Perhaps the ipfilter.local file? It's not realllly a hack, per se. Astaro supports it's use since ASL will load entries placed in this file. Just drop the src ANY dst ANY dport 25 rule and load your own src ANY dst my_ip dport 25 rule. No sweat. The it locks down incoming traffic to only a single IP or interface.
