Hi Pete,
It's good to know that you were able to resolve the issue.
For future reference, plesae note that in situations like these, looking at maillog (using the "watch maillog" CLI command) will be useful. For maillog to provide useful information for troubleshooting, you will need to change the logging level for Message Transfer Agent (MTA) to Information, but do not run the system at higher logging level for extended periods of time. When you are done with troubleshooting remember to change the logging level back to warning.
Here is an example of the rejected connection log entry in maillog:
2010 Mar 17 06:23:02 PDT (info) ecelerity: [20067] ML-REJECT: Rejection on: 10.160.248.102:25,200, sent to host: 10.160.248.103:53168, Audit ID 0aa0f865-b7b85ae000004e63-00-4ba0d7b6da41, 554 <unknown[10.160.248.103]>: Client host rejected: Access denied
Notice that 10.160.248.102 is the IP address of my outbound listener and this listener is configured to accept connections ONLY from specific IP addresses. Since the IP address 10.160.248.103 is NOT authorized to connect to the outbound listener of my SBG box, it gets rejected with the "554 <unknown[10.160.248.103]>: Client host rejected: Access denied " message.
Hope this information will be helpful for other customers running into similar issues.
Regards,
Adnan