I'm working on setting up an instance but I don't want to deal with the hassle and expense of having it send e-mails.
I don't think the loss of e-mail notifications is that big a deal - people can just use an app for that. However, I don't want to lose the ability to reset accounts.
So I'm thinking about setting up an MTA on the same server as the Lemmy instance and setting up a script to read e-mails it receives for passwords. If the script receives an e-mail from an address attached to the account it will set the account's password in the database based on the content of the e-mail. Users will be encouraged after login to manually update their password again so it is not stored in plain text anywhere.
My main concern with this is I'm not sure if it would be as secure as sending a password reset e-mail (even aside from the temporary plain text password). I would have the MTA check SPF and DKIM records of course. Is there a significant risk of, e.g., malicious actors spoofing e-mails to hijack accounts?
Yes, it is very much a terrible idea. If you aren't prepared to properly operate an instance, outside of making one for solely your own use, don't.