The Barracuda's spam filter is a great piece of hardware. We have two of them clustered here. We filter about 60,000 messages per hour, roughly 97% of which are legitimate. The number of false positives is maybe 1 per month, and we filter for almost 100 domains, including two ISPs. The only bad thing I can say about them is that because they run Linux as their core, they are susceptible to any number of weird, random issues that you can't fix on your own, so you want to keep your Energize Update contract current for support.
Depending on how much inbound email you get, it might be better to contract out with someone who hosts spam filtering. For instance, some of our customers get literally hundreds of spam emails every 5 minutes. If all of that traffic were to go through their internet connection, there'd be no more bandwidth left for regular traffic. Instead, they pay us to go through our filter which is hosted in our colocation. We weed out the crap and only send the good stuff to their onsite servers.
As far as the servers themselves go, inbound connections only need to be allowed for the Barracuda (obviously discounting OWA and things like that). You don't need to expose your mail server to the public at all. Open up port 25 in to the Barracuda, and that's it.