3.2. Blocking Access to Other SMTP Servers
Any SMTP server that is not listed as a public Mail Exchanger in the DNS zone of your domain(s) should not
accept incoming connections from the internet. All incoming
mail traffic should go through your incoming mail exchanger(s).
This consideration is not unique to SMTP servers. If you have
machines that only serve an internal purpose within your site,
use a firewall to restrict access to these.
This is a rule, so therefore there must be exceptions. However,
if you don't know what they are, then the above applies to you.