It becomes easy when you make your employees use a VPN to access your Exchange server directly and have a smarthost mail server (sendmail, qmail, whatever that is set up securely) on a DMZ that actually is exposed to the internet at large. To the ISP the VPN traffic does not look like SMTP. You lose complexity and gain encrypted communications.
Also, if you are just using IMAP/POP, other systems (besides Exchange) can be set up with the IMAP/POP auth allowing inbound IMAP/POP connections.
We are currently setting up CIPE to do just that. It seems to be working pretty well but we are still testing it. I was really curious though, if there was a viable solution in its current setup. Thanks for the reply.