I suggest you to take your time (maybe not now) and take a look to rpamd documentation as a possible alternative to make manage spam to Sophos. It seems a bit more powerful and manageable. Only remember to train as ham the “good mail” you had into your users folders.
Hope that this will be interesting stuff for @dev_team.
Also, consider for mailtransfer as “the last option” load the messages from IMAP. Even Outlook 2010 can use NethServer IMAP 
By Nethserver perspective is usual to have at least a green interface. You can setup a dummy/virtual interface and change role for the current network card setting as red.
Don’t forget before the change to verify under network services which services should be reached from your lan and the internet.
Due to your choice to put nethserver in DMZ i’m gonna ask what you are using for Backup 