"but I don't want it open from the outside."
Then why did you set up a port forward? The only reason for a port forward is when you want unsolicited traffic from the outside to go to some box on the inside.
What you're asking, in a default setup, would have already been allowed. Default rules allow anything on LAN to go to anything on the internet, and there would be NO allowed unsolicited inbound traffic.
So any box on your network would be allowed to talk to anything on 25 on the internet. If you want to limit that, then yes, on your LAN you would create a rule to only allow your Exchange box to talk out on 25, and create a specific rule to block everything on 25 right under that rule. Then under that rule you would have your default allow again. So Exchange talking on 25 OK, anything else on 25 blocked. If talking on, say, 80, it would be open.
You should have no port forwards in what you asked for.
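
The rule order described in the post above, as an added example that is not part of the original thread: a small evaluator that assumes rules are checked top-down with the first match winning, run over the three LAN rules in the posted order and in two wrong orders. The subnet, the Exchange address, and the names `Rule`, `evaluate` and `smtp_leaks` are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str            # "pass" or "block"
    src: str               # source network in CIDR form
    dport: Optional[int]   # destination port, None means any port

LAN = "192.168.1.0/24"         # constructed LAN subnet
EXCHANGE = "192.168.1.10/32"   # constructed Exchange server address

# Order from the post: Exchange out on 25, block 25 for everyone else, default allow.
LAN_RULES = [
    Rule("pass", EXCHANGE, 25),
    Rule("block", LAN, 25),
    Rule("pass", LAN, None),
]

def evaluate(rules, src_ip, dport):
    """Return (action, rule number) of the first matching rule.

    Assumption: top-down, first-match evaluation; traffic that matches
    no rule is blocked and reported as rule 0.
    """
    addr = ipaddress.ip_address(src_ip)
    for number, rule in enumerate(rules, 1):
        in_src = addr in ipaddress.ip_network(rule.src)
        if in_src and rule.dport in (None, dport):
            return rule.action, number
    return "block", 0

def smtp_leaks(rules, hosts, exchange_ip="192.168.1.10"):
    """List hosts other than the Exchange box that may send out on port 25."""
    return [h for h in hosts
            if h != exchange_ip and evaluate(rules, h, 25)[0] == "pass"]

if __name__ == "__main__":
    hosts = ["192.168.1.10", "192.168.1.50", "192.168.1.77"]  # constructed
    orders = {
        "as posted": LAN_RULES,
        "block first": [LAN_RULES[1], LAN_RULES[0], LAN_RULES[2]],
        "default allow first": [LAN_RULES[2], LAN_RULES[0], LAN_RULES[1]],
    }
    for name, rules in orders.items():
        print(name, "| exchange:25 ->", evaluate(rules, hosts[0], 25),
              "| workstation:80 ->", evaluate(rules, hosts[1], 80),
              "| hosts leaking 25:", smtp_leaks(rules, hosts))
```
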