Question : Any way to Find Possible Rogue or Unauthorized SMTP Server

Network with about 250 nodes, ISA Server 2006, Exchange 2003... users are getting a lot of spam. I have Intelligent Message Filter running and an Untangle (open source) firewall device supposedly blocking a lot of spam.

I think I have a machine on the inside of the network possibly sending out the spam inside the firewall. Two Questions:

1) Any way or any utility I can use to find this possible culprit short of going desk to desk?

2) Can I use Group Policy, ISA Server or any other tool on the network to block any SMTP traffic except that which is generated by the Exchange Server?

... I am open for suggestions... users are getting tired of wading through the BS spam.

Answer : Any way to Find Possible Rogue or Unauthorized SMTP Server

Hi,

You will need to enforce this on your firewall, as viruses etc. can circumvent policies/security setup on your workstations. To block all outbound port 25 except from the mail server:

----
Often administrators would like to block all outbound port 25 except from the mail server. To do so, first you must remove the outbound port 25 policy rule so that outbound port 25 traffic goes through the rack in question. Then you need to create a rule to block all port 25 traffic with Destination Interface External; then you need to create a rule just above that passes outbound port 25 traffic where the client is your email server. Beware, this means that mail coming from your mail server now goes through the rack and may be scanned by Spam Blocker, Phish Blocker, etc. Alternatively, you can add a rule in the firewall blocking all port 25 traffic and then add a policy manager rule sending all outbound port 25 traffic from the email server to ">No Rack."
----
Source: http://wiki.untangle.com/index.php/Firewall#How_can_I_block_outbound_SMTP.3F

To find out which nodes are generating the SMTP traffic, you can either enable logging on the above rule on your firewall or sniff the traffic between your network and the firewall using a hub or a switch with span/mirror port capabilities and a packet analyzer such as Packetyzer. Using the log on your firewall will be easier.

Source: http://forums.untangle.com/networking/8916-block-outgoing-smtp-except-email-server.html
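As an added example (not from the original thread or from Untangle): once logging is enabled on the outbound port 25 block rule, a short script like this can rank the internal hosts that opened SMTP connections, excluding the Exchange server. The log line format, the `MAIL_SERVER` address and all IPs are constructed; adapt the regex to whatever your firewall actually exports.

```python
"""Rank internal hosts that opened outbound TCP/25 connections, other than the mail server."""
import re
from collections import Counter

# Assumption: the Exchange server's LAN address (constructed; replace with your own).
MAIL_SERVER = "192.168.1.10"

# Constructed sample log lines in a simple key=value layout, not real Untangle output.
# Destinations use the TEST-NET documentation ranges.
SAMPLE_LOG = """\
2009-03-02 10:01:05 action=block proto=tcp src=192.168.1.57 spt=3412 dst=203.0.113.5 dpt=25 iface=External
2009-03-02 10:01:06 action=block proto=tcp src=192.168.1.57 spt=3413 dst=198.51.100.9 dpt=25 iface=External
2009-03-02 10:01:07 action=pass proto=tcp src=192.168.1.10 spt=49152 dst=203.0.113.20 dpt=25 iface=External
2009-03-02 10:01:08 action=block proto=tcp src=192.168.1.57 spt=3414 dst=203.0.113.77 dpt=25 iface=External
2009-03-02 10:01:09 action=block proto=tcp src=192.168.1.80 spt=1100 dst=203.0.113.77 dpt=25 iface=External
2009-03-02 10:01:10 action=pass proto=tcp src=192.168.1.57 spt=3415 dst=198.51.100.2 dpt=80 iface=External
"""

LINE_RE = re.compile(
    r"action=(?P<action>\w+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) "
    r"spt=\d+ dst=(?P<dst>[\d.]+) dpt=(?P<dpt>\d+) iface=(?P<iface>\w+)"
)


def smtp_sources(log_text, mail_server=MAIL_SERVER):
    """Return {src_ip: (connection count, distinct destinations)}, busiest first,
    for every host except the mail server that sent TCP/25 toward the External interface."""
    counts = Counter()
    dests = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # line does not match the expected layout; skip it
        if m["proto"] != "tcp" or m["dpt"] != "25" or m["iface"] != "External":
            continue  # not outbound SMTP
        src = m["src"]
        if src == mail_server:
            continue  # legitimate relay, expected to talk SMTP
        counts[src] += 1
        dests.setdefault(src, set()).add(m["dst"])
    return {src: (n, len(dests[src])) for src, n in counts.most_common()}


if __name__ == "__main__":
    for src, (n, d) in smtp_sources(SAMPLE_LOG).items():
        print(f"{src}: {n} outbound SMTP connections to {d} distinct hosts")
```

A workstation at the top of that list with many connections to many distinct destinations is the one worth visiting first.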