BCP blocking list for edge networks? (was: ingress SMTP)

Ok, mine is actualy even edgier than that; no transit at all, to
paraphrase Steeley Dan.

But does anyone have a pointer to a good set of ports to block in each
direction through my Shorewall DNAT setup, preferably annotated?

On reflection, that's actually only outbound; the necessity to set up
inbound DNAT manually makes it a default-deny environment, which is one
of the reasons that some people like NAT as a component of an edge

-- jra