I got part of but not all of what I had hoped to accomplish done tonight.
Our client mail server is now chroot’d as are the incoming servers.
Our client mail server now signs mail with a DKIM signature and checks mail that comes to it with a signature though from a client that would be a rarity.
I also installed clam-AV on our client mail server so there is no longer any e-mail ingress routes for viruses that are known. Always there are some out there in the wild for which signatures haven’t yet been developed, but at least this will stop propagation of those that have.
I installed spamassassin on the incoming server but it will only affect local delivery and not relayed e-mail at present. I hope to fix that in the future.
I did not get DMARC installed yet. That is still a work in progress.