One option would be to run two smtp services. One on port, say, 587 with no maps options, and one on 25 with as many as you want.
In this way you stop nasty things getting in, but do not cause problems for customers using your server for astp (as long as they change their mail client to use port 587).
But consider this: We have rbls on port 25 and 587. One of our customers had their static IP blacklisted in CBL. This basically picks up malware/trojan and bot-infected systems as far as I can make out. As a result they could not send email via one of our servers.
This is a GOOD thing. Because if a malware-infected machine starts sending spam via our smtp server, more generic anti-spam blacklists will notice and blacklist it, causing problems for ALL customers.
Also consider that before long the spammers will start sending email on 587 and similar ports as a way to try to bypass rbls - to try and get in by the backdoor basically - in a similar way that they often use the lowest priority or last listed MX rather than the highest priority one, in the hope that the backup won't have as much spam filtering, or indeed send to the IP of the A record for the website, again hoping to bypass filters.
Faris.
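
The two setups compared in the post above, as an added example that is not part of the original post or any mail server's own code: a DNSBL check applied on port 25 only versus on both 25 and 587. The zone name `dnsbl.example`, the function names and the sample zone data are assumptions made for illustration.

```python
import ipaddress
import socket

def dnsbl_query_name(client_ip, zone):
    """Reversed address labels + zone (octets for IPv4, nibbles for IPv6)."""
    ip = ipaddress.ip_address(client_ip)
    if ip.version == 4:
        labels = str(ip).split(".")
    else:
        labels = list(ip.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone

def dns_answers(name):
    """A records for name; empty list on NXDOMAIN or resolver failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def is_listed(client_ip, zone, lookup=dns_answers):
    """Listed only if the DNSBL answers with a 127.0.0.0/8 address."""
    answers = lookup(dnsbl_query_name(client_ip, zone))
    return any(ipaddress.ip_address(a) in ipaddress.ip_network("127.0.0.0/8")
               for a in answers)

def greeting(client_ip, port, checked_ports, zone, lookup=dns_answers):
    """SMTP reply for a new connection on the given port."""
    if port in checked_ports and is_listed(client_ip, zone, lookup):
        return 554, f"{client_ip} is listed in {zone}"
    return 220, "ready"

# Constructed sample data: assumed zone name and one listed test address.
ZONE = "dnsbl.example"
SAMPLE_ZONE_DATA = {"7.113.0.203.dnsbl.example": ["127.0.0.2"]}

def sample_lookup(name):
    """Offline stand-in for the DNS lookup, backed by the sample data."""
    return SAMPLE_ZONE_DATA.get(name, [])

if __name__ == "__main__":
    for label, ports in (("25 only", {25}), ("25 and 587", {25, 587})):
        for port in (25, 587):
            print(label, port,
                  greeting("203.0.113.7", port, ports, ZONE, sample_lookup))
```

With the check on port 25 only, the listed address is refused on 25 but still greeted on 587; with both ports checked it is refused on either.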