Licensing is not an issue Gateways use the SmarterMail Free license. You have to create a placeholder domain to get it configured, such as junk1.local, but you don't use it. Support helps with gateways as long as your primary server is licensed.
Another issue with auto-forwards: If your spam filtering process adds an content to the message, it will break DKIM signatures. Then when you auto-forward, the message will fail DMARC validation for any domains that have DMARC policy set to reject or quarantine. Your options are (a) never modify the message, or (b) rewrite the From address, using something like fromdomain=fromuser@localdomain. You could even make the rewrite conditional based on a test of whether the From domain has an enforceable DMARC policy. There is no off-the-shelf way to do the From rewrite in SmarterMail+Declude, but you could write a custom script to do so.
As has been said, auto-forwarding is an inherent security problem. Your spam filter will be different from the final recipient, so any spam that you let through is either (a) detected by the recipient and damages your reputation, or (b) is not detect by the recipient and damages them. If you ensure that your spam filtering is stricter than the recipient, then you will probably have enough false positives to make the end-user angry. Anyway I look at it, you lose.
Since auto-forwarding hides the reputation of the originator, and since auto-forwarding is hard to detect, the necessary solution is to scan the entire header chain for domains or IP addresses with negative reputation. Unfortunately, this is not part of most spam filters, including SmarterMail+Declude.