I have never needed to do this, but I suggest you need to have a firewall rule configured with an external facing IP address and a non standard port that translates to you internal smtp server (commonly terrmed as NAT).
You should be able to restrict the source IP Address as well, I’m not sure if there is a specific range of IP addresses that the Cloud app servers use or not. You could use this as a starting point, but you should consult with your network/email admin as invariably each company has their own configuration for email, which may need further configuration, and it will require some testing to get it correct.
Hope that helps