I don't understand. Are you asking how to block mail on port 25, or is it currently being blocked and you want to allow it?
If you do not have an external anti-spam appliance/system, you could just block port 25 on your own network range via firewall rules.
If you have an external anti-spam appliance, you can block port 25 on the firewall for all IP ranges except for your anti-spam appliance/system. This is what we do. Only our anti-spam appliance (IronPort in our case) is able to connect to Zimbra on port 25. All users route their mail through 465/587. Server-to-server mail is routed through our anti-spam appliance.
State University of New York at New Paltz
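The policy described in the post above, written out as an added example that is not part of the original post or the poster's own configuration. It assumes the filtering is done with nftables on the mail host itself; the function name, the table name `smtp_gate` and the appliance address 192.0.2.10 are constructed placeholders.

```shell
#!/bin/sh
# Added example: print an nftables ruleset that lets only the anti-spam
# appliance reach port 25, while users submit mail on 465/587.
# Assumptions (not from the post): nftables on the mail host, the table
# name "smtp_gate", and the sample address 192.0.2.10.
#
# Check the syntax without loading anything:
#   smtp_gate_ruleset 192.0.2.10 | nft -c -f -

smtp_gate_ruleset() {
    appliance_ip=$1

    # Allow only digits and dots so the argument cannot carry nft syntax
    # into the generated ruleset. nft itself rejects malformed addresses.
    case $appliance_ip in
        ''|*[!0-9.]*)
            echo "usage: smtp_gate_ruleset <appliance-ipv4>" >&2
            return 2
            ;;
    esac

    cat <<EOF
table inet smtp_gate {
    chain input {
        # policy accept: this chain only gates SMTP and leaves the
        # server's other ports to the existing rules.
        type filter hook input priority 0; policy accept;

        # Local services on the mail host may still hand mail to port 25.
        iifname "lo" accept

        # Server-to-server mail arrives only via the appliance.
        tcp dport 25 ip saddr $appliance_ip accept

        # Every other source on port 25 is dropped, IPv6 included,
        # because the accept rule above matches IPv4 only.
        tcp dport 25 drop

        # Users submit mail on the submission ports.
        tcp dport { 465, 587 } accept
    }
}
EOF
}
```

Rule order matters here: the appliance accept has to come before the port 25 drop, since nftables stops at the first matching verdict in the chain.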