I recommend you use seperate interfaces for inbound vs outbound flows (though this is not required). If your scanner is in a DMZ, I woudl have the inbound (public) interface in the DMZ, and the outbound (private) interface on the inside. In the Scanner STMP config, make sure you restrict who can connect to the private interface to your mail servers.