@MrHoffman,
Thanks for the pointers and suggestions.
The config for my ISP's SMTP server is correct. I specified the port (:465), and double-checked userid/password. It's the same as used by all our e-mail clients (a half-dozen or so on various Macs, iPhones, iPads, Linux boxes), all of which work fine from my LAN.
As for DNS, it seems OK. (I am indebted to you for the excellent series of articles on servers and networking at http://labs.hoffmanlabs.com/node/1705 )
The changeip command reports:
The names match. There is nothing to change.
dirserv:success = "success"
However, I should point out that I do not have the DNS service enabled on ML Server. I already have a local DNS running on my gateway router. (it's an instance of the dnsmasq process that is part of Tomato firmware). It has local names defined for all the servers and hosts on my LAN, and provides rDNS for them as well.
However, what I haven't done is enabled the Mail service. You've (slightly) misunderstood the core of my plan. My intent is not simply to secure the local mail server against remote access. I don't want either remote or local users from accessing the mail server. I don't want it listening for POP or IMAP connections from anywhere (on my LAN or remotely). I don't want it receiving inbound mail from anywhere. I don't want it relaying outbound mail for any client on my LAN. All I want the ML Server to be able to do is to send me alerts (by e-mail) when it's in need of attention. Other appliances on my LAN (eg. a NetgearReadyNAS) can send me e-mails when they are unhappy, and I hope I can coerce the ML Server to do the same.
I know I don't have the expertise to operate and maintain my own mail server, and I'm quite happy with the mail service provided by my existing network service provider. Plus, I'm behind a cable modem with a dynamic IP address, so I'm unable to establish my own rDNS record (which I understand is required to handle inbound mail).
It looks like the next step is to turn on the Mail service. But I'm sure it's going to be unhappy since there's no MX record set-up. I was hoping there was a way that ML Server could simply send out its own outbound alerts (using my ISP's SMTP relay) without having the incoming part of the mail service active. But perhaps Apple didn't anticipate that sort of configuration.