You could get your firewall ACCEPT but LOG the outgoing 25 from anything but your mailhub.
Have often wondered whether a transparent mail-proxy could be set up, similar to a transparent web-proxy, with your firewall catching all port 80 and redirecting to 8080 on your squid server. Never got around to seeing whether this was possible …
… then again I agree with the others, blocking outgoing port 25 is the better idea, but only if it is not going to get you fired.
Cheers,