It will be much easier to post a screenshot of the ZS web-gui or a paste of the iptables rules.
Regarding 1) I suggest blocking it on the mail server itself, rather that looking how to block the destination nat.
On 2) I cannot help you, it depends on what your SIP server is expecting.
3) Making https work on other ports might need a little bit of hacking an preboot scripts. However from the main setup page, https tab can create an access list of which IPs and from which interface will connect to the ZS.