Hmm. I was imagining a personal server. If I were hosting a webmail client personally, I wouldn't expose it to inbound connections from the Internet at all, preferring to keep such a thing inside my LAN and via VPN only.
Clearly I overassumed though, because you're right, it could be that one would have such a thing accessible to a small team of people who don't use a VPN.
You could also just stick it behind a reverse proxy with basic HTTP Authentication; that means you have to keep Apache/nginx/caddy/whatever up to date but that part is easy and then nothing else can get to the actual application if you've done it right.