Outbound data on specific IP (pfsense)

pfSense with multiple virtual IPs. They have Comcast cable with 5 static IPs. For the email IP, I do have a custom PTR record. They have an old SonicWall TZ-215 at the moment. I am putting in a Supermicro E200-9B, which has an Intel N3700, 4GB DDR3 and a 60GB mSATA drive. I have pfSense 2.3.4 on it. They have just shy of 50 employees.

They have Exchange 2010 running on-premises and I want to use a virtual IP for all email. Now inbound is easy; my question is how do I make sure that outbound port 25 from that server goes out on that virtual IP. The main reason is I only allow the server to send outbound port 25, and I restrict the server to only send email to its smart hosts. But on the smart host I lock it down to that single IP. Similarly, I only allow the spam filters to send email inbound to the server on that single IP.

I have two spam filters, one I host in my office and the second I host on a private cloud in a datacenter.

I am hesitant to use 1:1 NAT, 1) because I am not sure if it will do what I need with outbound, and 2) because I am ONLY allowing port 25 between the spam filters, and I have port 443 for ActiveSync. Everything else is blocked, but I may in the future need to steal a port on that IP for another service.

I may also want to limit 443 to only US-based IPs, but I had an issue with many users (200ish) and pfBlocker where the CPU spiked at 100% and the temps hit 70C+ on the N3700. I also use LabTech, and the agents will absolutely drive Snort and Suricata crazy. Unless Verizon Wireless and AT&T Mobility have URL-based plaintext lists I can use pfSense Aliases for, or maybe ARIN... Any other ideas are welcome. I know the "what if they travel?" question; short answer, they can call ahead or use the VPN.

Received an answer somewhere else...

Set outbound NAT to Hybrid and then add a rule with that server's IP address as the source network in CIDR notation (i.e. /32 for a single IP).

Then you can select the VIP.

Not as intuitive as I would have hoped, but not really that hard.
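The reason the Hybrid rule works is that pf evaluates NAT rules first-match, and pfSense's Hybrid mode places the manual rules ahead of the automatically generated catch-all for the LAN subnet, so the /32 rule for the Exchange host wins and everything else still uses the primary WAN address. The check a practitioner would want after saving the rule is to confirm that ordering in the live ruleset (`pfctl -s nat` on the firewall) rather than trust the GUI. The script below is an added example, not code from the post or from pfSense: it parses a constructed sample in the style of `pfctl -s nat` output (the exact format, interface name `igb0`, and all addresses are assumptions made up for the example) and resolves which source address a given connection would be translated to, including the misordered case where the catch-all is listed first and the VIP rule is silently shadowed.

```python
import ipaddress
import re

# Constructed sample in the style of `pfctl -s nat` on pfSense. The format,
# interface name and addresses are assumptions for this example, not output
# captured from the poster's firewall. Hybrid mode: the manual rule for the
# Exchange host (192.168.1.10 -> mail VIP 203.0.113.5) comes first, the
# automatic catch-all for the LAN subnet (-> primary WAN 203.0.113.2) second.
SAMPLE_NAT_RULES = """\
nat on igb0 inet proto tcp from 192.168.1.10 to any port = smtp -> 203.0.113.5
nat on igb0 inet from 192.168.1.0/24 to any -> 203.0.113.2 port 1024:65535
"""

# pfctl prints well-known ports by service name; a minimal table suffices here.
SERVICE_PORTS = {"smtp": 25, "https": 443, "domain": 53}

RULE_RE = re.compile(
    r"^nat on (?P<iface>\S+) inet"
    r"(?: proto (?P<proto>\w+))?"
    r" from (?P<src>\S+) to (?P<dst>\S+)"
    r"(?: port = (?P<port>\S+))?"
    r" -> (?P<target>\S+)"
)


def parse_port(token):
    """Turn a pfctl port token ('smtp' or '25') into an int; None means any port."""
    if token is None:
        return None
    if token.isdigit():
        return int(token)
    return SERVICE_PORTS[token]


def parse_nat_rules(text):
    """Parse `nat` lines in ruleset order; rdr/binat/blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        rules.append({
            "iface": m["iface"],
            "proto": m["proto"],             # None means any protocol
            "src": m["src"],
            "dst": m["dst"],
            "dport": parse_port(m["port"]),  # None means any destination port
            "target": m["target"],           # translation (source) address
        })
    return rules


def addr_matches(spec, ip):
    """Match 'any', a host address, or a CIDR prefix against an IP."""
    if spec == "any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def translated_source(rules, src_ip, dst_ip, dst_port, proto="tcp"):
    """Return the address pf would translate the source to; first match wins.

    Returns None when no nat rule matches (the packet leaves untranslated).
    """
    for r in rules:
        if r["proto"] not in (None, proto):
            continue
        if not addr_matches(r["src"], src_ip):
            continue
        if not addr_matches(r["dst"], dst_ip):
            continue
        if r["dport"] not in (None, dst_port):
            continue
        return r["target"]
    return None


def check_mail_vip(nat_text, exchange_ip, mail_vip, smarthost_ip):
    """True only if SMTP from the Exchange host to the smart host leaves on the VIP."""
    rules = parse_nat_rules(nat_text)
    return translated_source(rules, exchange_ip, smarthost_ip, 25) == mail_vip


if __name__ == "__main__":
    smarthost = "198.51.100.20"  # assumed smart host address
    rules = parse_nat_rules(SAMPLE_NAT_RULES)
    print("Exchange SMTP    ->", translated_source(rules, "192.168.1.10", smarthost, 25))
    print("Exchange HTTPS   ->", translated_source(rules, "192.168.1.10", smarthost, 443))
    print("Workstation SMTP ->", translated_source(rules, "192.168.1.50", smarthost, 25))
    # Same two rules with the catch-all listed first: the VIP rule is shadowed
    # and the Exchange host would reach the smart host from the primary WAN IP.
    misordered = "\n".join(reversed(SAMPLE_NAT_RULES.strip().splitlines()))
    print("Misordered SMTP  ->", translated_source(parse_nat_rules(misordered), "192.168.1.10", smarthost, 25))
```

The sample rule matches TCP/25 only, mirroring the poster's setup where that is the only outbound traffic the server is allowed; any other egress from the host still falls through to the catch-all and leaves on the primary WAN address. Leaving the destination port blank in the pfSense rule would translate everything from that host to the VIP instead. The misordered case is the failure mode worth testing for: with the smart host locked to the single VIP, a shadowed rule does not produce an obvious error on the firewall, only rejected mail at the smart host.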