OpenLDAP multi-master with a bunch of custom schemas.
Can you explain what you mean with lightweight?
You expressed yourself just fine and my question is still valid. Do you have the capacity to handle multi Tbit traffic on the edge ips that you use to hide the backend ips? Because if all of those are flooded, not only will the backend app be unreachable, but all your customers will be unreachable as well.
Even if you can get the appZTNA stuff to work (which I doubt), how is your infra going to absorb multi Tbit traffic without customer impact?
See this howto: https://poolp.org/posts/2019-09-14/setting-up-a-mail-server-with-opensmtpd-dovecot-and-rspamd/
I have delivery to the inbox of all major providers using this. Email is not that hard…