or do it with DNS
... Firewall restricting/preventing access from outside to your Zimbra box's IP port 443 is (probably) best, but you could probably use DNS, and simply not make the zimbra's IP resolveable via public DNS servers, keep it's record only in your company's internal DNS.
bottom line though. You should have your mailserver in a DMZ (DeMilitarized Zone) behind a firewall.
please post more details of how your servers access the net / how the net accesses your servers so that we can provide better suggestions.
8.x NE + OSS KVM guests and Physical servers Ubuntu 12.04, RHEL 5 + 6 .
on Dell server hardware.
Previously: ZCS OSS and NE 7, 6, 5, 4, 3 variously on physical and virtual