Keep in mind that SMTP (TCP port 25) is permitted through the firewall or proxy server to allow incoming and outgoing email messages. In other words, establishing and maintaining a secure OS and email or web server is not enough since SPAM permeates SMTP. In addition to OS and email security, you'll need to implement an anti-SPAM integrated or intermediary server solution that filters email messages and maintains a blacklist of spammers. Another alternative is to hire an outside company to provide the SPAM filtering service for your site.
As you can already see, setting up an email server and a future web server for your company demands more than just good information when security is of primary concern. I applaud you for starting here and making an effort to understand the dynamics involved when it comes to a secure email and web server setup. Depending on the role of the web server (e.g., to host public sites), you could place the server outside the firewall with ACLs configured on your perimeter router, or you could set up the web server in the DMZ; as for the location of the email server, I have typically configured this server behind the firewall on the internal network or subnet. The latter location supports minimal holes in the firewall when configuring a front-end web server (e.g., OWA) to access a back-end email server (e.g., Exchange Server).
I have included below some links that provide good information and best practice instructions for UNIX Sendmail, Exchange Server, Apache and IIS. I'm sure that there are other viable solutions, but these are the ones that I'm most familiar with and support.