
Why not VPN for the HTTPS services?



That's what I do. Mailcow on an isolated machine, 25/587 open on firewall port forwarding to it, the rest of the various services it offers are only accessible via my home network (https, imaps, there's probably more). Then, I am always on my home network.

I started out with a different variation of this that was the same, except instead of using my (thankfully static) home IP in my MX record, I got some cheap Hetzner/Lightsail/whatever, then routed the incoming 25/587 across a 2-node wg network to the real mail server. It worked fine but ultimately I decided I'd rather expose my real IP in the MX record than pay $5/mo not to.

Of course, the secret to making this work without tearing my hair out is that my outgoing mail server only delivers mail to the relay I pay to deliver my mail to the 3 or 4 corporate behemoths who have taken over a once great decentralized service. I have no interest in tending to my deliverability or making appeals to Microsoft or whoever. Also at a personal mail volume with 0 transactional mail, it's very inexpensive.


Some HTTPS services are VPN-only.

Some HTTPS services are internet-exposed with HTTP basic auth as a first-line auth requirement. Some services are available to friends, or I want access to them from devices I can’t VPN from.


Not OP, but for me I reverse proxy things behind public IPs in an effort to trade a little bit of security and digital footprint for a lot of ease.



