Anyway to block sasl logins external on only port 25?

Discussion in 'General' started by friday, May 17, 2016.

  1. friday

    friday Member

    I'm embarrassed to say that I'm still using ISPConfig2. It's for one client with multiple locations and businesses.
    So, many years ago, they set up a few generic accounts, let's call them newcars@domain and usedcars@domain.
    Well last week, newcars@domain got compromised. Apparently, a weak password. A more complex password was given, then 150k+ emails removed from the queue. And then a few hours getting them delisted.
    And then today, usedcars@domain was compromised. Same procedure, more complex password, delete queue, and then start pitching the RBL providers.

    Well, then the questions start:
    "Hey email administrator, do something to keep this from happening" and "why did this happen? Do we need someone else to do your job?".
    Frankly, I'd love to give up email administration. But, that ain't happening. Part of my job, apparently.
    So, I disabled all SASL logins in main.cf, and only opened up email from permitted networks. Then the calls come in "But, I need to email from my phone remotely" and "I don't wanna use a VPN" and "can you only block spammers?"

    And the email filtering system, Spam Titan, is completely worthless to stop this. At least with ASSP, I can block SMTP auth requests on port 25, and force users to use 588 (NAT'd to 587). But this client has paid the money for Spam Titan and my bosses think it's the greatest thing since sliced bread.

    So, how in the heck do I stop users from authenticating and relaying mail on port 25? I'd love a way to deny SASL logins on port 25, but give mobile users a way to authenticate and relay on other ports, like 588 above.
    Any thoughts?
     
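One way to get exactly the split the question asks for inside Postfix itself, as an added example and not configuration from this thread or from ISPConfig: leave SASL off globally in main.cf and switch it on only for the submission listeners in master.cf. The service names and `-o` overrides are standard Postfix ones; the extra `588` listener is an assumption matching the NAT setup described above, and `smtpd_tls_security_level` needs Postfix 2.3 or later (on older releases `smtpd_enforce_tls=yes` is the equivalent). The commented-out block shows the weak layout that lets a guessed password relay through port 25.

```text
# main.cf: SASL stays off unless a master.cf service turns it on
smtpd_sasl_auth_enable = no
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

# master.cf, weak layout: one listener serves both inbound MX traffic and
# user relaying, so anyone holding a guessed password can relay on port 25
#smtp      inet  n       -       -       -       -       smtpd
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_recipient_restrictions=permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination

# master.cf, hardened layout: port 25 accepts only mail for our domains and
# never offers AUTH; relaying for users happens on submission (587) and,
# as assumed here, on 588 for clients that cannot be repointed
smtp      inet  n       -       -       -       -       smtpd
  -o smtpd_sasl_auth_enable=no
  -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination

submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject

588       inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject
```

After `postfix reload`, the check is an `EHLO` against port 25 from outside the permitted networks: the response must not contain a `250-AUTH` line, while the same `EHLO` on 587 or 588 (after `STARTTLS`) must. The separate `syslog_name` also makes it obvious in mail.log which listener an authentication failure came through.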
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Do you have fail2ban installed? If no, install it. If yes, check if it works correctly and kicks in when someone tries to use a wrong password more than the max. retries defined in fail2ban config. This should solve your issues without the need to close any ports.
     
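A jail that does what this reply describes, as an added example rather than a configuration from the thread: it uses the stock `postfix-sasl` filter that ships with fail2ban (in current releases it is a thin include of the `postfix` filter with `mode = auth`), and the `588` port entry is an assumption matching the NAT setup from the question. The sample log line in the comment is constructed to show the Postfix message the filter matches.

```ini
# /etc/fail2ban/jail.local  (added example; filter and paths are stock fail2ban)

[DEFAULT]
# five failed SASL logins within ten minutes bans the source for an hour
bantime  = 3600
findtime = 600
maxretry = 5

[postfix-sasl]
enabled  = true
# ban on every listener that accepts or could accept AUTH
port     = smtp,submission,588
filter   = postfix-sasl
logpath  = /var/log/mail.log
# Matches lines such as this constructed sample (192.0.2.0/24 is a documentation range):
#   postfix/smtpd[1234]: warning: unknown[192.0.2.10]: SASL LOGIN authentication failed: authentication failure
```

To confirm the filter actually sees the failures before trusting it, run `fail2ban-regex /var/log/mail.log /etc/fail2ban/filter.d/postfix-sasl.conf` and check that the matched-line count is non-zero for a log that contains such warnings; `fail2ban-client status postfix-sasl` then shows the currently banned addresses once the jail is live.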
  3. friday

    friday Member

    Here's the funny part. The email server still runs Dapper.
    Ubuntu 6.0.6
    Weren't CRT monitors monochrome back then too?
    I'll be scouring the internet for a dapper deb of this. Gonna be a long night. Might need more than a liter of beer.
    In the meantime, I'll have sales pitch them for a new email server.
     
