thanks howard, i went the restricted firewall route as you suggested

HCL Notes/Domino 8.5 Forum (includes Notes Traveler)

Subject:

I ended up doing what Howard said. Thanks Howard. Allowing incoming smtp only from spam service. It meant that I couldn't offer standard POP / IMAP on those servers so I hesitated at first, but then went oh well and switched the users to Traveler.

I used the built-in firewall in Linux. Here are sample directions for anyone interested.

Configuring ufw is almost as simple as installing it. It’s a very intuitive tool.
Ufw comes disabled by default, so the first thing you want to do is enable it and answer y to the prompt:
$ ufw enable
Command may disrupt existing ssh connections. Proceed with operation (y|n)? y
Firewall is active and enabled on system startup

sample syntax for commands:

$ sudo ufw allow proto tcp to any port 22 from 192.168.n.0/24
$ sudo ufw allow proto tcp to any port 25 from 192.168.n.0/24 ' if SMTP routing in local intranet
$ sudo ufw allow proto tcp to any port 1352
$ sudo ufw allow proto tcp to any port 80
$ sudo ufw allow proto tcp to any port 443

Feedback response number WEBB9NPQVD created by ~Zach Quetponesononi on 09/06/2014