).

Mailu is a mail server so it is suitable for the task.

You need a mail server somewhere, a mail client cannot listen for incoming messages. A possible workaround: you could activate your own mail server accessible only inside tailscale and use it to send and receive your local alerts.