Any SMTP server that is not listed as a public Mail Exchanger in the DNS zone of your domain(s) should not accept incoming connections from the internet. All incoming mail traffic should go through your incoming mail exchanger(s).
This consideration is not unique to SMTP servers. If you have machines that only serve an internal purpose within your site, use a firewall to restrict access to them.
This is a rule, so there must be exceptions. However, if you don't know what they are, then the above applies to you.
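One way to audit the rule above, as an added example that is not part of the original text: collect the MX targets published in a zone file and report any host that accepts SMTP from outside without being one of them. The zone contents, host names and the list of externally reachable listeners are constructed sample data, and the function names are hypothetical.

```python
# Added example; the zone, host names and listener list are constructed.
ZONE = """\
$ORIGIN example.org.
$TTL 3600
@        IN MX  10 mx1
@        IN MX  20 mx2.example.org.   ; absolute name
         300 IN MX 30 backup.example.net.
@        IN TXT "v=spf1 mx -all"
mx1      IN A   192.0.2.10
smtp     IN A   192.0.2.25
"""
# Hosts observed (for example by your own external check) to accept TCP/25.
EXTERNALLY_REACHABLE_SMTP = ["mx1.example.org", "smtp.example.org",
                             "MX2.example.org.", "relay.example.org"]
CLASSES = {"IN", "CH", "HS"}

def absolute(name, origin):
    """Resolve a zone-file name against $ORIGIN; result has no trailing dot."""
    name = name.lower()
    if name == "@":
        return origin
    if name.endswith("."):
        return name[:-1]
    return f"{name}.{origin}" if origin else name

def mx_targets(zone_text):
    """Return the set of mail exchanger host names published in the zone."""
    origin, targets = "", set()
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0]          # strip comments
        fields = line.split()
        if not fields:
            continue
        if fields[0].upper() == "$ORIGIN":
            origin = fields[1].rstrip(".").lower()
            continue
        if not line[0].isspace():            # first field is the owner name
            fields = fields[1:]
        while fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
            fields = fields[1:]              # skip optional TTL and class
        if len(fields) >= 3 and fields[0].upper() == "MX":
            targets.add(absolute(fields[2], origin))
    return targets

def unlisted_listeners(zone_text, listeners):
    """SMTP listeners reachable from outside that are not published MX hosts."""
    published = mx_targets(zone_text)
    seen = {h.lower().rstrip(".") for h in listeners}
    return sorted(seen - published)

if __name__ == "__main__":
    print(unlisted_listeners(ZONE, EXTERNALLY_REACHABLE_SMTP))
```

Each host it reports is a candidate for a firewall rule that blocks inbound port 25 from the internet, unless it is one of the exceptions you know about.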