Seems that if you enable the SMTP proxy, it listens on all interfaces regardless.
Found this thread from 2007! which had the same issue and a fairly lame workaround involving setting up an invalid NAT rule.
https://community.sophos.com/products/unified-threat-management/astaroorg/f/56/t/48196
There's got to be a better way, no?
This thread was automatically locked due to age.