The first thing I wanted to do was identify the compromised computer and clean it. With more than 80 computers on the LAN, I needed a centralized way to do that. Luckily, my FortiGate 60C firewall can spit out a report with that information. Under System -> Config -> Advanced, there was a packet capture widget which could give me what I needed. Here's how I captured all traffic on port 25:
The packet capture file was in PCAP format, which is a Wireshark format. I opened up the file in Wireshark, and I could see (in this case) that 172.16.1.107 (which is not the mail server) was sending a lot of traffic over port 25 to a lot of different locations. This was my culprit. I cleaned the computer using Malwarebytes and then delisted the public IP from the various blacklists it was on.
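The same triage can be scripted instead of read off by eye in Wireshark. The following is an added example, not part of the original post: it parses a classic PCAP file with Ethernet framing and lists every internal host, other than the mail server, that opened port 25 connections, along with the distinct destinations. The mail server address 172.16.1.10 and the sample packets are constructed assumptions.

```python
import struct
from collections import defaultdict
from ipaddress import ip_address

def smtp_senders(pcap, mail_server):
    """Map each source IP except mail_server to the set of destination
    IPs it sent TCP SYNs to on port 25 (one SYN = one connection attempt)."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    dests, off = defaultdict(set), 24            # skip 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                             # keep IPv4 over TCP only
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]  # honour the IP header length
        if len(tcp) < 14:
            continue
        dport, flags = struct.unpack("!H", tcp[2:4])[0], tcp[13]
        src, dst = str(ip_address(frame[26:30])), str(ip_address(frame[30:34]))
        # SYN set, ACK clear: a new outbound connection, not a reply
        if dport == 25 and (flags & 0x12) == 0x02 and src != mail_server:
            dests[src].add(dst)
    return dict(dests)

def build_frame(src, dst, dport, flags=0x02):
    """Constructed Ethernet/IPv4/TCP frame used only for the sample below."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     ip_address(src).packed, ip_address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, flags, 1024, 0, 0)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(packets):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for p in packets:
        f = build_frame(*p)
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed sample capture: mail server, one noisy client, one HTTPS client.
SAMPLE = build_pcap([
    ("172.16.1.10", "198.51.100.5", 25), ("172.16.1.107", "198.51.100.7", 25),
    ("172.16.1.107", "203.0.113.9", 25), ("172.16.1.107", "192.0.2.44", 25),
    ("172.16.1.107", "192.0.2.44", 25, 0x10), ("172.16.1.55", "203.0.113.80", 443),
])
```

Calling `smtp_senders(SAMPLE, "172.16.1.10")` returns only 172.16.1.107 with its three destinations; on a real capture, sort the result by the size of each destination set to surface the noisiest host first.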
I'm going to look at options for having all network traffic go out on a different IP than the one that the mail server uses to avoid this in the future. That could be a long-term solution to this issue.