Hello,
As I see in your case, during Transition period, there is not much of a choice other than blocking via IPSec. Check this: http://support.microsoft.com/kb/813878
Again, agreed with pete's comment above.
However, once the Migration is complete in Symantec Endpoint Protection, it has Internet Email Auto-Protect, which protects both incoming email messages and outgoing email messages that use the POP3 or SMTP communications protocol over the Secure Sockets Layer (SSL). When Internet Email Auto-Protect is enabled, the client software scans both the body text of the email and any attachments that are included.
You can enable Auto-Protect to support the handling of encrypted email over POP3 and SMTP connections. Auto-Protect detects the secure connections and does not scan the encrypted messages. Even if Internet Email Auto-Protect does not scan encrypted messages, it continues to protect computers from viruses and security risks in attachments.
File System Auto-Protect scans email attachments when you save the attachments to the hard drive.
Reference:http://www.symantec.com/docs/HOWTO27134
Hope that helps!!