Maybe one of the McAfee guys can advise better, but wouldn't think that doing this on the Firewall will make any difference.
If you are using Sendmail on the Firewall then it is acting as an MTA handling an SMTP transaction to the point of completion. After that it will then send the message on to your Ironmail server as a completely new SMTP transaction. External parties are never talking directly to your Ironmail server and I would personally expect that it will be necessary to do so in order for the correct TLS handshake to take place. While it is possible to configure mail security solutions to look into the SMTP header and discard a number of hops in the transaction in order to perform reputation checking and such like, all 'external' SMTP communications to/from your network are being conducted by Sendmail rather than by your Ironmail server.
In order to be able to use TLS on your Ironmail server I would expect that you will need to disable Sendmail on the Firewall in favour of transparent SMTP proxies.
I would have to agree with Phil on this one. If your intentions are for Ironmail to negotiate TLS with outside servers, and you are going through the Firewall, then either a proxy or filter rule would be required. The other option would be for the firewall to use TLS itself when talking with outside servers.