I am inclined to say that if you are using postfix + dovecot that you already have a good email server. You can easily add security and encryption to it by enabling TLS. You can host virtual domains, such as your friends domain and he can have his own user name and password. The messages aer stored in the location specified, and the directory can be encrypted. If you are concerned about this, it might be easiest to give your friend an account and encrypt his home directory while using mbox (in the user's home dir) for mail delivery. Otherwise I would suggest using MySQL to host a set of virtual users, domains, and alaiases.
If you are looking for flexibility in managing user (virtual) accounts on Postfix, take a look at the PHP based postfix admin.