Couldn't an updated server/computer be completely sealed against attacks? Why can't you block any incoming request for running something in your server?
For example, in my naiv view, a mail server could be getting emails (text files) sending emails, but never allowing anything entering the server to execute anything. What could break this?
But, how do hackers proceed to find and use a vulnerability?
For as long as software is written by people, who are inherently imperfect and can make mistakes, there will be bugs in code that can be exploited.
Servers need to expose themselves to the outside world in order to provide their services, which are definitely provided by software written by people installed on the server. For client computers, they need to run software that allows them to be useful to their owners, such as word processing software, and that is still written by people.
In that example you write of, an attacker can attack the email service exposed by the server. Then, a few zero days for sandbox/chroot escape, privilege escalation and suddenly the attacker has root on the server.
No amount of mitigation will stop a determined attacker with nigh unlimited resources from compromising a system; it's a risk management thing, like what sort of attackers you are aiming to protect against determines what kind of measures you take.
A server that doesn't do anything isn't a useful server. A text file may not be executable by itself, however generally processing has to be done on it. Zero-day vulnerabilities are generally not issues with normal program functionality, but rather exploit some obscure programming error such as having functionality get hijacked when particular malformed input is sent.
In your mail server example, perhaps there is a spam filter that parses it and if you put some length of e-mail it causes a bug in the behavior of the spam filter. Or perhaps when you send it a malformed SMTP request you can get it to execute arbitrary code that you put in your malformed SMTP request. The e-mails themselves may be text but that text has to be operated on at some point. The protocols to handle the exchange of those messages also have to do more advanced executions and need to write and read information from disk.
A possible zero day vulnerability could be present in any portion of the process and since developers aren't perfect, any part of it could potentially have an issue. The only way for a computer to be perfectly secure (to the outside world) is to not have it respond to the outside world at all. If you expose any kind of interactive functionality at all then it is possible a bug in that functionality may allow arbitrary commands to be executed by feeding it input that overwrites memory with a call to code that is included with the input.
This is called a buffer overflow, and while it isn't the only type of zero day vulnerability it is a pretty common one. In memory, there isn't any difference between data and program instructions. Things called pointers tell the computer where to go to look for data or its next instruction. If you can put instructions in as data and then alter a pointer to tell the program code to run the code you put in the data portion, it will think it is following the program rather than running on data. There are some technical measures that make this a little harder to do, but that's the basic idea and there isn't really a perfect way to stop it.
