Email Setup to Prevent Identity Theft

My father-in-law asked me for ideas to improve his email security. He read an article about how some hackers, having gained access to a Gmail account, were able to reset the account holder's passwords for other services, such as Amazon.

This is what I've come up with so far, but more brainpower would really help as I've never thought of this before, so all critique and suggestions will be warmly welcome.

Starting Point: He has a website hosted on a LAMP / cPanel system, and his current email goes through the website's domain. The email account is set up in cPanel. He retrieves his email via pop3, deleting it from the server. I'm thinking this might be a decent starting point? No need for iMap as he only has one computer (no iPhone) and he deletes it as he goes?

Next Steps:

1. I am thinking to get him to set up several address forwarders on his cPanel: one for his bank, one for Amazon---basically one for each of the few accounts that are linked to a bank or a credit card. These forwarders would all forward to one central address, also set up in cPanel, which would be "private", in the sense that he would not use it to send emails. He would only use it to retrieve email via pop3.

2. Also thinking of getting him to can store his email on his computer on an encrypted virtual drive using TrueCrypt.

With this set-up it seems to me the messages are vulnerable in a few places:

• in transit from Amazon to his server, than from his server to his computer. Not much we can do about that as his bank or Amazon are not going to send him encrypted email.
• while stored on his cPanel LAMP set-up. I wonder how safe (unsafe) that is. If it was a shared host I'd be very worried. Being a VPS it might be a little safer. But still... Someone could hack in... How likely is that?
• on his computer, if someone gains access while he is logged in and the virtual drive is mounted.

Big thanks in advance, looking forward to your thoughts.

UPDATE: SUMMARY OF REPLIES SO FAR

How lucky, several thoughtful and detailed replies came in so far. Summarizing the replies so far.

Using the Web

• His router should be hardened, for example disallowing the Internet remote management console. Be mindful of the fact that a hack could reveal his IP address and ISP login password.
• Use long and complex passwords that are unique to each on-line account that he uses. Strong passwords (16 characters or more)
• Creating different email accounts off one domain for different services: Pros: prevents the "Epic Wired hacking". Cons: increases the number of vulnerable nodes Use a secure browser. For Firefox, see Top 10 Best Firefox Security Add-ons, esp. noscript

Retrieving Messages (Thunderbird)

• Use SSL
• PGP encryption for sensitive correspondence (requires the counterpart to have a key)

Local Machine

• Firewall
• A good anti-virus suite is also a must.
• Disable unused network services
• Encryption => Applications leak an unbelievable amount of data throughout the whole system in caches and logs, rendering a solely encrypted local mailbox somewhat irrelevant. If you encrypt, Truecrypt the whole drive.

Hardening the Server

• Uninstall every unessential service or product that may listen or access the Internet and more.
• Grsecurity or a similar system to prevent buffer overflow attacks
• He should login to his webserver using its IP address and not the domain-name which can redirect him elsewhere: If a DNS server is hacked, then when browsing he could find himself confronted with a login page to any website or even his own server that is an exact duplicate of the real page.

Fischer's Set-up

(Special category as Fischer's workflow is different system from the other replies)

• If you don't know how secure your lamp server is, host it on outlook.com instead (free)
• Forward all email accounts to GmailAC#1 and delete from server
• After reading, PGP-encrypt messages and forward to GmailAC#2
• Retrieve via Thunderbird