We currently have a single firewall and public IP (with associated MX record) handling our incoming email, outgoing email, and HTTPS/SSL traffic for OWA. We also have these resources providing Internet services to the client desktops.
This is a bad situation, as client PCs that get a virus can get our public IP blacklisted. This is rare, but has happened with the CBL. Client PCs aren't able to relay mail (as per firewall rules), but the CBL will blacklist a public IP for non-email/spam-related transgressions. Some trojan variants, for example, where the PC is reaching out to an IP in Russia or god knows where. Thankfully we have good logging in place, so we can quickly identify the source PC.
Can I configure Exchange to use a different firewall (LAN IP and WAN IP with a secondary MX record) for sending only? I'd like to keep any incoming public IP addressing, the primary MX record, and the Exchange server's default gateway unchanged. The idea being that I can wait for the secondary MX records to update and then test sending without worrying about disrupting any incoming Internet mail traffic or connectivity for client PCs/devices.
We currently have one Exchange server handling all roles.
Hope I'm making sense - thank you!
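As an added illustration of the kind of configuration the question is asking about (example code, not part of the original post or any answer to it): an Exchange Send Connector has no "source IP" setting, so the usual way to push outbound-only mail through a second firewall is to point a dedicated Internet Send Connector at a smart host that is reachable only via that firewall (or at the second firewall's own LAN address, if it relays), leaving the server's default gateway, receive connectors and inbound MX untouched. The server name EX01, the connector name, and the smart host address 192.0.2.10 are assumptions for the example. Run it from the Exchange Management Shell.

```powershell
# Assumed values for this example (not from the original post):
$Server    = "EX01"              # the single all-roles Exchange server
$SmartHost = "192.0.2.10"        # relay reachable only via the second firewall
$Name      = "Internet via Firewall 2"

# Show what currently carries outbound Internet mail (AddressSpaces "*")
Get-SendConnector | Where-Object { $_.AddressSpaces -like "SMTP:*;*" } |
    Format-Table Name, SmartHosts, SourceTransportServers, Enabled -AutoSize

# Create a second Internet send connector that hands mail to the smart host
# instead of doing direct DNS delivery. Outbound mail then leaves through
# whichever firewall the smart host sits behind; inbound MX, receive
# connectors and the server's default gateway are not changed.
New-SendConnector -Name $Name `
    -Usage Internet `
    -AddressSpaces "SMTP:*;1" `
    -SmartHosts $SmartHost `
    -SourceTransportServers $Server `
    -DNSRoutingEnabled $false `
    -Enabled $true

# If a connector with the same address space and cost already exists,
# Exchange load-balances between them. Disable the old one (by name) once
# the new path is verified, rather than deleting it, so rollback is one command.
# Set-SendConnector -Identity "Default Internet Connector" -Enabled $false

# Verify: the new connector should be the only enabled "*" connector
Get-SendConnector -Identity $Name | Format-List Name, SmartHosts, `
    AddressSpaces, SourceTransportServers, DNSRoutingEnabled, Enabled
```

Two checks a practitioner would do alongside this: confirm from the Exchange server that TCP 25 to the smart host actually traverses the second firewall (a host route to the smart host via that firewall's LAN interface, or a firewall rule, may be needed even though the default gateway stays the same), and make sure the second WAN IP has a forward-confirmed PTR record and is listed in the domain's SPF record before sending production mail through it, since recipients will now see that address as the source.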