If you have a Gateway Server (for both Incoming and Outgoing) that your MX Records point to, then you can disable Port 25 on your primary Smartermail Server so long as no MX Records point to it.

 

To do this on your primary Smartermail Server (assuming you already enabled your Submission Port 587) you would go to SECURITY > BLACKLIST and add the range of IP addresses you do not want to accept Port 25 connections from (for example if your Gateway Server is 192.168.1.15 then you would blacklist 0.0.0.0 - 192.168.1.14 and 192.168.1.16 - 255.255.255.255) for SMTP only. This way all SMTP traffic from port 25 will be blocked with the exception of your Gateway Server which will still use Port 25 to connect to other Mail Servers (including your Primary).

What you need to do is set an outbound rule on your firewall to allow TCP port 25 ONLY from your mail server IP address; DENY TCP port 25 from ALL other IP addresses on your internal network. As a result any infected computer on your network will be unable to spam the rest of the world and cause your IP to be blacklisted.

The allow rule for your mail server must be on top of the deny rule as rules are processed from the top down. When a packet reaches your firewall it will be checked against the first rule and the port and IP addresses will be checked, if it is from your mail server it will be passed out, if it does not match it will be passed to the next rule which will be the deny rule for port 25 and will be blocked/dropped.

Hope this helps.