Hi Przemek,
In this case I'm not sure I fully understand the question.
If by secure email you mean the messages in Web Messenger, that will not be possible, simply because they never leave the server (only the notifications of new message). The external user must login to the server's webpage to read and send email.
You need to have the "https://keys.domain:port (default is 443)" accessible for the external user.
If by secure email you mean the "normal" encrypted email, then you need to configure the Mail Proxies.
With this configuration prefer having two connectors, one inbound and one outbound connector, because this will give clear communication paths to configure the environment.
Rgs,
dcats