> What worries me most is the possibility of another root-server playing "router" for my traffic. [snip]

..by tricking both your server and the router. OK.

> The websites are not too interesting for attackers

Umm.. see the issue of Cryptogram released today. Check http://www.counterpane.com/crypto-gram-0203.html#7, lesson number 1.

> and login is done via ssh (v2) only, so at least I get a warning if something strange happens.

Be sure to notice host key changes and don't use server-stored passwords for authentication. They'd pass through the 'router' as well and he could rather easily set up an SSH proxy.

> But the mail-traffic remains a problem! As far as I can see up to now, sendmail-tls and qpopper use plain text at least for the mail-body. So the content is disclosed to any attacker if not the username/password.

Well, SMTP and POP3 are clear-text protocols by nature. You can stack them on top of SSL/TLS, but you need clients that can do that as well. With emails, encryption and authentication of the message content using PGP or S/MIME is also in widespread use.

> I sure try to avoid ftp, but webmasters on Mac are used to FTP... Maybe there's a scp-client for Macs? I'll have a look.

Another option would be to use IPSec or a functionally similar VPN technology.

Cheers
Tobias
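
The advice above to notice host key changes can be checked mechanically. The following is an added example, not part of the original message: it pins fingerprints from a known_hosts-style file and classifies a presented key as matching, changed or unknown. The host name, address and both keys are constructed placeholders, and all function names are assumptions of this example.

```python
import base64
import hashlib
import hmac
import struct

def fingerprint(key_b64):
    """OpenSSH-style SHA256 fingerprint of a base64-encoded public key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text):
    """Map (host, keytype) -> fingerprint for plain (unhashed) entries."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "@", "|")):
            continue  # skip comments, @markers and hashed host names
        fields = line.split()
        if len(fields) < 3:
            continue  # malformed entry
        hosts, keytype, key_b64 = fields[:3]
        for host in hosts.split(","):
            pinned[(host, keytype)] = fingerprint(key_b64)
    return pinned

def check_host_key(pinned, host, keytype, presented_b64):
    """Return 'match', 'CHANGED' (possible proxy in the path) or 'unknown'."""
    expected = pinned.get((host, keytype))
    if expected is None:
        return "unknown"  # nothing pinned: verify out of band before trusting
    same = hmac.compare_digest(expected, fingerprint(presented_b64))
    return "match" if same else "CHANGED"

def _constructed_key(fill):
    """Build a well-formed ssh-ed25519 blob from filler bytes (not a real key)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes([fill]) * 32
    return base64.b64encode(blob).decode()

# Constructed sample data: the key the admin pinned and the key a proxy would present.
GOOD_KEY = _constructed_key(0x11)
PROXY_KEY = _constructed_key(0x22)
SAMPLE_KNOWN_HOSTS = f"# constructed sample\nserver.example,192.0.2.10 ssh-ed25519 {GOOD_KEY}\n"

if __name__ == "__main__":
    pinned = parse_known_hosts(SAMPLE_KNOWN_HOSTS)
    for label, key in (("pinned key", GOOD_KEY), ("proxy key", PROXY_KEY)):
        print(label, "->", check_host_key(pinned, "server.example", "ssh-ed25519", key))
```
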