I’ll leave with this. ANY service exposed publicly or not should not have vulnerabilities. If there is any hint that your NAS webserver has vulnerabilities, it shouldn’t even be used internally. So to me, it does not matter. I don’t expose my NAS webserver because I have no reason to increase my attack surface that wide.

But I’m comfortable exposing any of my internal services as needed because I’ve personally checked the source code for vulnerabilities, and have proper checks in place on top of regular security updates. I understand why others wouldn’t think the same way, as this takes a high level of confidence in your ability to assess the security posture of your systems and network. I’ve had penetration tests in my network, conduct them myself for business.

Meh, been doing it for 5 years now with minimal issues. Had one issue come up where my domain was flagged as malicious, but was solved in a few days and some emails to security vendors.

I think it’s important that those who can, and are educated enough to keep it running properly do host their own. Hosting your own email should be encouraged if capable because it helps reduce the monopoly, and keep a little bit of power for those who want to retain email privacy.

If your NAS is properly updated, and SSL is used, then the login screen it just as safe as any other web app with regular updates. I would ask why someone would want that.

The web version is most definitely safer. Most of the people here probably don’t penetration test their servers, conduct security audits or use best practices. Unless you are a cyber security guru on par with a dedicated team, the web version will be much safer for you.