To avoid spammers being able to directly deliver the spam to your mail servers without filtering it first, you have to make sure your mail server only accepts emails originating from the filtering system.
To only accept messages from your filtering nodes you need to allow emails based on your delivery hostname(s) or IP(s) . For ease of use, its recommended to create a delivery hostname in the DNS of all your filtering node IPs.
Please make sure your firewall does not block port 53 TCP.
Alternatively if allowing emails based on hostname is not an option, you could change your destination mail server to listen on an alternative one, such as port 2525 instead of the default 25 . The special port can be set for delivery when editing the destination route for your domain.