Windows Server 2012 R2: closing smtp/pop3/imap ports (or deactivating the related services)

I am running a Windows Server 2012 R2. At the moment, I want to improve the security of my server, so I am looking for services (and open ports), that are not needed.

I disabled nearly every server role, except IIS (I need the IIS).

The windows firewall is configured so that every inbound/outbound connection without a rule, is automatically blocked.

I have created only some rules for port 80,443 and the remote-desktop-port. All other rules are deactivated (or set to private profile), hence there are no rules for other ports/protocols/services on my public network, and therefore, there shouldn't exist open ports.

But if I scan my server with nmap (tcp connect scan), there are some open ports. For example:

25/tcp   open  smtp
80/tcp   open  http 
110/tcp  open  pop3
119/tcp  open  nntp
143/tcp  open  imap
465/tcp  open  smtps
563/tcp  open  snews
587/tcp  open  submission
993/tcp  open  imaps
995/tcp  open  pop3s
3389/tcp open  rdp

I do not need pop,imap and the other services (except RDP 3389).

Now I have some questions: 1. How could it be possible that the ports are shown as open, if the firewall should block all ports wihtout rules (the ports above have no rules)? 2. With netstat -anop tcp I looked up which services are listening on this ports. It is the system-service. But why is the system-service listening on this ports and how could I stop the service from doing so?

Oh, an answer :DThe firewall-profiles are okay. I have a private profile for my vpn-adapter and a public profile for the internet-adapter. The curoius thing is, when I am using the private profile on the internet-adapter, the ports are not open. in the public profile are only the ports 80/443 and the vpn port opnened. It's the system-service that is listening on this port. All unused server-features/services are deactivated. Only the IIS is installed (with asp.net components)