I understand that your Exchange is directly connected to Internet? You'll need to create a specific receive connector for Internet mailflow, and don't use Exchange Servers auth mecanism on it.

You'll need to scope the remoteIpRange of this connector so you'll have a unique binding on the IP : Port : RemoteIPRange. This can be done by NATing the incoming connection with your router IP, then creating a new receive connector for Internet.

I don't recommand messing with the default Exchange 2013 receive connectors, what work today may be messy tomorrow.

OK.  well that sounds good but this is my first time working with exchange so any guidance on how to do this?

You could use this code, be aware that if you use some antispam on your Exchange server, some features won't work anymore (reverse DNS, SPF and like) :

New-ReceiveConnector -Bindings 0.0.0.0:25 -RemoteIPRanges 'your firewall NATed IP' -Internet -Name "From Internet"  -AuthMechanism Tls -Fqdn 'your public FQDN' -PermissionGroups AnonymousUsers -TransportRole FrontendTransport

A simplier way would be to uncheck all "exchange server" stuff on the "Default Frontend" receive connector on both Auth and Permissions group, but usually I don't like to mess with default connector. It will work if you don't have any Exchange 2007 or 2010 server in your organisation.

we only have Exchange 2013 in our organisation but if I uncheck all the Exchange server stuff does that not make it less secure?