100%.Or set host file entries on each endpoint to resolve the mail.domain.com to your internal ip that’s available only over vpn. Not going to be easy on mobiles.

There is an assumption though that the mail server has an internal IP address wherever you are hosting. That might not be true. I would always put the public IP on the firewall and then NAT with specific port 25 in to the private IP of the server, but who knows what this particular OP has done.