No one can answer those questions for you; it depends on your individual risk profile.
From my viewpoint a Web Application Firewall in front of mailcow is something you want to have.
But it makes no sense if you do not know how to set up hardening rules and especially alerting.
I use Sophos Firewall. With WAF you can limit or exclude which URLs are reachable. It's free for personal use.
But in fact, mailcow is pretty secure out of the box, with fail2ban already integrated. The most attacked surfaces are weak passwords, no 2FA and out-of-date software. If you have this covered, it's secure enough, I would say.