Running an unmaintained mail server is a BAD thing.
Of course. You maintain it.
I think you are confusing Gmail and Google Apps (or whatever it is called now, seems to change all the time).
Google Apps uses the same restrictions. From what I recall, you can disable SPF and DKIM checks for trusted sources, but you cannot disable reputation checks.
Wow. That sounds sooooooper not secure.
How? Of course, you must have some sort of secure communication between the access controller system and the system that manages logins for the computers and such. Then when you scan the badge at your personal office space (where only you have access), the access controller tells the system to automatically log on the computer.
Another way is to have an RFID card reader where you put the badge to log in to the computer, and remove the badge to log out. Also an easy and secure system, but it requires lots of integration work if you want to use it with third-party services.
If you have your own in-house servers, you can just tell those servers to check on-the-fly with the access control system if there is a valid card on the reader before giving computer X access to account Y - making it secure, since you then cannot tamper with anything to bypass the auth check - the server, which is located in secure space, formally asks the access controller "master", which is also located in secure space, if user X is authenticated at reader Y.
You cannot keep a mail server automatically updated, sorry. That is a fantasy.
You can. Ubuntu has packages with mail servers automatically updated. However, sometimes manual intervention is required to change the config when some security holes appear that cannot be resolved with patches.