After reading about rainloop I could see wanting to run it locally, but as soon as you put it on a VM somewhere you're create a very public access point for all of your email accounts if that server gets compromised aren't you? Seems like creating a weak link on purpose.
I don't know specifically about RainLoop, but I usually put services like that behind a BasicAuth on the web server. It's a simple but effective way to protect myself from PHP/application vulnerabilities - at a minor annoyance to the users (authenticating twice, every once in a while).
I don't think that's true. A home computer can be firewalled with no incoming connections allowed. Your VM in the cloud has potential attack vectors through your own control interfaces (http/ssh/pop/imap) as well as the hosting control panel. In addition it may be listening for incoming smtp. I might trust myself to configure all of those securely but I'm not sure.
