Hello, I host my own mail server with Roundcube as webmail, integrated with Radicale for the contacts and calendar. Hope it helps!
It is up to you. Using Docker makes it easier for administration and evolution, but bare metal is sufficient if you are comfortable with it (which every self-hoster should be).
I use port forwarding with Nginx and CrowdSec for the services I want widely exposed, and WireGuard for those I want accessed only by myself.
There must be a way to open ports on your modem (that is NAT forwarding). If no port is open, there is no way to gain access to your server. If a port is open, then there might be a way for an intruder to get into your network. The reality is a bit more complex (man in the middle, ...) but it would make sense only if your data is of value or if someone means you harm.