Here is our set up for reference:
This puts a good firewall between you and the internet for both the LAN and DMZ. Then only open the ports you need for Firewall 2 and also on Zimbra. pfSense has worked for everything I've tried on it. And then figure out why your LAN machines are sending spam.
Multiple WAN IPs -> Switch --> Firewall 1 (LAN) --> Workstations
--> Firewall 2 (DMZ) --> Zimbra with firewall on server also
If you only have one external IP address:
WAN IP --> Firewall 1 (WAN) --> Switch (DMZ) (Zimbra with firewall on server also) --> Firewall 2 (LAN) --> Workstations
Thanks for the inputs.
I will use the DMZ for syncing with our standby Zimbra server.