I just looked at this again and found the old thread: NixOS Firewall should automatically allow ports for enabled services. · Issue #19504 · NixOS/nixpkgs · GitHub
And Nixpkgs Reference Manual still states:
Ensure that the module respect other modules functionality.
- For example, enabling a module should not open firewall ports by default.
So I’d consider that a (security) bug of the Dovecot and Postfix modules and think that this should then at least be clearly mentioned in the documentation of their enable options.