Whitelist your local network using the CLI as such -

nordvpn whitelist add subnet 192.168.0.0/16

Replace the IP with your subnet.

Cloudflare tunnels will proxy your connection so I don't think you can do both tunnels and NordVPN together.

If you want to stick with AWS, try WorkMail for incoming/outgoing and SES for outgoing to large group.

You can use Let's Encrypt DNS authentication to get an SSL without using any ports. The idea is to insert a CNAME of a string of text to your DNS to verify that you own the domain, thus getting the certificate issued. Google for that and there should be a guide for the OS that you use.