Brano:
To add to my earlier note.
Regular mail is delivered via port 25 as usual.
Internal users have to go through the submission port 587/TLS, which then sends them to an alternative filtering queue that, for example, does not apply the source IP/domain checks.
Submission port 587 is becoming the de facto standard for submission mail from end users; you should consider switching to it and using 25 for inbound mail. Then you can force TLS on 587 and do the alternative filtering easily. All easily done with Postfix.
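As an added illustration of the split Brano describes (not configuration from the post), here is how it can be expressed in Postfix: port 25 keeps the inbound source IP/domain checks, while 587 requires TLS plus SASL, drops those checks, and hands mail to a separate content filter. The Dovecot SASL socket, the certificate paths and the filter port 10026 are assumptions.

```conf
# Added example, not the poster's own configuration.
# Only the parameters relevant to the 25/587 split are shown.

# ---- /etc/postfix/main.cf ----
# Cert paths are placeholders
smtpd_tls_cert_file = /etc/ssl/certs/mail.example.com.pem
smtpd_tls_key_file  = /etc/ssl/private/mail.example.com.key
# Port 25: opportunistic TLS only, inbound mail must still arrive
smtpd_tls_security_level = may
# Assumption: Dovecot provides the SASL backend
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
# Inbound source IP / sender domain checks applied on port 25
smtpd_client_restrictions =
    permit_mynetworks,
    reject_unknown_reverse_client_hostname
smtpd_sender_restrictions =
    reject_unknown_sender_domain
smtpd_relay_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination

# ---- /etc/postfix/master.cf ----
# service    type  private unpriv chroot wakeup maxproc command
smtp         inet  n       -      y      -      -       smtpd
submission   inet  n       -      y      -      -       smtpd
  -o syslog_name=postfix/submission
  # TLS is mandatory on 587 and AUTH is refused before STARTTLS
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  # Override the port-25 checks: authenticated users only, no IP/domain tests
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_sender_restrictions=
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  # Route submitted mail to a separate filter instance (port assumed)
  -o content_filter=smtp-amavis:[127.0.0.1]:10026
  -o milter_macro_daemon_name=ORIGINATING
# Transport used by the content_filter override above
smtp-amavis  unix  -       -      n      -      2       smtp
  -o smtp_data_done_timeout=1200
  -o disable_dns_lookups=yes
```

After editing, `postfix reload` applies the change and `postconf -Mf submission` shows the effective per-service overrides.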